Skip to content

Merging internal commits for release/8.0#11787

Merged
gpaskaleva-msft merged 10 commits into
release/8.0from
internal-merge-8.0-2026-07-14-2022
Jul 17, 2026
Merged

Merging internal commits for release/8.0#11787
gpaskaleva-msft merged 10 commits into
release/8.0from
internal-merge-8.0-2026-07-14-2022

Conversation

@dotnet-bot

@dotnet-bot dotnet-bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor
Microsoft Reviewers: Open in CodeFlow

ProductConstructionServiceProd and others added 10 commits June 3, 2026 04:45
…ernal/release/8.0

Resolves mirror conflict for branch release/8.0 (GitHub → AzDO internal).
   Ref: #11677

   Commits being merged:
   - b9fef20 Update branding to 8.0.29 (#11685)
   - 6e3dff9 Update dependencies from dotnet/arcade build 20260528.3 (#11676)

----
#### AI description  (iteration 1)
#### PR Classification
Dependency version update and internal branch merge to update toolset packages and increment the patch version.

#### PR Summary
This pull request merges changes from release/8.0 into internal/release/8.0, updating Microsoft.DotNet.Arcade toolset dependencies and incrementing the patch version.

- `eng/Version.Details.xml` and `global.json`: Updated Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.CodeAnalysis, Microsoft.DotNet.Helix.Sdk, Microsoft.DotNet.ApiCompat, and Microsoft.DotNet.GenAPI from version 8.0.0-beta.26224.3 to 8.0.0-beta.26278.3
- `eng/Versions.props`: Incremented PatchVersion from 28 to 29
- `NuGet.config`: Removed temporary darc-int package sources for dotnet-runtime and dotnet-winforms
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
This PR addresses multiple MSRC-reported security vulnerabilities in WPF's native rendering pipeline by adding bounds checks and overflow protection to prevent out-of-bounds writes and heap corruption.

## Changes

### 1. Pixel Shader bytecode validation

**File:** `WpfGfx/core/fxjit/PixelShader/pstrans.cpp`

- Reject excessively large shader bytecode (> 1MB) to prevent integer overflow in allocation calculations
- Validate sampler register numbers against `PSTR_MAX_TEXTURE_SAMPLERS` before array indexing
- Validate input register numbers against `PSTR_MAX_NUMINPUTREG` before use
- Validate texture register numbers against `PSTR_MAX_NUMTEXTUREREG` before use
- Cap source parameter count at `PSTR_MAX_NUMSRCPARAMS` to prevent OOB writes
- Validate sampler stage index before use in texture lookup paths
- Gracefully fail with `E_FAIL` instead of corrupting heap memory

### 2. GuidelineCollection heap overflow fix

**File:** `WpfGfx/core/common/guidelinecollection.cpp`

- Add safe integer multiplication (`UIntMult`/`UIntAdd`) for allocation size calculation in `CSnappingFrame::PushFrame`
- Prevents heap corruption when `uCountX + uCountY` would cause `sizeof(float) * uCount * 2` to overflow

### 3. System.Printing gradient band overflow fix

**File:** `System.Printing/CPP/src/GDIExporter/gdirt.cpp`

- Cap gradient group range to 10,000 in `FillLinearGradient` to prevent integer overflow in band/vertex/index calculations
- Returns `E_NOTIMPL` for excessively large gradient ranges

## Opt-out Switches

All fixes are gated behind AppContext switches for servicing safety:

## Testing

- Validated with crafted malicious pixel shader bytecode PoCs that previously caused OOB heap writes
- Verified that well-formed shaders and documents continue to render correctly
- Confirmed opt-out switches disable the checks when set

## Risk

**Low.** All changes add early-exit validation before existing code paths. No behavioral change for valid inputs. 


----
#### AI description  (iteration 1)
#### PR Classification
Security bug fix to add bounds checking and input validation to prevent integer overflow vulnerabilities in WPF pixel shader and printing components.

#### PR Summary
This PR implements security fixes by adding bounds checking protection to WPF's pixel shader processing and GDI printing to prevent integer overflow attacks. The changes introduce AppContext switches to allow disabling the protection if needed for compatibility.

- `pstrans.cpp`: Added validation for bytecode size limits, source parameter counts, register numbers (sampler, input, texture), and token counts to prevent buffer overflows
- `guidelinecollection.cpp`: Added integer overflow checks using `UIntMult` and `UIntAdd` for memory allocation size calculations
- `gdirt.cpp`: Added maximum gradient group range validation (10000) to prevent integer overflow in gradient band calculations
- `PrintingSwitches.h` and `WpfGfxSwitches.h` (via includes): Introduced AppContext switches `Switch.MS.Inte...
This PR addresses multiple vulnerabilities where WPF's restrictive/unsafe XAML loading path could be bypassed, allowing attacker-controlled XAML to instantiate dangerous types (e.g., `ObjectDataProvider` → `Process.Start`) and achieve Remote Code Execution.

## Changes

### 1. Async XamlReader.LoadAsync taint propagation fix

**File:** `System/Windows/Markup/XamlReader.cs`

The synchronous `WpfXamlLoader` propagates `IsUnsafe = true` to nested-load-capable objects (`ResourceDictionary`, `Frame`, `NavigationWindow`) when loaded under `RestrictiveXamlXmlReader`. The asynchronous `LoadAsync` path was missing this propagation, allowing a first-stage async-loaded `ResourceDictionary` to load second-stage unrestricted XAML via its `Source` property.

**Fix:** Add the same taint propagation in `LoadAsync`'s `AfterBeginInitHandler`:

```csharp
if (_textReader is RestrictiveXamlXmlReader && args != null)
{
    if (args.Instance is ResourceDictionary rd)
        rd.IsUnsafe = true;
    else if (args.Instance is Frame frame)
        frame.NavigationService.IsUnsafe = true;
    else if (args.Instance is NavigationWindow nw)
        nw.NavigationService.IsUnsafe = true;
}
```

### 2. FixedPage NavigateUri → NavigationService unsafe taint

**File:** `System/Windows/Navigation/NavigationService.cs`

When navigation originates from a FixedPage element (Path, Canvas, Glyphs, or FixedPage) carrying `FixedPage.NavigateUri`, the target content could be attacker-controlled XAML within an XPS package. The `NavigationService` was not marked as unsafe in this path, allowing the XAML loader to process the content without restrictions.

**Fix:** Detect FixedPage-origin navigation in `OnRequestNavigate` and set `IsUnsafe = true` before the navigation proceeds.

### 3. XAML deserialization bypass in Undo and Clipboard paths

**Files:**
- `MS/Internal/Ink/ClipboardProcessor.cs`
- `System/Windows/Documents/TextTreeDeleteContentUndoUnit.cs`

Both the clipboard paste (InkCanvas) and text undo code paths call `XamlReader.Load` to deserialize stored XAML without the restrictive reader. An attacker who can influence clipboard content or trigger undo of crafted content could instantiate arbitrary types.

**Fix:** Pass `useRestrictiveXamlReader: true` to `XamlReader.Load` in both paths.

## Attack Scenarios Addressed

| Vector | Before | After |
|--------|--------|-------|
| XPS document with Frame → async ResourceDictionary → ObjectDataProvider | RCE | Blocked by restrictive reader |
| XPS FixedPage NavigateUri → attacker XAML part | RCE | Blocked (NavigationService marked unsafe) |
| Clipboard/Undo XAML deserialization with gadget types | RCE | Blocked by restrictive reader |

## Testing

- Validated with PoC: XPS package exploiting async taint gap on .NET 10(previously vulnerable) now blocks payload
- Verified synchronous restrictive path remains unaffected
- Confirmed normal XPS rendering, clipboard, and undo operations continue to work

## Risk

**Low.** The changes enforce the...
…ernal/release/8.0

Resolves mirror conflict for branch release/8.0 (GitHub → AzDO internal).
Ref: #11710

----
#### AI description  (iteration 1)
#### PR Classification
Dependency updates and version increment to resolve mirror conflicts between release branches.

#### PR Summary
This pull request merges release/8.0 into internal/release/8.0 by updating toolset dependencies and incrementing the patch version number.

- **`/eng/Version.Details.xml`**: Updated Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.CodeAnalysis, Microsoft.DotNet.Helix.Sdk, Microsoft.DotNet.ApiCompat, and Microsoft.DotNet.GenAPI from version 8.0.0-beta.26224.3 to 8.0.0-beta.26278.3
- **`/eng/Version.Details.xml`**: Updated Microsoft.DotNet.Wpf.DncEng from version 8.0.0-rtm.26253.1 to 8.0.0-rtm.26309.3
- **`/eng/Versions.props`**: Incremented PatchVersion from 28 to 29
- **`/global.json`**: Updated MSBuild SDK versions for Microsoft.DotNet.Arcade.Sdk and Microsoft.DotNet.Helix.Sdk to match Version.Details.xml changes
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
…t-winforms

- Coherency Updates:
    - Microsoft.NETCore.Platforms: from 8.0.28-servicing.26264.13 to 8.0.29-servicing.26315.23 (parent: Microsoft.Private.Winforms)
    - Microsoft.NETCore.App.Ref: from 8.0.28 to 8.0.29 (parent: Microsoft.Private.Winforms)
    - Microsoft.NETCore.App.Runtime.win-x64: from 8.0.28 to 8.0.29 (parent: Microsoft.Private.Winforms)
    - VS.Redist.Common.NetCore.SharedFramework.x64.8.0: from 8.0.28-servicing.26264.13 to 8.0.29-servicing.26315.23 (parent: Microsoft.Private.Winforms)
…otnet-winforms build 20260625.2

On relative base path root
Microsoft.Dotnet.WinForms.ProjectTemplates , Microsoft.Private.Winforms From Version 8.0.29-servicing.26316.1 -> To Version 8.0.29-servicing.26325.2
System.Drawing.Common From Version 8.0.29 -> To Version 8.0.29

Dependency coherency updates
On relative base path root
Microsoft.NETCore.Platforms,VS.Redist.Common.NetCore.SharedFramework.x64.8.0 From Version 8.0.29-servicing.26315.23 -> To Version 8.0.29-servicing.26324.3 (parent: Microsoft.Private.Winforms)

Microsoft.NETCore.App.Ref,Microsoft.NETCore.App.Runtime.win-x64 From Version 8.0.29 -> To Version 8.0.29 (parent: Microsoft.Private.Winforms)

System.Security.Cryptography.Xml From Version 8.0.3 -> To Version 8.0.4 (parent: Microsoft.Private.Winforms)
…ng/internal/dotnet-winforms

This pull request updates the following dependencies

[marker]: <> (Begin:Coherency Updates)
## Coherency Updates

The following updates ensure that dependencies with a *CoherentParentDependency*
attribute were produced in a build used as input to the parent dependency's build.
See [Dependency Description Format](https://github.com/dotnet/arcade/blob/master/Documentation/DependencyDescriptionFormat.md#dependency-description-overview)

[DependencyUpdate]: <> (Begin)

- **Coherency Updates**:
    - **Microsoft.NETCore.Platforms**: from 8.0.29-servicing.26315.23 to 8.0.29-servicing.26324.3 (parent: Microsoft.Private.Winforms)
    - **Microsoft.NETCore.App.Ref**: from 8.0.29 to 8.0.29 (parent: Microsoft.Private.Winforms)
    - **Microsoft.NETCore.App.Runtime.win-x64**: from 8.0.29 to 8.0.29 (parent: Microsoft.Private.Winforms)
    - **VS.Redist.Common.NetCore.SharedFramework.x64.8.0**: from 8.0.29-servicing.26315.23 to 8.0.29-servicing.26324.3 (parent: Microsoft.Private.Winforms)
    - **System.Security.Cryptography.Xml**: from 8.0.3 to 8.0.4 (parent: Microsoft.Private.Winforms)

[DependencyUpdate]: <> (End)

[marker]: <> (End:Coherency Updates)

[marker]: <> (Begin:0ce99e90-7dcb-4849-5aa3-08dbd5a5c716)
## From https://dev.azure.com/dnceng/internal/_git/dotnet-winforms
- **Subscription**: [0ce99e90-7dcb-4849-5aa3-08dbd5a5c716](https://maestro.dot.net/subscriptions?search=0ce99e90-7dcb-4849-5aa3-08dbd5a5c716)
- **Build**: [20260625.2](https://dev.azure.com/dnceng/internal/_build/results?buildId=3008190) ([320236](https://maestro.dot.net/channel/3880/azdo:dnceng:internal:dotnet-winforms/build/320236))
- **Date Produced**: June 25, 2026 5:17:41 PM UTC
- **Commit**: [997e819eac134e12bc1b2e50d8644d1aadd387d1](https://dev.azure.com/dnceng/internal/_git/dotnet-winforms?_a=history&version=GC997e819eac134e12bc1b2e50d8644d1aadd387d1)
- **Branch**: [refs/heads/internal/release/8.0](https://dev.azure.com/dnceng/internal/_git/dotnet-winforms?version=GBrefs/heads/internal/release/8.0)

[DependencyUpdate]: <> (Begin)

- **Dependency Updates**:
  - From [8.0.29-servicing.26316.1 to 8.0.29-servicing.26325.2][1]
     - Microsoft.Dotnet.WinForms.ProjectTemplates
     - Microsoft.Private.Winforms
  - From [8.0.29 to 8.0.29][1]
     - System.Drawing.Common

[1]: https://dev.azure.com/dnceng/internal/_git/dotnet-winforms/branches?baseVersion=GCe126432737a0d81e9e6cea3ae9467828ab9529db&targetVersion=GC997e819eac134e12bc1b2e50d8644d1aadd387d1&_a=files

[DependencyUpdate]: <> (End)


[marker]: <> (End:0ce99e90-7dcb-4849-5aa3-08dbd5a5c716)
@dotnet-bot
dotnet-bot requested a review from a team July 14, 2026 20:22
@dotnet-policy-service dotnet-policy-service Bot added the PR metadata: Label to tag PRs, to facilitate with triage label Jul 14, 2026

@himgoyalmicro himgoyalmicro left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@harshit7962 harshit7962 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Internal changes, LGTM

@gpaskaleva-msft
gpaskaleva-msft merged commit 5d3f183 into release/8.0 Jul 17, 2026
8 checks passed
@gpaskaleva-msft
gpaskaleva-msft deleted the internal-merge-8.0-2026-07-14-2022 branch July 17, 2026 06:05
@vseanreesermsft
vseanreesermsft restored the internal-merge-8.0-2026-07-14-2022 branch July 17, 2026 12:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

PR metadata: Label to tag PRs, to facilitate with triage

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants