cef/patch/patches/base_sandbox_2743.patch

diff --git base/BUILD.gn base/BUILD.gn
index 4c0e4645f64e3..4ace56138209d 100644
--- base/BUILD.gn
+++ base/BUILD.gn
@@ -41,6 +41,7 @@ import("//build/nocompile.gni")
 import("//build/timestamp.gni")
 import("//build/util/process_version.gni")
 import("//build_overrides/build.gni")
+import("//cef/libcef/features/features.gni")
 import("//testing/libfuzzer/fuzzer_test.gni")
 import("//testing/test.gni")
 
@@ -1503,7 +1504,11 @@ component("base") {
     "hash/md5_constexpr_internal.h",
     "hash/sha1.h",
   ]
-  if (is_nacl) {
+  deps += [ "//cef/libcef/features" ]
+  if (enable_cef) {
+    configs += [ "//cef/libcef/features:config" ]
+  }
+  if (is_nacl || is_cef_sandbox_build) {
     sources += [
       "hash/md5_nacl.cc",
       "hash/md5_nacl.h",
@@ -1934,6 +1939,12 @@ component("base") {
       defines += [ "COM_INIT_CHECK_HOOK_DISABLED" ]
     }
 
+    if (!use_custom_libcxx) {
+      # Enable the VS 2015 Update 2 fix when building with the MSVC standard
+      # library.
+      defines += [ "_ENABLE_ATOMIC_ALIGNMENT_FIX" ]
+    }
+
     libs += [
       "cfgmgr32.lib",
       "ntdll.lib",
diff --git base/allocator/dispatcher/dispatcher.cc base/allocator/dispatcher/dispatcher.cc
index 3dd632a89dc90..a64cd61ddb02b 100644
--- base/allocator/dispatcher/dispatcher.cc
+++ base/allocator/dispatcher/dispatcher.cc
@@ -8,6 +8,7 @@
 #include "base/check.h"
 #include "base/dcheck_is_on.h"
 #include "base/no_destructor.h"
+#include "cef/libcef/features/features.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/shim/allocator_shim.h"
 
@@ -33,7 +34,7 @@ struct Dispatcher::Impl {
   }
 
   void Reset() {
-#if DCHECK_IS_ON()
+#if DCHECK_IS_ON() && !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
     DCHECK([&] {
       auto const was_set = is_initialized_check_flag_.test_and_set();
       is_initialized_check_flag_.clear();
diff --git base/hash/md5.h base/hash/md5.h
index 215d636fec275..922e88f31b999 100644
--- base/hash/md5.h
+++ base/hash/md5.h
@@ -11,8 +11,9 @@
 #include "base/base_export.h"
 #include "base/containers/span.h"
 #include "build/build_config.h"
+#include "cef/libcef/features/features.h"
 
-#if BUILDFLAG(IS_NACL)
+#if BUILDFLAG(IS_NACL) || BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "base/hash/md5_nacl.h"
 #else
 #include "base/hash/md5_boringssl.h"
diff --git base/hash/sha1.h base/hash/sha1.h
index 2158b648ca58a..8a8cb13b2fd74 100644
--- base/hash/sha1.h
+++ base/hash/sha1.h
@@ -15,7 +15,9 @@
 #include "base/compiler_specific.h"
 #include "base/containers/span.h"
 #include "build/build_config.h"
-#if BUILDFLAG(IS_NACL)
+#include "cef/libcef/features/features.h"
+
+#if BUILDFLAG(IS_NACL) || BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "base/hash/sha1_nacl.h"
 #else
 #include "base/hash/sha1_boringssl.h"
diff --git base/metrics/crc32.cc base/metrics/crc32.cc
index 83e3cee2579ab..8238767ab9126 100644
--- base/metrics/crc32.cc
+++ base/metrics/crc32.cc
@@ -3,14 +3,15 @@
 // found in the LICENSE file.
 
 #include "base/metrics/crc32.h"
+#include "cef/libcef/features/features.h"
 
-#if !BUILDFLAG(IS_NACL)
+#if !BUILDFLAG(IS_NACL) && !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "third_party/zlib/zlib.h"
 #endif  // !BUILDFLAG(IS_NACL)
 
 namespace base {
 
-#if !BUILDFLAG(IS_NACL)
+#if !BUILDFLAG(IS_NACL) && !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 uint32_t Crc32(uint32_t sum, span<const uint8_t> data) {
   if (data.empty()) {
     return sum;
diff --git base/rand_util.h base/rand_util.h
index 746166bf75df7..7192a939e4fec 100644
--- base/rand_util.h
+++ base/rand_util.h
@@ -17,8 +17,9 @@
 #include "base/containers/span.h"
 #include "base/gtest_prod_util.h"
 #include "build/build_config.h"
+#include "cef/libcef/features/features.h"
 
-#if !BUILDFLAG(IS_NACL)
+#if !BUILDFLAG(IS_NACL) && !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "third_party/boringssl/src/include/openssl/rand.h"
 #endif
 
@@ -123,7 +124,7 @@ class RandomBitGenerator {
   ~RandomBitGenerator() = default;
 };
 
-#if !BUILDFLAG(IS_NACL)
+#if !BUILDFLAG(IS_NACL) && !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 class NonAllocatingRandomBitGenerator {
  public:
   using result_type = uint64_t;
diff --git base/rand_util_win.cc base/rand_util_win.cc
index 9c2ae8389bfb2..e639a4d85b3dd 100644
--- base/rand_util_win.cc
+++ base/rand_util_win.cc
@@ -20,7 +20,11 @@
 
 #include "base/check.h"
 #include "base/feature_list.h"
+#include "cef/libcef/features/features.h"
+
+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "third_party/boringssl/src/include/openssl/rand.h"
+#endif
 
 // Prototype for ProcessPrng.
 // See: https://learn.microsoft.com/en-us/windows/win32/seccng/processprng
@@ -32,6 +36,7 @@ namespace base {
 
 namespace internal {
 
+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 namespace {
 
 // The BoringSSl helpers are duplicated in rand_util_fuchsia.cc and
@@ -53,6 +58,10 @@ bool UseBoringSSLForRandBytes() {
   return g_use_boringssl.load(std::memory_order_relaxed);
 }
 
+#else  // !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+void ConfigureBoringSSLBackedRandBytesFieldTrial() {}
+#endif
+
 }  // namespace internal
 
 namespace {
@@ -70,11 +79,13 @@ decltype(&ProcessPrng) GetProcessPrng() {
 }
 
 void RandBytesInternal(span<uint8_t> output, bool avoid_allocation) {
+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
   if (!avoid_allocation && internal::UseBoringSSLForRandBytes()) {
     // BoringSSL's RAND_bytes always returns 1. Any error aborts the program.
     (void)RAND_bytes(output.data(), output.size());
     return;
   }
+#endif  // !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 
   static decltype(&ProcessPrng) process_prng_fn = GetProcessPrng();
   BOOL success =
diff --git base/unguessable_token.cc base/unguessable_token.cc
index ea33ca66f384c..33f4cc76f76bd 100644
--- base/unguessable_token.cc
+++ base/unguessable_token.cc
@@ -11,8 +11,9 @@
 #include "base/format_macros.h"
 #include "base/rand_util.h"
 #include "build/build_config.h"
+#include "cef/libcef/features/features.h"
 
-#if !BUILDFLAG(IS_NACL)
+#if !BUILDFLAG(IS_NACL) && !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "third_party/boringssl/src/include/openssl/mem.h"
 #endif
 
@@ -58,7 +59,7 @@ std::optional<UnguessableToken> UnguessableToken::DeserializeFromString(
 }
 
 bool operator==(const UnguessableToken& lhs, const UnguessableToken& rhs) {
-#if BUILDFLAG(IS_NACL)
+#if BUILDFLAG(IS_NACL) || BUILDFLAG(IS_CEF_SANDBOX_BUILD)
   // BoringSSL is unavailable for NaCl builds so it remains timing dependent.
   return lhs.token_ == rhs.token_;
 #else
diff --git base/win/sid.cc base/win/sid.cc
index 2f250ba9bf79d..0af427e779266 100644
--- base/win/sid.cc
+++ base/win/sid.cc
@@ -29,12 +29,56 @@
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_localalloc.h"
 #include "base/win/windows_version.h"
+#include "cef/libcef/features/features.h"
+
+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "third_party/boringssl/src/include/openssl/sha.h"
+#else
+#include <wincrypt.h>
+#endif
 
 namespace base::win {
 
 namespace {
 
+#if BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+
+#define SHA256_DIGEST_LENGTH 32
+
+bool SHA256(const uint8_t* InData, size_t InDataLen, uint8_t* OutHash) {
+  HCRYPTPROV hProv = 0;
+  HCRYPTHASH hHash = 0;
+
+  if (!CryptAcquireContext(&hProv, nullptr, nullptr, PROV_RSA_AES,
+                           CRYPT_VERIFYCONTEXT)) {
+    return false;
+  }
+
+  if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+    CryptReleaseContext(hProv, 0);
+    return false;
+  }
+
+  if (!CryptHashData(hHash, InData, static_cast<DWORD>(InDataLen), 0)) {
+    CryptDestroyHash(hHash);
+    CryptReleaseContext(hProv, 0);
+    return false;
+  }
+
+  DWORD dwHashLen = SHA256_DIGEST_LENGTH;
+  if (!CryptGetHashParam(hHash, HP_HASHVAL, OutHash, &dwHashLen, 0)) {
+    CryptDestroyHash(hHash);
+    CryptReleaseContext(hProv, 0);
+    return false;
+  }
+
+  CryptDestroyHash(hHash);
+  CryptReleaseContext(hProv, 0);
+  return true;
+}
+
+#endif  // BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+
 template <typename Iterator>
 Sid FromSubAuthorities(const SID_IDENTIFIER_AUTHORITY& identifier_authority,
                        size_t sub_authority_count,