| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IndexedDB: Unregister cursors from transactions more consistently.
IndexedDBCursor now calls IndexedDBTransaction::UnregisterOpenCursor()
in Close(), which is called by the destructor.
The previous setup missed an edge case where calling
IndexedDBCursor::Close() directly would not unregister the cursor. This
behavior was relied upon in IndexedDBTransaction::CloseOpenCursors(),
but was not intended at other callsites.
(cherry picked from commit 23303e6f178ca2993bfde7114e6bdf48dd0eff9d)
Bug: 1005753
Reviewed-by: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#699937}
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/branch-heads/3865@{#872}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I9a16b513715e05b3c85e80f9103305f771590a45
|
| |
|
|
|
|
|
|
|
|
|
| |
Roll expat to R_2_2_8-5-g4f23e05
Diffs here should match those at
https://github.com/libexpat/libexpat/compare/39e487da353b20bb3a724311d179ba0fddffc65b..4f23e05a33a66c5962589a32c87df4fe68144fce
Bug: chromium:1004341
Change-Id: I9a105b4e7635c262be4d090415b011e74b00c143
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
scanForNetworksWithParameters has ben removed in the sdk that ships
with XCode 11. Replace its use with scanForNetworksWithName.
The results should be the same.
Task-number: QTBUG-78997
Change-Id: Ifaeb6b380d02364133280b44644ae8ca1e51119a
Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
(cherry picked from commit 1f1bd0af331476d46fe69ceb6df14b82f98cd54d)
Reviewed-by: Dmitriy Kuminov <coding@dmik.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Backports the following Chromium fixes:
- [ios] Get things compiling on Xcode 11: https://chromium-review.googlesource.com/c/chromium/src/+/1642508
- mac: fix sdk version comparison: https://chromium-review.googlesource.com/c/chromium/src/+/1864374
Also fixes the same issue in gn.
Task-number: QTBUG-78997
Change-Id: Iaf3f5f2f69f7afd214e278ba24d04c238542cc40
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manually adapted backport.
[IndexedDB] Fixed invalid max_object_store_id after database deletion
The connection request system keeps around the LevelDBDatabase object
when a delete happens to allow subsequent open on that same database.
To do this, it resets the IndexedDBMetadata back to a default state.
During a recent refactor, this state reset wasn't done properly, and we
don't have any tests to catch that error. This change fixes that
incorrect state reset.
A test isn't included here because:
1. It passes the third party test provided to us,
2. The current unittesting framework isn't great and needs to be
replaced (don't want to create negative work)
3. It is pretty obvious this fixes the problem, and there are no other
'incorrectly' or 'not' re-initialized state here,
4. Current layout tests should have caught this, and it is unclear why.
Bug to create this test: https://crbug.com/1018444
5. IndexedDB work is currently on the backburner while Storage Service
is pursued, and won't be re-prioritized until next year-ish. I don't
want to spend time on this now when it's needed for Storage Service
work.
If more P0 bugs crop up in IndexedDB over the next week, then we may
have to re-think this policy and divert engineering effort towards
making IndexedDB more stable. This is present in m78, which was just
promoted to stable. If there are any more issues, we expect them to
show up in the next week or so.
TESTED=Manually tested using example test case from field.
R=cmp@chromium.org
Bug: 1018406
Change-Id: Idbde22b6cb13e25c56e2142a9ed2129aefabdb30
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual update.
Roll libxml, libxslt, that fixes a bug
libxslt fixed an issue with type confusion in xmlXPathNextPrecedingSibling.
R=dcheng@chromium.org
BUG=930663
Change-Id: Ib8055551b370c7d64957152e0fda57090110dee8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Change-Id: Ic9b8f1d1639a1ef4058f805aa37f7a3c4c5ed4ed
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport.
[M77] [resource-timing] Report performance entries with failing status codes
Currently we don't report performance entries with failing status codes.
From the spec's perspective, reporting aborts is a MAY, but failing
status code responses should not be considered aborts. [1]
Chromium is the only engine which doesn't report those entries.
This CL fixes that to report them similarly to successful status codes.
Bug: 883400, 990849
Change-Id: Ic5e99e3df77f3869aa0dd70f0141d88016fdb972
[1] https://github.com/w3c/resource-timing/issues/165#issuecomment-441413636
Commit-Queue: Yoav Weiss <yoavweiss@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#695596}
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/branch-heads/3865@{#857}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I5251942aa8061c3e93a4ae5a664fa81034df5395
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport.
Require dedicated process for all WebUI schemes.
This changes SiteInstanceImpl::DoesSiteURLRequireDedicatedProcess() to
return true for all WebUI schemes instead of just singling out the
chrome: scheme. This ensures that these URLs get placed in dedicated
processes even if site isolation is disabled.
(cherry picked from commit 7be7426134cc4978a253f3be6dcdbf77ee25702f)
Bug: 991153,991888
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Change-Id: I9862363c6bb7d78957819f5dfd89e37e8cb489d3
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[Media Session] Fix issues in media session
For more context, please see the bug. This CL
is two part:
1) Unconditionally remove the player from
the media session
2) Do not add a pepper player if focus fails
BUG=997190
(cherry picked from commit e30383d507bb7f94a42a32c42d98ff2dd4811166)
Commit-Queue: Becca Hughes <beccahughes@chromium.org>
Cr-Commit-Position: refs/branch-heads/3865@{#600}
Cr-Branched-From:
0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
chromium/content/browser/media/session/media_session_controller.cc
chromium/content/browser/media/session/media_session_impl_browsertest.cc
Change-Id: I8a90ffddcd3fd6a3f55c1b6036b89bb1b5dcd020
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport
Disallow combining Kana voiced sound marks (U+3099 and U+309A) in IDN
This CL disallows U+3099 and U+309A characters from domain names. Any IDN
containing these characters will be displayed as punycode.
As of July 2019, these characters are not used in any popular domains.
Bug: 868846
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Change-Id: I0d10343ad9b4a0cafa6f4739162a5095a8a80e16
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport.
Merge "Add more checks in MojoCdmService"
This is to prevent abnormal cases from happening.
(cherry picked from commit b7b305f3389017cc42e2cfac6e7a319f42d5bde3)
Bug: 999311
Test: Tested w/ shaka player demo and existing unit tests pass
Auto-Submit: Xiaohan Wang <xhwang@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: John Rummell <jrummell@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Xiaohan Wang <xhwang@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#691911}
Cr-Commit-Position: refs/branch-heads/3865@{#688}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I23d4a5c808d65d803c8cd637afe6436ca1a37117
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
| |
Fix an integer overflow in CPDF_RenderStatus::ProcessType3Text().
BUG=chromium:966263
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I756bd9226ac109ea33439c0b462fb32cd63ffab7
|
| |
|
|
|
|
|
|
|
|
|
| |
Manual backport.
XPath: Do not crash by a deep expression.
The union defined in xpath_grammar.y should be on the stack.
Bug: 961413
Change-Id: I58af2a86975e529fab21f526bfd3e398c18ee997
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make path URL parsing more lax
Parsing the path component of a non-special URL like javascript or data
should not fail for invalid URL characters like \uFFFF. See this bit
in the spec:
https://url.spec.whatwg.org/#cannot-be-a-base-url-path-state
Note: some failing WPTs are added which are because url parsing
replaces invalid characters (e.g. \uFFFF) with the replacement char
\uFFFD, when that isn't in the spec.
Bug: 925614
Change-Id: Iad9ef7456ddb4d86b1d8d995e2d48fee9483864e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed force close during pending connection open
During a force close of the database, the connections to that database
are iterated and force closed. The iteration method was not safe to
modification, and if there was a pending connection waiting to open,
that request would execute once all the other connections were
destroyed and create a new connection.
This change changes the iteration method to account for new connections
that are added during the iteration.
R=cmp@chromium.org
Bug: 941746
Change-Id: Idae4763a6249ece994eab485fbd40aa692a36052
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of:
Use response tainting to calculate CORS-exposed header-name list
XHR uses the same-originness of the request origin and the destination
URL to calculate the CORS-exposed header-name list, which leads to
wrong results with redirects. Use response tainting as specced.
Bug: 959390
Change-Id: I0531847b73ced5155a898e4c4607a5dbb4825f82
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport with adjustments:
Early return if a download Id is already used when creating a download
This is protect against download Id overflow and use-after-free
issue.
BUG=958533
Change-Id: Ib7501ceaefd87390369e3206f645f0e8622220a1
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
| |
sqlite: backport bugfixes for dbfuzz2
Bug: 952406
Change-Id: I67092be3853d92e80153ef647f6639403c6e4eb5
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
| |
sqlite: Backport bugfix for clusterfuzz security bug
Bug: 940205
Change-Id: If45839bcf60b29db3ee0096a69a05dfcf8c7c9c2
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[DevTools] Escape exclamation points in copy as curl
Manual cherry-pick.
Bug: 919356
Change-Id: Ica39b0f779e7afa8595de9481f2778b7842966fe
--------------------------------------------------------------------
DevTools: fix encoding for Copy as cURL
Before, the 'Copy as cURL' option would escape all characters outside
of a limited range [\x20-\x7e] with ANSI-C `\u` or `\x`. This caused
problems because `\x` does not properly encode Unicode chars outside
of the range (e.g. latin, CJK, emoji).
Instead, this CL treats control codes (C0, C1 sets) as the only
characters that need `\u` escaping, while everything else (except
single quote, backslash, newline) is not escaped.
Bug: 578054
Change-Id: I7587ea07250ff28bcde12cd62bc0e8a61757028d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup media BitReader ReadBits() calls
Initialize temporary values, check return values.
Small tweaks to solution proposed by adtolbar@microsoft.com.
Bug: 929962
Change-Id: I06501312c651ef305fe3cfa17f58d5cbac3f95e6
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport from Blink to WebKit.
CORS errors are broken for ImageBitmapRenderingContext
ImageBitmapRenderingContext.toDataURL() does not throw CORS errors
when reading from a tainted canvas. It is not super urgent right now
as the entire functionality is broken, it simply returns black pixels,
so there is no security vulnerability RIGHT now. Regardless
once https://bugs.chromium.org/p/chromium/issues/detail?id=838108 is
fixed, it will expose a problem.
Currently toDataURL() in dev builds fails https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/graphics/unaccelerated_static_bitmap_image.cc?q=unaccelerated_static_bitmap_image&sq=package:chromium&dr=C&l=28
and on https://cs.chromium.org/chromium/src/cc/paint/paint_image_builder.cc?dr=C&q=paint_image_builder&sq=package:chromium&g=0&l=47
not sure when this was introduced, but as of now we have no tests for
toDataURL().
toDataURL() with LOCAL images also appears to be broken for
ImageBitmapRenderingContext, as it just returns empty images.
Will add tests and try to fix those problems in other CLs
Bug: 930057
Change-Id: I4e0837a49f7a71c937746fbcac8b6edcf51fd6d7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To M73: MSE: Prevent OOB in AVC conversion to AnnexB
Overflowing size_t buffer indexer could allow OOB unless overflow is
caught.
BUG=933743
Change-Id: I9955fe1deb807171d73bdb7b48629fc747f99df6
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport of original patch by John Rummell <jrummell@chromium.org>:
Fix buffer size comparisons for VP8 parser
With fuzzed data the frame_size field can be huge, which causes the
address range checks to fail.
BUG=917608
Change-Id: I5fcaeac4681ed24924034dd2230e45d0e72f756b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Backport of patch by Jan Wilken Dörrie <jdoerrie@chromium.org>:
[Sandbox] Fix integer overflow in CreateFromBuffer
This change fixes a integer overflow in
CrossCallParamsEx::CreateFromBuffer, resulting in a fuzzer failure.
Bug: 916874
Change-Id: Ie9f6f0e5ac83b1147926e00a23729209d6d66128
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
| |
Original patch by Tobias Tebbi <tebbi@chromium.org>:
[ic] do not expose global object
Bug: chromium:913212
Change-Id: I9173e33a539c89bb9e8ff5edeca16cb8a8d4529b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enfore valid register for SignExtendWord8ToInt32.
On ia32, the instruction selector uses movsx_b to compile the wasm
SignExtendWord8ToInt32 instruction. movsx_b requires a byte register
as input. However, not all allocatable registers on ia32 are. As we
cannot currently express constraints on subsets of registers, this
change now forces the input to movsx_b into eax.
Bug: chromium:919572
Change-Id: I40b128958b5994bdcba5c313a8d5f1986565fa64
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
[wasm][arm] Fix {Word32Shr} instruction selection.
This fixes a corner case with the matching for a {UBFX} instruction.
According to the ISA reference "UBFX Rd, Rn, #lsb, #width" is only valid
for "#width" in the [1;32-#lsb] range. Specifically a "#width" of 0 is
invalid but was not checked against by the instruction selector.
BUG=chromium:924905
Change-Id: I76f2cc7090111427807730a6e0d188b9647e0a1c
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Manual backport from scoped_refptr to WTF::RefPtr
Make ElementResolveContext hold a ref to the root element's ComputedStyle
Bug: 947029
Change-Id: I94fc947269bdeb868df6439c70bf9dbc8f24ab4b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport of original patch by Sam Zackrisson <saza@webrtc.org>:
Change the type of indW32 back to int32_t
It was changed to size_t in https://codereview.webrtc.org/1227163003,
which makes sense if the pitch lags in the code are also guaranteed
to be non-negative. Otherwise, integer wraparounds may happen, which
causes the code to circumvent the check for too low values here:
https://cs.chromium.org/chromium/src/third_party/webrtc/modules/audio_coding/codecs/isac/fix/source/pitch_filter.c?q=webrtcisacfix_pitchfilter&sq=package:chromium&g=0&l=112
Bug: chromium:906379
Change-Id: Ia9711fdba80f091f86230cc84629406500e8e232
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Initialize line width clamp values
Bug: 906652
Change-Id: Ic78fc4688977de77b835ed7b9eaa121a911f46c9
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Update chrome.dashboardPrivate API match
Bug: 937487
Change-Id: I18fd1d617b11c43a92ef8b5b8d0965ea3a2f624e
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
| |
The function signature changed though the ABI stayed the same.
Change-Id: I86ca361b5e4f0c523e1031910df438c23beee876
Fixes: QTBUG-77037
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
(cherry picked from commit b84e8682b312fb16b16ffb9591415067ceae69f8)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent kernel commit[1] moved a bit the define for this constant. This revealed
a missing include in WebRTC.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0768e17073dc5
Bug: webrtc:10677
Change-Id: I6ed69d307599d077760ae6ad74be10bfbdd1cac6
Commit-Queue: Karl Wiberg <kwiberg@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#28108}
See-Also: https://chromium.googlesource.com/external/webrtc/+/6806550d5d51a820104a12205d1f37ce0acebf19
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
(cherry picked from commit 74e69da92d0a895122ca65922b9a2b8b3926c882)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
| |
Change-Id: I291dd041c5646c4fdd714ff98dd939566861d921
Reviewed-on: https://chromium-review.googlesource.com/892092
Task-number: QTBUG-75853
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
|
| |
|
|
|
|
| |
Change-Id: Id43be7e7ac15b1c407d8179719eb364d3daaa6a1
Fixes: QTBUG-75212
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
|
| |
|
|
|
|
|
| |
Including fix for Chrome security issue 872189
Change-Id: Ibb02f48346bfab74012cb8b091b984546ae04251
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix UAP in ImageBitmapLoader/FileReaderLoader
FileReaderLoader stores its client as a raw pointer, so in cases like
ImageBitmapLoader where the FileReaderLoaderClient really is garbage
collected we have to make sure to destroy the FileReaderLoader when
the ExecutionContext that owns it is destroyed.
TBR=mek@chromium.org
(cherry picked from commit 419c4bfbfb94849ed30dcab7c3aaf67afe238b27)
Bug: 913970
Change-Id: I40b02115367cf7bf5bbbbb8e9b57874d2510f861
Reviewed-on: https://chromium-review.googlesource.com/c/1374511
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#616342}
Reviewed-on: https://chromium-review.googlesource.com/c/1379106
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#368}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
vp8: Fix potential use-after-free in mfqe.
Similar issue to 842265.
The pointer in vp8 postproc refers to show_frame_mi which is only
updated on show frame. However, when there is a no-show frame which also
changes the size (thus new frame buffers allocated), show_frame_mi is
not updated with new frame buffer memory.
Change the pointer in postproc to mi which is always updated.
BUG= 913246
(cherry picked from commit 0e408ea67cd142a3f27189d7e00cbabea96a28d6)
[modify] https://crrev.com/be3c1ee28aeb699c508b02cfcccf7f13feaed3eb/vp8/common/mfqe.c
Change-Id: I5159ba7134a06db472c29a1d84b8d39bb60c7254
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Merge M72: FileReader: Make a copy of the ArrayBuffer when returning partial results.
This is to avoid accidentally ending up with multiple references to the
same underlying ArrayBuffer. The extra performance overhead of this is
minimal as usage of partial results is very rare anyway (as can be seen
on https://www.chromestatus.com/metrics/feature/timeline/popularity/2158).
Bug: 936448
Reviewed-on: https://chromium-review.googlesource.com/c/1492873
Task-number: QTBUG-74254
Change-Id: I00f95963946c1258f6a1e7da814fb41a957df569
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Merge "Fix crashes in RenderFrameImpl::OnSelectPopupMenuItem(s)" to M72 branch
ExternalPopupMenu::DidSelectItem(s) can delete the RenderFrameImpl.
We need to reset external_popup_menu_ before calling it.
Bug: 912211
Change-Id: Ia9a628e144464a2ebb14ab77d3a693fd5cead6fc
Reviewed-on: https://chromium-review.googlesource.com/c/1381325
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#618026}(cherry picked from commit 5405341d5cc268a0b2ff0678bd78ddda0892e7ea)
Reviewed-on: https://chromium-review.googlesource.com/c/1390879
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#519}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
M71: Clone dict before iteration in CJS_Document::get_info
Bug: chromium:895152
TBR=tsepez@chromium.org
Change-Id: I678350841892f88a5d580b58a33a639a1b6ec305
Reviewed-on: https://pdfium-review.googlesource.com/c/44050
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit d2e27d660a96080882e43825fb4b5d03e8a4d05a)
Reviewed-on: https://pdfium-review.googlesource.com/c/47333
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disable FileSystemManager::CreateWriter if WritableFiles isn't enabled.
TBR=mek@chromium.org
(cherry picked from commit f045c704568e9cf6279b3cbccbec6d86c35f8a13)
Bug: 922677
Change-Id: Ib16137cbabb2ec07f1ffc0484722f1d9cc533404
Reviewed-on: https://chromium-review.googlesource.com/c/1416570
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#623552}
Reviewed-on: https://chromium-review.googlesource.com/c/1427044
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#755}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick : change convex scan converter to be defensive
Intended for M72
Had to perform manual rebase to both SkPath.cpp and SkScan_Path.cpp as
they had diverged by the time I tried the cherry-pick from head.
Bug: 899689
Bug: skia:8606
Change-Id: Ie6c13dcd2e45d55faef4180ede299703f71b1412
Reviewed-On: https://skia-review.googlesource.com/c/175832
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-By: Mike Klein <mtklein@google.com>
Reviewed-By: Cary Clark <caryclark@google.com>
Reviewed-on: https://skia-review.googlesource.com/c/182443
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix CPLW_Wnd ownership model in CFFL_FormFiller.
CFFL_FormFiller::DestroyPDFWindow() might get re-entered, so
do not leave any dangling references in maps. Use unique_ptr
to be more sure that we have it right.
Bug: chromium:898531
Reviewed-on: https://pdfium-review.googlesource.com/c/44542
Change-Id: I01f2986c6082760b3d73f5326dab9d6f0017a5ea
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
M70: Validate decoder pipelines.
PDF decoders, AKA filters, can be chained together. There can be
an arbitrary number of decoding / decompressing filters in the pipeline,
but there should be at most 1 image decoder, and the image decoder
should only be at the end of the chain.
BUG=chromium:880675
TBR=tsepez@chromium.org
Change-Id: Iffa27c70ec1ed7574e38e0de23413840ee900959
Reviewed-on: https://pdfium-review.googlesource.com/42711
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400)
Reviewed-on: https://pdfium-review.googlesource.com/42970
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Merge M71: Make public IndirectObjectHolder orphan tracking feature
Original CL at https://pdfium-review.googlesource.com/c/45111
Manual merge to avoid conflicts.
Bug: chromium:901654
Reviewed-on: https://pdfium-review.googlesource.com/c/45330
Change-Id: Ifdad31c5ef15b5d2479c571d43b00bd3edbca5e3
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Merged: [turbofan] Fix Math.expm1 builtin typing.
Revision: c59c9c46b589deb2a41ba07cf87275921b8b2885
BUG=chromium:880207
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org
Change-Id: I453d23ff1bfe355c792b39d7e69d48cc5414cd47
Reviewed-on: https://chromium-review.googlesource.com/c/1316047
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.1@{#32}
Cr-Branched-From: f70aaa8ab2e8815505a6145c745e50d8328cd28c-refs/heads/7.1.302@{#1}
Cr-Branched-From: 1dbcc78efa17a9047f7e923958087ef9eec43066-refs/heads/master@{#56462}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
| |
Don't use is_fuchsia
Change-Id: I12e8b64ff12657fa3dd87060953cf5ac88e52852
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
| |
|
|
|
|
|
| |
Declare use_fuzzing_engine
Change-Id: Ib1cc7d19ca9bac219fc15983d590611995aadbde
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
|
