Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2153325:
Avoid nullptr dereference in RTCPeerConnectionHandler
Bug: 1071327
Fixes: QTBUG-86752
Change-Id: Icf4189905dc5c95854b5af4b3e5e25e0607dd39e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
M85: Correctly retrieve the plugin when printing.
The logic in PrintRenderFrameHelper to retrieve a plugin is out of sync
with the logic in WebLocalFrameImpl::PrintBegin(). If
PrintRenderFrameHelper thinks it is printing a webpage, while
WebLocalFrameImpl thinks it is printing a plugin, bad things happen.
Fix this by adding WebLocalFrame::GetPluginToPrint(), to expose the
plugin finding logic in WebLocalFrameImpl. With GetPluginToPrint()
available, PrintRenderFrameHelper can delete its own GetPlugin() helper,
and switch the GetPlugin() callers to use GetPluginToPrint() instead.
Once synchronized, some use cases for printing Flash now work correctly.
(cherry picked from commit f8d7d428b1549ff1f87e3d34c5ca0b53d6ce4e84)
Tbr: japhet@chromium.org
Bug: 1098860
Change-Id: I9500db9ed2d6da0f87dad84c197f738d3a1e3c84
Reviewed-by: Nate Chapin <japhet@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#791564}
Reviewed-by: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/branch-heads/4183@{#1009}
Cr-Branched-From: 740e9e8a40505392ba5c8e022a8024b3d018ca65-refs/heads/master@{#782793}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Pull in a more recent OpenH264 sources from Chromium 85
Change-Id: Iad5293f5eb3332c35a823a5b3a76f66ecf9afa2b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Remove anonymous block wrapper when inline continuation is removed.
Keeping empty anonymous blocks around is bad. The only known actual
problem is in multicol (but it may cause other issues too). Based on the
layout object tree, multicol creates anonymous LayoutMultiColumnSet and
LayoutMultiColumnSpannerPlaceholder objects, to keep track of what is
regular column content and what are spanners. Leaving a
LayoutMultiColumnSet around just for the sake of an empty anonymous
block (which may get cleaned up without notifying the multicol code)
will confuse multicol layout.
(cherry picked from commit 48919b7a63545c092d11d2424cb4058ffa0ef7c3)
Bug: 1102137
Change-Id: Ibfb46d0dc173ecfdb2e7903efee5a49de3da3ff3
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#786197}
Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org>
Cr-Commit-Position: refs/branch-heads/4183@{#658}
Cr-Branched-From: 740e9e8a40505392ba5c8e022a8024b3d018ca65-refs/heads/master@{#782793}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
[Presentation API] Fix use-after-free.
This fixes a potential UAF in PresentationConnectionCallbacks::OnSuccess.
TBR=mlamouri@chromium.org
(cherry picked from commit 42a17e378ad7efbf57d47f3a7612d7c7cf95a907)
Bug: 1116706
Change-Id: I25fc55edf968f41bfedecbeb2054a5eae56d0de7
Reviewed-by: Mounir Lamouri <mlamouri@chromium.org>
Commit-Queue: mark a. foltz <mfoltz@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#799342}
Reviewed-by: mark a. foltz <mfoltz@chromium.org>
Cr-Commit-Position: refs/branch-heads/4183@{#1636}
Cr-Branched-From: 740e9e8a40505392ba5c8e022a8024b3d018ca65-refs/heads/master@{#782793}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Set explicitly PNG_ARM_NEON_OPT for arm in gn.
This fixes fat library on iOS.
Change-Id: I8f46d9e4915d990d3fa79a33b733ef1fa17b2afe
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
It works just fine for us, no need to block compilation just because
upstream is lazy.
Task-number: QTBUG-86092
Change-Id: If4077d12f8d5a7054603bf9d434165f621e6393e
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Do a replace run inspired by newer versions of the script.
Fixes: QTBUG-86018
Change-Id: Ib1dc771e22a662aff0fae842d135ad58fad08bc1
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Task-number: QTBUG-85626
Change-Id: I67544564d352d86d559cac21448a78ea4de38cb8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2285473:
Use SupportWeakPtr in OfflineAudioDestinationHandler
OfflineAudioDestinationHandler's render thread notifies the
main thread when the rendering state changes. In this process,
the associated audio context can be deleted when a posted task
is performed sometime later in the task runner's queue.
By using WeakPtr, the task runner will not perform a scheduled task
in the queue when the target object is no longer valid.
Bug: 1095584
Test: Locally confirmed that the repro case does not crash after 30 min.
Change-Id: Ic1814b97f8d9a8d1027ef04f475112874cfa8137
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Raymond Toy <rtoy@chromium.org>
Commit-Queue: Hongchan Choi <hongchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#786381}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/2298145:
Fix stale validation cache on buffer deletion.
When we would delete the currently bound element array buffer we
would neglect to invalidate a specific validation cache variable.
This incorrectly would let us skip buffer size validation and lead
to internal invalid memory accesses.
Bug: chromium:1105202
Change-Id: I23ab28ccd3ac6b5d461cb8745b930f4d42d53b35
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2314158:
Update FocusChanged notifiers to operate on a copy
These focus changed calls ultimately trigger javascript events. These
events could potentially run code that would modify the list of items
that the FocusChanged notifiers are notifying, and thus invalidate their
in-use iterators.
Fix this by having these methods iterate over a copy instead of the
member list.
Fixed: 1107815
Change-Id: I03fa08eeadc60736f3a3fae079253dbd3ee26476
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Klaus Weidner <klausw@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Auto-Submit: Alexander Cooper <alcooper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791261}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2311620:
indexeddb: fix crash in WebIDBGetDBNamesCallbacksImpl
Resolve() can end up freeing WebIDBGetDBNamesCallbacksImpl by throwing a
mojo error that deletes the self-owned associated receiver that owns it.
So, don't call any other functions after it.
As the promise resolver can only resolve/reject once, it is safe to
not clear it.
Bug: 1106682
Change-Id: Iea943f3c5c1e57adb6ad399baff49522f54d264b
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Auto-Submit: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790857}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2312703:
Use copy of source map in MediaElementElementListener::UpdateSources()
Prior to this CL, this function iterated over a source map that could
be modified by a re-entrant call triggered by JS code.
Bug: 1105426
Change-Id: I47e49e4132cba98e12ee7c195720ac9ecc1f485b
Reviewed-by: Marina Ciocea <marinaciocea@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790894}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/304416:
MallocPixelRef should always allocate as large as computeByteSize() says
Bug: 1103827
Change-Id: I837f92cf10a1a389fe1b0ba55ae1323e7e68f741
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2314981:
Fix iterator invalidation issue
If a RemotePlayback availabilityCallback invokes watchAvailability(),
it may cause changes to the underlying |availability_callbacks_|. This
can invalidate the iterator we are using to loop over the callbacks.
This CL copies the callbacks to a vector before invoking them, allowing
them to add/remove callbacks without problem.
Bug: 1108497
Change-Id: I78220da0b8e10c1d6c0e4fa5e15ada81f10f8fc3
Auto-Submit: Thomas Guilbert <tguilbert@chromium.org>
Reviewed-by: Mounir Lamouri <mlamouri@chromium.org>
Commit-Queue: Thomas Guilbert <tguilbert@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791472}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2308550:
Worker: Fix a race condition on task runner handling
WebSharedWorkerImpl accesses WorkerScheduler from the main thread to
take a task runner, and then dispatches a connect event to
SharedWorkerGlobalScope using the task runner.
This causes a race condition if close() is called on the global scope
on the worker thread while the task runner is being taken on the main
thread: close() call disposes of WorkerScheduler, and accessing the
scheduler after that is not allowed. See the issue for details.
To fix this, this CL makes WebSharedWorkerImpl capture the task runner
between starting a worker thread (initializing WorkerScheduler) and
posting a task to evaluate worker scripts that may call close(). This
ensures that WebSharedWorkerImpl accesses WorkerScheduler before the
scheduler is disposed of.
Bug: 1104046
Change-Id: I145cd39f706019c33220fcb01ed81f76963ffff0
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790284}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/2314216:
D3D11: Fix bug with static vertex attributes.
In some specific cases after binding a zero size buffer we could end
up trying to use a buffer storage that was no longer valid. Fix this
by ensuring we don't flush dirty bits when we have an early exit due
to a zero size buffer.
Also adds a regression test.
Bug: chromium:1107433
Change-Id: I9db560e8dd3699abed2bb7fe6d91060148ba1817
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Chromium was forcing the debugger to look for the pdb files in the same dir
as the executable, which just isn't true for us.
Change-Id: I2577bd4a10d677fcd273161ca830322b5a01e1fe
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Manual backport of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/293349:
Rewrite SkVertices serialization to use SkReadBuffer/SkWriteBuffer
These classes are much safer (there's no way to safely deserialize a
string with SkReader32 without knowledge of how it works internally).
Prior to this CL, SkVertices was the only complex type that had manual
serialization using the lower level types - now it works like everything
else. Additionally: the versioning can now be tied to picture versions
going forward (like everything else).
Bug: chromium:1105720
Bug: chromium:1105723
Bug: oss-fuzz:22909
Bug: oss-fuzz:22918
Bug: skia:9984
Bug: skia:10304
Change-Id: I3cf537eb765b5c8ce98b554c0f200e5d67c33d14
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
I had to apply this in Debian to make Qt WebEngine build with GCC 10.
Gentoo has this patch too: https://bugs.gentoo.org/721876#c13.
Change-Id: I6f331823783e6504753e7ef50549dd5055e44482
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Didn't compile
Change-Id: I08feb425e6dcd42fb401eb8a4e5421f003126551
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Bug: 1050608
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#740710}
Fixes: QTBUG-85863
Change-Id: If05d806be6ff35c209c983ef8d79790ecd1addb7
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2203776:
fido: improve guards against adding authenticators with identical IDs
Make FidoRequestHandler::AuthenticatorAdded() return early when an
FidoAuthenticator is added whose ID matches that of a previously added
authenticator. The request handler previously did not add the
duplicate authenticator into its |active_authenticators_| map, but then
attempted to dispatch its request to it (or rather to an invalid
reference).
Also better guard against authenticators being removed during
initialization by making the (asynchronously run)
InitializeAuthenticatorAndDispatchRequest() method look up the
AuthenticatorState for the authenticator to be initialized by its ID
rather than passing around AuthenticatorState pointers that may have
been freed by the time the method runs because the authenticator went
away.
Lastly, derive VirtualFidoDevice IDs randomly. It previously used its
instance pointer address for "randomness" which, aside from being weird,
could lead to re-use of IDs. (FidoAuthenticator ID reuse in itself
_should_ not be a problem, but certainly could lead to bugs if the rest
of the code is less than careful about it.)
Bug: 1082105
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Christopher Thompson <cthomp@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#770190}
Change-Id: Ie4e3fd39c3360bf0131cdd6dd33b2be4dbb225a8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2228136:
Revert "fido: add FidoDiscoveryFactory::ResetRequestState()"
This reverts commit 9f151687295d2547bc3d7c1542b80505552f0f87.
Reason for revert: The original change makes invalid assumptions
about the lifetime of FidoDiscoveryFactory (crbug/1087158). Instances of
FidoDiscoveryFactory generally belong to the
AuthenticatorRequestClientDelegate and as such should outlive the
WebAuthn request. As an exception, instances obtained via
AuthenticatorEnvironmentImpl::GetDiscoveryFactoryOverride() may be
unregistered and freed before the request finishes.
This revert is safe because the caBLE data reset by ResetRequestState
(a) only gets set in the first place if the
WebAuthenticationPhoneSupport flag is on (which is default-off); and (b)
gets set anew for every single request, so it will never be reused
across requests.
Bug: 1087158
Original change's description:
> fido: add FidoDiscoveryFactory::ResetRequestState()
>
> FidoDiscoveryFactory instances generally outlive a WebAuthn request, but
> some of the state is specific to a single request (caBLE pairing and QR
> code generation keys). This is currently not an issue, because
> AuthenticatorCommon explicitly resets all that state at the beginning of
> the request. But I worry that we accidentally break that and leak state
> between requests. To mitigate, introduce an explicit ResetRequestState
> function and call it in AuthenticatorCommon::Cleanup().
>
> Change-Id: I8333a3b14d189d7977cde17cbfe44b4b8dcf6ee2
> Reviewed-on:
> https://chromium-review.googlesource.com/c/chromium/src/+/1793792
> Commit-Queue: Martin Kreichgauer <martinkr@chromium.org>
> Reviewed-by: Nina Satragno <nsatragno@chromium.org>
> Reviewed-by: Adam Langley <agl@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#696593}
Reviewed-by: Nina Satragno <nsatragno@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/master@{#774784}
Change-Id: I75c800d5370ce9d7003846985d038cd566739be5
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2283901:
Fix UAF in SelectType
This fixes the UAF detected by ClusterFuzz in [1], caused by [2].
The test case added here is a minimized version of the clusterfuzz
case, and I verified that it crashes (ASAN UAF) before this patch
and no longer crashes after.
[1] https://clusterfuzz.com/testcase-detail/6224868955193344
[2] https://chromium-review.googlesource.com/c/chromium/src/+/1912682
Fixed: 1102408
Change-Id: Ieb6a9582ff5b9676596048920bbcff881fdc2eb2
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Auto-Submit: Mason Freed <masonfreed@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#785970}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2304538:
usb: Prevent iterator invalidation during Promise resolution
This change swaps sets of ScriptPromiseResolvers into local variables in
a number of places where it was possible for script to execute during
the call to Resolve() or Reject() and modify the set being iterated
over, thus invalidating the iterator.
(cherry picked from commit dbc6c3c3652680e287c60b3c6551622748543439)
Bug: 1106773
Change-Id: Id4eb0cd444a7dbb5de23038ec80f44fee649cfe4
Auto-Submit: Reilly Grant <reillyg@chromium.org>
Commit-Queue: James Hollyer <jameshollyer@chromium.org>
Reviewed-by: James Hollyer <jameshollyer@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#790217}
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/branch-heads/4147@{#931}
Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/179161
Check for null before accessing SctpTransport map.
Bug: chromium:1104061
Change-Id: I52d44ff1603341777a873e747c625665bc11bfa5
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2157382:
[protectors] Move regexp species protector back to the isolate
This reverts the changes made in
https://chromium-review.googlesource.com/c/v8/v8/+/1695465
https://chromium-review.googlesource.com/c/v8/v8/+/1776078
We originally moved this protector to the native context to avoid
cross-native-context pollution of protector state. Ideally,
invalidating a protector in one NC should not affect any other NC.
But as it turns out, having the protector on the NC causes more
problems than it solves since all affected callers now need to find
the correct native context to check. Sometimes (e.g. in CSA regexp
builtins) it is possible to blindly check the current NC, but the
reasoning behind this optimization is tricky to understand.
Sometimes, fetching the correct NC is not possible due to access
restrictions. These implementation complexities outweigh the (unknown)
potential performance benefits.
In the future we should attempt to move away from the protector
concept for these kinds of checks.
Bug: chromium:1069964,v8:9463
Change-Id: I2cbb2ec7266282165dae5e4a6c8bdbda520c50a9
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67415}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2134662:
Adding a new MSAN check to validate if the skImage is initialized
ImageDataBuffer may be trying to copy an uninitialized SkImage.
Adding an MSAN check before doing the copy to ensure that it has
been initialized.
Bug: 1052492
Change-Id: I6cfefffe42f5cf11eaf5119df1352338c2b00010
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Auto-Submit: Juanmi Huertas <juanmihd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#757045}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Update sqlite to version 3.32.1
Backport of patch originally committed as
https://chromium.googlesource.com/chromium/deps/sqlite/+/b5399f70d4778fa2f0f0ada1bb5910e14c096be9
Amalgamations for release 3.32.1
Bug: 1087629
Also fixes bug 1029569
Change-Id: If43d7c75cf5a8028d6f0e88a65d819cf5d298e0e
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I007de1b12ddb952516f373360da29e58c13850b2
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2241517:
Relax a CHECK
The condition was too strong since we never store Smis into
{previously_materialized_objects}.
Bug: chromium:1094132
Change-Id: I680eb7f175f12d3c44882fd8a9eff0d062eda55f
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68317}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Do not include FIDO just to build typemaps
Change-Id: I84a1bef5241e0c9abb497466565c33ed1b6abbc6
Reviewed-by: Tamas Zakor <ztamas@inf.u-szeged.hu>
Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2160909:
Check for executionContext returning null
This will happen if invoking functions on an object after its
context has been destroyed.
Added test.
Bug: chromium:1072412
Change-Id: Icc2e8a5ad47398acffb2d56a299a51b11386c9f2
Commit-Queue: Harald Alvestrand <hta@chromium.org>
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#763355}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1961827:
Use [RaisesException] for immediate promise rejections in peerconnection
This is a part of effort for using [RaisesException] when synchronously
rejecting a promise.
It uses [RaisesException] for
//third_party/blink/renderer/modules/peerconnection.
Bug: 1001114
Change-Id: I0d309be08a87e99af777a802301f55242c367057
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Commit-Queue: Julie Kim <jkim@igalia.com>
Cr-Commit-Position: refs/heads/master@{#724165}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2147813:
Add some crash debugging checks
Bug: 1065122
Change-Id: I2d73a5d5d1e9ed59f26afe10fcce421572ca7fe6
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#758849}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/2108824:
Check that ogg stream contains enough data while checking codec
If the buffer doesn't contain enough bytes when replacing a stream,
fail rather than continuing on with uninitialized data.
Bug: 1054229
Test: Failing fuzzer test passes locally
Change-Id: Ieee9484159a9a3715dca62ffaff3a9c6817694d3
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
- Enable typemaps.gni for WebAuth.
- Workaround a gcc 6 compiler error when flat_map is uncopyable.
- Also fix the build with gcc 6 and gcc 7.
Task-number: QTBUG-54720
Task-number: QTBUG-85117
Change-Id: If73ce3fccdb7fc3dc2cddd39bba998f51956e45a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Backport of patch originally committed to ffmpeg:
libavformat/amr.c: Check return value from avio_read()
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with initialized data. Caught by
Chromium fuzzers (crbug.com/1065731).
Change-Id: I6fc8f1f2abddb6ed1e4aaf36da174c4912aa252a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2135407:
Fix text fragment for user activation
For security reasons, text fragments must only be activated when
navigated with a user gesture. However, browser initiated navigations
(e.g. user typing in the omnibox, bookmarks) don't have the user gesture
bit set despite being initiated by the user (see discussion in
https://crrev.com/c/2132673 for details). Because of this limitation,
text fragment code explicitly checked if the navigation was browser
initiated, assuming that such navigations are always user activated.
However, history navigations are a special case. They're intentionally
considered to be browser initiated, even if they originate from renderer
script (e.g. `history.back()`). This meant that our check above would
allow script to use the history API to activate a text fragment without
a user gesture.
This CL explicitly forbids activating a text fragment if the navigation
is of history type. This is a trivial change (in terms of UX) because a
history navigation will restore the scroll position to where the user
left off so the text fragment scroll is already clobbered. This change
prevents a transient scroll that will be undone.
Note: we had an explicit test for this case that failed to catch the
failure. The reason was that the test was checking that the fragment
wasn't activated by checking that the scroll offset after a navigation
is 0. However, the text fragment's scroll would be clobbered (assuming
by history scroll restoration) so this check would erroneously pass. We
fix it in this CL by using a scroll listener so that we can tell a
scroll occurred even if it is later restored.
Bug: 1042986
Change-Id: Ia0ad9a8adcda2250603e6a7dd2b386193be2a6e6
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
developer tools
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2154228:
DevTools: check whether Fetch domain is enabled before handling commands
Bug: 1016278
Change-Id: Icd80e3b287f090ffb4ac67437e7e1ebae392c98b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2254119:
Guard against UaF in NavigationRequest
This CL adds a check in NavigationRequest::OnWillProcessResponseProcessed to
return early if the call to ReadyToCommit leads to the deletion of the
NavigationRequest.
Bug: 1090543
Change-Id: Ida21db80caef1772f2f21c5d2449d3efe4dd1bb1
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2161355:
Use parseHTMLSubset() in chrome://histograms.
This prevents a maliciously created histogram name from injecting
code (XSS) in the context of chrome://histograms.
Fixed: 1073409
Change-Id: I75c9a26b95363cad4a470ed6488718421289961e
Commit-Queue: dpapad <dpapad@chromium.org>
Auto-Submit: dpapad <dpapad@chromium.org>
Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
Cr-Commit-Position: refs/heads/master@{#761723}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/173821:
Update set of known root certificates.
This has been automatically generated by running [1].
See https://codereview.webrtc.org/1503473002 for some background about
the generator script.
[1] - https://cs.chromium.org/chromium/src/third_party/webrtc/tools_webrtc/sslroots/generate_sslroots.py
Bug: chromium:978779
Change-Id: I78cf8947b3363738dd0e21182348253dbad95f02
Reviewed-by: Taylor <deadbeef@webrtc.org>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#31131}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2181318:
Fix uninitialized frame policy issue in javascript url
This CL follows up the previous CL that fixed the timing bug on
frame policy(https://chromium-review.googlesource.com/c/chromium/src/+/1852905).
There was an uncovered code path for subframe navigation where frame
policy is not initialized.
Bug: 1074340
Change-Id: I3840cd5a4f8b18f0976b164e5c768ad56eb6e492
Reviewed-by: Philip Jägenstedt <foolip@chromium.org>
Commit-Queue: Charlie Hu <chenleihu@google.com>
Cr-Commit-Position: refs/heads/master@{#767358}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2202394:
[PATCH] Replace memcopy with memmove for overlapping copies
copyFromChannel can produce overlapping areas when the source array is
the same as the channel data array. Use memmove instead of memcpy to
handle this case. copyToChannel has the same issue, so fix that too.
Manually tested the repro case with a local asan build. The issue no
longer reproduces.
Bug: 1081722
Change-Id: I168ef418fccf45646bb4d8a01c22cecfbd5da20b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Manual cherry-pick of patch originally reviewed on
Drop SkTextBlobs with > 2M glyphs.
This will guard against buffer overflows
for large text blobs.
Bug: chromium:1080481
Change-Id: I13a10869babfa149a70c2f4caebb3a1ae4452b77
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2153215:
guard against missing CommandLineAPIScope
Fixed: chromium:986051
Change-Id: I01ef94fe43ac5c8734890706a6dccd01e008bfec
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67204}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
To fix warnings/errors from binutils 2.35 branch about relocation in
read-only section `.text'.
See the following binutils bugs:
- https://sourceware.org/bugzilla/show_bug.cgi?id=20824
- https://sourceware.org/bugzilla/show_bug.cgi?id=22909
And this Debian bug: https://bugs.debian.org/965328.
Change-Id: I4faa3b31d346f7423ba655782e9611a51a2e4934
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>