Remove MemoryCoordinatorClient from content/browser/dom_storage.
BUG=888904
Reviewed-on: https://chromium-review.googlesource.com/c/1272958
Change-Id: I19aca1ca76bfb3f4642fd6b19845d6b8927d7121
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix an integer overflow inside cpdf_textpage.cpp.
BUG=chromium:919643
Reviewed-on: https://pdfium-review.googlesource.com/c/50071
Change-Id: Ib503e8e5415f20e8524ba09fd8646b0c868e18cb
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
No reason to not allow shims except Google Chrome doesn't want them.
Change-Id: I226ed56d45dd28b5644ac7fc6dd06de5daeba3bd
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Manual backport of original patch by Andy Paicu <andypaicu@chromium.org>
Rework of "inherit the navigation initiator when navigating"
Spec: https://w3c.github.io/webappsec-csp/#initialize-document-csp
This is a rework and reland of https://chromium-review.googlesource.com/c/chromium/src/+/1314633
The initial patch got reverted because it did not pass the trusty leak
build checks. The issue was that holding to the initiator document as a
member in FrameLoader was holding said document alive unreasonably long.
Instead this rework holds a copy of the initiator's CSP.
Bug: 905301, 894228, 836148
Reviewed-on: https://chromium-review.googlesource.com/c/1353978
Change-Id: I2445961a2b8ad82864d23fa43fa066eacd83b437
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Show an error page if a URL redirects to a javascript: URL.
BUG=935175
Reviewed-on: https://chromium-review.googlesource.com/c/1488152
Change-Id: Id018406e18d39bb1b94abd34e687d14bebe04738
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Update chrome.dashboardPrivate API match
Bug: 937487
Reviewed-on: https://chromium-review.googlesource.com/c/1497631
Change-Id: I18fd1d617b11c43a92ef8b5b8d0965ea3a2f624e
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix integer overflow in CFX_DIBBase::GetOverlapRect().
BUG=chromium:914983
Reviewed-on: https://pdfium-review.googlesource.com/c/47271
--------------------------------------------------------
Check for integer overflows in AdjustGlyphSpace().
BUG=chromium:914983
Reviewed-on: https://pdfium-review.googlesource.com/c/50112
Change-Id: I4e39a127db352318769cfee186b9dd594b1805c4
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Merged: [ast] Always visit all AST nodes, even dead nodes
Revision: 9439a1d
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=leszeks@chromium.org
Bug: chromium:926651
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1503378
-----------------------------------------------------------------------
More accurate dead statement elision
The Ignition statement list visitor will skip the rest of the
statements in the list if it hits a jump statement (like a return
or break), as the rest of the code in the list can be considered
dead.
return;
dead_call(); // skipped
However, since this is at an AST node level, it does not take into
account condition shortcutting:
if(2.2) return;
dead_call(); // not skipped
There is also a second dead code elimination in Ignition compilation, at
the bytecode array writer level, where bytecodes are not emitted if an
"exit" bytecode (Return, Jump, or a few others) has been written, until
the next basic block starts (i.e. a Bind).
This can cause an issue with statements that resurrect the bytecode
array writer part-way through their visit. An example is try-catch
statements, which save the context to a register, and then Bind to start
the try region.
For the case:
if (2.2) return;
try { // try statement not skipped
...
}
the bytecode writer is called with
OutputReturn() // exit bytecode seen
OutputMove(<context>, r1) // not emitted
Bind(&try_begin) // starts new basic block
// try body
So, the try is emitted, but without saving the context to a register.
This means that the liveness analysis sees the read of that register
(as the output liveness of throwing bytecodes), but does not have a
write to the register, which means that the liveness escapes.
This patch fixes this by using the bytecode array writer dead-code
elimination (i.e. "exit bytecode seen") to inform the statement list
visitor, so that in this example the try statement is not visited at
all.
Bug: chromium:902395
Reviewed-on: https://chromium-review.googlesource.com/c/1322951
Change-Id: I0e7745cac03a4597e1e10fee8cf1d756551bb086
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
LiteralBuffer::ExpandBuffer always grows
Bug: chromium:914736
Reviewed-on: https://chromium-review.googlesource.com/c/1405859
Change-Id: If8516356d83a78ed2af152751a504972665b1b47
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Merge M72: FileReader: Make a copy of the ArrayBuffer when returning partial results.
This is to avoid accidentally ending up with multiple references to the
same underlying ArrayBuffer. The extra performance overhead of this is
minimal as usage of partial results is very rare anyway (as can be seen
on https://www.chromestatus.com/metrics/feature/timeline/popularity/2158).
Bug: 936448
Reviewed-on: https://chromium-review.googlesource.com/c/1492873
Task-number: QTBUG-74254
Change-Id: I00f95963946c1258f6a1e7da814fb41a957df569
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Chrome assigns a download ID to each new download.
This ID was retrieved from the history DB on start up, and then
kept on incrementing.
For in-progress DB work, downloads will only be stored to history DB
once they finish.
As a result, the history DB doesn't have all the IDs on startup.
This CL lets the DownloadManagerImpl get all IDs from both
history DB and in-progress downloads,
and use the largest ID to issue new IDs for new downloads.
This allows in-progress downloads to have their own IDs without
reporting them to history DB.
BUG=842245
Change-Id: I381222cfc53cfe4a79cf7315eb15f040f85edcf4
Reviewed-on: https://chromium-review.googlesource.com/1144311
Commit-Queue: Min Qin <qinmin@chromium.org>
Reviewed-by: Xing Liu <xingliu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579101}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
DownloadManagerService
InProgressDownloadManager could get created before DownloadManagerImpl ctor.
And DownloadManagerService will own the InProgressDownloadManager in that case.
This CL allows DownloadManagerImpl to retrieve the pre-created
InProgressDownloadManager from DownloadManagerService.
BUG=695115
Change-Id: I6f4f2539089737f50672a03651e6079085f253e3
Reviewed-on: https://chromium-review.googlesource.com/1135986
Commit-Queue: Min Qin <qinmin@chromium.org>
Reviewed-by: Xing Liu <xingliu@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577075}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Roll libexpat to 2.2.6
Bug: 895970
Change-Id: I2787f9760e9db84b5160823407899361bfef5a37
Reviewed-on: https://chromium-review.googlesource.com/c/1287090
Reviewed-by: Scott Graham <scottmg@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#600661}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
[regalloc] Splinter to the end of interval if value dies
If a value dies in deferred code, there is no need to reload it at the
end of the deferred code, as it will be dead in the non-deferred code
that follows in control flow order. In the linearized view of register
allocation, this is encoded as a lifetime gap (or the end of an
interval).
Moreover, this may lead to wrong assignments if the value dies
between two deferred blocks and we leave a non-splintered live
range in the middle of deferred code.
Bug: chromium:915975
Change-Id: Iec68fe86f0dfbbac612635a637f3239475906d14
Reviewed-on: https://chromium-review.googlesource.com/c/1433784
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59068}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix invalid memory read
Buffer might be relocated inside replace_glyphs().
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=895117
Change-Id: Id57a6ad2379933ef1275e665d20ab7a7fd824e57
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix security error in CanvasAsyncBlobCreator
Currently CanvasAsyncBlobCreator creates a SkImage from the
StaticBitmapImage that is passed in. If a colorspace conversion is
necessary, it RE-creates the StaticBitmapImage from the SkImage it made
earlier without transferring ownership of the SkImage. This opens up
asan bugs, as other threads could have been waiting to serialize the
first image passed in. Make a copy of the SkImage instead to prevent
this.
Bug: 901677
Change-Id: I1c8fe85a0f8dbe8f43933318992f44113ef2ee6a
Reviewed-on: https://chromium-review.googlesource.com/c/1374058
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Aaron Krajeski <aaronhk@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#617625}
(cherry picked from commit fdb8c9ffdabec68a4bafa99975087026d7894ad8)
Reviewed-on: https://chromium-review.googlesource.com/c/1394748
Cr-Commit-Position: refs/branch-heads/3626@{#550}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix potential UAF if table role changes.
Bug: 903500
Change-Id: I4e55e0323fe642f8af0a79152a52bccc1cb6ac82
Reviewed-on: https://chromium-review.googlesource.com/c/1334195
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#607770}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
lavf/mov: ensure only one tkhd per trak
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.
Bug: 908358
Change-Id: I968a2d0c0b4685a7b3bc7b8897f90410367a837f
Reviewed-on: https://chromium-review.googlesource.com/c/1370897
Reviewed-on: https://chromium-review.googlesource.com/c/1375016
Reviewed-on: https://chromium-review.googlesource.com/c/1380873
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Updates sqlite to 3.26.0 with patches to what it is in
Chromium 72.
Includes fixing security issue 911253.
Change-Id: I713fa142e6d847965a3a40285013c49f9005a53f
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
compiler: Fix const non-square matrix component mult.
It seems like there weren't any dEQP tests for constant folding of
nonsquare matrices component-wise multiplication. There were a couple
bugs in our implementation which could lead to undefined behaviour.
Fixes the code and cleans up a few style issues.
Also includes a regression test.
Bug: chromium:912505
Bug: chromium:912508
Change-Id: I7fb85d1404a32950fa9fe4c3bbba9edc9f38ddd1
Reviewed-on: https://chromium-review.googlesource.com/c/1387065
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Yuly Novikov <ynovikov@chromium.org>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Map U+0A24 to '3' in the list of IDN confusables.
Unicode character U+0A24 is easily confused with a '3'. This CL adds
this character to the list of confusable characters to use when
determining whether to render IDNs as punycode instead of their unicode
representation.
R=tommycli@chromium.org
Bug: 896725
Change-Id: Ieaa38b5977b9afb454e672461722f3c8be9a2a2c
Reviewed-on: https://chromium-review.googlesource.com/c/1297638
Reviewed-by: Tommy Li <tommycli@chromium.org>
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602383}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
[DevTools] Fix request preview for URI encoded html
Bug: 895081
Change-Id: I49c6131e1cc432e470e4b04353282d3ebebcb063
Reviewed-on: https://chromium-review.googlesource.com/c/1286758
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#601792}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
service worker: Make navigate/openWindow go through more security checks.
WindowClient.navigate() and Clients.openWindow() were implemented in
a way that directly navigated to the URL without going through
some checks that the normal navigation path goes through. This CL
attempts to fix that:
- WindowClient.navigate() now goes through Navigator::RequestOpenURL()
instead of directly through WebContents::OpenURL().
- Clients.openWindow() now calls more ContentBrowserClient functions
for manipulating the navigation before invoking
ContentBrowserClient::OpenURL().
Bug: 904219
Change-Id: Ic38978aee98c09834fdbbc240164068faa3fd4f5
Reviewed-on: https://chromium-review.googlesource.com/c/1345686
Commit-Queue: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610753}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Mapping several Indic characters to confusables.
A number of characters from several Indian scripts are confusable,
especially with numbers. This change maps these characters to their
ASCII lookalike to allow fallback to punycode when displaying probable
spoofing URLs.
Bug: 849421
Bug: 892646
Bug: 896722
Change-Id: I6d463642f3541454dc39bf4b32b8291417697c52
Reviewed-on: https://chromium-review.googlesource.com/c/1295179
Reviewed-by: Tommy Li <tommycli@chromium.org>
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602032}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Include U+0517 in set of Cyrillic/Latin lookalikes.
Cyrillic letter U+0517 (ԗ) looks somewhat similar to the Latin letter p.
This CL adds this character to the set of Cyrillic characters that look
like Latin characters. Domains made up entirely of Cyrillic/Latin
lookalikes are displayed as punycode in URLs.
Bug: 863663
Change-Id: I4340c48d124c9c4cd3d3b5d0f9d3865d709e082d
Reviewed-on: https://chromium-review.googlesource.com/c/1286825
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#600582}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Remove caching of CORS info from CanvasRenderingContext.
Before this CL, CanvasRenderingContext remembered which request URLs
were CORS same-origin and which were CORS cross-origin. This worked
relatively well in a pre-service-worker world. But with service workers,
the same request URL can have different response URLs. Also, even if two
things have the same response URL, they could differ in whether
they were CORS approved or not.
The solution is to remove the caching entirely. This causes more calls
to CanvasImageSource::WouldTaintOrigin(), but the implementations of
those look relatively lightweight so I don't expect performance to be
worse than tracking URLs in two HashSets.
Test: fetch-canvas-tainting-double-write.https.html added in
https://chromium-review.googlesource.com/c/chromium/src/+/1347952.
Bug: 907047
Change-Id: I4cf6289174935dee40ccad0364eb425d717b9f7f
Reviewed-on: https://chromium-review.googlesource.com/c/1347953
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Makoto Shimazu <shimazu@chromium.org>
Commit-Queue: Matt Falkenhagen <falken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610498}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Validate glClearBuffer*v function |buffer| param on the client side
Otherwise we could read out-of-bounds even if an invalid |buffer| is passed
in and in theory we should not read the buffer at all.
BUG=908749
TEST=gl_tests in ASAN build
R=piman@chromium.org
Change-Id: I94b69b56ce3358ff9bfc0e21f0618aec4371d1ec
Reviewed-on: https://chromium-review.googlesource.com/c/1354571
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#612023}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix crash in RunInfo::NumGraphemes
Fix crash in NumGraphemes when called with an invalid end char position.
Bug: 913975
Test: fast/text/international/ar_tab_selection_crash.html
Change-Id: I93a94ba04e3e02b10ac8ef4186cf606b7df5c859
Reviewed-on: https://chromium-review.googlesource.com/c/1374630
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#616145}
(cherry picked from commit 8c7054864ea9b70015351b17376b8515296efb8f)
Reviewed-on: https://chromium-review.googlesource.com/c/1379110
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#369}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Make MediaStreamDispatcherHost per-request instead of per-frame.
Instead of having RenderFrameHost own a single MSDH to handle all
requests from a frame, MSDH objects will be owned by a strong binding.
A consequence of this is that an additional requester ID is added to
requests to MediaStreamManager, so that an MSDH is able to cancel only
requests generated by it.
In practice, MSDH will continue to be per frame in most cases since
each frame normally makes a single request for an MSDH object.
This fixes a lifetime issue caused by the IO thread executing tasks
after the RenderFrameHost dies.
Drive-by: Fix some minor lint issues.
TBR=guidou@chromium.org
(cherry picked from commit 971548cdca2d4c0a6fedd3db0c94372c2a27eac3)
Bug: 912520
Change-Id: I52742ffc98b9fc57ce8e6f5093a61aed86d3e516
Reviewed-on: https://chromium-review.googlesource.com/c/1369799
Reviewed-by: Emircan Uysaler <emircan@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Olga Sharonova <olka@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#616347}
Reviewed-on: https://chromium-review.googlesource.com/c/1397637
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#583}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Cherry-pick : change convex scan converter to be defensive
Intended for M72
Had to perform manual rebase to both SkPath.cpp and SkScan_Path.cpp as
they had diverged by the time I tried the cherry-pick from head.
Bug: 899689
Bug: skia:8606
Change-Id: Ie6c13dcd2e45d55faef4180ede299703f71b1412
Reviewed-On: https://skia-review.googlesource.com/c/175832
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-By: Mike Klein <mtklein@google.com>
Reviewed-By: Cary Clark <caryclark@google.com>
Reviewed-on: https://skia-review.googlesource.com/c/182443
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Disable FileSystemManager::CreateWriter if WritableFiles isn't enabled.
TBR=mek@chromium.org
(cherry picked from commit f045c704568e9cf6279b3cbccbec6d86c35f8a13)
Bug: 922677
Change-Id: Ib16137cbabb2ec07f1ffc0484722f1d9cc533404
Reviewed-on: https://chromium-review.googlesource.com/c/1416570
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#623552}
Reviewed-on: https://chromium-review.googlesource.com/c/1427044
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#755}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
vp8: Fix potential use-after-free in mfqe.
Similar issue to 842265.
The pointer in vp8 postproc refers to show_frame_mi which is only
updated on show frame. However, when there is a no-show frame which also
changes the size (thus new frame buffers allocated), show_frame_mi is
not updated with new frame buffer memory.
Change the pointer in postproc to mi which is always updated.
BUG= 913246
(cherry picked from commit 0e408ea67cd142a3f27189d7e00cbabea96a28d6)
[modify] https://crrev.com/be3c1ee28aeb699c508b02cfcccf7f13feaed3eb/vp8/common/mfqe.c
Change-Id: I5159ba7134a06db472c29a1d84b8d39bb60c7254
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Merged: ValueSerializer: Report if buffer expansion fails during WriteHostObject.
Revision: 8494c583ca1daf1208d272db038c1cee727548a8
BUG= chromium:914731
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=yangguo@chromium.org
Change-Id: I77a81edec553b5affd83f434418ea8530ff0d9ef
Reviewed-on: https://chromium-review.googlesource.com/c/1398684
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.2@{#37}
Cr-Branched-From: 6acd03c9b8a8232aee95f25fbf6ae822aaedae75-refs/heads/7.2.502@{#1}
Cr-Branched-From: b03041de094610ef24e0e4fb6bf4c700fa1553ed-refs/heads/master@{#57910}
[modify] https://crrev.com/dd9eae86d8a5dfbc761c5d9e25d04a9ca4edcfea/src/value-serializer.cc
[modify] https://crrev.com/dd9eae86d8a5dfbc761c5d9e25d04a9ca4edcfea/test/unittests/value-serializer-unittest.cc
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Make CPDF_ContentMarkItem stop caching the properties dict.
It could be aliased with some other dictionary in the file. We
note that the dictionary one level up will always be an indirect
object in the sharing case, and indirect objects are persisted
by the IndirectObjectHolder, so hold a pointer to that and retrieve
the specific property_name field on the fly.
Bug: chromium:900552
Change-Id: I2e300020d6a7191648dd139a485b6d284e259976
Reviewed-on: https://pdfium-review.googlesource.com/c/44970
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Check weak pointers in RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl
Bug: 912074
Change-Id: I8ba86751f5d5bf12db51520f985ef0d3dae63ed8
Reviewed-on: https://chromium-review.googlesource.com/c/1411916
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: Henrik Boström <hbos@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#622945}
(cherry picked from commit 3514a77e7fa2e5b8bfe5d98af22964bbd69d680f)
Reviewed-on: https://chromium-review.googlesource.com/c/1412028
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#741}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Merge "Fix crashes in RenderFrameImpl::OnSelectPopupMenuItem(s)" to M72 branch
ExternalPopupMenu::DidSelectItem(s) can delete the RenderFrameImpl.
We need to reset external_popup_menu_ before calling it.
Bug: 912211
Change-Id: Ia9a628e144464a2ebb14ab77d3a693fd5cead6fc
Reviewed-on: https://chromium-review.googlesource.com/c/1381325
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#618026}
(cherry picked from commit 5405341d5cc268a0b2ff0678bd78ddda0892e7ea)
Reviewed-on: https://chromium-review.googlesource.com/c/1390879
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#519}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Fix UAP in ImageBitmapLoader/FileReaderLoader
FileReaderLoader stores its client as a raw pointer, so in cases like
ImageBitmapLoader where the FileReaderLoaderClient really is garbage
collected we have to make sure to destroy the FileReaderLoader when
the ExecutionContext that owns it is destroyed.
TBR=mek@chromium.org
(cherry picked from commit 419c4bfbfb94849ed30dcab7c3aaf67afe238b27)
Bug: 913970
Change-Id: I40b02115367cf7bf5bbbbb8e9b57874d2510f861
Reviewed-on: https://chromium-review.googlesource.com/c/1374511
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#616342}
Reviewed-on: https://chromium-review.googlesource.com/c/1379106
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#368}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Fix SVG crash for v0 distribution into foreignObject.
We require a parent element to be an SVG element for non-svg-root
elements in order to create a LayoutObject for them. However, we checked
the light tree parent element, not the flat tree one which is the parent
for the layout tree construction. Note that this is just an issue in
Shadow DOM v0 since v1 does not allow shadow roots on SVG elements.
Bug: 915469
Change-Id: Id81843abad08814fae747b5bc81c09666583f130
Reviewed-on: https://chromium-review.googlesource.com/c/1382494
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#617487}
(cherry picked from commit 032c3339bfb454c65ce38e7eafe49a54bac83073)
Reviewed-on: https://chromium-review.googlesource.com/c/1387454
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#491}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
M71: Clone dict before iteration in CJS_Document::get_info
Bug: chromium:895152
TBR=tsepez@chromium.org
Change-Id: I678350841892f88a5d580b58a33a639a1b6ec305
Reviewed-on: https://pdfium-review.googlesource.com/c/44050
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit d2e27d660a96080882e43825fb4b5d03e8a4d05a)
Reviewed-on: https://pdfium-review.googlesource.com/c/47333
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Merged: [turbofan] Relax range for arguments object length
Revision: 8e4588915ba7a9d9d744075781cea114d49f0c7b
BUG=chromium:906043
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org
Change-Id: I35ea165d8e9e2b0e32f38f7f607a23ece97dffdd
Reviewed-on: https://chromium-review.googlesource.com/c/1363142
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.2@{#7}
Cr-Branched-From: 6acd03c9b8a8232aee95f25fbf6ae822aaedae75-refs/heads/7.2.502@{#1}
Cr-Branched-From: b03041de094610ef24e0e4fb6bf4c700fa1553ed-refs/heads/master@{#57910}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Merged: [turbofan] Fix wrong typing of SpeculativeSafeIntegerSubtract.
Revision: e3c923962677908c183121644c945777cdb31570
BUG=chromium:913296
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jarin@chromium.org
Change-Id: I8580f60c6ae6ee586c65714afebf0d8c3ae2e973
Reviewed-on: https://chromium-review.googlesource.com/c/1373772
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.2@{#21}
Cr-Branched-From: 6acd03c9b8a8232aee95f25fbf6ae822aaedae75-refs/heads/7.2.502@{#1}
Cr-Branched-From: b03041de094610ef24e0e4fb6bf4c700fa1553ed-refs/heads/master@{#57910}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
[M72 merge] Disable the use of QUIC proxies for https:// URLs.
This is a partial revert of https://chromium-review.googlesource.com/c/chromium/src/+/858603
BUG=914497
TBR=lassey@chromium.org
(cherry picked from commit e62461ede4cdb45b0bfec2e75785d2fddde768e0)
Change-Id: I378b42b01367aca8642d49b682b121f6f8873786
Reviewed-on: https://chromium-review.googlesource.com/c/1375112
Reviewed-by: Brad Lassey <lassey@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Reviewed-by: Ryan Hamilton <rch@chromium.org>
Commit-Queue: Brad Lassey <lassey@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#616211}
Reviewed-on: https://chromium-review.googlesource.com/c/1380792
Cr-Commit-Position: refs/branch-heads/3626@{#401}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
This just cleans dependencies for ffmpeg.
It should now be enough to unset media_use_ffmpeg and
use_webaudio_ffmpeg to skip ffmpeg.
Change-Id: I3b5b5a88b368f927413c605ec7ee7ff6687352e8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
It caused -no-webengine-extensions builds to fail.
Change-Id: Ib6fc044d8bf09bfe8a2b926b444e9eac1c64aa15
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Change-Id: I0719ee9cbc49e3f170931a0532b8ab11e433a53c
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Change-Id: Ic9c26e5b03be43779d10789b74ab347d2d31dc2b
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Simplify "WouldTaintOrigin" concept in media/blink
Currently WebMediaPlayer has three predicates:
- DidGetOpaqueResponseFromServiceWorker
- HasSingleSecurityOrigin
- DidPassCORSAccessCheck.
These are used to determine whether the response body is available
for scripts. They are known to be confusing, and actually
MediaElementAudioSourceHandler::WouldTaintOrigin misuses them.
This CL merges the three predicates to one, WouldTaintOrigin, to remove
the confusion. Now the "response type" concept is available and we
don't need a custom CORS check, so this CL removes
BaseAudioContext::WouldTaintOrigin. This CL also renames
URLData::has_opaque_data_ and its (direct and indirect) data accessors
to match the spec.
Bug: 849942, 875153
Change-Id: I6acf50169d7445c4ff614e80ac606f79ee577d2a
Reviewed-on: https://chromium-review.googlesource.com/c/1238098
Reviewed-by: Fredrik Hubinette <hubbe@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Raymond Toy <rtoy@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#598258}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Check for stack overflow when pushing arguments in JSConstructStubGeneric
Bug: chromium:896326
Change-Id: I9257573963f611711edbc48a46a3bacbe12a567d
Reviewed-on: https://chromium-review.googlesource.com/c/1305934
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57398}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Merged: [turbofan] Fix Math.expm1 builtin typing.
Revision: c59c9c46b589deb2a41ba07cf87275921b8b2885
BUG=chromium:880207
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org
Change-Id: I453d23ff1bfe355c792b39d7e69d48cc5414cd47
Reviewed-on: https://chromium-review.googlesource.com/c/1316047
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.1@{#32}
Cr-Branched-From: f70aaa8ab2e8815505a6145c745e50d8328cd28c-refs/heads/7.1.302@{#1}
Cr-Branched-From: 1dbcc78efa17a9047f7e923958087ef9eec43066-refs/heads/master@{#56462}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Always inline BasicStringPiece constructor to avoid linker errors with
GCC 8.2.
Task-number: QTBUG-71689
Change-Id: Ib573b035c19fa1e359935e83277ec9e174998bf8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>