Commit message | Author | Age | Files | Lines
* [Backport] Security bug 933743 (tag: v5.12.3) | Matt Wolenetz | 2019-04-04 | 3 | -8/+8
  To M73: MSE: Prevent OOB in AVC conversion to AnnexB
  Overflowing size_t buffer indexer could allow OOB unless overflow is caught.
  BUG=933743
  Reviewed-on: https://chromium-review.googlesource.com/c/1490832
  Change-Id: I9955fe1deb807171d73bdb7b48629fc747f99df6
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 917608 | Michael Brüning | 2019-04-01 | 1 | -3/+7
  Backport of original patch by John Rummell <jrummell@chromium.org>:
  Fix buffer size comparisons for VP8 parser
  With fuzzed data the frame_size field can be huge, which causes the address range checks to fail.
  BUG=917608
  Reviewed-on: https://chromium-review.googlesource.com/c/1391777
  Change-Id: I5fcaeac4681ed24924034dd2230e45d0e72f756b
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 916874 | Michael Brüning | 2019-04-01 | 1 | -4/+8
  Backport of patch by Jan Wilken Dörrie <jdoerrie@chromium.org>:
  [Sandbox] Fix integer overflow in CreateFromBuffer
  This change fixes an integer overflow in CrossCallParamsEx::CreateFromBuffer, resulting in a fuzzer failure.
  Bug: 916874
  Change-Id: Ic074f9bfd7038b885edae638b385a5485bb32651
  Reviewed-on: https://chromium-review.googlesource.com/c/1393371
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 914511 | Michael Brüning | 2019-04-01 | 3 | -10/+19
  Manual backport of patch by Lukasz Anforowicz <lukasza@chromium.org>:
  Ignore port numbers when matching isolated origins.
  If IsolatedOrigins includes https://corp.example.com (defaulting to port 443), then https://corp.example.com:8443 should be isolated from https://mail.example.com (even though 8443 is different from the port number used when specifying which origins to isolate).
  Bug: 914511
  Reviewed-on: https://chromium-review.googlesource.com/c/1374524
  Omitting changes to unit tests.
  Change-Id: I892f81f79a2ee86812f4e367cbb6870676f0c3a2
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* FIXUP: [Backport] Security bug 905509 (3/13) | Michael Brüning | 2019-04-01 | 1 | -1/+1
  Wrong copy and paste of check led to assert.
  Change-Id: I6aae07448f030bd9ed60b56ad919827b83f4ac99
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* FIXUP: [Backport] Security Bug 924905 | Michael Brüning | 2019-04-01 | 1 | -1/+1
  Missing semicolon at the end of DCHECK for arm code.
  Change-Id: I72322cea1fedb08a23742e6bf230ccf62e4c9a09
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* FIXUP: [Backport] Security bug 905509 | Michael Brüning | 2019-04-01 | 1 | -2/+6
  Overeager size_t replacement led to missing symbol.
  Change-Id: I8ac7ba11d8e96298fa6dcfbb1923a301e941100c
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* FIXUP: [Backport] Security bug 913212 | Michael Brüning | 2019-03-29 | 1 | -1/+1
  Patch was missing a closing bracket.
  Change-Id: I591e5c16329fe45d092cb3018565f6b2a66fe5b0
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* FIXUP: [Backport] CVE-2019-5802 | Michael Brüning | 2019-03-29 | 4 | -9/+12
  Several changes did not match the old state and were too large to be backported as well.
  Change-Id: Ie53fc211db08df9400829aae0a1126c7b1ded57e
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* FIXUP: [Backport] Security bug 905509 | Michael Brüning | 2019-03-29 | 10 | -15/+11
  Fix some typos and some replacements that were missing or overlooked when backporting due to upstream refactoring.
  Change-Id: Iaa4486afc426ddd7c7fa032cb6e3b54e10c49417
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* FIXUP: [Backport] Security bug 906739 | Michael Brüning | 2019-03-29 | 1 | -1/+1
  Missing semicolon.
  Change-Id: Ife4a313c56593bc199530400c92e173d9acdff82
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* FIXUP: [Backport] Security bug 905509 (3/13) | Michael Brüning | 2019-03-29 | 1 | -1/+1
  Typo in revision of manual backport.
  Change-Id: I90847fdbb438ab07f2ab0b5332d791bd4279b508
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5789 | Michal Klocek | 2019-03-28 | 4 | -41/+76
  Web MIDI: Make TaskService and MidiManagerWin integer-overflow-proof
  TaskService and MidiManagerWin use int to identify the instance, but this change makes it int64_t and improves them to fail gracefully without shutting down the browser due to CHECK failures.
  For practical use, the original int is enough and it's impossible to overflow the instance ID unless attackers succeed in running their code for several months on an occupied active processor.
  Bug: 921581
  Reviewed-on: https://chromium-review.googlesource.com/c/1449483
  Change-Id: Ia721bf8ba705c8a132d354aed239e990600d6532
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security Bug 919340 | Sigurd Schneider | 2019-03-28 | 1 | -1/+12
  Restrict redundancy elimination from widening types
  This CL prevents redundancy elimination from widening types, which can cause problems if the input of a DeadValue (which has type None) is replaced by an equivalent node that does not have type None. This can happen because load elimination does not re-type nodes, for example.
  Bug: chromium:919340
  Reviewed-on: https://chromium-review.googlesource.com/c/1397709
  Change-Id: I045c1088a79e7ff0eeaf6882376da14dac8c59b3
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 919572 | Stephan Herhut | 2019-03-28 | 1 | -1/+5
  Enforce valid register for SignExtendWord8ToInt32.
  On ia32, the instruction selector uses movsx_b to compile the wasm SignExtendWord8ToInt32 instruction. movsx_b requires a byte register as input. However, not all allocatable registers on ia32 are. As we cannot currently express constraints on subsets of registers, this change now forces the input to movsx_b into eax.
  Bug: chromium:919572
  Reviewed-on: https://chromium-review.googlesource.com/c/1400409
  Change-Id: I40b128958b5994bdcba5c313a8d5f1986565fa64
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 924905 | Michael Starzinger | 2019-03-28 | 1 | -1/+2
  [wasm][arm] Fix {Word32Shr} instruction selection.
  This fixes a corner case with the matching for a {UBFX} instruction. According to the ISA reference "UBFX Rd, Rn, #lsb, #width" is only valid for "#width" in the [1;32-#lsb] range. Specifically a "#width" of 0 is invalid but was not checked against by the instruction selector.
  BUG=chromium:924905
  Reviewed-on: https://chromium-review.googlesource.com/c/1435939
  Change-Id: I76f2cc7090111427807730a6e0d188b9647e0a1c
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 931640 2/2 | Adam Rice | 2019-03-28 | 4 | -83/+142
  Mark all streams-created promises with isSettled flag
  Wrap v8.createPromise() in a createPromise() function which always sets the isSettled flag to false. Make resolvePromise() and rejectPromise() ignore promises that don't have the isSettled flag present.
  Replace Promise_resolve() and Promise_reject() with createResolvedPromise() and createRejectedPromise() functions that also set the isSettled flag.
  Strictly speaking, the createR*Promise() functions only need to be used when a promise is stored and might be resolved or rejected later. But to avoid confusion about where they are needed, always use them in place of Promise_resolve() and Promise_reject().
  BUG=931640
  Reviewed-on: https://chromium-review.googlesource.com/c/1481178
  Change-Id: If7081732204e81b387fbcc4c58c2614276194b21
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 931640 1/2 | Adam Rice | 2019-03-28 | 1 | -0/+17
  Streams: Prevent double-resolution of promises
  The v8.resolvePromise() and v8.rejectPromise() functions do not make double-resolution of promises a no-op like the JavaScript APIs do. Add protection against resolving or rejecting the same promise twice.
  Attach a new internal symbol "_isSettled" to a promise when it is resolved or rejected inside the resolvePromise() and rejectPromise() functions. If the symbol is already present, the promise has already been resolved or rejected and so do nothing.
  BUG=931953
  Reviewed-on: https://chromium-review.googlesource.com/c/1475591
  Change-Id: Ied15330289c3b8e2cce78b30fc8475da2033967c
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 929088 | Alexis Hetu | 2019-03-28 | 1 | -6/+8
  Y and UV planes release mechanism fix
  The Y and UV planes weren't getting released properly because the local variables used in base::RetainBlock() are snapshots of their current values and do not get updated by subsequent code. In this case, y_surface and uv_surface would always be at their original value of EGL_NO_SURFACE and eglReleaseTexImage/eglDestroySurface would never get called.
  Using pointers to these values solves the issue, since the pointers do not get modified by subsequent code and the values can be checked properly by dereferencing the pointers.
  Bug: chromium:932986 chromium:929088
  Reviewed-on: https://chromium-review.googlesource.com/c/1483690
  Change-Id: Ie437400dd68709da94368f7972868d6d88c18a06
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security bug 938251 | Simon Zünd | 2019-03-27 | 1 | -2/+1
  Throw OOM when allocating FixedDoubleArrays with negative length
  Bug: chromium:938251
  Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1505312
  Change-Id: Ia0ebe9ccfb313a320520a40c771146c4dd55f949
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (13/13) | Michael Brüning | 2019-03-27 | 14 | -224/+129
  Manual backport of original patch by Zhenyao Mo <zmo@chromium.org>:
  Remove Safe* math helper functions in gpu command buffer
  The base::Check* function semantics are better.
  BUG=905509
  TEST=gpu_unittests
  R=piman@chromium.org
  Change-Id: Ide79451ade00bb6c76cff72ebbacf112b3497b72
  Reviewed-on: https://chromium-review.googlesource.com/c/1408031
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 917707 | Michael Brüning | 2019-03-27 | 3 | -16/+13
  Backport of original patch by Adrienne Walker <enne@chromium.org>:
  Fix potential memory overrun in MapRasterCHROMIUM
  ScopedTransferBufferPtr does an AllocUpTo which may return a valid pointer to memory that is smaller than requested. MapRasterCHROMIUM assumed that if the memory was valid then it was the size that was requested, which is incorrect.
  This is also a dependency for security bug 905509 (13/13)
  Bug: 917707
  Change-Id: Ifb8f762632e06b7d7a30b428ba35c79445b211e0
  Reviewed-on: https://chromium-review.googlesource.com/c/1461757
  Reviewed-on: https://chromium-review.googlesource.com/c/1479292
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 905509 (12/13) | Michael Brüning | 2019-03-27 | 10 | -66/+69
  Backport of original patch by Antoine Labour <piman@chromium.org>:
  Sanitize use of size_t in {Service,Client}FontManager and RasterCHROMIUM
  Because transfer buffers are 4GB at the max, use uint32_t instead of size_t (or uint64_t) for sizes in font manager serialized data.
  Bug: 905509
  Change-Id: Iafc1e86f2f053eb978103fb02704d3513ac908af
  Reviewed-on: https://chromium-review.googlesource.com/c/1404390
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (11/13) | Michael Brüning | 2019-03-27 | 3 | -20/+21
  Manual and partial backport of original patch by Antoine Labour <piman@chromium.org>:
  Use uint32_t instead of size_t as appropriate in RasterImplementation
  Some size_t were silently converted to 32 bits, which could cause issues in extreme cases.
  Bug: 905509
  Change-Id: Id455e61a996ae3a601daeb9d433a24b22ac98407
  Reviewed-on: https://chromium-review.googlesource.com/c/1404096
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (10/13) | Michael Brüning | 2019-03-27 | 5 | -24/+6
  Manual backport of original patch by Antoine Labour <piman@chromium.org>:
  Audit size_t usage in gpu/command_buffer/service
  This backport omits changes in:
  * gpu/command_buffer/service/gpu_command_buffer_memory_tracker.cc
  Fix and/or replace, as appropriate, problematic patterns.
  Bug: 905509
  Change-Id: I5e53df210e6d7d07b96a6898d7b4f62ef0bbb2aa
  Reviewed-on: https://chromium-review.googlesource.com/c/1404396
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (9/13) | Michael Brüning | 2019-03-27 | 4 | -34/+34
  Backport of original patch by Antoine Labour <piman@chromium.org>:
  Audit size_t: odds and ends in gpu/command_buffer/client
  Mostly just replacing size_t (and unsigned int) with uint32_t as appropriate.
  Bug: 905509
  Change-Id: I0ab1348f0b87f6143539a034bd26f5eda4d8231c
  Reviewed-on: https://chromium-review.googlesource.com/c/1401850
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (8/13) | Michael Brüning | 2019-03-27 | 5 | -167/+104
  Backport of original patch by Antoine Labour <piman@chromium.org>:
  Audit use of size_t in GLES2Implementation and ProgramInfoManager
  - use uint32_t where appropriate.
  - refactor logic around GetActiveAttrib / GetActiveUniform / GetActiveUniformBlockName / GetTransformFeedbackVarying to avoid underflow.
  Bug: 905509
  Change-Id: Ic173134db48bf667152cbfb7449fda10f98af813
  Reviewed-on: https://chromium-review.googlesource.com/c/1401459
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (7/13) | Zhenyao Mo | 2019-03-27 | 1 | -5/+24
  Backport of original patch by Zhenyao Mo <zmo@chromium.org>:
  Sanity check program data returned by GL driver
  BUG=905509
  Reviewed-on: https://chromium-review.googlesource.com/c/1396382
  Change-Id: Ie02ef59534de3d9c2c7abbcef7826ad42a46dbb9
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (6/13) | Michael Brüning | 2019-03-27 | 16 | -22/+26
  Manual backport of original patch by Antoine Labour <piman@chromium.org>:
  Make ClientTransferCache entries use a uint32_t size
  As they go into transfer buffers, they need to fit within 4GB, so check that at the source. Some places were silently clamping size_t to uint32_t, which could be a theoretical issue.
  Bug: 905509
  Change-Id: Id4a89557eb4147d0cb16097d8f48fb284a6b3d9f
  Reviewed-on: https://chromium-review.googlesource.com/c/1400046
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (5/13) | Michael Brüning | 2019-03-27 | 3 | -54/+52
  Backport of original patch by Antoine Labour <piman@chromium.org>:
  Use uint32_t for sizes in gpu::FencedAllocator
  Since it is backed by a gpu::Buffer, the size is capped at 4GB. Also use uint32_t consistently instead of unsigned int.
  Bug: 905509
  Change-Id: Ia53250b0cc512799bff502ee4e7552385ace2f8e
  Reviewed-on: https://chromium-review.googlesource.com/c/1399226
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (4/13) | Michael Brüning | 2019-03-27 | 7 | -87/+101
  Backport of original patch by Antoine Labour <piman@chromium.org>:
  Use uint32_t instead of size_t in gpu::gles2::GLES2Util
  Fix up callers and add math validation as necessary.
  Bug: 905509
  Change-Id: Icf9e7baf5fdaf6c493577a263ace4cbe940fb4d2
  Reviewed-on: https://chromium-review.googlesource.com/c/1399570
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (3/13) | Michael Brüning | 2019-03-27 | 10 | -71/+57
  Manual backport of original patch by Antoine Labour <piman@chromium.org>:
  Change gpu::Buffer and gpu::BufferBacking to use uint32_t sizes
  Because client and service may be of different bitness, offsets in command buffers have to fit in a uint32_t, effectively limiting transfer buffers to 4GB. This makes it clearer by enforcing it on IPC boundaries and using uint32_t for the size, removing casts along the way.
  Bug: 905509
  Change-Id: I90a539defac7cc029103b20e541798cc2698e65d
  Reviewed-on: https://chromium-review.googlesource.com/c/1396861
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (2/13) | Michael Brüning | 2019-03-27 | 26 | -60/+62
  Backport of original patch by Antoine Labour <piman@chromium.org>:
  Have CommandBuffer::CreateTransferBuffer take a uint32_t instead of size_t
  Because client and service may be of different bitness, offsets in command buffers have to fit in a uint32_t, effectively limiting transfer buffers to 4GB. Make this clear in CommandBuffer::CreateTransferBuffer by taking a uint32_t instead of a size_t (fixing callers as appropriate), avoiding potential security issues with silent clamping.
  Bug: 905509
  Change-Id: Ia027ba0db2214c1b4e02432d51db734b3e5bf287
  Reviewed-on: https://chromium-review.googlesource.com/c/1396132
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 905509 (1/13) | Michael Brüning | 2019-03-27 | 3 | -5/+9
  Manual backport of original patch by Antoine Labour <piman@chromium.org>:
  Fix ImplementationBase::SetBucketContents to take a uint32_t
  The command takes a uint32_t, so any size_t would be silently truncated. Clarify the proper range at the source.
  Bug: 905509
  Change-Id: Id2038d47f0e741a3baa1efb06b78b07e1b7c0929
  Reviewed-on: https://chromium-review.googlesource.com/c/1336913
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5802 (5/5) | Michael Brüning | 2019-03-27 | 18 | -36/+72
  Manual backport of original patch by Charlie Harrison <csharrison@chromium.org>:
  Implement opener download metrics for cross-process opener navigations
  Currently, the metrics only account for the same-process flow through BeginNavigation. With this CL, we plumb the relevant information through the RemoteFrame / RenderFrameProxy / OpenURL path.
  Bug: 632514
  Reviewed-on: https://chromium-review.googlesource.com/c/1380967
  Change-Id: Ie4062172a52d9c329db6fa4a229689b3ed67b5ef
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Dependency for CVE-2019-5802 (5/5) | Michael Brüning | 2019-03-27 | 7 | -7/+30
  Manual backport of original patch by Yao Xiao <yaoxia@chromium.org>:
  Prevent download in sandbox
  Implements the feature while keeping it disabled. Will follow the Intent to Implement/Ship process to enable it.
  Bug: 539938
  Reviewed-on: https://chromium-review.googlesource.com/c/1336493
  Change-Id: If8dd91915b71ec742521c6965d7f565d1ab9a567
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5802 (4/5) | Michael Brüning | 2019-03-27 | 2 | -3/+2
  Backport of patch by Nasko Oskov <nasko@chromium.org>:
  FrameLoadRequest should reuse origin instead of recreating it.
  FrameLoadRequest is currently constructing the requestor origin from the URL of the requestor document. However, constructing origins based on URL is a lossy process and does not preserve precursor origin information. Since the requestor document is already passed in as a parameter, the origin of the document should be used directly. This CL changes that.
  It also fixes a bug in the GetDownloadPolicy method where origin comparison is assigned to a boolean incorrectly.
  Bug: 632514, 882053
  Change-Id: Ia680ab7e90488b8393f117e5207d3dab1bfe96e1
  Reviewed-on: https://chromium-review.googlesource.com/c/1378587
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5802 (3/5) | Michael Brüning | 2019-03-27 | 8 | -7/+37
  Backport of original patch by Charlie Harrison <csharrison@chromium.org>:
  Add an API for adding browser-side UseCounters to //content
  This CL:
  1. Adds method to ContentBrowserClient which allows logging blink UseCounters scoped to a given RenderFrameHost.
  2. Uses this new API to log UseCounters for opener navigations resulting in downloads.
  Bug: 632514
  Change-Id: I0017563fe5bb15bc3b849ec3ee17b268d99ec5c5
  Reviewed-on: https://chromium-review.googlesource.com/c/1324244
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5802 (2/5) | Charlie Harrison | 2019-03-27 | 4 | -7/+41
  Backport of original patch by Charlie Harrison <csharrison@chromium.org>:
  Add more specific download policies for opener navigations
  Bug: 632514
  Change-Id: I6cbf33505c844f87bed359a7433e157d638c130e
  Reviewed-on: https://chromium-review.googlesource.com/c/1329863
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5802 (1/5) | Michael Brüning | 2019-03-27 | 16 | -31/+115
  Manual backport of original patch by Charlie Harrison <csharrison@chromium.org>:
  Collect metrics for downloads from opener navigations
  This CL does two major things:
  1. Plumb information to //content about whether a navigation is an "opener navigation". That is, is the initiator navigating its opener.
  2. Armed with the "opener_navigation" bit, we can apply a policy to navigations to tell them to disallow downloads for opener navigations. This entails changing a boolean "allow_downloads" in CommonNavigationParams to an enum, which enumerates out the reason why the download was blocked (opener, view source, interstitial, etc).
  In navigation logic, we can start logging some metrics to get a sense for how often opener navigations actually end up being downloads. Ideally, numbers will be low and we can deprecate this behavior. If numbers are still high, we can relax this restriction. Two possible relaxations:
  a. Allow navigations resulting in downloads if the initiator is same-origin with the opener.
  b. Allow navigations resulting in downloads if the initiator has a user gesture.
  For now, we merely collect some UMA to see how prevalent this case is, for evidence in a deprecation / intervention.
  Bug: 632514
  Change-Id: I9a8b9fc0d235d65a8b9b8af8592c0922924da0f0
  Reviewed-on: https://chromium-review.googlesource.com/c/1316167
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Dependency for CVE-2019-5802 (1/5) | Michael Brüning | 2019-03-27 | 6 | -174/+439
  Manual backport of original patch by Camille Lamy <clamy@chromium.org>:
  Create NavigationRequest from LoadURLParams
  This CL allows creating the NavigationRequest directly from LoadURLParams for new navigations.
  Bug: 803859
  Reviewed-on: https://chromium-review.googlesource.com/c/1097407
  Change-Id: I06c9462cb15c604d511de67a6473f73712fcac72
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5803 | Andrew Comminos | 2019-03-27 | 1 | -0/+16
  Check the source browsing context's CSP in Location::SetLocation prior to dispatching a navigation to a `javascript:` URL.
  Makes `javascript:` navigations via window.location.href compliant with https://html.spec.whatwg.org/#navigate, which states that the source browsing context must be checked (rather than the current browsing context).
  Bug: 909865
  Change-Id: I91323ac7f06f8a52eb885b5196e0d6bbeaf0a38a
  Reviewed-on: https://chromium-review.googlesource.com/c/1359823
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 913212 | Michael Brüning | 2019-03-27 | 1 | -3/+17
  Original patch by Tobias Tebbi <tebbi@chromium.org>:
  [ic] do not expose global object
  Bug: chromium:913212
  Reviewed-on: https://chromium-review.googlesource.com/c/1371605
  Change-Id: I9173e33a539c89bb9e8ff5edeca16cb8a8d4529b
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 906437 | Michael Brüning | 2019-03-27 | 1 | -2/+4
  Backport of original patch by chcunningham <chcunningham@chromium.org>:
  lavf/id3v2: fail read_apic on EOF reading mimetype
  avio_read may return EOF, leaving the mimetype array uninitialized. Fail early when this occurs to avoid using the array in an uninitialized state.
  Bug: 906437
  Reviewed-on: https://chromium-review.googlesource.com/c/1380880
  Change-Id: Iffa1b7f6ea790faff8d75f23af0d1141e6c259f5
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 906739 | Michael Brüning | 2019-03-27 | 1 | -2/+2
  Backport of original patch by Sam Zackrisson <saza@webrtc.org>:
  Change the type of indW32 back to int32_t
  It was changed to size_t in https://codereview.webrtc.org/1227163003, which makes sense if the pitch lags in the code are also guaranteed to be non-negative. Otherwise, integer wraparounds may happen, which causes the code to circumvent the check for too low values here: https://cs.chromium.org/chromium/src/third_party/webrtc/modules/audio_coding/codecs/isac/fix/source/pitch_filter.c?q=webrtcisacfix_pitchfilter&sq=package:chromium&g=0&l=112
  Bug: chromium:906379
  Change-Id: Ia9711fdba80f091f86230cc84629406500e8e232
  Reviewed-on: https://webrtc-review.googlesource.com/c/113810
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2019-5788 | Marijn Kruisselbrink | 2019-03-25 | 2 | -2/+3
  Harden against overflows of OperationID a bit better.
  Rather than having a UAF when OperationID overflows instead overwrite the old operation with the new one. Can still cause weirdness, but at least won't result in UAF. Also update OperationID to uint64_t to make sure we don't overflow to begin with.
  Bug: 925864
  Reviewed-on: https://chromium-review.googlesource.com/c/1441498
  Change-Id: Ie13274f1966a6d751a0f5e0ceaf7554afc2e2f2f
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-5787 | Fernando Serboncini | 2019-03-25 | 2 | -0/+6
  Clean up CanvasResourceDispatcher on finalizer
  We may have pending mojo messages after GC, so we want to drop the dispatcher as soon as possible.
  Bug: 929757,913964
  Reviewed-on: https://chromium-review.googlesource.com/c/1489175
  Change-Id: I18e55fc594fab2a30d00d40e4d90f9584937e226
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security bug 906652 | Jonathan Backer | 2019-03-25 | 1 | -1/+1
  Initialize line width clamp values
  Bug: 906652
  Reviewed-on: https://chromium-review.googlesource.com/c/1359307
  Change-Id: Ic78fc4688977de77b835ed7b9eaa121a911f46c9
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-5797 | Daniel Murphy | 2019-03-25 | 3 | -33/+68
  Fixing BadMessageCallback usage by SessionStorage
  Bug: 916523
  Reviewed-on: https://chromium-review.googlesource.com/c/1401604
  Change-Id: Ica75c27f4fa94752d83fe57c80d313efccfdea8c
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Dependency for CVE-2019-5797 2/2 | Daniel Murphy | 2019-03-25 | 6 | -6/+52
  Fixed async BadMessage reporting
  Bug: 868578
  Reviewed-on: https://chromium-review.googlesource.com/1155483
  Change-Id: I2254202ac07ac9db2e1bfb444c3245f550f691cc
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>