| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3757922:
Speculative fix for IsValidCodePointInIndex() range crash
Bug: 1333970
Cq-Include-Trybots: luci.chromium.try:linux-blink-web-tests-force-accessibility-rel
Change-Id: I5a4c78e708357074fdec1f7a18fa928e39f9c51a
Auto-Submit: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1025405}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/268460:
Disallow invalid arguments in RestoreEncodingLayers.
Changing DCHECK into CHECK for good measure.
Bug: chromium:1343889
Change-Id: I2cede85dc2d2a4238739f73afe25275047f4aa50
Reviewed-by: Ilya Nikolaevskiy <ilnik@webrtc.org>
Commit-Queue: Henrik Boström <hbos@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37511}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3770271:
Use WeakPtr in AccountReconcilor to avoid UAF
(cherry picked from commit f65ea3435ff2a10b4e1ce1f855863e8eaa127a04)
Bug: 1341907
Change-Id: I14e8d263e3a5f073d61677fedd53c67395382742
Commit-Queue: David Roger <droger@chromium.org>
Reviewed-by: David Roger <droger@chromium.org>
Commit-Queue: Monica Basta <msalama@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1022147}
Reviewed-by: Monica Basta <msalama@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#1011}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Internals
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3688608:
Sanitize default file name in windows select file dialog
On windows, '%' is a special character and can be used for environment
variables. So if the default file name is '%DATADIR%', it can actually
refer to another directory and thus causing weird behaviors.
And '%' cannot be escaped when used in the file dialog. Both "^%" and
"%%" don't work. This CL mitigates the issue by replacing '%' with '_'.
This only affects the default file name when showing the dialog. Power
users can still change the file name by adding '%' if needed.
BUG=1308422
Change-Id: Ibb275f5c3c2c9458c20d1e97ad527f7c95184eaa
Reviewed-by: Robert Liao <robliao@chromium.org>
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1014602}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3707218:
DOM Code conversion cleanups
Improvements to the DOM Code conversion APIs:
- All APIs now accept strings via StringPiece, and return them
as std::strings, since almost all callers store returned
values in std::strings anyway.
- Common contiguous DomCodes (e.g. US_A->US_Z) have their names
dynamically generated, rather than requiring a lookup through
the table.
Some incidental cleanups:
- Removed unused code-string to USB & native conversions.
- Tidied up comments to group conversions better.
(cherry picked from commit 31103fab10169feb448d4d0c18bc73ed946c6628)
Bug: 1321350
Change-Id: I67f2603c281fa11d1b4d8dce86f3455a1f7c75c2
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Michael Spang <spang@chromium.org>
Reviewed-by: Kevin Marshall <kmarshall@chromium.org>
Auto-Submit: Wez <wez@chromium.org>
Reviewed-by: Michael Spang <spang@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1013780}
Commit-Queue: Avi Drissman <avi@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Wez <wez@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#236}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3648376:
Handle notifications sent by gesture provider during destruction
This CL clears `GestureRecognizerImpl::consumer_gesture_provider_`
explicitly so that the notifications from gesture provider during
destruction are handled by `GestureRecognizerImpl` properly.
Bug: 1325256
Change-Id: Iba3b645fc2ad18331947e5556015567a1e8eb513
Commit-Queue: Andrew Xu <andrewxu@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1008393}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3758626:
M104: Better define "first result" in PDFiumEngine::AddFindResult().
Currently, changing the PDF layout confuses AddFindResult() and causes
it to fail a DCHECK(). Adjust AddFindResult() to avoid the failing
DCHECK().
This is a cherry-pick of https://crrev.com/1021389 without the test
changes.
Bug: 1339745
Change-Id: I25c2b6b436700f9aeca4924fef662ad2909f0a8c
Reviewed-by: K. Moon <kmoon@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#820}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3693143:
[BackgroundFetch] Don't expose URL chain in case of CO redirect
Bug: 1278255
Change-Id: If853327b853e29792e5c8d1dfaeecf21d6fec004
Reviewed-by: Susanne Westphal <swestphal@google.com>
Commit-Queue: Rayan Kanso <rayankans@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1011409}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3712307:
[M96-LTS][Background fetch] passing update_first_party_url_on_redirect=false for fetch
M96 merge issues:
components/download/internal/common/download_utils.cc
Naming conflict for is_main_frame/is_outermost_main_frame
Background fetch doesn't work like regular download as it is not
considered a top frame navigation. This CL let background fetch to
pass update_first_party_url_on_redirect=false to DownloadURLParameters,
and handle it properly w.r.t samesite cookies.
BUG=1268580
Change-Id: I3a1cc33be8578d5d8c796dbbb21fa35a47bdda36
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1016316}
(cherry picked from commit bf1e93c6af21dad12088b615feda07a90a85c158)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3708646:
WebGPU: Mark the context lost on GPU context lost
M102 merge issues:
- dawn_control_client_holder.h/cc:
GetWGPUInstance() not present in M102
Fixes a bug where completely destructing the context instead of
marking it lost when receiving a context lost notification freed
memory still accessible by the page.
Fixed: 1336014
Change-Id: I662e531102af91362b4f62700bfbee507fc44d1f
Commit-Queue: Austin Eng <enga@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1017003}
(cherry picked from commit 6c7f327b7a15aabd3fc5d57e9c05b95d02f1cd36)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
| |
It used an inline variable, which requires C++17 to be used, which
Chromium does not do in the 94 branch yet.
Change-Id: If41f078c06e31a42a147ee42f2c115023c6264db
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2:
* src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
Fixes #1140.
Change-Id: I41ea64c6e68e7c5697463ef205aaa6283ca57773
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/d014387ad4a5dd04d8e7f99587c7dacb70261924:
* src/base/ftobjs.c (ft_open_face_internal): Thinko.
Change-Id: I87abda1c902d1917bd9fbf7b156911a09ebe1b2b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5:
* src/base/ftobjs.c (ft_open_face_internal): Properly guard `face_index`.
We must ensure that the cast to `FT_Int` doesn't change the sign.
Fixes #1139.
Change-Id: Ic63e379d5c65bd56d5ca07b80a7015d9f5bc0051
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally submitted on
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db:
Avoid invalid face index.
Fixes #1138.
* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
Check `face_index` before decrementing.
Change-Id: I1744d27542fc2dd17dada37fa0ade09a0b818b65
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3726349:
Fix incorrect text itemization for \r codepoint
M96 merge issues:
render_text_unittest.cc
Tests Clusterfuzz_Issue_1298286/1299054 aren't present
in M96 and caused a merge conflict.
The "\r" codepoint should be split to be rendered in a single
harfbuzz run (same as "\n").
We do recognize these sequences as newline:
\r
\n
\r\n
Previously, the itemization will leave the "\r" with the previous
run. This is leading to incorrect multiline lines splitting.
(cherry picked from commit eee0c5ca752ad50df9986c551cb98226ce078893)
Bug: 1287804
Change-Id: Idfc00a3cf147eb53258d5da9ea105e2d6dc25f05
Commit-Queue: Etienne Bergeron <etienneb@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1014955}
Reviewed-by: Etienne Bergeron <etienneb@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1662}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch orignally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3765222:
Fix dawn write handle data update OOB check
(cherry picked from commit 0ba6ae3d447de7bc599a191f6792a4e6676f10a3)
Bug: chromium:1340654
Change-Id: I9d87cb868eccc380f707ab6c3c6bdc26c386fbfc
Commit-Queue: Shrek Shao <shrekshao@google.com>
Cr-Original-Commit-Position: refs/heads/main@{#1021911}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1660}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3752921:
Mitigate bad cast in OffscreenCanvas::GetFontSelector
This change will cause the browser to crash if the execution context
is not a Window or WorkerGlobalScope. This is a temporary solution
to handle the case where the execution context is an
AudioWorkletGlobalScope. The longer term solution, which will be
implemented in a follow-up CL, is to block OffscreenCanvas objects from
being transferred to AudioWorklets, as required by the postMessage spec.
BUG=1334864
(cherry picked from commit 028c11e59fd41bc22eff06dbec10fe9b0e82bd04)
Change-Id: Ief5e37eca6dff14098b12cdbe6fc362c3dd87d1d
Auto-Submit: Justin Novosad <junov@chromium.org>
Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
Commit-Queue: Juanmi Huertas <juanmihd@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1017357}
Commit-Queue: Srinivas Sista <srinivassista@chromium.org>
Cr-Commit-Position: refs/branch-heads/5005@{#1254}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3755103:
Merged: [compiler] fix FrameState revisit bug in escape analysis
(cherry picked from commit 17da9e70833014e0a2646db5c11588f0aee02de7)
Bug: chromium:1340335, chromium:1315901
Change-Id: I81cdc6bc3d6c7441ebc333d33801329c05fbd5d4
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/branch-heads/10.2@{#25}
Cr-Branched-From: 374091f382e88095694c1283cbdc2acddc1b1417-refs/heads/10.2.154@{#1}
Cr-Branched-From: f0c353f6315eeb2212ba52478983a3b3af07b5b1-refs/heads/main@{#79976}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3766745:
[M96-LTS] Keep refptr to ServiceWorkerVersion in MaybeTimeoutRequest
The callback in ServiceWorkerVersion::MaybeTimeoutRequest may reduce the
reference to the version object, which can be the last reference to it.
In thet case, the object can be destroyed and the `inflight_requests_`
field access after the callback become invalid.
This CL keeps this to avoid the object destruction.
(cherry picked from commit 5926fa916d9ad53c77e31ee757e1979275d7466c)
Bug: 1339844
Change-Id: I6564627bad0527dea007ca73261c5636dab56755
Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1023475}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1663}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3726008:
Use weak ptr for webview JavaScriptDialogHelper callback
M96 merge issues:
javascript_dialog_helper.h:
Conflicting types for web_view_guest_
This can be called asynchronously, potentially after the associated
WebViewGuest is destroyed.
(cherry picked from commit 1c09b9292dba7dfdc28b9bd09c61e3a0faf7b302)
Bug: 1336266
Change-Id: I8a4ec5ab124a9d5ca2ad45b1915666c8b7c98f79
Auto-Submit: Kevin McNee <mcnee@chromium.org>
Commit-Queue: James Maclean <wjmaclean@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1015960}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1665}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3687713:
Fix to invalidate cache when binding Transform Feedback.
Bug: chromium:1330379
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I091116286ac511c50f9abcffa4d3cf350be920b4
Commit-Queue: Jamie Madill <jmadill@chromium.org>
(cherry picked from commit d96cee6685099f6bcc392a4d20d28c8ec484673a)
(cherry picked from commit 9768648fffc94a434a7d400a2542ce3706224417)
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Auto-Submit: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/267628:
Ignore RID that appears without an a=simulcast entry
RID is defined for multiple usages in RFC 8851, but we only support
usage with a=simulcast as specified in RFC 8853.
Bug: chromium:1341043
Change-Id: Ie72074c5b394bdc41865938a86ec9c7629e1f5e0
Commit-Queue: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37417}
(cherry picked from commit 1c5808145e8b151800b0320b8a7316a09b706488)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/267281:
Do not allow simulcast to be turned off using SDP munging
This is an error that puts the PC into an inconsistent state, so
causing a crash is the right thing to do.
Bug: chromium:1341043
Change-Id: Ie1eb89400ad87f0c83634b7073236b07e92ec7ab
Commit-Queue: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37391}
(cherry picked from commit 3fe8b0d9a980642ee5ebb1f9e429378b063c1f07)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3726007:
make CanCover() transitive
In addition to checking that a node is owned, CanCover() also needs to
check if there are any side-effects in between the current node and
the merged node. When merging inputs of inputs, this check was done
with the wrong side-effect level of the in-between node.
We partially fixed this before with `CanCoverTransitively`.
This CL addresses the issue by always comparing to the side-effect
level of the node from which we started, making `CanCoverTransitively`
superfluous.
(cherry picked from commit 6048f754931e0971cab58fb0de785482d175175b)
Bug: chromium:1336869
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I78479b32461ede81138f8b5d48d60058cfb5fa0a
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#81217}
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.6@{#70}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3689639:
Add Stop method to BatchingMediaLog
Now that ~MediaLog is posted for a later destruction due to garbage
collector ownership of CodecLogger, it's possible for the
SendQueuedMediaEvents call from ~BatchingMediaLog to reference
InspectorMediaEventHandler::inspector_context_ after it has been freed.
This fix forces BatchingMediaLog to shut down it's logging capabilities
when the destruction call is caused by the garbage collector deletion
phase
R=liberato
Bug: 1333333
Change-Id: I0bdca72a71177c4c5a6a9dc692aad3de4c25f4e2
Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Reviewed-by: Eugene Zemtsov <eugene@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1011247}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3691325:
Post media log destruction to avoid destruction
SendQueuedMediaEvents is able to tickle oilpan just enough to cause
the owning BatchingMediaLog to be destroyed in the middle of executing,
causing a UAF.
(cherry picked from commit 57e905d0943695fb96a1a1a251382d15a9b2fee1)
Bug: 1317714
Change-Id: Iac2f32aee70eee183be279b372beb2ff39e6c5a0
Reviewed-by: Frank Liberato <liberato@chromium.org>
Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Reviewed-by: Thomas Guilbert <tguilbert@chromium.org>
Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1009670}
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/branch-heads/5005@{#1126}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3599349:
Only allow capturing screenshots from surface for chrome extensions.
Bug: 1116450
Change-Id: Ia4e081dbd44e0d3e2f85248b9e4ec9306e3ceb72
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Auto-Submit: Danil Somsikov <dsv@chromium.org>
Commit-Queue: Danil Somsikov <dsv@chromium.org>
Cr-Commit-Position: refs/heads/main@{#995663}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3638698:
FSA: Sanitize .url files
Bug: 1307930
Change-Id: I7ed3cca5942a5334ba761d269bdd8961fa9d13fe
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Auto-Submit: Austin Sullivan <asully@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1002495}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3676863:
Set unregister_token to undefined when unregistering
(cherry picked from commit dd3289d7945dac855d1287cf4ea248883e908d54)
Bug: chromium:1321078
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I426327ffc3d7eebdb562c01a87039a93dfb79a88
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#80349}
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/9.6@{#68}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3703779:
[M102] Ensure raw_ptr<T> and T* are treated identically in //base callback.
There are safety checks associated with raw pointers (e.g. ensuring
receiver pointers are not raw pointers). Make sure these checks are
applied whether the input type is T* or raw_ptr<T>.
- Implement base::IsPointer<T> and base::RemovePointer<T>, which are
similar to std::is_pointer<T> and std::remove_pointer<T>, except they
also consider raw_ptr<T> a raw pointer type.
- Fix failures from the strengthened asserts: WebAppInstallFinalizer
does not need a callback at all, while the privacy sandbox dialog
tests can safely use base::Unretained().
- Add test cases to cover this in the //base callback nocompile test
suite.
- Fix the existing nocompile tests, which did not escape `||` and
inadvertently matched any error text.
(cherry picked from commit 00c072a2c7f24921af3bbf8441abb34ecb0551a6)
Bug: 1335458
Change-Id: I470e3d5bc35ed52bf125136db738a868ef90b7e7
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1013266}
Cr-Commit-Position: refs/branch-heads/5005@{#1173}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a followup to https://crrev.com/c/3023887, which made operator==
constant time by using BoringSSL helpers. The same CL also aimed to make
operator!= constant time, but accidentally delegated to base::Token's
operator== which is not constant time.
Patch reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/3269926
Bug: 1004921
Task-number: QTBUG-104477
Change-Id: Ieda8fb6a736ced143831d9bcde75cddaaff50243
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use union to wrap array as with neon intrinsics this gets
miss-compiled and ends up triggering alignment trap on arm32.
Note the same code without neon support works just fine.
Pick-to: 98-based 102-based
Fixes: QTBUG-104477
Fixes: QTBUG-103149
Change-Id: I9dd183c16874021e62135c5dcfa6865ab9783fcf
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bundled zlib when cross compiling with neon support
assumes armv8 and requires built-in intrinsics for the
ARMv8-A CRC32. However qt supports armv7 with neon support,
which will end up in false armv8 outcome architecture for
final library and will end up in unusable binaries for
armv7 platform.
Disable neon optimization for crc32, we should use
system zlib anyway which is fixed in other patches.
Task-number: QTBUG-103149
Change-Id: Ibfb5caa67cfea53b4c6a1bc1ed4948816c05ca38
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 88398c89a7b34606120ff919f873cb59ce3bcf2f)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Allow redirects from local schemes to local schemes, and clean up
the general logic. We still allow almost anything from custom url
schemes.
Fixes: QTBUG-99207
Change-Id: I7d1b7edc91f82064edbf6c1a41682d5874b42d12
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
(cherry picked from commit 3a4c9ba6936ec8b11a97ea0b3c684b3002f01a12)
|
| |
|
|
|
| |
Change-Id: Ib9ce0b7750ca2a033b04d46b1d77b525a3a03b83
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3683869:
Ignore eglBind/ReleaseTexImage calls for lost contexts.
eglBindTexImage and eglReleaseTexImage no-op when no context is
current. Extend this to lost contexts to match the behaviour of making
a GL call on a lost context.
This avoids potential unexpected bad accesses in the backends.
Bug: chromium:1316578
Change-Id: I7b309c297e0c803019720733dee2950abb4c4b5f
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Alexis Hétu <sugoi@google.com>
Reviewed-by: Alexis Hétu <sugoi@chromium.org>
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3651153:
D3D: Fix race condition with parallel shader compile.
Bug: chromium:1317673
Change-Id: I0fb7c9a66248852e41e8700e80c295393ef941e8
Reviewed-by: Jie A Chen <jie.a.chen@intel.com>
Reviewed-by: Lingfeng Yang <lfy@google.com>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3669596:
PaintOpReader: Harden PaintImage deserialization
This fix prevents the deserialization of PaintImage pixel data from
reading data out of bounds when the block of serialized pixel data isn't
large enough to cover the expected amount of data, given the size and
format of the image.
Bug: 1325298
Change-Id: Icbeb405d2031d7d8ce4537836d7996ce7885f6d1
Commit-Queue: Justin Novosad <junov@chromium.org>
Reviewed-by: Jonathan Ross <jonross@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1007804}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3584284:
UIDevTools: fix bounds check for websocket connections
Bug: 1313600
Change-Id: Ic97da6e5cf5595d530a100bc8bbbee12467cef05
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Leonard Grey <lgrey@chromium.org>
Cr-Commit-Position: refs/heads/main@{#991786}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3532010:
Fix COOP-based opener removal on FrameTreeNodes.
When a page A opens a page B, B can access A via window.opener. If
either of these pages navigate causing a BrowsingInstance swap, the
links need to be severed. Currently it only works well if B navigates.
If A navigates, we do not find the frames that were opened by it and
remove their openers on the browser side. This is now done in the
RenderFrameHostManager.
We also clarify how this information is carried to the renderer, which
was quite obscure and maybe even involuntary. Explains that the
RenderView suppression will trigger an opener clear.
BUG=1305394
Change-Id: I4bb2a9733c523dac78ffb270877ba07aba6984a4
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Arthur Hemery <ahemery@chromium.org>
Cr-Commit-Position: refs/heads/main@{#985876}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3669247:
Handle late ACKed touch events more properly
This CL adds an extra function named
`OnGestureProviderAuraWillBeDestroyed()` to `GestureProviderAuraClient`
so that `GestureProviderAuraClient` can response to destruction of
a `GestureProviderAura` instance.
See the comment 27 under this issue for more details.
(cherry picked from commit d2fdb99a2b5d87c75fef69968d4d477cbd66ebd9)
Bug: 1292264
Change-Id: I53502e896d3a36f9610ca48c11b07422e5b4ce03
Commit-Queue: Andrew Xu <andrewxu@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#984964}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1641}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3601727:
Introduce isLowEnergyDevice() for safely downward static_cast from BluetoothDeviceMac to BluetoothLowEnergyDeviceMac
device/bluetooth/bluetooth_adapter_mac.mm has two non safely downward static_cast BluetoothDevice to BluetoothLowEnergyDeviceMac
To avoid it, we introduce isLowEnergyDevice() to BluetoothDeviceMac so we could identify LE bluetooth device from classic bluetooth device then safely cast it downward.
Bug: 1318610
Change-Id: Iaf082fc2c40270237bbc0b000b80faa7f94b1026
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: Alvin Ji <alvinji@chromium.org>
Cr-Commit-Position: refs/heads/main@{#995419}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Transfer
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3623277:
Markup sanitization should iterate until markup is stable
There are cases where parsing a markup and then serializing it does not
round trip, which can be used to inject XSS. Current sanitization code
only does one round of parsing and serializing, which does not remove
XSS injections that hide deeper.
Hence this patch makes sanitization algorithm iterate until the markup
is stable, or declares failure if it doesn't stabilize after many tries.
(cherry picked from commit 19280353fb92d0ff7d048d7cec28d6a23befbce0)
Fixed: 1315563
Change-Id: I4a3ebe1fda6df0e04a24d863b2b48df2110af209
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#997032}
Commit-Queue: Zakhar Voit <voit@google.com>
Reviewed-by: Jana Grill <janagrill@google.com>
Owners-Override: Jana Grill <janagrill@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1632}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/3625832:
Do not parse late SEI messages during decoding.
Bug: 1306751
Change-Id: I2088b9ff89bd8eee8ab82675258af302d9bfccf9
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch orignally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3552557:
Guard against nullptr RFH
Before b/218825270 the RFH was stored and used as a raw ptr. This
has since been changed. The resolution of the RFH from its global
id may have returned a nullptr. This guards against it.
Bug: 1306968
Change-Id: I1206a51c968ea8ac081b5056d88bfa26d9ccb9e1
Reviewed-by: Clemens Arbesser <arbesser@google.com>
Commit-Queue: Sandro Maggi <sandromaggi@google.com>
Cr-Commit-Position: refs/heads/main@{#985260}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://github.com/harfbuzz/harfbuzz/commit/03085132bac6bb3f69378cab3eaf5a57ad1362ff:
[buffer] Fix out-buffer under memory-alloc failure
This was broken in July refactoring of the buffer, and exposed to
ReverseChainSingleSubstFormat1 in 3807061
Fixes:
https: //bugs.chromium.org/p/oss-fuzz/issues/detail?id=38800
https: //bugs.chromium.org/p/chromium/issues/detail?id=1303552
Change-Id: Ia2944adf0c578a819024839a83941750c0020243
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3670161
Close a MessagePort if it is created in a destroyed context.
MessagePort assumes it is only destroyed either after ContextDestroyed,
or after the port has been closed explicitly. As it turns out ports that
were created in an already detached iframe would violate this invariant,
causing issues.
(cherry picked from commit 068f13cc5aa5f7a6e9faf28d8731275e64cb657b)
Bug: 1228661
Change-Id: Ib1abce15f1d1d15f044de19fe0534767db488af0
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#988859}
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Simon Hangl <simonha@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1642}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3089422:
FSA: Sanitize .scf files
.scf files can be used to execute code without opening the file.
Sanitize these files the same way we sanitize .lnk files.
Also updates filename sanitization logic to be consistent in blocking
.lnk and .local extensions on all OSes.
Bug: 1227995
Change-Id: I4b018f1ba524c783547e18630db9addc9fb126e6
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1002147}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3650697:
[M102] Fix validation cache when deleting a Transform Feedback.
Bug: chromium:1320024
Change-Id: I76ef85a3c65c663c138d8caebd4ef2c0da53cd4f
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
(cherry picked from commit 84e42c3b04da9e2c9d93d35bb6f2b1830fef22f4)
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
