Commit log (newest first). Each entry: subject (and tag, if any); author, date, files changed, lines -removed/+added; then the commit message.
* FIXUP: Building with plugins but webrtc disabled (tag: v5.11.365-based)
  Allan Sandfeld Jensen, 2018-11-19, 1 file, -1/+1

  Included file moved in 69-based.

  Change-Id: Iefe7b0d72376baa35e70ce639a8af70466b966e9
  Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
* [Backport] Fix for CVE-2018-17478
  Allan Sandfeld Jensen, 2018-11-14, 1 file, -1/+11

  Merged: [array] Ensure PrepareElementsForSort returns a legal value

  PrepareElementsForSort must return a number less than or equal to the array length.

  No-Try: true
  No-Presubmit: true
  No-Treechecks: true
  Bug: chromium:897512, v8:7382
  Change-Id: If5f9c4d052e623ab9f3300b8534603abbee859fa
  Reviewed-on: https://chromium-review.googlesource.com/c/1297958
  Commit-Queue: Jakob Gruber <jgruber@chromium.org>
  Reviewed-by: Camillo Bruni <cbruni@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#56982}
  Reviewed-on: https://chromium-review.googlesource.com/c/1304354
  Reviewed-by: Peter Marshall <petermarshall@chromium.org>
  Cr-Commit-Position: refs/branch-heads/7.0@{#67}
  Cr-Branched-From: 6e2adae6f7f8e891cfd01f3280482b20590427a6-refs/heads/7.0.276@{#1}
  Cr-Branched-From: bc08a8624cbbea7a2d30071472bc73ad9544eadf-refs/heads/master@{#55424}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
  Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
* FIXUP: Building with plugins but webrtc disabled
  Allan Sandfeld Jensen, 2018-11-13, 1 file, -1/+6

  Fixes: QTBUG-71295
  Change-Id: Ia15d1ef8c7d84c53dcd52876e08fb8a480212c76
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Fix for CVE-2018-17466
  Michael Brüning, 2018-11-05, 14 files, -20/+39

  Pass unpack buffer as explicit parameter to texSubImage.

  This allows us to override it in the incomplete texture init. Any back-end that used incomplete textures was vulnerable to a bug where the unpack buffer would be used to initialize the incomplete texture.

  Cherry-picked to the chromium/3538 branch cleanly.

  Bug: chromium:880906
  Change-Id: Ifca9891ecc207a74673fe1e6ef3e0a2118837fb2
  Reviewed-on: https://chromium-review.googlesource.com/1227033
  Reviewed-by: Jamie Madill <jmadill@chromium.org>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Second fix for CVE-2018-12371
  Allan Sandfeld Jensen, 2018-11-05, 1 file, -4/+11

  check for overflow in maxedgecount

  Bug: 848521
  Change-Id: I285c683518400c276663b575d7ec0534d66e541a
  Reviewed-on: https://skia-review.googlesource.com/146880
  Auto-Submit: Mike Reed <reed@google.com>
  Commit-Queue: Herb Derby <herb@google.com>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for security issue 875494
  Allan Sandfeld Jensen, 2018-11-05, 1 file, -0/+10

  fix dashimpl underflow

  Previous impl would assert (and read past legal memory) for the new test.

  Bug: skia: 8274
  Bug: 875494
  Change-Id: I26a56a166892444b34512a120940f7cfd6f453d8
  Reviewed-on: https://skia-review.googlesource.com/148940
  Commit-Queue: Mike Reed <reed@google.com>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for security issue 888678
  Allan Sandfeld Jensen, 2018-11-05, 2 files, -13/+23

  Destroy KeyboardLockServiceImpl instance when RenderFrameHost goes away

  This CL updates KeyboardLockServiceImpl to release its mojo binding if the RenderFrameHost instance it is linked to is destroyed.

  Bug: 888678
  Change-Id: I96f8e67029389c7c34942d04242fb9bde1f5a0f3
  Reviewed-on: https://chromium-review.googlesource.com/1246290
  Commit-Queue: Joe Downing <joedow@chromium.org>
  Reviewed-by: Daniel Cheng <dcheng@chromium.org>
  Reviewed-by: Scott Violet <sky@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#594534}
  (cherry picked from commit 9d46e6e6ca8b9021b2d9f60bc3f3261b8718c616)
  Reviewed-on: https://chromium-review.googlesource.com/1254503
  Reviewed-by: Joe Downing <joedow@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3538@{#769}
  Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport][Blink/SPv175+] Change DCHECK(chunk clip escaped layer clip) to a DLOG
  Szabolcs David, 2018-11-05, 1 file, -5/+15

  This is a scaled-back version of a same-named previous CL. This version only converts the DCHECK into a DLOG, but keeps the not-so-robust error recovery algorithm as-is.

  The PaintChunkToCcLayer algorithm was originally designed for the SPv2 compositor, and it was expected that the layerization algorithm should never assign a chunk to an excessively clipped layer, thus the DCHECK. Later this algorithm was adopted in SPv175 to be used with the SPv1 compositor. There is a known bug that in certain corner cases we can fail to escape clip, and the bug is difficult to fix in the legacy architecture. The DCHECK is expected to be a "soft" one that we have a fail-safe path to recover from in a sane way.

  BUG=881788,853357
  Reviewed-on: https://chromium-review.googlesource.com/1227062
  Change-Id: Ifacb936064536c44bc544fa89de6e4d699d65f1d
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17476
  Michael Brüning, 2018-11-02, 3 files, -0/+23

  If a dialog is shown, drop fullscreen.

  BUG=875066, 817809, 792876, 812769, 813815
  TEST=included

  This cherry-picks the part that is applicable to Qt WebEngine

  Reviewed-on: https://chromium-review.googlesource.com/1185208
  Reviewed-by: Sidney San Martín <sdy@chromium.org>
  Commit-Queue: Avi Drissman <avi@chromium.org>
  Change-Id: I525506d427f8d8db7be6d27562757dbe9653884d
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Fixup for Fix for CVE-2018-17468
  Michael Brüning, 2018-11-02, 1 file, -1/+1

  Use the right frame load type enum and constant.

  Change-Id: I2ab515831b9ddc3988827e378f8465bde7742a87
  Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
* Fixup for fix for CVE-2018-17469
  Michael Brüning, 2018-11-02, 9 files, -21/+32

  Commit ddd25ab971 introduced a build break because some const qualifiers that were needed were not part of the patch.

  Change-Id: I88e757885b92c0788a0adcee6732e5f2a7f213af
  Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
* Build fix for [Backport] Fix for CVE-2018-17470
  Michael Brüning, 2018-11-01, 1 file, -211/+0

  Only add the feature from the actual patch to the gpu driver bug list.

  Change-Id: Ib853bede7e69371e340f49ad8b062794d66cd7dd
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Fix for CVE-2018-17473
  Allan Sandfeld Jensen, 2018-11-01, 3 files, -2/+10

  [M70] Add additional Lao character to IDN confusables

  U+0E01 (ก) => n

  Prior Lao/Thai entries were added in crrev.com/c/1058710.

  Test: components_unittests --gtest_filter=*IDN*
  Bug: 882078
  Reviewed-on: https://chromium-review.googlesource.com/1220773
  Reviewed-by: Peter Kasting <pkasting@chromium.org>
  Commit-Queue: Christopher Thompson <cthomp@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#591227}
  (cherry picked from commit 3983030c2ee3e54afa60fe24f23e4c98067a3634)
  Reviewed-on: https://chromium-review.googlesource.com/1232679
  Reviewed-by: Christopher Thompson <cthomp@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3538@{#514}
  Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
  Change-Id: I7e662fece358932d09f70ec242830016026dd1e1
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17474
  Allan Sandfeld Jensen, 2018-11-01, 1 file, -3/+10

  Merge "Speculative fix for crashes in HTMLImportsController::Dispose()." to M70 branch

  Copy the loaders_ vector before iterating it.

  This CL has no tests because we don't know a stable reproduction.

  Bug: 843151
  Change-Id: I3d5e184657cbce56dcfca0c717d7a0c464e20efe
  Reviewed-on: https://chromium-review.googlesource.com/1245017
  Reviewed-by: Keishi Hattori <keishi@chromium.org>
  Commit-Queue: Kent Tamura <tkent@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#594226}
  (cherry picked from commit 54139dd9a60d8fb63d2379a08e2f2750eac2d959)
  Reviewed-on: https://chromium-review.googlesource.com/c/1270199
  Reviewed-by: Kent Tamura <tkent@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3538@{#911}
  Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17471
  Allan Sandfeld Jensen, 2018-11-01, 3 files, -15/+84

  Security drop fullscreen for any nested WebContents level.

  This relands 3dcaec6e30feebefc11e with a fix to the test.

  BUG=873080
  TEST=as in bug
  Change-Id: Ifb23677fc981e8c821c0e985b99c856a22a19f2c
  Reviewed-on: https://chromium-review.googlesource.com/1175925
  Reviewed-by: Sidney San Martín <sdy@chromium.org>
  Commit-Queue: Avi Drissman <avi@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#583335}
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17470
  Allan Sandfeld Jensen, 2018-11-01, 5 files, -67/+470

  Implement immutable texture base/max level clamping

  It seems some drivers fail to handle that gracefully, so let's always clamp to be on the safe side.

  BUG=877874
  TEST=test case in the bug, gpu_unittests
  R=kbr@chromium.org
  Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
  Reviewed-on: https://chromium-review.googlesource.com/1194994
  Reviewed-by: Kenneth Russell <kbr@chromium.org>
  Commit-Queue: Zhenyao Mo <zmo@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#587264}
  Change-Id: Ia409bc5607e2c9e17c7a6c95904b6e4d05e9e318
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17469
  Allan Sandfeld Jensen, 2018-11-01, 3 files, -3/+106

  M70: Validate decoder pipelines.

  PDF decoders, AKA filters, can be chained together. There can be an arbitrary number of decoding / decompressing filters in the pipeline, but there should be at most 1 image decoder, and the image decoder should only be at the end of the chain.

  BUG=chromium:880675
  TBR=tsepez@chromium.org
  Change-Id: Iffa27c70ec1ed7574e38e0de23413840ee900959
  Reviewed-on: https://pdfium-review.googlesource.com/42711
  Reviewed-by: Ryan Harrison <rharrison@chromium.org>
  Reviewed-by: Tom Sepez <tsepez@chromium.org>
  Commit-Queue: Lei Zhang <thestig@chromium.org>
  (cherry picked from commit 5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400)
  Reviewed-on: https://pdfium-review.googlesource.com/42970
  Reviewed-by: Lei Zhang <thestig@chromium.org>
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17468
  Michael Brüning, 2018-11-01, 3 files, -7/+9

  Do not forward resource timing to parent frame after back-forward navigation

  LocalFrame has |should_send_resource_timing_info_to_parent_| flag not to send timing info to parent except for the first navigation. This flag is cleared when the first timing is sent to parent, however this does not happen if iframe's first navigation was by back-forward navigation. For such iframes, we shouldn't send timings to parent at all.

  Bug: 876822
  Reviewed-on: https://chromium-review.googlesource.com/1186215
  Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
  Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#585736}
  Change-Id: Iceb050ba3314de64e87f99f64d705a7e9c62d653
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Update LCMS
  Allan Sandfeld Jensen, 2018-10-31, 8 files, -24/+56

  Including fix for Chrome security issue 872189

  Change-Id: I4c99151035f1df2a1fe6680bf6bf556509a318cc
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Fix for CVE-2018-17462
  Allan Sandfeld Jensen, 2018-10-30, 1 file, -1/+1

  Refcount AppCacheGroup correctly.

  TBR=palmer@chromium.org

  (cherry picked from commit 9d2ead1650a1c901754dd1a68705006a6934cffc)

  Bug: 888926
  Reviewed-on: https://chromium-review.googlesource.com/1246827
  Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
  Reviewed-by: Joshua Bell <jsbell@chromium.org>
  Commit-Queue: Chris Palmer <palmer@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#594475}
  Reviewed-on: https://chromium-review.googlesource.com/1252004
  Cr-Commit-Position: refs/branch-heads/3538@{#733}
  Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
  Change-Id: I3889bda2e12de992cd10487ac74c470ade0e5917
* Add proxy_resolver_manifest
  Michal Klocek, 2018-10-15, 1 file, -1/+2

  Task-number: QTBUG-69281
  Change-Id: I0d8fe59caeb418533e4764f7f17a8bfe3ff0c72d
  Reviewed-by: Kai Koehne <kai.koehne@qt.io>
* Fix build on macOS with recent clang
  Michael Brüning, 2018-10-08, 1 file, -1/+1

  [Backport] Drop 'const' from arguments that expect a deduced function-ptr type

  Apparently the cv-qualifier of a function type must match, during deduction, see http://www.open-std.org/jtc1/sc22/wg21/docs/cwg_active.html#1584

  Recent Clang versions error about this so the code must be adjusted.

  Bug: 840251
  Reviewed-on: https://chromium-review.googlesource.com/1046588

  Task-number: QTBUG-70981
  Change-Id: I4f538e192745c1b2f6bb893441d52a06684028c7
  Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
* Fix resolve_proxy service permissions
  Michal Klocek, 2018-10-04, 3 files, -0/+23

  Task-number: QTBUG-69281
  Change-Id: I6ff926a0036c1df840c35192da71363ac240ce57
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security issue 868592
  Allan Sandfeld Jensen, 2018-09-25, 4 files, -15/+73

  M69 Mega-patch for 868592 fix

  This CL is a collection of cherry-picks related to crbug.com/868592 fix.
  Specifically, this is:
  - The original mega-patch crrev.com/222c9ba7c6
  - creis@ follow-up fix crrev.com/27986c7c955
  - kouhei@ follow-up fix crrev.com/6be8b5a07bdf

  The original change descriptions are captured below % Change-Id lines

  ---

  Speculative crash fix for navigator.serviceworker access during unload

  This should fix crash/caab6eb137e58385
  This CL addresses the unhandled case in crrev.com/582126

  TBR=falken@chromium.org
  Bug: 881126, 868592
  Reviewed-on: https://chromium-review.googlesource.com/1207781
  Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
  Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
  Reviewed-by: Nasko Oskov <nasko@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#589419}
  (cherry picked from commit 6be8b5a07bdfa95c37e2da9cace7d7d4b69b31b5)
  Reviewed-on: https://chromium-review.googlesource.com/1212368
  Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3545@{#2}
  Cr-Branched-From: a2bbe9dedf867fccce6d8073dc8e9c864c662bfe-refs/heads/master@{#589377}

  Speculative fix for additional History DocumentLoader crashes.

  There is no guarantee that the DocumentLoader is always attached [1], so let's introduce null checks in StateInternal and setScrollRestoration.

  [1] The DocumentLoader may be detached while FrameLoader::PrepareForCommit.

  BUG=879477, 872672
  Reviewed-on: https://chromium-review.googlesource.com/1200075
  Commit-Queue: Charlie Reis <creis@chromium.org>
  Reviewed-by: Nate Chapin <japhet@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#588227}

  Speculative fix for History::ScrollRestorationInternal null deref

  This is a speculative fix for crash reported on crbug.com/872672 .

  There is no guarantee that the DocumentLoader is always attached [1], so let's introduce a null check.

  [1] The DocumentLoader may be detached while FrameLoader::PrepareForCommit.

  Bug: 872672
  Reviewed-on: https://chromium-review.googlesource.com/1171972
  Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
  Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#582509}
  (cherry picked from commit a2a107d712d0fb754cc03ccb36630fa3ddc90f14)

  NavigatorServiceWorker: Avoid instantiating if being navigated away.

  This CL fixes a clusterfuzz crash which fails to minimize.

  Bug: 872320
  Reviewed-on: https://chromium-review.googlesource.com/1170160
  Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
  Reviewed-by: Matt Falkenhagen <falken@chromium.org>
  Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
  Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#582126}
  (cherry picked from commit d995adf5879e71074e33983b0b038d21b3f3be43)

  Flush microtask queue before commit

  Bug: 868592
  Reviewed-on: https://chromium-review.googlesource.com/1164148
  Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
  Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#581124}
  (cherry picked from commit 38894f66a9f1d3142746572da766de1b02f8e2ce)

  Prevent promise reject to be sync scheduled during DocumentLoader detach
  (% mod: revert fetch_manager.cc change)
  (cherry picked from commit c415acc1e0cd8ec75e43bcb596f7bd76321f72f8)

  Bug: 868592
  Change-Id: I50029416f0441a9f09c538716684a01cb8af93e1
  Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
  Reviewed-on: https://chromium-review.googlesource.com/1163235
  Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
  Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
  Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
  Cr-Original-Original-Commit-Position: refs/heads/master@{#580814}
  Reviewed-on: https://chromium-review.googlesource.com/1184122
  Cr-Original-Commit-Position: refs/branch-heads/3497@{#760}
  Cr-Original-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}
  Reviewed-on: https://chromium-review.googlesource.com/1218183
  Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
  Reviewed-by: Kentaro Hara <haraken@chromium.org>
  Reviewed-by: Charlie Reis <creis@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3497@{#938}
  Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security issue 867792
  Allan Sandfeld Jensen, 2018-09-14, 2 files, -2/+5

  vp9: fix OOB read in decoder_peek_si_internal

  Profile 1 or 3 bitstreams may require 11 bytes for the header in the intra-only case.

  Additionally add a check on the bit reader's error handler callback to ensure it's non-NULL before calling to avoid future regressions.

  This has existed since at least (pre-1.4.0):
  09bf1d61c Changes hdr for profiles > 1 for intraonly frames

  BUG=webm:1543
  Change-Id: I9cda3b68c497ebfb8ff752e236380fcba5c38001
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 867306
  Allan Sandfeld Jensen, 2018-09-14, 2 files, -4/+5

  Keep reference to DOMStorageNamespace while it's being cloned

  While DOMStorageNamespace::Clone constructs an instance, it binds it to a callback, posts it to a task runner and returns the instance as a raw pointer. Note that base::BindOnce here retains a reference to |clone| and releases the reference when the callback instance is destroyed. However, if PostTaskAndReply there failed, the callback instance is destroyed immediately and DOMStorageNamespace loses the last reference. Then, DOMStorageNamespace::Clone may return a stale pointer.

  This CL converts the return value to scoped_refptr, and has Clone() keep the reference to the resulting instance.

  Bug: 866456, 867306
  Change-Id: I54a330b2905c0d697ee31c3ab95764ecbb72abe1
  Reviewed-on: https://chromium-review.googlesource.com/1146409
  Reviewed-on: https://chromium-review.googlesource.com/1152588
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16085
  Allan Sandfeld Jensen, 2018-09-14, 2 files, -8/+12

  Fix heap-use-after-free by using weak factory instead of Unretained

  Bug: 856578
  Change-Id: I6e2bbb6c300f1be0f7935e3f204ae5887fe75533
  Reviewed-by: Hector Dearman <hjd@chromium.org>
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16083
  Allan Sandfeld Jensen, 2018-09-14, 2 files, -1/+25

  Fix handling invalid empty red packets

  Bug: chromium:856823
  Change-Id: Ie50e37f3377d5f7fce0ae17005bcd332af80ff9e
  Reviewed-by: Åsa Persson <asapersson@webrtc.org>
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16077
  Allan Sandfeld Jensen, 2018-09-14, 8 files, -11/+49

  Prevent sandboxed documents from reusing the default window

  Bug: 377995
  Change-Id: I5350c62072b46544331e40361b9d606d9e533ce3
  Reviewed-on: https://chromium-review.googlesource.com/983558
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16076
  Allan Sandfeld Jensen, 2018-09-14, 1 file, -4/+17

  Merge to M69: Bounds check lineSrc in JBig2_Image.cpp.

  No matter how the dimensions might be determined, we know the hard end of the source line, and can use it for a bounds check. We expect the size is quantized to a multiple of m_stride, so as long as each block operates within an m_stride, the initial check should be sufficient.

  TBR=thestig@chromium.org
  Bug: 867501
  Change-Id: I6868aa8d85e2ea61a6468d4632a6498fddfca08b
  Reviewed-on: https://pdfium-review.googlesource.com/39310
  Reviewed-on: https://pdfium-review.googlesource.com/39570
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security patch 864932
  Allan Sandfeld Jensen, 2018-09-12, 3 files, -0/+14

  Handle wrong tag element count in littlecms.

  BUG=chromium:864932
  Change-Id: I19b6c2f6c70c9d2f642859f30299d0a0f9e4aa2d
  Reviewed-on: https://pdfium-review.googlesource.com/38270
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16070
  Allan Sandfeld Jensen, 2018-09-12, 4 files, -27/+52

  Add checks to make sure we don't overflow 32 bit int in GPU path renderers.

  Bug: chromium:848716
  Change-Id: I5b8fe036c666a1f379c4125115b2cec0295711b3
  Reviewed-on: https://skia-review.googlesource.com/132268
  Reviewed-by: Brian Salomon <bsalomon@google.com>
  Commit-Queue: Greg Daniel <egdaniel@google.com>
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16066
  Allan Sandfeld Jensen, 2018-09-12, 4 files, -18/+16

  Do not crash while reentrantly appending to style element.

  When a node is inserted into a container, it is notified via ::InsertedInto. However, a node may request a second notification via DidNotifySubtreeInsertionsToDocument, which occurs after all the children have been notified as well.

  *StyleElement is currently using this second notification. This causes a problem, because *ScriptElement is using the same mechanism, which in turn means that scripts can execute before the state of *StyleElements is properly updated.

  This patch avoids ::DidNotifySubtreeInsertionsToDocument, and instead processes the stylesheet in ::InsertedInto. The original reason for using ::DidNotifySubtreeInsertionsToDocument in the first place appears to be invalid now, as the test case is still passing.

  R=futhark@chromium.org, hayato@chromium.org

  Bug: 853709, 847570
  Reviewed-on: https://chromium-review.googlesource.com/1104347
  Change-Id: I1f8b3397f970c690d0f769788dbaa84136206816
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* Update usrsctp
  Allan Sandfeld Jensen, 2018-09-12, 25 files, -283/+199

  Includes fix for security issue 854883

  Change-Id: I53b394402cb44a4b21ab2a27a90175103a810e38
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16073
  Allan Sandfeld Jensen, 2018-09-12, 5 files, -33/+346

  [Merge to M69] Use unique processes for data URLs on restore.

  Data URLs are usually put into the process that created them, but this info is not tracked after a tab restore. Ensure that they do not end up in the parent frame's process (or each other's process), in case they are malicious.

  BUG=863069
  Change-Id: I899a3da54ea15c922092e02b7c152c5c7c2e342f
  Reviewed-on: https://chromium-review.googlesource.com/1150767
  Reviewed-on: https://chromium-review.googlesource.com/1167771
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16074
  Allan Sandfeld Jensen, 2018-09-12, 2 files, -1/+71

  Avoid sharing process for blob URLs with null origin.

  Previously, when a frame with a unique origin, such as from a data URL, created a blob URL, the blob URL looked like blob:null/guid and resulted in a site URL of "blob:" when navigated to. This incorrectly allowed all such blob URLs to share a process, even if they were created by different sites.

  This CL changes the site URL assigned in such cases to be the full blob URL, which includes the GUID. This avoids process sharing for all blob URLs with unique origins.

  This fix is conservative in the sense that it would also isolate different blob URLs created by the same unique origin from each other. This case isn't expected to be common, so it's unlikely to affect process count. There's ongoing work to maintain a GUID for unique origins, so longer-term, we could try using that to track down the creator and potentially use that GUID in the site URL instead of the blob URL's GUID, to avoid unnecessary process isolation in scenarios like this.

  Note that as part of this, we discovered a bug where data URLs aren't able to script blob URLs that they create: https://crbug.com/865254. This scripting bug should be fixed independently of this CL, and as far as we can tell, this CL doesn't regress scripting cases like this further.

  Bug: 863623
  Change-Id: I861330de193039ac9f6ef9039e7cd9a2c3d3d383
  Reviewed-on: https://chromium-review.googlesource.com/1142389
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Avoid unneeded call to Origin::GetURL from SiteInstance::GetSiteForURL.
  Allan Sandfeld Jensen, 2018-09-12, 3 files, -3/+66

  Bug: 820070
  Change-Id: I3fd1cd2fb5c53568a53a59046b8180a01d8b8877
  Reviewed-on: https://chromium-review.googlesource.com/956308
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Correctly handle blob:file:///... URIs in SiteInstance::GetSiteForURL.
  Allan Sandfeld Jensen, 2018-09-12, 2 files, -5/+15

  file URIs should map to "file:///" site. The same site needs to also be used for blob:file:///... URIs - this is what is fixed by this CL.

  Bug: 697111
  Change-Id: I03627c134d58a47e824eac593939385790aae5f2
  Reviewed-on: https://chromium-review.googlesource.com/953129
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16072
  Allan Sandfeld Jensen, 2018-09-12, 2 files, -0/+13

  Fix HasSingleSecurityOrigin for HLS

  HLS manifests can request segments from a different origin than the original manifest's origin. We do not inspect HLS manifests within Chromium, and instead delegate to Android's MediaPlayer. This means we need to be conservative, and always assume segments might come from a different origin. HasSingleSecurityOrigin should always return false when decoding HLS.

  Bug: 864283
  Change-Id: I264048280792ce39e7f0938f677ee12d301688b6
  Reviewed-on: https://chromium-review.googlesource.com/1142691
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16071
  Allan Sandfeld Jensen, 2018-09-12, 3 files, -39/+48

  Unwrap TL0 pic index to avoid having to work with a wrapped number.

  This is to avoid clearing the |gof_info_| map when there are jumps in the tl0 pic index.

  Bug: chromium:855211
  Change-Id: I762557070d65b3c535cb9a49498975bcd9c2c485
  Reviewed-on: https://webrtc-review.googlesource.com/86943
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16068
  Allan Sandfeld Jensen, 2018-09-12, 2 files, -2/+14

  [mojo-core] Validate data pipe endpoint metadata

  Ensures that we don't blindly trust specified buffer size and offset metadata when deserializing data pipe consumer and producer handles.

  TBR=rockot@chromium.org

  (cherry picked from commit 66e24a8793615bd9d5c238b1745b093090e1f72d)

  Bug: 877182
  Change-Id: I10572a0627c282825593956b04ef235adb4add43
  Reviewed-on: https://chromium-review.googlesource.com/1192922
  Reviewed-on: https://chromium-review.googlesource.com/1196554
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-16067
  Allan Sandfeld Jensen, 2018-09-12, 2 files, -17/+14

  Audio thread should not access destination node

  The AudioDestinationNode is an object managed by Oilpan so the audio thread should not access it. However, the audio thread needs information (currentTime, etc) from the destination node. So instead of accessing the audio destination handler (a scoped_refptr) via the destination node, add a new member to the base audio context that holds onto the destination handler. The destination handler is not an oilpan object and lives at least as long as the base audio context.

  Bug: 860626, 860522, 863951
  Change-Id: I5d4d5e82c09bea552f0866b52515878683b87f3a
  Test: Test case from 860522 doesn't crash on asan build
  Reviewed-on: https://chromium-review.googlesource.com/1138974
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* Fix hunspell::NodeReader::affix_id_for_leaf bounds check (tag: v5.11.2)
  Jüri Valdmann, 2018-08-27, 1 file, -1/+1

  Last leaf node's affix ID is currently always zero due to bad bounds check.

  Task-number: QTBUG-70034
  Change-Id: I4c7865cac4fb7a79811232000f613151875e7ee2
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security Bug 831117 2/2
  Michal Klocek, 2018-08-20, 3 files, -5/+44

  Oilpan: Clear all Persistents on thread termination

  Clear all persistents on thread termination, because when we have a bug and it leaves a Persistent behind, it will not be a stale pointer and just causes null dereference.

  Since we disabled PersistentHeapCollections on non-main threads we can assume all PersistentNode::Self() can be cast to Persistent<DummyGCBase>

  Bug: 831117
  Reviewed-on: https://chromium-review.googlesource.com/1025547

  -----------------------------------------------------------------

  Oilpan: Clear all Persistents on thread termination.

  Persistents should be cleared when NumberOfPersistents() != 0.

  Bug: 831117
  Reviewed-on: https://chromium-review.googlesource.com/1089460

  -----------------------------------------------------------------

  Change-Id: Ibe6f61a894195d240b288e995e633c4749870663
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 831117 1/2
  Michal Klocek, 2018-08-20, 4 files, -7/+56

  [oilpan] Detach V8 garbage collector before running termination GC

  Any roots from V8 into Blink need to be cleared before running the termination garbage collection to ensure that all objects die and finalizers are called.

  Bug: chromium:831117
  Reviewed-on: https://chromium-review.googlesource.com/1025032
  Change-Id: I3e153584e1a8d0ea42675e6f6e94693295230f05
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 683418
  Michal Klocek, 2018-08-20, 4 files, -0/+111

  Enforce that WebUI documents cannot include web content.

  This CL adds a new NavigationThrottle class for enforcing security properties of navigations. The first case is checking that no web content is navigated to in iframes on WebUI pages or no navigations to web content are allowed in processes having WebUI bindings.

  Bug: 683418
  Reviewed-on: https://chromium-review.googlesource.com/726329
  Change-Id: I79c2c78454283bc485e62a7b2250f75c220cd862
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 840695
  Michal Klocek, 2018-08-20, 1 file, -1/+0

  Fix destruction order in CPDF_Dibsource.

  The order of the elements in the header is correct, but we were clearing it early in the destructor itself.

  Bug: 840695
  Reviewed-on: https://pdfium-review.googlesource.com/32311
  Change-Id: I86e3b7ac5754dc6cb1f45c7dc46433d9a0a3906b
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security Bug 838886
  Michal Klocek, 2018-08-20, 4 files, -58/+104

  Retain pp::ImageData while there are pending paints against it.

  The ImageData might get destroyed while the paints are still pending. Typically, the paints are then cancelled thereafter so no harm comes from the dangling references, but this patch avoids creating them in the first place.

  The remaining changes are consequences of ProgressivePaint becoming non-POD, and converting to protected members. Also use scoped FPDF classes while we're at it.

  Bug: 838886
  Reviewed-on: https://chromium-review.googlesource.com/1054502

  ----------------------------------------------------------------

  Prove that the memory was good at FPDFBitmap_CreateEx() create time.

  Diagnostic for the associated bug, not a bugfix. Helps rule out one possible scenario.

  Bug: chromium:838886
  Reviewed-on: https://pdfium-review.googlesource.com/32055

  ----------------------------------------------------------------

  Change-Id: If8c4c2bd87b8b77e1111f27acf3276a7ebd6698f
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2018-6158
  Michal Klocek, 2018-08-20, 5 files, -67/+142

  Reland "[oilpan] Fix GCInfoTable for multiple threads"

  Previously, grow and access from different threads could lead to a race on the table backing; see bug.
  - Rework the table to work on an existing reservation.
  - Commit upon growing, avoiding any copies.

  Reland:
  - Fix an issue for component builds where the singleton was instantiated multiple times.

  Bug: chromium:841280
  Reviewed-on: https://chromium-review.googlesource.com/1068636
  Change-Id: Iaddee6b594d6853dcbb29aec2c29330987c3b6a9
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* Fix compilation issues introduced in previous commits
  Michal Klocek, 2018-08-20, 1 file, -1/+2

  Change-Id: I95e7288cbb89408fa5284adefe78a06d2b27eb6e
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>