Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2093604
https://chromium-review.googlesource.com/c/chromium/src/+/2104774
[Merge M80 minibranch] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1.
(cherry picked from commit 3030db702eee4f24e74e84b66024bd0875fd5418)
Bug: 1059349
Change-Id: Ib13d240407297ee508865fdfc38425377a9d064b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2098260
https://chromium-review.googlesource.com/c/chromium/src/+/2104992
Make finished_source_handlers_ hold scoped_refptrs
Previously, finished_source_handlers_ held raw pointers to
AudioHandlers and assumed that active_source_handlers_ also had a
copy. But when the context goes away, active_source_handlers_ would
be cleared, but not finished_source_handlers_, leaving pointers to
deleted objects.
So do two things:
1. Change finished_source_handlers_ to hold scoped_refptrs to manage
lifetime of the objects
2. Clear finished_source_handlers_ in ClearHandlersToBeDeleted()
Either of these fixes the repro case, but let's do both. Don't want to
leave dangling objects.
Manually tested the repro case which no longer reproduces.
Bug: 1059686
Change-Id: I11e999e6d7243351771d9530ceb924bd635578fd
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2082897
https://chromium-review.googlesource.com/c/chromium/src/+/2104662
Use SupportsWeakPtr for messaging from rendering thread to main thread
In cross-thread messaging, the associated execution context can be
already gone when a posted task is performed sometime later in the task
runner's queue.
By using WeakPtr, the task runner will not perform a scheduled task
in the queue when the target object is invalid.
Test: Locally confirmed that the repro does not crash.
Bug: 1057627
Change-Id: Ia794fe220ac9868584be4d3993790293daf52c8a
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2083436
https://chromium-review.googlesource.com/c/chromium/src/+/2104827
Break connections before removing from active_source_handlers_.
In DeferredTaskHandler::BreakConnections, we want to remove finished
handlers and break the connection. When a finished handler is removed
from active_source_handlers_, it might be deleted, but we were still
using that to create the connection. Instead, break the connection
first and then remove it.
Manually ran test from the bug and it passes with this change. Without
this, it failed right away.
Bug: 1057593
Change-Id: Id9254071e7860d593d6061fd395c00160002202b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2074807
https://chromium-review.googlesource.com/c/chromium/src/+/2104664
Use WeakPtr for cross-thread posting
{IIR,Biquad}FilterNodes check the state of the filter and notify the
main thread when it goes bad. In this process, the associated context
can be collected when a posted task is performed sometime later
in the task runner's queue.
By using WeakPtr, the task runner will not perform a scheduled task
in the queue when the target object is invalid anymore.
(cherry picked from commit 2cd0af7ea20547c2471483ef2233f3b068db93c3)
Test: Locally confirmed that the repro case does not crash after 30 min.
Bug: 1055788
Change-Id: I23e001ad6e900631d0e9e475f690c57f63639dcc
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2053167
https://chromium-review.googlesource.com/c/chromium/src/+/2104990
Verify if the context is still available.
Resolve conflict manually with git-drover
Bug: 1051748
Change-Id: Ia0c96282b89510369e31b559a4234571c57b40ef
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/v8/v8/+/2104887
Merged: [intl] Fix Intl.NumberFormat constructor
Revision: 09d14728ca251c955f4634036f8d72a4665e96c6
BUG=chromium:1052647
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
Change-Id: Iff7dbf9e6e3b071d5a98e61120f5c2aa69affe7f
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

b88a10e7a666792cc8a2d9a9310748a79b1f032b accidentally removed a
return statement. Add it again.
Change-Id: I358f7929b42779e2bea64dcb306884d484cb2743
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Hand merged from:
CacheStorage: Ignore code cache for origins that do not match the renderer.
This CL is inspired by the previously attempted crrev.com/c/1434754. That
was reverted due to excessive renderer crashes. As an interim step this CL
instead ignores code cache when the origin seems wrong. We also add a
UMA to see how often it's triggering in practice so we can start trying to
isolate the unexpected circumstances.
Bug: 925035
Change-Id: Iec4d0206ba5ed74950537d74a4ad180ee6b98905
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Robert Kaplow <rkaplow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#709036}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1712949:
Move CodeCacheHost and GeneratedCodeCache to UI thread
See the issue for more details. It doesn't look like this needs to live on
the IO thread, so this patch moves all the code cache code onto the UI thread
so that the security check can become easier.
(Alternatively we can only move CodeCacheHost to UI thread
but leave everything else on IO thread or on a sequenced task runner.
e.g. https://chromium-review.googlesource.com/c/chromium/src/+/1705540)
Bug: 985681
Change-Id: I3a780902135b19d2c55a5b844c230aa694856667
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1869384:
IndexedDB: Mark transactions inactive during structured cloning.
Bug: 1016038
Change-Id: Icf24fb597c0dbfd83220fac20a557d05b0c9b96b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1922280:
Disallow middle dot (U+00B7) when unsafe in IDN display
This character ("·") can be used to spoof domain names. Only allow
if it's used to express Catalan character ela geminada on Catalan
domains (i.e. when used between 'l' characters).
According to usage logs, this change affects a single domain name
with a small number of users.
Bug: 1025442
Change-Id: Ic45ad4ddb87a46e5394581babce18988004782f8
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Cherry-pick of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/65830
https://pdfium-review.googlesource.com/c/pdfium/+/66290:
M80: Avoid an integer overflow in OpenJPEG.
Patch in upstream commit 05f9b91e60debda0e83977e5e63b2e66486f7074.
TBR=tsepez@chromium.org
Bug: chromium:1047097
Change-Id: Ia9c3c9f3b130f87f47c5aaf5c3640c8008900ce4
Auto-Submit: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 65137d177ac2f6c1591a1f6e8b8809936bfd088d)
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/1925056:
Harden XLink defense-in-depth
This patch leverages the native `URL` API for URL parsing and
validation for XLink components. It also ensures XLinks get
rel=noopener.
Bug: chromium:1026293
Change-Id: Iad274bbde5d2ad9f0d8b22f35f3e36cba2aa76f1
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/160304:
Fixing a buffer overflow in Merge::Downsample
In the unlikely event that the decoded audio is really short, the
downsampling would read outside of the decoded audio vector. This CL
fixes that, and adds a unit test that verifies the fix (when running
with ASan).
Bug: chromium:1016506
Change-Id: I498b49ab4cf376d4680049fa6b0a67d7515b0e04
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/1903440:
[interpreter] Move function-entry stack check to start of bytecode array
The function-entry stack check should dominate all other
instructions in a function. Prior to this CL it was possible to create
paths not including a stack check due to SwitchOnGeneratorState: the
generator-creation branch had a stack check, while generator-resume
branches did not.
0 : af fb 00 01 SwitchOnGeneratorState r0, [0], [1] { 0: @22 }
4 : 27 fe fa Mov <closure>, r1
7 : 27 02 f9 Mov <this>, r2
10 : 64 0a fa 02 InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2
14 : 26 fb Star r0
16 : a7 StackCheck
17 : b0 fb fb 01 00 SuspendGenerator r0, r0-r0, [0]
22 : b1 fb fb 01 ResumeGenerator r0, r0-r0
[... no stack check here ...]
This CL moves the stack check to the beginning of the bytecode array,
i.e. before SwitchOnGeneratorState.
Bug: chromium:1020031
Change-Id: I07ba6fdfa207309c2cc64b9c6e8a9cf171c84fb5
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/1948711:
[Turbofan] Fixes crash on missing BigInt.asUintN argument
Bug: chromium:1029576
Change-Id: I4645b9688fecccdf31b428f27ca0f4361c265a3b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1940722:
Fix parser mXSS sanitizer bypass for <p> and <br> within foreign context
Prior to this CL, the following code:
<svg></p></svg>
parsed to this innerHTML: <svg><p></p></svg>
This is in contrast to this code:
<svg><p></svg>
which parses to <svg></svg><p></p>
The fact that the </p> is left inside the <svg> allowed sanitizer
bypasses as detailed in [1]. Please also see [2] for the spec
discussion.
With this CL, </p> and </br> within a foreign context now cause
the closing of the foreign context.
[1] https://research.securitum.com/dompurify-bypass-using-mxss/
[2] https://github.com/whatwg/html/issues/5113
Bug: 1005713
Change-Id: Iecaced38ed06c74296731c0bdcc10d2bbb462ff8
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1881887:
Allow whole-script confusable Cyrillic domains only on Cyrillic TLDs
A whole-script confusable Cyrillic domain consists of entirely Cyrillic
characters that look identical to Latin characters (e.g. xn--80ak6aa92e[.]com
decodes to аррӏе[.]com where аррӏе is in fact '\x0430\x0440\x0440\x04cf\x0435').
A previous change allowed whole-script confusable Cyrillic characters on
non-ASCII top level domains only. This means that xn--80ak6aa92e[.]com remains
punycode (TLD is .com) but xn--80ak6aa92e[.]xn--p1ai is decoded as аррӏе[.]рф
(TLD is Cyrillic). However, this also allows spoofs in other non-ASCII TLDs
such as аррӏе[.]中国 so it's not a sufficient measure.
This change further limits allowable whole-script confusable Cyrillic domains
to Cyrillic TLDs (instead of non-ASCII) and a small list of additional TLDs
containing a large number of Cyrillic domains (bg, by, kz, pyc, ru, su,
ua, uz). The idea is that users familiar with Cyrillic are more likely
to encounter these TLDs and notice any discrepancies in the displayed
domain name.
Bug: 968505
Change-Id: I83dbb215c5177f3faa80e0e0c157aeb483fe7138
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1907071:
[net] Fix spoof attack on file:// URLs on POSIX systems
For file:// URLs on POSIX, we currently discard the host portion of the
URL, and treat all file:// URLs as local. On Windows, we use the host
portion as the SAMBA share, so this bug is inapplicable to Windows.
This allows us to have URLs like:
file://accounts.google.com/home/tommycli/Downloads/evil.html
This is a low severity bug, since it's quite hard to exploit, but we
should fix it anyways.
RFC 8089 doesn't actually prohibit our previous behavior, but it does
frown on it.
This CL *could* break file:// links that relied on the old behavior,
but those file:// links should probably be rightfully-broken, since
they didn't work on Windows anyways.
Bug: 881675
Change-Id: Iae7e2d8e67c619fbfed4bba9e722be77ed54d792
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/1910939:
[builtins] Ensure constructor has a prototype slot
Drive-by-cleanup: simplify related helper functions in CSA.
Bug: chromium:1022855
Change-Id: Iea0e090e319365d11cdd16603d67d402968b851a
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Cherry pick of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/1922305
blink: Handle peekPixels failure in ImageDataBuffer and add msan checks.
R=fserb@chromium.org
Bug: 1018629
Auto-Submit: Khushal <khushalsagar@chromium.org>
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#718268}
Change-Id: Ied407cbaeeb920ffe0c25b39a03f485bebfe5bc0
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Blink (3/3)
Manual backport of patch originally reviewed on
Disable CSS @import rules in clipboard markup sanitization
While clipboard markup is allowed to carry style sheets to style the
elements to be pasted (e.g., when copying from Excel), @import rules
should be disabled for security reasons.
This patch disables @import rules when sanitizing the markup in a dummy
document to make sure we don't initiate any stylesheet loading during
the process.
Bug: 1017871
Change-Id: Ibf997611a0879dd9bb789619044a416e139b0e3c
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Blink (2/3)
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1931412:
Strip SVGStyleElement in ReplaceSelectionCommand
crrev.com/c/1922919 added a stylesheet sanitizer for clipboard, but left
a loophole for SVGStyleElement. This patch also strips it.
Bug: 1017871
Change-Id: I8bd3ffbc8a9dc833b6cc2571c7e9ebf999bf495b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Blink (1/3)
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1934650:
Reland "Sanitize style elements in clipboard markup"
This reverts commit f6953a5e9d62cde66ea6edd2f4f46d1dcee7940b.
Reason for revert: Manually destroyed the dummy page to ensure no leak
Original change's description:
> Revert "Sanitize style elements in clipboard markup"
>
> This reverts commit d96236b5d2bad68a0cc8f62501ba15c38c8cf96a.
>
> Reason for revert: This may cause "WebKit Linux Leak" failure
> First failure: https://ci.chromium.org/p/chromium/builders/ci/WebKit%20Linux%20Leak/7276
>
> Original change's description:
> > Sanitize style elements in clipboard markup
> >
> > This patch sanitizes clipboard markup before pasting it into document
> > by removing all pasted style elements and serializing them onto
> > elements as inline style. In this way, we stop stylesheets in clipboard
> > markup from being applied to the original elements in the document.
> >
> > This patch follows the same approach as in WebKit [1]:
> > - First create a dummy document to insert the markup
> > - Then computes style and layout in the dummy document
> > - Re-serialize the dummy document as the markup to be inserted. This
> > reuses the code path that we serialize a selection range into
> > clipboard, where we need to serialize element computed style into
> > inline styles so that the element styles are preserved.
> > - Make sure all style elements are removed before inserting markup
> > into document
> >
> > This patch also adds a complete test to ensure that content pasted from
> > Excel is still properly styled, which is the main reason we used to
> > preserve style elements in clipboard markup [2].
> >
> > [1] https://trac.webkit.org/changeset/223440
> > [2] http://crbug.com/121163
> >
> > Bug: 1017871
> > Change-Id: I3bb5a4ae7530a3fdef5ba251975e004857c06f1e
> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1922919
> > Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
> > Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
> > Reviewed-by: Kent Tamura <tkent@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#718281}
>
> TBR=yosin@chromium.org,tkent@chromium.org,xiaochengh@chromium.org
>
> # Not skipping CQ checks because original CL landed > 1 day ago.
>
> Bug: 1017871, 1027386
> Change-Id: I1d500647d6227c9be3ae14d9604ba702e9c29834
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1933452
> Reviewed-by: Owen Min <zmin@chromium.org>
> Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
> Commit-Queue: Owen Min <zmin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#718778}
TBR=yosin@chromium.org,tkent@chromium.org,zmin@chromium.org,xiaochengh@chromium.org
Cq-Include-Trybots=luci.chromium.try:layout_test_leak_detection
Bug: 1017871, 1027386
Change-Id: I3828df13d2c3ddf90df49b948302e5b59452ddfa
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1927207:
Pack CreateMarkup() optional parameters into CreateMarkupOptions
CreateMarkup() has too many option parameters. This patch packs them
into a CreateMarkupOptions object, to improve code readability and
make it easier for callers to call CreateMarkup() without the need to
understand all different parameters.
This is also a preparation for crrev.com/c/1922919 where we need to
add another parameter to CreateMarkup().
Change-Id: Ia97490279ec027b88c61fbc6de482b1310cabcf6
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1961843
https://chromium-review.googlesource.com/c/chromium/src/+/1999223:
Always repaint inspector overlay
TBR=wangxianzhu@chromium.org
(cherry picked from commit d947c9c1f136a657b9ac5f2e041e9a11826b4b63)
Bug: 1021766
Change-Id: I11025dedb76d06f28ccad03d614a18c4a2322faa
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1999300
https://chromium-review.googlesource.com/c/chromium/src/+/2007520:
AppCache: Remove nonstandard "isPattern" support
Chrome's AppCache implementation supported specifying namespaces as
regular expressions that match URLs. This extension was invoked by
adding the `isPattern` keyword after the namespace in the manifest.
Histograms indicate that there is no usage of this feature. Start the
removal process by removing parser support and having tests ensure
the parser treats such entries normally. Subsequent CLs will delete
the plumbing entirely.
(cherry picked from commit 034b02983e7b849eab657fcdb246106a37dbf3f3)
Bug: 1039869
Change-Id: I17d3a1a5417a6cb3c261d388760a65127c38de4a
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1924031:
Use unicode max codepoint for delimiter instead of ORC, and skip buffers with null NGOffsetMapping
It's possible to try to find the Object Replacement Character (ORC), so
we should not use that as a delimiter of invalid elements as we might
wrongfully think that the delimiters are an actual match, causing
crashes.
Additionally in some cases layout might fail causing the FindBuffer to
have null NGOffsetMapping, causing crashes. In this case we should skip
the entire block as we can't get the ranges correctly.
Bug: 1020105, 1002753, 1024256
Change-Id: I3beb2231aa06c98906291760e0a60f89b50288e2
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1904761:
Disallow Latin Small Letter Schwa (U+0259) for domains outside .az TLD
The letter "ə" (U+0259) can be confused with both "e" and "a" when used
in domain names. IDN spoof checker currently doesn't have a way of
treating a single character as confusable with multiple characters, so
the only option is to map this letter to either "e" or "a" but not both.
This is obviously not desirable since the Schwa can be used to spoof the
non-mapped character.
As a result, there is no straightforward solution other than limiting the
character to .az domains (The letter is used commonly in Azerbaijani
language).
This fix affects ~250 registered domains containing the letter "ə".
However, only ~40 of these domains serve some sort of content, the rest
are either parked or don't serve content. Furthermore, only 1 of these
domains appears in usage logs and the domain is not widely used, so this
is probably a safe change.
Bug: 1017707
Change-Id: I18a32d193e9290babd9199c7d55d127f7b33bd42
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1881344:
Restrict Latin Small Letter Eth (U+00F0) to Icelandic domains
crrev.com/c/1879992 restricted Latin Small Letter Thorn to Icelandic
domains. This CL does the same for Eth (ð) as it can be confused with
the characters "o" and "d" in some fonts.
This change affects less than 10 real world domains with limited popularity.
Bug: 1017707, 929711
Change-Id: I8f0394d4c1531eb2051d38c78afe00f550d3da73
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1879992:
Restrict Latin Small Letter Thorn (U+00FE) to Icelandic domains
This character (þ) can be confused with both b and p when used in a domain
name. IDN spoof checker doesn't have a good way of flagging a character as
confusable with multiple characters, so it can't catch spoofs containing
this character. As a practical fix, this CL restricts this character to
domains under Iceland's ccTLD (.is). With this change, a domain name containing
"þ" with a non-.is TLD will be displayed in punycode in the UI.
This change affects less than 10 real world domains with limited popularity.
Bug: 798892, 843352, 904327, 1017707
Change-Id: I7ade7305a4235e51ed3c7d0a6acb1ce6df7544f1
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1994288:
[resource-timing] Error status code nav requests add entry to parent
In [1] we made sure that subresource requests that get a failing status
code still get their resource-timing entries reported.
However, it seems like we failed to do the same with navigation
requests that are typically reported to their parents.
This CL fixes that.
[1] https://chromium-review.googlesource.com/c/chromium/src/+/1796544
(cherry picked from commit add3de3e61bdd06d217307eca97f35e38f257aa9)
Bug: 1038036
Change-Id: Ibbe908e21faad41cb6e28f6deb76dbaa368064a0
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/63933:
M80: Avoid regenerating revision 5 and 6 encryption dictionaries.
Unlike revision 2 and 3, revision 5 and 6 encryption is not tied to the
document ID in the trailer. Thus regenerating the encryption dictionary
when the ID changes is completely unnecessary. Avoid doing this.
Unlike https://pdfium-review.googlesource.com/c/pdfium/+/63933, this
merge CL does not include the tests.
Bug: chromium:1032090
Change-Id: I7f855cd31968f28668c0cf0ded8286d17fc990ad
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2023350:
M80 merge: Preserve scissor for RPDQs with filters
Cherry pick of https://chromium-review.googlesource.com/c/chromium/src/+/2019804
If the RPDQ has a filter, its touched pixels are not actually restricted
to the visible rect of the quad. In that case it is incorrect to explicitly
clip the visible rect to the scissor and not set the scissor as a clipRect.
This CL makes it so the scissor is remembered and is applied post-filtering,
so effects like drop shadows are properly clipped to the window content.
Bug: 1035271
Change-Id: Iaba086c2d6f679c659e99410a2ab3dffa7c7cc42
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1916467:
Prevent sandboxed frames from navigating to `javascript:`.
Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags
can cause JavaScript execution in their origin by navigating to a
`javascript:` URL via `target=_blank` or similar. This is technically
correct, but surprising.
https://github.com/whatwg/html/pull/5083 aims to tighten that check to
match developers' expectations that `javascript:` URLs controlled by a
page that's been sandboxed away from script will not execute.
Bug: 1014371
Change-Id: Id3e9ebf7f4082c96a92bdaccaea1dd73f5c9b54b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1972849
https://chromium-review.googlesource.com/c/chromium/src/+/1986791:
Override scroll{Width,Height} in suggest state
We have added
input::-internal-input-suggested,
textarea::-internal-input-suggested {
font: -webkit-small-control !important;
}
to html.css to prevent that the scrollWidth/scrollHeight attributes of
an input element disclose information about autofill content that is in
suggest (preview) state.
This CL mocks out the scrollWidth/scrollHeight values in preview state
and may allow us to disable the font overriding again.
TBR=kojii@chromium.org
(cherry picked from commit 39f06061af8da287363cba093071ec348ef642c2)
Bug: 1035058
Change-Id: Ib7b56127f780a19672beb61e4b760a13e3f260cd
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/1956529
https://chromium-review.googlesource.com/c/chromium/src/+/1992764:
DevTools: check session can inspect URL we're about to navigate to
TBR=rdevlin.cronin@chromium.org
(cherry picked from commit 0788b1d419f78050f1114fffefd1f68cd88d1dab)
Bug: 1030411
Change-Id: I31477509283e166cf51f58d617df95628dcb0f60
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2003564
https://chromium-review.googlesource.com/c/chromium/src/+/2008320:
Add a graph lock in PannerHandler::SetPanningModel()
We need the graph lock to secure the panner backend because
BaseAudioContext::Handle{Pre,Post}RenderTasks() from the audio thread
can touch it.
(cherry picked from commit 00962dd2d61776b03be93557683d8a301e4bb572)
Test: ran two repro cases from the report over 1 hour and TSAN survived.
Bug: 1042254
Change-Id: Ie768f00455198ebd4aa376f85da4fa4a66366061
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Restore tracing service.
Seems std::tuple in gcc 5 does not support direct construction of the elements,
so instead the elements have to be convertible and movable.
Task-number: QTBUG-81767
Change-Id: I6f700e0776c082cec82e1b1c8731d77a26f783d1
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Kirill Burtsev <kirill.burtsev@qt.io>
(cherry picked from commit 468c292d227f555b929911c533db2e465a1489a0)

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2002388:
Merged: Squashed multiple commits.
Merged: [turbofan] fix type widening bug in RedundancyElimination
Revision: 3f7e99ac460c3ca689aac76c39fbdf1852c9a7be
Merged: [turbofan] fix type widening bug in RedundancyElimination, completely
Revision: 69b195c935b28857ee8e85c22af14837a0ce2c62
BUG=chromium:1031909
Change-Id: I471c05fa3d5e83bb5a8eb1ca23d92a9a142ed60a
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2055989
https://chromium-review.googlesource.com/c/chromium/src/+/2075339:
MediaElementAudioSourceNode always sets is_origin_tainted
When a source changes for a MediaElementAudioSourceNode, the number of
channels and sample rate can be the same as the previous source.
However, we were skipping updating |is_origin_tainted_| in this case,
which allowed audio through even though we printed a message that CORS
prevented this.
Now always update |is_origin_tainted_| right away.
(cherry picked from commit ace7aab359d2fa00ef71e168418ae76df853445b)
Bug: 1050996
Change-Id: If1f96d95d01700a9f178a98168401c6a1f3501a6
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/166463:
RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire
Bug: chromium:1042933
Change-Id: I262c26961a35a6005e05738b5ed296d69f4cecda
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/166441:
Add safety checks in RtpPacket::ZeroMutableExtensions and fuzz it
Bug: chromium:1042535
Change-Id: I9573ef438dc76782bb8d5ba06e79fc83611118f8
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2036290:
Cherrypick fix for SEGV_MAPERR
Avoid int32_t overflow in length addition
See
https://bugs.chromium.org/p/chromium/issues/detail?id=1044570
https://unicode-org.atlassian.net/browse/ICU-20958
https://github.com/unicode-org/icu/pull/971
Bug: chromium:1044570
Change-Id: I8be1a586e38da8cbf85a2f9420cc5a7d0d68b642
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Merge M80: "Neuter DefaultDecoderFactory after MediaFactory destruction."
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1990200
Since we started allowing asynchronous stop of media::PipelineImpl, we
have released the DefaultDecoderFactory on the media thread assuming it
was safe to continue usage after ~MediaFactory. It turns out this is not
the case for the MojoDecoderFactory used by DefaultDecoderFactory.
To fix, we now neuter the DefaultDecoderFactory in ~MediaFactory to
prevent decoders from being created. This is done under a lock since the
decoder creation methods are called from the media thread and
~MediaFactory happens on the render thread at time of ~RenderFrame.
TBR=xhwang
(cherry picked from commit 7b100c28d219f682763522ed0a3e30e231c1176b)
Fixed: 1029865
Change-Id: I3cde99102863565c05f9da042f27eaac982bcc28
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2042409
https://chromium-review.googlesource.com/c/chromium/src/+/2055005
Do not resume OfflineAudioContext when it is cleared
Previously OfflineAudioContext::resumeContext() method did not check
if the context is cleared by ExecutionContext::ContextDestroyed().
Such case is possible when the audio context is a part of a detached
iframe.
This CL changes the check so we can verify if the context's resources
are still available. Otherwise, we can reject the resume promise
resolver.
(cherry picked from commit 5d595814f7262727112fc068ad6d4bc9ec319df4)
Test: Locally confirmed ASAN does not crash with the repro case.
Bug: 1048473
Change-Id: I24b498b5c1a197aa2c671532a466fb188800b1e9
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2032471
https://chromium-review.googlesource.com/c/chromium/src/+/2060221:
Streams: Convert state DCHECKs to CHECKs
Merge to release branch 3987. Original description:
For "cheap" checks of state in the streams implementation, use CHECKs
instead of DCHECKs. This will improve robustness against logic errors.
BUG=1045931
TBR=yhirano@chromium.org
(cherry picked from commit 122b074f0354079f3d9044cc14890dcfd2d72918)
Change-Id: Ide564096a4aeb05e0e09a8fad9056b617dbcaf31
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2056854:
Merged: [turbofan] Fix bug in Typer::TypeInductionVariablePhi
Revision: a2e971c56d1c46f7c71ccaf33057057308cc8484
BUG=chromium:1051017
Change-Id: I97c258009f938b5739312b35ae825a5f9ca22e5e
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2062404:
Merged: [turbofan] Fix bug in receiver maps inference
Revision: fb0a60e15695466621cf65932f9152935d859447
BUG=chromium:1053604
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=mvstanton@chromium.org
Change-Id: If3d0f772f76e7b4879c5c3cb132b9bd276792c6c
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>