| Commit message | Author | Age | Files | Lines |
| |
Change-Id: Ifc0bd4a88a477de6bb786f5fec6f2c2e3278d44a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Correct check from is_desktop_linux to is_linux, if the code isn't needed
it isn't included in the first place.
Change-Id: I97523bbf476e95057abfee99914bb9118be7fd2a
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
| |
Change-Id: I227e5119d943938c07b386a85a24494a55acb5b9
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Change-Id: I13e2d365fd7c13e7aa18c2a5882fb71267fdcd60
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Also reverts
"Disable font subsetting to support system harfbuzz < 2.4.0"
sfntly has been removed from Chromium and now it uses HarfBuzz as
the font subsetter.
See https://crbug.com/931719
Change-Id: I55255a82fdb7c10ca69678e2cd04672b520fc6f8
Fixes: QTBUG-88976
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
QtZlib is a part of QtCore, and we need also shim headers
since v8 will refer to zlib in 3rdparty.
Task-number: QTBUG-87154
Change-Id: I85c063b77eacd8dafae59cc1ef2b391e3f7c1ce0
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Most subprojects need jpeg shim headers, however pdfium
does not require those.
Task-number: QTBUG-87154
Change-Id: I9c41aa357f96ae28cc22031ddd3acf93a7f1dee6
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Pdfium extensions can be compiled with system libpng or internal
pdfium bundled libpng, which is different than chromium's
third_party libpng (where shim headers are used).
To keep changes to minimum update only pdfium third party build.
Task-number: QTBUG-87154
Change-Id: I87668d2a8e45089193bc369e3c202440e398d68d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
For static build of pdfium we need to take deps
from qtbase, pdfium uses freetype, which needs harfbuzz.
Update build for freetype and harfbuzz in third party, so
code can be compiled with those headers.
It seems if qtfreetype is used we no longer need harfbuzz
dependency, but harfbuzz build changes are introduced for
completeness.
Note we are only interested in include path, since qmake is doing
final link, otherwise lib_dirs can be passed in same manner.
Task-number: QTBUG-87154
Change-Id: I46ade3cfe134d5102a941270fbb90a1fa455e46a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Fixes: QTBUG-88708
Change-Id: I3554ceec0437801b4861f68edd504d01fc01cf93
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Fixes: QTBUG-88116
Change-Id: I935babf51c2670fad7cc7950a2fe07eb2829c4cb
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| |
Bug: 1098738
Change-Id: I25b84537a445ecb8f80241c98d4753932f5f7c90
Commit-Queue: Nico Weber <thakis@chromium.org>
Commit-Queue: Mark Mentovai <mark@chromium.org>
Auto-Submit: Nico Weber <thakis@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#781835}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2474784:
[codegen] Skip invalid optimization in tail calls
Preparing for tail call is usually done by emitting the gap moves and
then moving the stack pointer to its new position. An optimization
consists in moving the stack pointer first and transforming some of the
moves into pushes. In the attached case it looks like this (arm):
    138 add sp, sp, #40
    13c str r6, [sp, #-4]!
    140 str r6, [sp, #-4]!
    144 str r6, [sp, #-4]!
    148 str r6, [sp, #-4]!
    14c str r6, [sp, #-4]!
    ...
    160 vldr d1, [sp - 4*3]
The last line is a gap reload, but because the stack pointer was already
moved, the slot is now below the stack pointer. This is invalid and
triggers this DCHECK:
    Fatal error in ../../v8/src/codegen/arm/assembler-arm.cc, line 402
    Debug check failed: 0 <= offset (0 vs. -12).
A comment already explains that we skip the optimization if the gap
contains stack moves to prevent this, but the code only checks for
non-FP slots. This is fixed by replacing "source.IsStackSlot()" with
"source.IsAnyStackSlot()":
    108 vldr d1, [sp + 4*2]
    ...
    118 str r0, [sp, #+36]
    11c str r0, [sp, #+32]
    120 str r0, [sp, #+28]
    124 str r0, [sp, #+24]
    128 str r0, [sp, #+20]
    ...
    134 add sp, sp, #20
R=jgruber@chromium.org
Bug: chromium:1137608
Change-Id: If2b85dde49bf31a6bd3f5e0255407f9390727f9d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2513324:
Prevent overflow of drag image on Windows.
Bug: 1144489
Change-Id: I130adffc1c69073295537aaff3ce7054260064fc
Reviewed-by: Darwin Huang <huangdarwin@chromium.org>
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#823018}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2507715:
[map] Try to in-place transition during map update
When searching for a target map during map update, attempt to
update field representations in-place to the more general
representation, where possible.
Bug: chromium:1143772
Change-Id: I6a43c94910a1d2d8f8b0ad89048f94b51461f76c
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70887}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/186720:
Allow RTCP packets longer than 1500 bytes in RTC event log.
Bug: chromium:1134107
Change-Id: I05da32c57537c3c2fddae96918ff4e4685d62043
Reviewed-by: Elad Alon <eladalon@webrtc.org>
Commit-Queue: Björn Terelius <terelius@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#32315}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/2485581:
Fix missing validation cache update on VAO binding.
Bug: chromium:1139398
Change-Id: I85a0d7a72bc2c97b07ebc5f86effd8e36aefd544
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Change-Id: I81fdf3689074b7b1e5d6a548f7b9d7f41ebbcbf7
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2278597:
Large cursor fallback: ensure correct coordinate space for OOPIFs
A previous change ensured that large custom cursors > 32x32
would be dropped if they are not fully contained with the visual
viewport. However, the computation did not account properly for OOPIFs,
where cursor coordinates were not adjusted to the viewport offset.
This CL further adjusts the cursor rect by translating it to the root
view's coordinate space via LocalToAncestorPoint, before
checking for containment within the visual viewport.
Bug: 1099276
Change-Id: I0a03e7cc249cd785f9e76f931cfc7931b127d56b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2350395:
Add a per-process limit on open UDP sockets.
This adds a default limit of 6000 on the open UDP sockets throughout
the entire process, configurable with the "LimitOpenUDPSockets" feature.
An "open UDP socket" specifically means a net::UDPSocket which
successfully called Open(), and has not yet called Close().
Once the limit has been reached, opening UDP socket will fail with
ERR_INSUFFICIENT_RESOURCES.
In Chrome Browser, UDP sockets are brokered through a single process
(that hosting the Network Service), so this is functionally a
browser-wide limit too.
Bug: 1083278
Change-Id: Ib95ab14b7ccf5e15410b9df9537c66c858de2d7d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2309004:
Remove SimpleSerialize() and SimpleDeserialize().
By handling serialization of each type explicitly, we avoid serializing
padding bytes.
Bug: 973801,1106091
Change-Id: I9f4e6b82fb484b9256b25b531cc2d51c800425bb
Commit-Queue: Khushal <khushalsagar@chromium.org>
Reviewed-by: Khushal <khushalsagar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791110}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Partial backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/184240:
Fix for OnSctpInboundPacket being called after transport destruction.
OnSctpInboundPacket is called not only for incoming packets, but for
notifications, which can be delivered on the usrsctp timer thread.
I suspect that these notifications can be delivered after we attempt to
close the socket, because if we attempt to close it while the timer
thread holds a reference, it isn't actually destroyed until the timer
thread finishes its operation.
Bug: chromium:1127774
Change-Id: Id6a883b14796e8f5bf1c2990f3d9d389d72c8a46
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/184283:
Check length before dereferencing SCTP notifications.
Bug: chromium:1127774
Change-Id: I6ccf1f5246dfacb26f480bac899f295f89b53d08
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
The constants were moved into the blink::mojom namespace.
Change-Id: Id302cdc95048f3dd6aceb2fb183a31555e11181b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2472397:
Validate input of MediaStreamDispatcherHost::OpenDevice()
This method forwards to MediaStreamManager::OpenDevice(), which
DCHECKs for the stream type to be device video or audio capture
(i.e., webcam or mic). However, MSDH admits other stream types,
which cause MSM::OpenDevice to hit this DCHECK.
This CL ensures that a message containing an incorrect stream type,
which could be sent by a malicious renderer, results in killing the
renderer process.
Bug: 1135018
Change-Id: I3884dde95d92c41f44966a8ab1dd7bdfd4b23b9b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
(cherry picked from commit 6475589b7edc2f70f1b9fd4c1cf49b39d82b267b)
| |
Cherry pick of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/75090:
Reverse order of CPWL_ListCtrl and CPWL_List_Notify cleanup
(Speculative) fix for the crash in 1137630, since it only reproduces
sporadically on my system, but hasn't re-occurred since applying the
patch.
Bug: chromium:1137630
Change-Id: I4f52c7109eca00dfa8faee9bc6341cd94c25b60c
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2454732:
Prevent double deletion in PrintRenderFrameHelper.
Bug: 1134960
Change-Id: I765cc3f1463fce4b8d7c2ca99f429031566a4645
Reviewed-by: Jesse Schettler <jschettler@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#814756}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2321339:
Check FPDFText_GetCharBox() return value in pdfium_page.cc.
Make sure the call succeeds before continuing, to avoid potentially
using uninitialized values.
Bug: 1108351
Change-Id: Ife6f8b861a53cad0bbaec8130eef0dd1341ab71c
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2330314:
[FileAPI] Split BlobUrlRegistry off from BlobStorageRegistry.
In preparation for making BlobUrlRegistry per storage partition, this
cleans up the code a bit by moving all the blob URL logic to a separate
class. This CL itself should not have any behavior changes, it is purely
moving code around.
Also fixes some naming inconsistencies (URL vs Url among others).
Bug: 1106890
Change-Id: I0e7f9f8597d280ee2f69286c5a35cbb3997c9d9f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2330311:
[FileAPI] Refactor how BlobURLLoaderFactory works.
Rather than resolving a mojo Blob to a BlobDataHandle, just forward the
request to the Blob and let the blob create the URL Loader. This way we
decouple BlobURLLoaderFactory from any blob internals, paving the way
for further separating out the blob URL registry from the rest of the
blob system, making it easier to change where parts of the blob system
live (for example moving Blob URLs to be per storage partition, or in
the future perhaps per agent cluster).
This does increase binary size significantly because the added mojom
method results in java bindings being generated for a lot of interfaces
and structs that were previously not generated. In the future this
increase can be eliminated by making it possible to tag methods in
mojom files with what languages they should create bindings for, or by
rewriting BlobURLLoader itself to operate on a mojo Blob, rather than
forward the entire URLRequest to the mojo blob (https://crbug.com/1111835).
Bug: 1106890
Binary-Size: Size increase is unavoidable (see above).
Change-Id: I4fa3c6a5ddf6f8be5ce299e9d1fd95eaef75ec5e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2357520:
Do not accept dialogs on key-repeat
This prevents dialogs from being instantly accepted on Mac if holding
VKEY_RETURN as the dialog pops up.
Specifically it addresses a security issue where people can be tricked
into holding enter while the site pops up a folder-selector dialog.
The attack worked as follows. The attacker tricks the victim into
holding VKEY_RETURN. While the key is being held, the attacker triggers
folder upload, which the OS auto-accepts by holding VKEY_RETURN. Before
this change, FolderUploadConfirmationView would trigger on Mac with this
VKEY_RETURN.
With this change, the victim at least has to re-press VKEY_RETURN, which
they are presumably at least more likely to notice.
This also adds initialization of the EF_IS_REPEAT flag on Mac from
[NSEvent isARepeat]. Hopefully that doesn't have wider negative
consequences where ui::Event and NSEvent disagree on the definition of
a repeat event.
Bug: 1097724
Change-Id: I3bb0589867cbfa059a2406e73ef43e66b5326fbc
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2316105:
Make CSP default-src without 'unsafe-eval' block eval in iframes
This CL fixes the fallback behaviour of the Content Security Policy
script-src to default-src with regards to blocking eval in iframes
and, under certain conditions, when navigating to a new page.
Bug: 1107824
Change-Id: Ia5cbe82188fde25cec8ccb5a09322e598a419434
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2407065:
Avoid use-after-free
SetNotWaitingForResponse can trigger a message pump which can then free
the object which |this| points to. This use-after-free can be avoided by
not dereferencing |this| after the call, by ensuring that calling
SetNotWaitingForResponse is the last thing done.
Bug: 1125199
Change-Id: Ie1289c93112151978e6daaa1d24326770028c529
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2296549:
TransformStream deserialize: perform additional validation
The TransformStream deserialization code did not check for a message
port index of 0xffffffff. Add a check for it.
Also add a unit test for this condition.
BUG=1104103
Change-Id: Ic04af9d7a27171c471c0125662ee68dccb88abb4
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual Backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2355534:
Network Service: Add method validation as the secondary check
Today, the method value of the HTTP request is validated in
Blink for user exposed APIs such as Fetch and XHR to conform
to RFC 7230. But it's still possible that compromised
renderers insert arbitrary ASCII strings to the method value.
This patch adds the same RFC 7230 token check in the network
service as the secondary check.
Bug: 1110195
Change-Id: Ia99a986f82034875f7e8c0b2224f2260a99eeffa
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2385885:
Update ReferenceSpace reset to operate on a copy
When a reference space's origin is reset, an event is dispatched to the
page. This allows additional javascript to run, which could request a
new reference space. Depending on the timing of this new reference space
request returning, it would cause the reference_spaces_ list to be
modified, and thus invalidate the iterators.
Fix this by iterating over a copy of the list.
Fixed: 1123522
Change-Id: I121a5fa3dde1cfc18abbef579148a2ace86f73f5
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2416383:
Merged: [turbofan] Fix bug in inlining
Revision: 219b28bfe2ea76de63f034eb75b67e8ded339d94
BUG=chromium:1127319
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=tebbi@chromium.org
Change-Id: I98e77bac81e2cf822a4a4987115e0cf01b1dbc52
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2410743:
Add mutex for allowing the graph to be pulled
Basically add a mutex to protect access to
allow_pulling_audio_graph_. The main thread waits until it has the
lock before setting this. This prevents the main thread from deleting
things while the audio thread is pulling on the graph.
A try lock is used so as not to block the audio thread if it can't get
lock.
This is applied to both real time and offline contexts which required
moving the original real-time-only implementation to
audio_destination_node so we can use the same methods for the offline
context.
Tested the repro case from 1125635, and the issue does not reproduce.
We're assuming this will fix 1115901, but I've not been able to
reproduce that locally.
Bug: 1125635, 1115901
Change-Id: I1037d8c44225c6dcc8fe906c29a5a86740a15e1d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2405644:
Disallow creation of CanvasResourceProviders for zero sized images
Bug: 1126424
Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally committed on
https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019:
Fix a use-after-free bug for the userland stack.
Thanks to Mark Wodrich from Google for finding and reporting the
bug.
Cherry pick fix for usrsctp UAF bug to M86.
The commit being cherry picked is:
https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019
TBR=hta@chromium.org
Bug: chromium:1124659
Change-Id: I229c8a01fd051b1dfe499a609f72484ce7611af3
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
(cherry picked from commit 0f55630c2f4e811da4e674b217add4d8022efcac)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2385921:
Avoid fixing/rewriting/mutating invalid URLs in RewriteURLIfNecessary.
This CL changes BrowserURLHandlerImpl::RewriteURLIfNecessary so that it
returns early (and doesn't mutate the |url| in the in-out argument) if
|url| is invalid. This helps avoid scenarios where
RewriteUrlForNavigation (in navigation_controller_impl.cc) ends up
generating a NavigationEntry with an invalid virtual URL that
(accidentally/incorrectly) gets rewritten into a valid URL.
Bug: 1116280
Change-Id: I114cf8c8d9459b6931ae659f62a100679b994d5e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual cherry-pick of fix in freetype:
Fix heap buffer overflow (#59308).
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
Change-Id: I4f5fd188f268de8929d2759f64cec7cb55644c42
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2212807
[IDN Spoof Checks] Add U+0A5C to digit lookalikes.
This CL adds U+0A5C as a lookalike character to the digit 3. This
change appears to impact no domains seen in UKM.
Fixed: 1085315
Change-Id: Iea9930363d853f154e2d781646a1b0b5da7fbbfd
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
It asserts with MSVC 32bit but it might fail with other configurations
too because the RendererAppContainer feature will have more than
one instance in the memory and it can break pointer-based identity
lookup (see documentation of base::Feature in
chromium/base/feature_list.h).
Make the Feature instance static to ensure it has the same address for
each of the IsAppContainerEnabled() calls.
Change-Id: I937cbd7c4dd46df2d4b48c4af239db1e6e8feb6f
Fixes: QTBUG-86945
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2378889:
Check for context destroyed in MediaKeys
Don't allow calls to proceed once the associated content has been
destroyed.
Bug: 1121414
Test: example in the bug no longer crashes
Change-Id: I3bdeb86f2020f684958b624fcc30438babfb5004
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2377811:
[ElementCapture] Do not produce frames if media player is tainted
This prevents potential cross-origin mid-stream redirects from
breaking the cross-origin restrictions.
Bug: 1111149
Change-Id: I18d05a5836b9a390dec50e10c43d3d2b9ec5915a
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2398701:
Reland Run ObfuscatedFileUtilMemoryDelegate entirely on TaskRunner.
MemoryFileStreamWriter called some ObfuscatedFileUtilMemoryDelegate
functions through IO thread while other functions in OFUMD are called
on a threadpool sequence. This could result in races in updating
directory structure.
To fix the issue, MemoryFileStreamWriter and MemoryFileStreamReader are
updated to call all OFUMD on the default task runner of the file system
context.
This CL was landed in crrev.com/c/2308721 and reverted due to flakiness.
The flaky crashes are believed to be because the buffer passed to
MemoryFileStreamReader::Read and MemoryFileStreamWrite::Write are not
thread safe.
Patchset1 is a copy of the previous CL and the issue is fixed in the
next patchsets.
Bug: 1100136
Change-Id: I619b82c2f4d23a020e9ce7e5e6c16980907b501b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2393001:
serial: Check that port is open before reading or writing
This change adds checks to the platform-specific implementations
of Read() and Write() to make sure that the file descriptor is
valid before. This makes the assumptions validated by later DCHECK
correct.
This cannot be done in the platform-independent layer because test
code depends on being able to call some SerialIoHandler methods
without an actual file descriptor.
Bug: 1121836
Change-Id: If182404cf10a2f3b445b9c80b75fed5df6b5ab4b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Otherwise we can end up rejecting pre-upgraded HTTP/2 requests.
Task-number: QTBUG-86824
Change-Id: I0d7e4a716729c4bba8fff8351d08c54285319a60
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2380855:
Delegate TargetHandler::Session permission checks to the root client
Bug: 1114636
Change-Id: Iba3865206d7e80b363ec69180ac05e20b56aade2
Reviewed-by: Michal Klocek <michal.klocek@qt.io>