Commit message | Author | Age | Files | Lines
...
* [Backport] CVE-2022-0975 | Jamie Madill | 2022-04-06 | 4 | -9/+35

    Protect against deleting a current XFB buffer.

    Backport review link: https://chromium-review.googlesource.com/c/angle/angle/+/3514175
    Bug: chromium:1295411
    Change-Id: If14da241289a5616e087e84edd85b29a27d49d65
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Dependency for CVE-2022-0975 | Jamie Madill | 2022-04-06 | 2 | -5/+17

    Add missing buffer validation to BeginTransformFeedback.

    A change to Vulkan exposed this missing validation. In the Vulkan
    back-end we do some caching on BeginXFB, which would perform an
    invalid memory access. Adding the missing validation correctly traps
    the error before we reach the back-end.

    Backport review link: https://chromium-review.googlesource.com/c/angle/angle/+/2937022
    Bug: chromium:1171685
    Bug: angleproject:4622
    Change-Id: I1f9e89c9904c836ca7b58ed39baaef5fbea51824
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Fix angle build after 2b997ac64c | Michal Klocek | 2022-04-06 | 1 | -1/+1

    Fix angle build after CVE-2022-0104 backport.

    Change-Id: I33c5ea8802e1dc957b1713a6fe8f8ff363908494
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Add crossbuild support for x64/x86 on macos-arm64 | Allan Sandfeld Jensen | 2022-04-01 | 4 | -7/+56

    Task-number: QTBUG-100672
    Change-Id: I3081d927ad4bf151486eb1de5e7491a08a41b073
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
    (cherry picked from commit 7e3cb70a2c4408f18e53d467329cf3a9edfcfe13)
    Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2022-0971 | liberato@chromium.org | 2022-03-30 | 2 | -14/+25

    Don't use a deleted RenderFrameHost.

    Since we do not check for frame liveness, a RenderFrameHost might be
    deleted (in the use-after-free sense) without another call to
    RenderFrameDeleted. So, WeakPtr it to avoid these cases.

    Bug: 1299422
    Task-number: QTBUG-101946
    Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2022-1096 | Allan Sandfeld Jensen | 2022-03-30 | 1 | -3/+7

    [runtime] Fix handling of interceptors

    Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    (cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* Fix clang set-but-unused-variable warning | Allan Sandfeld Jensen | 2022-03-25 | 1 | -3/+1

    Due to a clang bug, this warning gets raised to error level.

    Change-Id: Ic040e157e0d0f9295671f9da5ac84b45eb70c094
    Pick-to: 94-based 98-based
    Fixes: QTBUG-101672
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] sandbox: build if glibc 2.34+ dynamic stack size is enabled | Peter Varga | 2022-03-10 | 1 | -1/+4

    Compilation of sandbox fails when using dynamic stack size in glibc
    2.34 or newer. This is because the value is not a literal anymore but
    obtained through sysconf. To avoid this, use memset to put zeros in
    the buffer.

    Change-Id: Iff7ddca815378ab1de2f3ca2d200d8db75f42dd2
    Review-URL: https://chromium-review.googlesource.com/c/chromium/src/+/3436947
    Cr-Commit-Position: refs/heads/main@{#967943}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    (cherry picked from commit b789116ca6111fa26c7a6d6ea22513b95c3573af)
    Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
* Bump V8_PATCH_LEVEL | Michael Brüning | 2022-03-01 | 1 | -1/+1

    Change-Id: I54ed80ac1ec1ffe2d4ad29812e5b8197a9bdabde
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security bug 1289394 | Austin Sullivan | 2022-02-28 | 2 | -1/+18

    Manual backport of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3373583:

    FS: Fix FileUtil lifetime issue

    Keeps FileSystemContext alive while resolving a URL on an open file
    system, removing the possibility of the file system being destroyed
    while a URL is being resolved on it.

    Bug: 1275622, 1289394
    Change-Id: Ic1b97552f9d41a61163d72ff8c605699f673f55f
    Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
    Commit-Queue: Austin Sullivan <asully@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#968470}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0460: Use after free in Window Dialog | Dave Tapuska | 2022-02-28 | 2 | -2/+55

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3247534:

    Cancel WebPagePopup immediately on WebViewImpl::Close.

    If we have a WebPagePopup cancel it immediately. Detaching it from the
    layout was handled via detaching the layout nodes but that is
    slightly complex. Call cancel before we destroy the layout tree.

    BUG=1250227
    Change-Id: I8707e59a3c99a57a16d8b8d8cb35213a33365833
    Reviewed-by: Stefan Zager <szager@chromium.org>
    Reviewed-by: Daniel Cheng <dcheng@chromium.org>
    Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#955417}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-23852 | Samanta Navarro | 2022-02-28 | 1 | -0/+5

    Manual cherry-pick of patch originally committed on
    https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40:

    lib: Detect and prevent integer overflow in XML_GetBuffer (CVE-2022-23852)

    Change-Id: I238e6d37190d9d6ac679d8575ca9a69ecb466dc1
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0290: Use after free in Site isolation | Daniel Cheng | 2022-02-28 | 2 | -20/+30

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3230016:

    Reland "Consistently invalidate Mojo connections when render frame is deleted."

    This is a reland of cab52ad80cb4985de0c9431d761fe9c909bbfb8f, but also
    resets a few additional fields that hold Mojo endpoints to the
    renderer.

    Original change's description:
    > Consistently invalidate Mojo connections when render frame is deleted.
    >
    > Bug: 1260007, 1260134
    > Change-Id: I2ae77fcbf04b557f7f6e68b55d6c2905708fc220
    > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3225563
    > Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
    > Commit-Queue: Daniel Cheng <dcheng@chromium.org>
    > Cr-Commit-Position: refs/heads/main@{#932196}

    Bug: 1260007, 1260134
    Change-Id: Ie04adf7240c2a62ccecca42da554259b0dbbbd7f
    Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
    Commit-Queue: Daniel Cheng <dcheng@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#933654}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1292537 | Shahbaz Youssefi | 2022-02-28 | 1 | -4/+4

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/angle/angle/+/3444340:

    Vulkan: Fix vkCmdResolveImage offsets

    glBlitFramebuffer takes identical regions for src and dst when
    resolving. vkCmdResolveImage should use the clipped area instead of
    using the actual offsets passed to this function.

    Bug: chromium:1292537
    Change-Id: I13b91a4e14bdb3fcbf8f01edb36d7fb4110429ea
    Reviewed-by: Jamie Madill <jmadill@chromium.org>
    Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0610: Inappropriate implementation in Gamepad API | Matt Reynolds | 2022-02-28 | 1 | -0/+2

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3373944:

    gamepad: Return an invalid handle after ReportBadMessage

    Bug: 1285449
    Change-Id: I746c539577f7bdf69cbe4212ac380e0c92a5c771
    Auto-Submit: Matt Reynolds <mattreynolds@chromium.org>
    Reviewed-by: Reilly Grant <reillyg@chromium.org>
    Commit-Queue: Reilly Grant <reillyg@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#961125}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* Fixup [Backport] Security bug 1276331 | Michael Brüning | 2022-02-22 | 1 | -1/+1

    Needs the same adaptation as the patch for 87-based.

    Change-Id: I8ef67a0e88c0b10b39b9f067d44b2d58932481b3
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2022-0609: Use after free in Animation | Kevin Ellis | 2022-02-21 | 2 | -6/+6

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3414765:

    Code health cleanup: replacing animations.

    Animation::Update performed a synchronous processing of the finish
    microtask to ensure that finished events were dispatched ahead of
    replace events. This step does not align with the spec. Instead we
    should be queuing the replace event. Microtasks will be processed in
    the correct order.

    Spec link: https://www.w3.org/TR/web-animations-1/#timelines

    Change-Id: Ibe7753e792fb6cf905bbe6815a080a8cc51c2803
    Bug: 1290858, 1296150
    Change-Id: Ibe7753e792fb6cf905bbe6815a080a8cc51c2803
    Reviewed-by: Mustaq Ahmed <mustaq@chromium.org>
    Commit-Queue: Kevin Ellis <kevers@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#964223}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0608: Integer overflow in Mojo | Ken Rockot | 2022-02-21 | 1 | -3/+9

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3414063:

    Fix potential handle reuse in Mojo

    Fixed: 1270333
    Change-Id: Ife188d519092e4e634355fd53d97c85009771b76
    Auto-Submit: Ken Rockot <rockot@google.com>
    Reviewed-by: Daniel Cheng <dcheng@chromium.org>
    Commit-Queue: Daniel Cheng <dcheng@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#962946}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0607: Use after free in GPU | Ken Rockot | 2022-02-21 | 1 | -3/+7

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3413372:

    Viz: Fix UAF on context loss

    Fixed: 1250655
    Change-Id: I2898316635d370fa36b94e0ae2564ed357745b2c
    Auto-Submit: Ken Rockot <rockot@google.com>
    Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
    Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#963012}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0606: Use after free in ANGLE | Shahbaz Youssefi | 2022-02-21 | 1 | -2/+2

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/angle/angle/+/3427561:

    Vulkan: Fix vkCmdResolveImage extents

    The source framebuffer's extents were accidentally used instead of the
    blit area extents.

    Bug: chromium:1288020
    Change-Id: Ib723db50d9687fee0453d027141a94ea26d8a4b8
    Reviewed-by: Jamie Madill <jmadill@chromium.org>
    Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2021-4066: Integer underflow in ANGLE | Jamie Madill | 2022-02-21 | 1 | -10/+8

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/angle/angle/+/3309035:

    D3D11: Fix OOB access in vertex conversion code.

    This could happen when using certain combinations of stride and
    offset. Fix the issue by using checked math.

    Bug: chromium:1274499
    Change-Id: Idba3beedad10b0c0cac2dcbecba8e420c5baa6da
    Reviewed-by: Jamie Madill <jmadill@chromium.org>
    Reviewed-by: Geoff Lang <geofflang@chromium.org>
    Commit-Queue: Geoff Lang <geofflang@chromium.org>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1261415 | James Zern | 2022-02-21 | 3 | -67/+74

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/webm/libvpx/+/3288148:

    vp9 encoder: fix row-mt crash w/thread config change

    previously row-mt would allocate thread data once, so increasing the
    number of threads with a config change would cause a heap overflow.

    Bug: chromium:1261415
    Bug: chromium:1270689
    Change-Id: I3c5ec8444ae91964fa34a19dd780bd2cbb0368bf
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1274113 | Stephen Roettger | 2022-02-21 | 3 | -4/+54

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3341553:

    Keep a set of previously dropped peers

    Test that a given node name hasn't been seen before.
    A side effect of this fix is that re-invitation will not work anymore.

    BUG=chromium:1274113
    Change-Id: Ibdc50291efa1f6298614b163b544ad980615a981
    Reviewed-by: Ken Rockot <rockot@google.com>
    Commit-Queue: Stephen Röttger <sroettger@google.com>
    Cr-Commit-Position: refs/heads/main@{#956441}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* Fixup for CVE-2022-0289 | Michael Brüning | 2022-02-18 | 2 | -3/+3

    Patch got prematurely merged and needs a fix to build on 90-based.

    Change-Id: I150e62b91c021bd53208234b2fcae541f816e654
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1268448 | Justin Novosad | 2022-02-18 | 1 | -1/+1

    Manual backport of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3276832:

    Fix dangerous lambda capture in BaseRenderingContext2D

    We had a lambda that was capturing a local variable by address in a
    context where it is possible for the lambda to be executed
    asynchronously. This could cause memory to be read after being popped
    off the stack.

    This is a quick bandaid solution. The more permanent solution is to
    refactor the code to use a pattern that avoids injecting capturing
    lambdas into WTF::Bind Callbacks that are executed asynchronously.

    BUG=1268448
    Change-Id: I1b08392847e13f4039ec34eee6a66239096b1bf1
    Commit-Queue: Justin Novosad <junov@chromium.org>
    Commit-Queue: Aaron Krajeski <aaronhk@chromium.org>
    Auto-Submit: Justin Novosad <junov@chromium.org>
    Reviewed-by: Aaron Krajeski <aaronhk@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#940945}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0464: Use after free in Accessibility | Aaron Leventhal | 2022-02-18 | 10 | -3/+88

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3307486:

    Crash immediately on AX error when AX inspect features are used

    Fixes a UAF in the accessibility event recorder when an event came in
    after an AccessibilityFatalError(). The UAF occurs when an attempt was
    made to access the raw pointer manager_, which was previously released
    by the manager's owner RenderFrameHostImpl when
    ::AccessibilityFatalError() tried to gracefully reset accessibility
    without crashing the renderer.

    Now, AccessibilityFatalError() forces a crash when any developer
    feature such as the event recorder is used.

    There is a benefit of this approach: any AccessibilityFatalError()
    that occurs during content_browsertests or after a developer has used
    chrome://accessibility will crash immediately. Better to crash
    immediately than to try to swallow bad serializations.

    Note that the fail fast flag is purposely kept on, because using
    chrome://accessibility shows that the user is a developer.

    Bug: 1270095
    Change-Id: Ib14c39d3f674713c07769eb37d5221a5353277d7
    Auto-Submit: Aaron Leventhal <aleventhal@chromium.org>
    Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
    Reviewed-by: Nektarios Paisios <nektar@chromium.org>
    Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#947745}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0470: Out of bounds memory access in V8 | Igor Sheludko | 2022-02-18 | 4 | -8/+24

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/v8/v8/+/3279680:

    Fix tracking of entered contexts

    The entered contexts stack must be in sync with the flags stack.

    Bug: chromium:1269225
    Change-Id: Ibb522286b47866d5f13aaec1a0a02914c13a5545
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Commit-Queue: Shu-yu Guo <syg@chromium.org>
    Auto-Submit: Igor Sheludko <ishell@chromium.org>
    Reviewed-by: Shu-yu Guo <syg@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#77882}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0456: Use after free in Web Search | Tommy Li | 2022-02-18 | 1 | -3/+6

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3408176:

    Fix base::Unretained usage in TemplateURLFetcher (UAF bug)

    The base::Unretained usage here is problematic when Chrome is shutting
    down, leading to UAF bugs.

    This CL fixes that using weak pointers in all the three locations
    where we previously used base::Unretained.

    Bug: 1289523
    Change-Id: Ie91416d09efe3ff127abc00ec88e8e37acf039a8
    Auto-Submit: Tommy Li <tommycli@chromium.org>
    Reviewed-by: Robert Sesek <rsesek@chromium.org>
    Commit-Queue: Robert Sesek <rsesek@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#962132}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0293: Use after free in Web packaging | Clark DuVall | 2022-02-18 | 4 | -33/+27

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3361198:

    Fix lifetime bug in PrefetchURLLoader

    PrefetchURLLoader is now owned by PrefetchURLLoaderService, which is
    no longer refcounted. This makes the lifetime much easier to reason
    about.

    Bug: 1283371
    Change-Id: Iaa58c1f44cc9f066459ce344012f57faca533197
    Reviewed-by: John Abd-El-Malek <jam@chromium.org>
    Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org>
    Commit-Queue: Clark DuVall <cduvall@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#955986}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1271747 | Colin Blundell | 2022-02-18 | 3 | -5/+16

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3306578:

    Fix UAF's in token fetcher code

    SafeBrowsingPrimaryAccountTokenFetcher currently has UAF's in two
    flows:
    (1) the access token being fetched and the client synchronously
        destroying the fetcher from within its callback on this event
    (2) the access token fetch timing out and the client synchronously
        destroying the fetcher from within its callback on this event

    These UAF's date back quite a while (they predate
    https://chromium-review.googlesource.com/c/chromium/src/+/2624630).
    They do not currently appear to result in crashes, which is why
    they've been able to stay in the codebase for so long :).

    This CL fixes the issues and adds tests of the problematic cases. To
    deal with the fact that the problematic flows don't cause crashes, we
    added DCHECKs that the state was as expected on the problematic
    accesses and verified that the DCHECKs triggered in these tests prior
    to the production changes in this CL.

    The specific fixes are as follows:
    (1) Have SafeBrowsingPrimaryAccountTokenFetcher clear internal state
        *before* notifying the token fetch tracker that the access token
        has been fetched
    (2) Have SafeBrowsingPrimaryAccountTokenFetcher bind its callback that
        is invoked by the tracker on token fetch timeout via a WeakPtr,
        ensuring that it won't be invoked if the client callback that is
        also invoked on the same event has resulted in the synchronous
        destruction of this object. Note that we could also have changed
        the order in which these callbacks are invoked by
        SafeBrowsingTokenFetchTracker, but this approach is more direct
        and less fragile.

    Bug: 1271747
    Change-Id: I885a6fb16918f9302e915b8fffb612c2f1c409c3
    Reviewed-by: Xinghui Lu <xinghuilu@chromium.org>
    Commit-Queue: Colin Blundell <blundell@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#946907}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0468: Use after free in Payments (2/2) | Liquan (Max) Gu | 2022-02-18 | 1 | -1/+1

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3378182:

    Not to send Payment apps for permission check when service worker errors

    Before the change, when a payment app was being registered while the
    window was shutting down, the payment apps would still be sent for
    permission checks, causing a crash. After the change, in the same
    situation, the payment apps would not be sent for permission checks.

    Bug: 1252716
    Change-Id: I9f0f80eadfdc598ee5f1c6e41fd56975b32df2a0
    Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
    Commit-Queue: Liquan (Max) Gu <maxlg@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#957248}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0468: Use after free in Payments (1/2) | Christian Dullweber | 2022-02-18 | 2 | -8/+4

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3376968:

    Prevent use-after-free if a KeyedService is accessed after shutdown

    KeyedServices should not get created during shutdown. This is
    prevented in debug builds by a NOTREACHED() but only leads to a
    silent crash report in release builds. Considering that this can lead
    to security bugs, we should have a hard CHECK(false) to prevent
    services from being created during shutdown.

    Bug: 1252716
    Change-Id: I079cb6d8da8bcebb0b0e369ad4f67e2764fbc986
    Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
    Reviewed-by: Colin Blundell <blundell@chromium.org>
    Commit-Queue: Christian Dullweber <dullweber@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#957059}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0461: Policy bypass in COOP | Arthur Hemery | 2022-02-18 | 1 | -0/+8

    Manual backport of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3293412:

    [Fixit] Make sandbox + COOP break the opener.

    Sandbox flags and COOP cannot currently live on the same page. This
    was decided when first implementing COOP. If COOP and sandboxing
    flags are present on the same top level window, we return an error
    page instead, and COOP has no effect.

    Exploits have been discovered recently about abusing an opened window
    and history to be able to guess the cross-origin url using the
    history API.
    See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614

    Error pages were left out from the fix, because it would be inelegant
    to insert error pages into history after a successful reload. That
    means error pages can potentially be used to guess a cross-origin
    URL. If in general this is acceptable, in our case it's worse for two
    reasons:
    - COOP is used to protect pages that are usually more valuable or
      hold important data.
    - It is possible to reach an error page after response without
      relying on timing, etc.

    Therefore we'd like to sever the opener when we fail after receiving
    a response, if the target page did set COOP. Basically we'd like to
    change the spec to enforce COOP even when we fail because of
    COOP+sandbox.

    Spec discussion can be found here:
    https://github.com/whatwg/html/issues/7345

    On the implementation side, this patch adds the WPTs necessary to the
    spec change, and the modified behavior. We add a setter to the swap
    parameter to be able to only activate that without breaking the
    COOP: Unsafe-none for error pages invariant. This applies to final
    responses and redirects. This does not alter the reload behavior, as
    this only happens for cases where reloads would not be successful
    anyway.

    Bug: 1256823
    Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
    Commit-Queue: Arthur Hemery <ahemery@chromium.org>
    Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#946387}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0459: Use after free in Screen Capture | Alexander Cooper | 2022-02-18 | 2 | -5/+13

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3379089:

    Ensure lifetime of DesktopCaptureDevice::Core member

    Due to the destruction order of the DesktopCaptureDevice::Core member
    and its owning thread, combined with the use of Base::Unretained, it
    is possible for the Core object (which was passed to the thread with
    an unretained), to be destroyed before the thread. This can result,
    in some cases, with the thread attempting to still process the queued
    task, but with a now-destroyed object.

    Two changes are made to ensure that this cannot happen:
    1) The currently unused WeakPtrFactory on the Core object is used to
       ensure that any tasks attempting to be run after the core object
       is destroyed fail.
    2) The ordering of the members is flipped so that if a case *is* hit
       where the DesktopCaptureDevice is destroyed without a
       StopAndDeallocate call, that the thread is stopped first, further
       guaranteeing that no DesktopCaptureDevice members are accessed by
       it during the device's destruction.

    Fixed: 1244205
    Change-Id: I9837e722a2fe0327d68662c2d297eb1f377d3631
    Reviewed-by: Mark Foltz <mfoltz@chromium.org>
    Commit-Queue: Alexander Cooper <alcooper@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#958760}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
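The lifetime rule behind the CVE-2022-0971, CVE-2022-0456, security bug 1271747 and CVE-2022-0459 backports above is the same in each case: a task bound with a raw `this` (base::Unretained) can run after the object is gone, while a task bound through a weak handle checks liveness first and becomes a no-op. The following is an added illustration in standard C++, not Chromium code: std::weak_ptr stands in for base::WeakPtr/WeakPtrFactory, a vector of std::function stands in for the task runner, and TokenFetcher, StartUnretained, StartWeak, RunAll, WeakCallbackAfterDestroy and CallbackWhileAlive are made-up names.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a task runner: callbacks are queued now and run later,
// possibly after the object that queued them has been destroyed.
using TaskQueue = std::vector<std::function<void()>>;

// Stand-in for an object whose asynchronous completion touches its own state.
class TokenFetcher : public std::enable_shared_from_this<TokenFetcher> {
 public:
  explicit TokenFetcher(std::string* sink) : sink_(sink) {}

  // Equivalent of binding with base::Unretained(this): a raw pointer is
  // captured and nothing stops the task from running after *this is gone.
  void StartUnretained(TaskQueue& queue) {
    TokenFetcher* self = this;
    queue.push_back([self] { self->OnTokenFetched("token"); });
  }

  // Equivalent of binding with weak_ptr_factory_.GetWeakPtr(): the task
  // checks liveness first and does nothing if the fetcher was destroyed.
  void StartWeak(TaskQueue& queue) {
    std::weak_ptr<TokenFetcher> weak = shared_from_this();
    queue.push_back([weak] {
      if (std::shared_ptr<TokenFetcher> self = weak.lock()) {
        self->OnTokenFetched("token");
      }
    });
  }

 private:
  void OnTokenFetched(const std::string& token) { *sink_ = token; }
  std::string* sink_;  // where the completion callback writes its result
};

// Drains the queue in order, as a task runner would.
void RunAll(TaskQueue& queue) {
  for (std::function<void()>& task : queue) task();
  queue.clear();
}

// Owner drops the fetcher (e.g. at shutdown) before the queued completion
// runs. Only the weak variant is safe to execute here; the unretained one
// would dereference freed memory, which is the bug the patches fix.
std::string WeakCallbackAfterDestroy() {
  std::string sink = "untouched";
  TaskQueue queue;
  std::shared_ptr<TokenFetcher> fetcher = std::make_shared<TokenFetcher>(&sink);
  fetcher->StartWeak(queue);
  fetcher.reset();  // last strong reference dropped: fetcher is destroyed
  RunAll(queue);    // task sees an expired weak_ptr and skips the call
  return sink;
}

// Fetcher outlives the queued task: both variants behave the same.
std::string CallbackWhileAlive(bool use_weak) {
  std::string sink = "untouched";
  TaskQueue queue;
  std::shared_ptr<TokenFetcher> fetcher = std::make_shared<TokenFetcher>(&sink);
  if (use_weak) {
    fetcher->StartWeak(queue);
  } else {
    fetcher->StartUnretained(queue);
  }
  RunAll(queue);
  return sink;
}

int main() {
  // Stand-alone check: 0 when the weak task was skipped after destruction
  // and both live callbacks delivered their token, non-zero otherwise.
  bool ok = WeakCallbackAfterDestroy() == "untouched" &&
            CallbackWhileAlive(true) == "token" &&
            CallbackWhileAlive(false) == "token";
  return ok ? 0 : 1;
}
```

The unretained variant is compiled but never run after the fetcher has been destroyed, since that call would read freed memory. Note that the weak handle only protects the object it points at: the `sink` pointer held by the fetcher is a raw pointer to a local, which is the same shape as the stack-local capture in security bug 1268448 above, and is only safe here because the fetcher never outlives the function that owns `sink`.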
* [Backport] CVE-2022-0306: Heap buffer overflow in PDFium | Daniel Hosseinian | 2022-02-18 | 1 | -1/+1

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3361538:

    CHECK page on thumbnail requests

    Elevate DCHECK to CHECK.

    Fixed: 1283198
    Change-Id: Iacb3da961cfb44f94f7a377e225270a57809ef9c
    Auto-Submit: Daniel Hosseinian <dhoss@chromium.org>
    Reviewed-by: K. Moon <kmoon@chromium.org>
    Commit-Queue: K. Moon <kmoon@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#954552}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1212957 | Scott Haseley | 2022-02-18 | 6 | -51/+82

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3389722:

    [scheduler] Refactor lifecycle observers as callbacks

    Merge to release branch 4664. Note: changes to reclaimable_codec.* are
    omitted from cherry-picked CL as the observer was added later.

    Before this CL, FrameOrWorkerScheduler lifecycle callbacks were
    implemented as an observer interface and we held a raw pointer to the
    observer. These observers could be either on-heap or off-heap objects
    which violates the rule of not storing raw pointers to on-heap
    objects since this risks UAF.

    To work around this, this CL changes the lifecycle observers to
    callbacks, with the observers using WrapWeakPersistent with Bind
    where needed. This is relatively clean since the observer interface
    only has one method. We could alternatively store WeakPersistent
    references to the on-heap objects, but this is more complicated since
    we need to handle both on-heap and off-heap objects (possible, but
    probably overly complicated for this case).

    (cherry picked from commit 3c60616245d4928ee89ad842e1031bd8d3a6121d)

    Bug: 1212957
    Change-Id: I89ec5ae4effbb6c35e45a91f0253326951182215
    Reviewed-by: Alexander Timin <altimin@chromium.org>
    Reviewed-by: Nate Chapin <japhet@chromium.org>
    Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
    Commit-Queue: Scott Haseley <shaseley@chromium.org>
    Cr-Original-Commit-Position: refs/heads/main@{#957925}
    Cr-Commit-Position: refs/branch-heads/4664@{#1411}
    Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1276331 | Andrey Kosyakov | 2022-02-18 | 2 | -2/+12

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3351409:

    DevTools: correctly null-terminate text and unmodifiedText when
    dispatching key event

    Bug: 1276331
    Change-Id: I8918bcf783764e553b43f040bf39ac6c081a489e
    Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
    Reviewed-by: Will Harris <wfh@chromium.org>
    Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#953265}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security bug 1280743 | Tom Sepez | 2022-02-18 | 1 | -12/+18

    Cherry-pick of patch originally reviewed on
    https://pdfium-review.googlesource.com/c/pdfium/+/88290:

    Use safe arithmetic in CJBig2_Context::ParseSymbolDict()

    These should be mitigated by size checks higher up, but it wouldn't
    hurt to be sure.

    Bug: chromium:1280743
    Change-Id: I03c46e3d11316a9f9634256bd0e2394548d2681e
    Reviewed-by: Lei Zhang <thestig@chromium.org>
    Commit-Queue: Tom Sepez <tsepez@chromium.org>
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
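The ANGLE (CVE-2021-4066), expat (CVE-2022-23852) and PDFium (security bug 1280743) backports above all replace wrapping size arithmetic with checked arithmetic. What follows is an added C++ illustration of that technique, not code from any of those projects: CheckedAdd, CheckedMul, VertexRangeInBounds, VertexRangeInBoundsUnchecked and GrowBufferSize are made-up names, and the bound offset + stride * (count - 1) + elem_size is a generic vertex-range formula chosen for the example rather than the one in ANGLE's D3D11 code.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// Checked helpers: std::nullopt on overflow instead of a wrapped value, so a
// size that does not fit in size_t can never pass a "fits in the buffer" test.
std::optional<std::size_t> CheckedAdd(std::size_t a, std::size_t b) {
  if (a > std::numeric_limits<std::size_t>::max() - b) return std::nullopt;
  return a + b;
}

std::optional<std::size_t> CheckedMul(std::size_t a, std::size_t b) {
  if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) return std::nullopt;
  return a * b;
}

// Bytes needed to read `count` elements of `elem_size` bytes starting at
// `offset` with `stride` bytes between element starts:
//   offset + stride * (count - 1) + elem_size
// Unchecked form: unsigned arithmetic wraps, so an untrusted stride or offset
// can make an enormous range look like it fits. Kept only for comparison.
bool VertexRangeInBoundsUnchecked(std::size_t buffer_size, std::size_t offset,
                                  std::size_t stride, std::size_t elem_size,
                                  std::size_t count) {
  if (count == 0) return true;
  return offset + stride * (count - 1) + elem_size <= buffer_size;
}

// Checked form: any intermediate overflow fails the bounds check.
bool VertexRangeInBounds(std::size_t buffer_size, std::size_t offset,
                         std::size_t stride, std::size_t elem_size,
                         std::size_t count) {
  if (count == 0) return true;
  std::optional<std::size_t> span = CheckedMul(stride, count - 1);
  if (!span) return false;
  std::optional<std::size_t> end = CheckedAdd(offset, *span);
  if (!end) return false;
  end = CheckedAdd(*end, elem_size);
  if (!end) return false;
  return *end <= buffer_size;
}

// Buffer growth of the XML_GetBuffer kind: bytes already held plus bytes the
// caller asks for. std::nullopt means "refuse the request" rather than
// allocating a wrapped, too-small buffer that is later overrun.
std::optional<std::size_t> GrowBufferSize(std::size_t kept, std::size_t requested) {
  return CheckedAdd(kept, requested);
}

int main() {
  // Stand-alone check: the wrapped computation wrongly accepts a stride of
  // SIZE_MAX, the checked one rejects it. Returns 0 when all of that holds.
  bool wrapped_passes = VertexRangeInBoundsUnchecked(64, 16, SIZE_MAX, 4, 2);
  bool checked_rejects = !VertexRangeInBounds(64, 16, SIZE_MAX, 4, 2);
  bool normal_ok = VertexRangeInBounds(64, 0, 16, 4, 4) &&
                   !VertexRangeInBounds(64, 0, 16, 4, 5);
  bool grow_ok = GrowBufferSize(100, 28).value() == 128 &&
                 !GrowBufferSize(SIZE_MAX, 1).has_value();
  return (wrapped_passes && checked_rejects && normal_ok && grow_ok) ? 0 : 1;
}
```

With a 64-byte buffer, offset 16, stride SIZE_MAX and two elements of 4 bytes, the unchecked bound wraps to 19 and passes, while the checked version fails at the first addition. The same two helpers cover the expat case: a request that would push the buffer size past SIZE_MAX is refused instead of producing a small allocation that the subsequent copy overruns.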
* [Backport] CVE-2022-0310 and CVE-2022-0311: Heap buffer overflow in Task Manager | Ahmed Fakhry | 2022-02-18 | 1 | -2/+6

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3368601:

    Fix out-of-bounds crashes in TableView

    BUG=1283805, 1283807
    TEST=Manual, added a unittest.

    Change-Id: I127b7d9683c716ebfc2df4eaa47257785c7786f0
    Reviewed-by: Peter Kasting <pkasting@chromium.org>
    Reviewed-by: Scott Violet <sky@chromium.org>
    Commit-Queue: Ahmed Fakhry <afakhry@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#956343}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0305: Inappropriate implementation in Service Worker API | Chris Bookholt | 2022-02-18 | 1 | -1/+3

    Manual cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3379268:

    ServiceWorkerContainerHost::EnsureFileAccess: abort request processing
    if the requesting process lacks file access

    Bug: 1282354
    Change-Id: Ia37ef5b97eedb0d2ad25ffe2869844a40e5be862
    Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
    Commit-Queue: Chris Bookholt <bookholt@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#957344}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0291: Inappropriate implementation in Storage | Austin Sullivan | 2022-02-18 | 1 | -0/+1

    Manual backport of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3350824:

    blob: return after ReportBadMessage

    This should have been added in https://crrev.com/c/3264353

    Bug: 1272083, 1281084
    Change-Id: Ia5c4e5a0ab6620453df5aa5f7e8f717074c10195
    Auto-Submit: Austin Sullivan <asully@chromium.org>
    Reviewed-by: Joshua Bell <jsbell@chromium.org>
    Commit-Queue: Joshua Bell <jsbell@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#953035}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0289: Use after free in Safe browsing | Xinghui Lu | 2022-02-18 | 2 | -3/+8

    Cherry-pick of patch originally reviewed on
    https://chromium-review.googlesource.com/c/chromium/src/+/3367466:

    Use RFH global id to ensure the RFH is valid.

    Observing via RenderFrameDeleted and RenderFrameHostChanged is not
    sufficient for validating the RFH is still valid, because the frames
    can belong to inner WebContents. As suggested in
    https://crrev.com/c/2449389, storing a GlobalFrameRoutingId is the
    preferred method of keeping a reference to a RFH.

    Bug: 1284367
    Change-Id: I3afb40e394d6e2e7fd19b2704e0dd68fa23c7bb2
    Reviewed-by: Daniel Rubery <drubery@chromium.org>
    Commit-Queue: Xinghui Lu <xinghuilu@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#956061}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* Allow accessing file protocol from protocols with local-access | Allan Sandfeld Jensen | 2022-01-31 | 2 files | -8/+13
    And let local schemes also have local access.

    Change-Id: I0d0a18af6d091d4edb09db0a3796403cb2ad00fb
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
    (cherry picked from commit 206bed415635ff7bd6d4486df225cc549e86d35a)
* Add allow_remote_access_from_local_urls setting | Allan Sandfeld Jensen | 2022-01-31 | 4 files | -0/+8
    We use this for our QtWebEngine remote access control.

    Change-Id: Idd88004960f22ca197fc0645848bba12b66697b9
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
    (cherry picked from commit 5a6feebc7c69290cad6b7a5453b744656772a4f0)
* [Backport] Fix wrong mipmap sampling option for Medium filter quality | Peter Varga | 2022-01-27 | 2 files | -2/+2
    Skia expects Nearest mipmap mode for Medium quality, see SkImageShader::onMakeContext(). The mismatch may cause a slowdown in scaling large images because of using SkVMBlitter for better quality.

    This is a fixup of https://crrev.com/c/2888866

    Change-Id: I33773c383eb4179c46bcc94b1cbc41fbcbfe3dd6
    Fixes: QTBUG-99130
    Bug: none
    Review-URL: https://chromium-review.googlesource.com/c/chromium/src/+/3377983
    Cr-Commit-Position: refs/heads/main@{#963327}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    (cherry picked from commit 985b58f8c423a0c9e455fb804cf59e5d302dcb1e)
* Speculative fix for build error | Allan Sandfeld Jensen | 2022-01-21 | 1 file | -0/+1
    Avoid jumbo-build of module_win.cc as it uses GUID and gets confused by base::GUID.

    Task-number: QTBUG-100058
    Change-Id: I0559584d9751f94b91c478681126b46908928207
    (cherry picked from commit f321266511558471575a5f71b83fe34783fd6840)
    Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security bug 1256885 | Michael Brüning | 2022-01-14 | 16 files | -5/+93
    Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3215079:

    DevTools: only allow certain protocol commands to certain clients

    Bug: 1256885
    Change-Id: Ieccc5b897ca7d60ac40db98ce34d13b6a02b3b7b
    Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
    Reviewed-by: Danil Somsikov <dsv@chromium.org>
    Reviewed-by: Alex Rudenko <alexrudenko@chromium.org>
    Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#931377}
    Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2022-0116: Inappropriate implementation in Compositing | Michael Brüning | 2022-01-13 | 2 files | -76/+85
    Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3320870:

    - Don't explicitly clip scissor for large transforms

    This adds a check to CanExplicitlyScissor that confirms that the device space scissor rect, transformed to the quad's local space, can be transformed back to device space and equal the same pixel bounds. Without this check, sufficiently large scales and translates could cause the local-space coordinates of the scissor rect to be in a float range that does not have single-pixel precision, meaning it could round significantly. Clipping the quad's coordinates to those rounded edges and then transforming to device space can result in coordinates that fall outside the original device-space scissor rect. If, however, we ensure we can round-trip the scissor coordinates, then any clipping to the quad's coordinates will also be projected to within the scissor rect as well.

    (cherry picked from commit ab1b76f3e7cdad702c562f0b43bf3367caff4812)

    Bug: 1272250
    Change-Id: I7c37c54efd082723797ccf32b5d19ef285c520c1
    Commit-Queue: Michael Ludwig <michaelludwig@google.com>
    Reviewed-by: Brian Salomon <bsalomon@google.com>
    Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
    Cr-Original-Commit-Position: refs/heads/main@{#946552}
    Auto-Submit: Michael Ludwig <michaelludwig@google.com>
    Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
    Cr-Commit-Position: refs/branch-heads/4692@{#786}
    Cr-Branched-From: 038cd96142d384c0d2238973f1cb277725a62eba-refs/heads/main@{#938553}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Dependency for CVE-2022-0116 | Michael Ludwig | 2022-01-13 | 2 files | -13/+26
    Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3025026:

    SkiaRenderer: don't explicitly apply scissor if it creates subpixel geometry

    If skia-renderer explicitly applies the clip, then Skia only sees the geometry and uses hairline aa methods when it's subpixel. Hairline rendering outsets beyond 1/2px to ensure pixel centers are covered, but this means the rendered geometry isn't equivalent to the intended intersection of clip + draw rects. When regular non-hairline methods are used for non-subpixel geometry, they are compatible.

    This CL checks that the device bounds after the clip are at least a pixel in each dimension in order to apply the scissor manually. If not, it passes it down to Skia so that Skia knows not to use hairline rendering methods.

    In order to fully resolve the linked issue, there is also a related change in Skia: https://skia-review.googlesource.com/c/skia/+/426437 which is needed to ensure skia does not itself ignore or geometrically apply the clip to subpixel rects before rasterization.

    Bug: 1210170
    Change-Id: Idd67653162d42d0bc350d5976d7a8e16b832066a
    Reviewed-by: kylechar <kylechar@chromium.org>
    Commit-Queue: Michael Ludwig <michaelludwig@google.com>
    Cr-Commit-Position: refs/heads/master@{#901489}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] CVE-2022-0108: Inappropriate implementation in Navigation | Nate Chapin | 2022-01-13 | 1 file | -1/+19
    Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3193885:

    Fire iframe onload for cross-origin-initiated same-document navigations

    A cross-origin initiator can check whether or not onload fired to guess the url of a target frame. Always firing onload makes it appear to be a cross-document navigation, even when it wasn't.

    Bug: 1248444
    Change-Id: I79249cb441f61ac6cab65ab9e5dd4a44b291bc4a
    Commit-Queue: Nate Chapin <japhet@chromium.org>
    Reviewed-by: Rakina Zata Amni <rakina@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#931681}
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>