Commits:
-
03212ecd
by Mike Conley at 2025-11-10T09:19:58+01:00
Bug 1880634 - Use chrome-only dispatch for the MozTogglePictureInPicture event. r=niklas
Differential Revision: https://phabricator.services.mozilla.com/D202063
-
0784b098
by Nika Layzell at 2025-11-10T11:13:28+01:00
Bug 1987977 - Add extra fd validation to ChannelPosix, r=ipc-reviewers,jld
Every attached FD has a guaranteed 4 bytes of payload, so this check
should be redundant unless a message payload is manually constructed or
corrupted.
Differential Revision: https://phabricator.services.mozilla.com/D265038
5 changed files:
Changes:
browser/actors/ContextMenuChild.sys.mjs
| ... |
... |
@@ -128,7 +128,10 @@ export class ContextMenuChild extends JSWindowActorChild { |
|
128
|
128
|
},
|
|
129
|
129
|
this.contentWindow
|
|
130
|
130
|
);
|
|
131
|
|
- media.dispatchEvent(event);
|
|
|
131
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(
|
|
|
132
|
+ media,
|
|
|
133
|
+ event
|
|
|
134
|
+ );
|
|
132
|
135
|
break;
|
|
133
|
136
|
}
|
|
134
|
137
|
}
|
ipc/chromium/src/chrome/common/ipc_channel_posix.cc
| ... |
... |
@@ -479,8 +479,9 @@ bool Channel::ChannelImpl::ProcessIncomingMessages() { |
|
479
|
479
|
error = "Message needs unreceived descriptors";
|
|
480
|
480
|
}
|
|
481
|
481
|
|
|
482
|
|
- if (m.header()->num_handles >
|
|
483
|
|
- IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) {
|
|
|
482
|
+ size_t maxHandles = std::min<size_t>(
|
|
|
483
|
+ m.size(), IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE);
|
|
|
484
|
+ if (m.header()->num_handles > maxHandles) {
|
|
484
|
485
|
// There are too many descriptors in this message
|
|
485
|
486
|
error = "Message requires an excessive number of descriptors";
|
|
486
|
487
|
}
|
| ... |
... |
@@ -596,8 +597,9 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() { |
|
596
|
597
|
}
|
|
597
|
598
|
#endif
|
|
598
|
599
|
|
|
599
|
|
- if (msg->attached_handles_.Length() >
|
|
600
|
|
- IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) {
|
|
|
600
|
+ size_t maxHandles = std::min<size_t>(
|
|
|
601
|
+ msg->size(), IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE);
|
|
|
602
|
+ if (msg->attached_handles_.Length() > maxHandles) {
|
|
601
|
603
|
MOZ_DIAGNOSTIC_ASSERT(false, "Too many file descriptors!");
|
|
602
|
604
|
CHROMIUM_LOG(FATAL) << "Too many file descriptors!";
|
|
603
|
605
|
// This should not be reached.
|
toolkit/actors/PictureInPictureChild.sys.mjs
| ... |
... |
@@ -182,7 +182,10 @@ export class PictureInPictureLauncherChild extends JSWindowActorChild { |
|
182
|
182
|
detail: { reason },
|
|
183
|
183
|
}
|
|
184
|
184
|
);
|
|
185
|
|
- video.dispatchEvent(stopPipEvent);
|
|
|
185
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(
|
|
|
186
|
+ video,
|
|
|
187
|
+ stopPipEvent
|
|
|
188
|
+ );
|
|
186
|
189
|
return;
|
|
187
|
190
|
}
|
|
188
|
191
|
|
| ... |
... |
@@ -673,7 +676,7 @@ export class PictureInPictureToggleChild extends JSWindowActorChild { |
|
673
|
676
|
detail: { reason: "urlBar" },
|
|
674
|
677
|
}
|
|
675
|
678
|
);
|
|
676
|
|
- video.dispatchEvent(pipEvent);
|
|
|
679
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(video, pipEvent);
|
|
677
|
680
|
}
|
|
678
|
681
|
}
|
|
679
|
682
|
|
| ... |
... |
@@ -1066,7 +1069,7 @@ export class PictureInPictureToggleChild extends JSWindowActorChild { |
|
1066
|
1069
|
detail: { reason: "toggle" },
|
|
1067
|
1070
|
}
|
|
1068
|
1071
|
);
|
|
1069
|
|
- video.dispatchEvent(pipEvent);
|
|
|
1072
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(video, pipEvent);
|
|
1070
|
1073
|
|
|
1071
|
1074
|
// Since we've initiated Picture-in-Picture, we can go ahead and
|
|
1072
|
1075
|
// hide the toggle now.
|
toolkit/components/pictureinpicture/tests/click-event-helper.js
| ... |
... |
@@ -2,13 +2,20 @@ |
|
2
|
2
|
http://creativecommons.org/publicdomain/zero/1.0/ */
|
|
3
|
3
|
|
|
4
|
4
|
/**
|
|
5
|
|
- * This helper script is used to record mouse button events for
|
|
6
|
|
- * Picture-in-Picture toggle click tests. Anytime the toggle is
|
|
7
|
|
- * clicked, we expect none of the events to be fired. Otherwise,
|
|
8
|
|
- * all events should be fired when clicking.
|
|
|
5
|
+ * This helper script is used to record events for Picture-in-Picture toggle
|
|
|
6
|
+ * click tests. Anytime the toggle is clicked, we expect none of the events to
|
|
|
7
|
+ * be fired. Otherwise, all (except MozTogglePictureInPicture) events should be
|
|
|
8
|
+ * fired when clicking on web content.
|
|
9
|
9
|
*/
|
|
10
|
10
|
|
|
11
|
|
-let eventTypes = ["pointerdown", "mousedown", "pointerup", "mouseup", "click"];
|
|
|
11
|
+let eventTypes = [
|
|
|
12
|
+ "MozTogglePictureInPicture",
|
|
|
13
|
+ "pointerdown",
|
|
|
14
|
+ "mousedown",
|
|
|
15
|
+ "pointerup",
|
|
|
16
|
+ "mouseup",
|
|
|
17
|
+ "click",
|
|
|
18
|
+];
|
|
12
|
19
|
|
|
13
|
20
|
for (let event of eventTypes) {
|
|
14
|
21
|
addEventListener(event, recordEvent, { capture: true });
|
toolkit/components/pictureinpicture/tests/head.js
| ... |
... |
@@ -139,7 +139,7 @@ async function triggerPictureInPicture(browser, videoID, triggerFn) { |
|
139
|
139
|
let event = new content.CustomEvent("MozTogglePictureInPicture", {
|
|
140
|
140
|
bubbles: true,
|
|
141
|
141
|
});
|
|
142
|
|
- video.dispatchEvent(event);
|
|
|
142
|
+ content.windowUtils.dispatchEventToChromeOnly(video, event);
|
|
143
|
143
|
await ContentTaskUtils.waitForCondition(() => {
|
|
144
|
144
|
return video.isCloningElementVisually;
|
|
145
|
145
|
}, "Video is being cloned visually.");
|
|