Commits:
-
35a291da
by Mike Conley at 2025-11-10T11:48:22+01:00
Bug 1880634 - Use chrome-only dispatch for the MozTogglePictureInPicture event. r=niklas
Differential Revision: https://phabricator.services.mozilla.com/D202063
-
629f8c06
by Nika Layzell at 2025-11-10T11:48:30+01:00
Bug 1987977 - Add extra fd validation to ChannelPosix, r=ipc-reviewers,jld
Every attached FD has a guaranteed 4 bytes of payload, so this check
should be redundant unless a message payload is manually constructed or
corrupted.
Differential Revision: https://phabricator.services.mozilla.com/D265038
5 changed files:
Changes:
browser/actors/ContextMenuChild.sys.mjs
| ... |
... |
@@ -121,7 +121,10 @@ export class ContextMenuChild extends JSWindowActorChild { |
|
121
|
121
|
},
|
|
122
|
122
|
this.contentWindow
|
|
123
|
123
|
);
|
|
124
|
|
- media.dispatchEvent(event);
|
|
|
124
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(
|
|
|
125
|
+ media,
|
|
|
126
|
+ event
|
|
|
127
|
+ );
|
|
125
|
128
|
break;
|
|
126
|
129
|
}
|
|
127
|
130
|
}
|
ipc/chromium/src/chrome/common/ipc_channel_posix.cc
| ... |
... |
@@ -419,8 +419,9 @@ bool Channel::ChannelImpl::ProcessIncomingMessages() { |
|
419
|
419
|
error = "Message needs unreceived descriptors";
|
|
420
|
420
|
}
|
|
421
|
421
|
|
|
422
|
|
- if (m.header()->num_handles >
|
|
423
|
|
- IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) {
|
|
|
422
|
+ size_t maxHandles = std::min<size_t>(
|
|
|
423
|
+ m.size(), IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE);
|
|
|
424
|
+ if (m.header()->num_handles > maxHandles) {
|
|
424
|
425
|
// There are too many descriptors in this message
|
|
425
|
426
|
error = "Message requires an excessive number of descriptors";
|
|
426
|
427
|
}
|
| ... |
... |
@@ -536,8 +537,9 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() { |
|
536
|
537
|
}
|
|
537
|
538
|
#endif
|
|
538
|
539
|
|
|
539
|
|
- if (msg->attached_handles_.Length() >
|
|
540
|
|
- IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) {
|
|
|
540
|
+ size_t maxHandles = std::min<size_t>(
|
|
|
541
|
+ msg->size(), IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE);
|
|
|
542
|
+ if (msg->attached_handles_.Length() > maxHandles) {
|
|
541
|
543
|
MOZ_DIAGNOSTIC_CRASH("Too many file descriptors!");
|
|
542
|
544
|
CHROMIUM_LOG(FATAL) << "Too many file descriptors!";
|
|
543
|
545
|
// This should not be reached.
|
toolkit/actors/PictureInPictureChild.sys.mjs
| ... |
... |
@@ -191,7 +191,10 @@ export class PictureInPictureLauncherChild extends JSWindowActorChild { |
|
191
|
191
|
detail: { reason },
|
|
192
|
192
|
}
|
|
193
|
193
|
);
|
|
194
|
|
- video.dispatchEvent(stopPipEvent);
|
|
|
194
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(
|
|
|
195
|
+ video,
|
|
|
196
|
+ stopPipEvent
|
|
|
197
|
+ );
|
|
195
|
198
|
return;
|
|
196
|
199
|
}
|
|
197
|
200
|
|
| ... |
... |
@@ -703,7 +706,7 @@ export class PictureInPictureToggleChild extends JSWindowActorChild { |
|
703
|
706
|
detail: { reason: "UrlBar", eventExtraKeys },
|
|
704
|
707
|
}
|
|
705
|
708
|
);
|
|
706
|
|
- video.dispatchEvent(pipEvent);
|
|
|
709
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(video, pipEvent);
|
|
707
|
710
|
}
|
|
708
|
711
|
}
|
|
709
|
712
|
|
| ... |
... |
@@ -1092,7 +1095,7 @@ export class PictureInPictureToggleChild extends JSWindowActorChild { |
|
1092
|
1095
|
detail: { reason: "Toggle" },
|
|
1093
|
1096
|
}
|
|
1094
|
1097
|
);
|
|
1095
|
|
- video.dispatchEvent(pipEvent);
|
|
|
1098
|
+ this.contentWindow.windowUtils.dispatchEventToChromeOnly(video, pipEvent);
|
|
1096
|
1099
|
|
|
1097
|
1100
|
// Since we've initiated Picture-in-Picture, we can go ahead and
|
|
1098
|
1101
|
// hide the toggle now.
|
toolkit/components/pictureinpicture/tests/click-event-helper.js
| ... |
... |
@@ -2,13 +2,20 @@ |
|
2
|
2
|
http://creativecommons.org/publicdomain/zero/1.0/ */
|
|
3
|
3
|
|
|
4
|
4
|
/**
|
|
5
|
|
- * This helper script is used to record mouse button events for
|
|
6
|
|
- * Picture-in-Picture toggle click tests. Anytime the toggle is
|
|
7
|
|
- * clicked, we expect none of the events to be fired. Otherwise,
|
|
8
|
|
- * all events should be fired when clicking.
|
|
|
5
|
+ * This helper script is used to record events for Picture-in-Picture toggle
|
|
|
6
|
+ * click tests. Anytime the toggle is clicked, we expect none of the events to
|
|
|
7
|
+ * be fired. Otherwise, all (except MozTogglePictureInPicture) events should be
|
|
|
8
|
+ * fired when clicking on web content.
|
|
9
|
9
|
*/
|
|
10
|
10
|
|
|
11
|
|
-let eventTypes = ["pointerdown", "mousedown", "pointerup", "mouseup", "click"];
|
|
|
11
|
+let eventTypes = [
|
|
|
12
|
+ "MozTogglePictureInPicture",
|
|
|
13
|
+ "pointerdown",
|
|
|
14
|
+ "mousedown",
|
|
|
15
|
+ "pointerup",
|
|
|
16
|
+ "mouseup",
|
|
|
17
|
+ "click",
|
|
|
18
|
+];
|
|
12
|
19
|
|
|
13
|
20
|
for (let event of eventTypes) {
|
|
14
|
21
|
addEventListener(event, recordEvent, { capture: true });
|
toolkit/components/pictureinpicture/tests/head.js
| ... |
... |
@@ -139,7 +139,7 @@ async function triggerPictureInPicture(browser, videoID, triggerFn) { |
|
139
|
139
|
let event = new content.CustomEvent("MozTogglePictureInPicture", {
|
|
140
|
140
|
bubbles: true,
|
|
141
|
141
|
});
|
|
142
|
|
- video.dispatchEvent(event);
|
|
|
142
|
+ content.windowUtils.dispatchEventToChromeOnly(video, event);
|
|
143
|
143
|
await ContentTaskUtils.waitForCondition(() => {
|
|
144
|
144
|
return video.isCloningElementVisually;
|
|
145
|
145
|
}, "Video is being cloned visually.");
|
|