Commits:
-
e31cc1a1
by Brad Werth at 2026-02-23T09:34:57+01:00
Bug 2006199: Use gzip stream total_out for SVG document parsing. r=jfkthame
With this change, the assert is no longer necessary, because the stream
tells us how many elements to process. A crashtest is included.
Differential Revision: https://phabricator.services.mozilla.com/D276726
-
1e13a3d1
by Valentin Gosu at 2026-02-23T09:35:16+01:00
Bug 2008426 - No sniffing for JAR channels a=dmeehan DONTBUILD
When the content type is determined to be UNKNOWN_CONTENT_TYPE
and the content is coming from a JAR file we shouldn't attempt
to do content sniffing. JAR files should always have the correct
file extension.
Original Revision: https://phabricator.services.mozilla.com/D278098
Differential Revision: https://phabricator.services.mozilla.com/D279874
-
ad371e9b
by Nika Layzell at 2026-02-23T09:35:21+01:00
Bug 2008912 - (ESR140) New checks for synced contexts a=dmeehan DONTBUILD
Differential Revision: https://phabricator.services.mozilla.com/D279771
-
761453a4
by Frederik Braun at 2026-02-23T09:35:27+01:00
Bug 2012331 - ensure consistent MediaKeys lifetime a=dmeehan DONTBUILD
Original Revision: https://phabricator.services.mozilla.com/D280379
Differential Revision: https://phabricator.services.mozilla.com/D282593
10 changed files:
Changes:
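--- a/docshell/base/BrowsingContext.cpp
+++ b/docshell/base/BrowsingContext.cpp
@@ -3801,6 +3801,10 @@ bool IPDLParamTraits<dom::MaybeDiscarded<dom::BrowsingContext>>::Read(
 if (id == 0) {
 *aResult = nullptr;
 } else if (RefPtr<dom::BrowsingContext> bc = dom::BrowsingContext::Get(id)) {
+ if (!bc->Group()->IsKnownForMessageReader(aReader)) {
+ return false;
+ }
+
 *aResult = std::move(bc);
 } else {
 aResult->SetDiscarded(id);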
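Review bot: The added `IsKnownForMessageReader` guard in `Read` has no comment, so a reader cannot tell that it is a trust-boundary check on the sending process rather than a null check. I would add above it `// Only accept an ID if the sending process is subscribed to the context's group; the helper has already set a fatal error on aReader when this fails.` The same applies to the identical guard in docshell/base/WindowContext.cpp. An ID with no live context still falls through to `SetDiscarded(id)` without any per-process check, which appears intentional but is worth stating in that comment too. The body of `Read` starts and ends outside the hunk.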
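--- a/docshell/base/BrowsingContextGroup.cpp
+++ b/docshell/base/BrowsingContextGroup.cpp
@@ -259,6 +259,42 @@ ContentParent* BrowsingContextGroup::GetHostProcess(
 return mHosts.GetWeak(aRemoteType);
 }
 
+bool BrowsingContextGroup::IsKnownForMessageReader(
+ IPC::MessageReader* aReader) {
+ if (!aReader->GetActor()) {
+ aReader->FatalError(
+ "No actor for BrowsingContextGroup::IsKnownForMessageReader");
+ return false;
+ }
+
+ mozilla::ipc::IToplevelProtocol* topActor =
+ aReader->GetActor()->ToplevelProtocol();
+ switch (topActor->GetProtocolId()) {
+ case PInProcessMsgStart:
+ // PInProcess always exists only within a single process, so we don't need
+ // to do any validation on it.
+ return true;
+
+ case PContentMsgStart:
+ // The process should only be able to name this BCG if it is
+ // subscribed, or if the BCG has been destroyed (and has therefore
+ // stopped tracking subscribers).
+ if (topActor->GetSide() == mozilla::ipc::ParentSide && !mDestroyed &&
+ !mSubscribers.Contains(static_cast<ContentParent*>(topActor))) {
+ aReader->FatalError(
+ "Process is not subscribed to this BrowsingContextGroup");
+ return false;
+ }
+ return true;
+
+ default:
+ aReader->FatalError(
+ "Unsupported toplevel actor for "
+ "BrowsingContextGroup::IsKnownForMessageReader");
+ return false;
+ }
+}
+
 void BrowsingContextGroup::UpdateToplevelsSuspendedIfNeeded() {
 if (!StaticPrefs::dom_suspend_inactive_enabled()) {
 return;
@@ -304,8 +340,8 @@ void BrowsingContextGroup::Destroy() {
 !sBrowsingContextGroups->Contains(Id()) ||
 *sBrowsingContextGroups->Lookup(Id()) != this);
 }
- mDestroyed = true;
 #endif
+ mDestroyed = true;
 
 // Make sure to call `RemoveBrowsingContextGroup` for every entry in both
 // `mHosts` and `mSubscribers`. This will visit most entries twice, but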
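Review bot: In the `PContentMsgStart` case of `IsKnownForMessageReader`, the subscriber check only runs when `GetSide() == mozilla::ipc::ParentSide`, so a reader on the child side returns true unconditionally, and the comment does not say so. If that is the intent I would extend the comment with `// On the child side the peer is the parent process, which is trusted, so nothing is checked.` The `!mDestroyed` exemption also means every content process passes once the group has been destroyed; whether a context in a destroyed group can still be returned by `BrowsingContext::Get(id)` is not visible here, so the comment should say why accepting it is safe. `aReader->GetActor()` is called twice and could be held in a local.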
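--- a/docshell/base/BrowsingContextGroup.h
+++ b/docshell/base/BrowsingContextGroup.h
@@ -74,6 +74,12 @@ class BrowsingContextGroup final : public nsWrapperCache {
 // BrowsingContextGroup, if possible.
 ContentParent* GetHostProcess(const nsACString& aRemoteType);
 
+ // Check if the process which sent the message being read from aReader is
+ // aware of this BrowsingContextGroup's existence.
+ // If this returns false, it will first set a fatal error on aReader with more
+ // details.
+ bool IsKnownForMessageReader(IPC::MessageReader* aReader);
+
 // When a BrowsingContext is being discarded, we may want to keep the
 // corresponding BrowsingContextGroup alive until the other process
 // acknowledges that the BrowsingContext has been discarded. A `KeepAlive`
@@ -226,9 +232,7 @@ class BrowsingContextGroup final : public nsWrapperCache {
 
 uint32_t mKeepAliveCount = 0;
 
-#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
 bool mDestroyed = false;
-#endif
 
 // A BrowsingContextGroup contains a series of {Browsing,Window}Context
 // objects. They are addressed using a hashtable to avoid linear lookup when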
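Review bot: The declaration comment for `IsKnownForMessageReader` describes only the subscription check, but the implementation in BrowsingContextGroup.cpp also rejects every toplevel protocol other than PContent and PInProcess with a fatal error. Anyone who later sends a `MaybeDiscarded<BrowsingContext>` over another protocol will hit that, so the header should say it, for example `// Only PContent and PInProcess actors are supported; any other toplevel actor is a fatal error.` In the second hunk `mDestroyed` is now compiled in all builds because the check reads it; a short `// Also read by IsKnownForMessageReader.` next to the field would explain why the `#ifdef` went away.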
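--- a/docshell/base/WindowContext.cpp
+++ b/docshell/base/WindowContext.cpp
@@ -629,6 +629,10 @@ bool IPDLParamTraits<dom::MaybeDiscarded<dom::WindowContext>>::Read(
 if (id == 0) {
 *aResult = nullptr;
 } else if (RefPtr<dom::WindowContext> wc = dom::WindowContext::GetById(id)) {
+ if (!wc->Group()->IsKnownForMessageReader(aReader)) {
+ return false;
+ }
+
 *aResult = std::move(wc);
 } else {
 aResult->SetDiscarded(id);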
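--- a/dom/media/eme/MediaKeys.cpp
+++ b/dom/media/eme/MediaKeys.cpp
@@ -327,6 +327,7 @@ void MediaKeys::RejectPromise(PromiseId aId, ErrorResult&& aException,
 this, aId, errorCodeAsInt);
 return;
 }
+ RefPtr<MediaKeys> keys(this);
 
 // This promise could be a createSession or loadSession promise,
 // so we might have a pending session waiting to be resolved into
@@ -381,6 +382,7 @@ void MediaKeys::ResolvePromise(PromiseId aId) {
 if (!promise) {
 return;
 }
+ RefPtr<MediaKeys> keys(this);
 
 uint32_t token = 0;
 if (!mPromiseIdToken.Get(aId, &token)) {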
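Review bot: The new `RefPtr<MediaKeys> keys(this);` in `RejectPromise` and `ResolvePromise` is never read, so without a comment it looks like dead code that a later cleanup could remove and reintroduce the lifetime problem. I would state the reason at both sites, e.g. `// Hold a strong reference to ourselves: the work below may drop the last external reference to this MediaKeys.`, and consider a name such as `selfRef` that signals the intent. Which call below can release the object is outside both hunks, so the comment should name it once confirmed. Both function bodies continue outside the hunks.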
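--- a/gfx/tests/crashtests/2006199.html
+++ b/gfx/tests/crashtests/2006199.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<style>
+@font-face {
+ font-family: 'PoCFont';
+ src: url('badsvgfont.ttf');
+}
+</style>
+<div style="font-family: PoCFont; font-size: 100px;">L</div>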
gfx/tests/crashtests/badsvgfont.ttf
No preview for this file type
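--- a/gfx/tests/crashtests/crashtests.list
+++ b/gfx/tests/crashtests/crashtests.list
@@ -225,4 +225,5 @@ load 1797099-1.html
 load 1799495-1.html
 load 1802382-1.html
 load 1808830.html
+load 2006199.html
 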
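--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@@ -292,8 +292,7 @@ gfxSVGGlyphsDocument::gfxSVGGlyphsDocument(const uint8_t* aBuffer,
 if (Z_OK == inflateInit2(&s, 16 + MAX_WBITS)) {
 int result = inflate(&s, Z_FINISH);
 if (Z_STREAM_END == result) {
- MOZ_ASSERT(size_t(s.next_out - outBuf.Elements()) == origLen);
- ParseDocument(outBuf.Elements(), outBuf.Length());
+ ParseDocument(outBuf.Elements(), s.total_out);
 } else {
 NS_WARNING("Failed to decompress SVG glyphs document");
 }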
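Review bot: Passing `s.total_out` to `ParseDocument` is only safe if `s.avail_out` was set to the size of `outBuf` before `inflate`, and that setup is outside the hunk; with the assert gone nothing in the visible code states the invariant. I would add above the call `// total_out is the number of bytes zlib actually wrote, which is at most avail_out; do not use origLen as the parse length.` `total_out` is a zlib `uLong`, so if `ParseDocument` takes a narrower length type an explicit cast would make the conversion visible. A mismatch between `total_out` and `origLen` is now accepted silently; an `NS_WARNING` on mismatch would keep the diagnostic without the assert.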
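--- a/uriloader/base/nsURILoader.cpp
+++ b/uriloader/base/nsURILoader.cpp
@@ -16,6 +16,7 @@
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsIInputStream.h"
+#include "nsIJARChannel.h"
 #include "nsIStreamConverterService.h"
 #include "nsIWeakReferenceUtils.h"
 #include "nsIHttpChannel.h"
@@ -554,6 +555,15 @@ nsresult nsDocumentOpenInfo::TryStreamConversion(nsIChannel* aChannel) {
 srcContentType.AssignLiteral(UNKNOWN_CONTENT_TYPE);
 }
 
+ // If this is an unknown content type loaded from a JAR file
+ // don't attempt to sniff it.
+ if (srcContentType.EqualsLiteral(UNKNOWN_CONTENT_TYPE)) {
+ if (nsCOMPtr<nsIJARChannel> jar = do_QueryInterface(aChannel)) {
+ m_targetStreamListener = nullptr;
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ }
+
 nsresult rv =
 ConvertData(aChannel, m_contentListener, srcContentType, anyType);
 if (NS_FAILED(rv)) {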
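Review bot: The comment on the new JAR check in `TryStreamConversion` says what is skipped but not why, and the reason is security-relevant: content inside an archive should not acquire a type through sniffing that its file name does not declare. I would expand it to something like `// Content from a JAR is typed by its file extension only; never let sniffing assign a different type to archive content.` The check sees only the channel passed in, so a channel that wraps a JAR channel without exposing `nsIJARChannel` would presumably still reach `ConvertData`; it is worth confirming that no such wrapper exists. What the caller does with `NS_ERROR_NOT_AVAILABLE` is outside the hunk, as is the rest of the function body.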