ma1 pushed to branch tor-browser-115.33.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits:

10 changed files:

Changes:

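--- a/docshell/base/BrowsingContext.cpp
+++ b/docshell/base/BrowsingContext.cpp
@@ -3801,6 +3801,10 @@ bool IPDLParamTraits<dom::MaybeDiscarded<dom::BrowsingContext>>::Read(
   if (id == 0) {
     *aResult = nullptr;
   } else if (RefPtr<dom::BrowsingContext> bc = dom::BrowsingContext::Get(id)) {
+    if (!bc->Group()->IsKnownForMessageReader(aReader)) {
+      return false;
+    }
+
     *aResult = std::move(bc);
   } else {
     aResult->SetDiscarded(id);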
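Review bot: The early `return false` at 3804–3806 relies on `IsKnownForMessageReader` having already recorded a fatal error on `aReader`, which every false path of the new implementation does, but nothing at this call site says so; a one-line comment such as `// IsKnownForMessageReader has already set a fatal error on aReader.` would keep a future caller from reporting a second, less specific error. The same pattern is added in docshell/base/WindowContext.cpp at 632–634 and would take the same comment. Only live contexts are validated: the `SetDiscarded(id)` branch still accepts any id the sender names, which is presumably acceptable because the discarded placeholder carries no state, but that asymmetry deserves a comment as well. The enclosing Read() begins before the hunk.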
    

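--- a/docshell/base/BrowsingContextGroup.cpp
+++ b/docshell/base/BrowsingContextGroup.cpp
@@ -259,6 +259,42 @@ ContentParent* BrowsingContextGroup::GetHostProcess(
   return mHosts.GetWeak(aRemoteType);
 }
 
+bool BrowsingContextGroup::IsKnownForMessageReader(
+    IPC::MessageReader* aReader) {
+  if (!aReader->GetActor()) {
+    aReader->FatalError(
+        "No actor for BrowsingContextGroup::IsKnownForMessageReader");
+    return false;
+  }
+
+  mozilla::ipc::IToplevelProtocol* topActor =
+      aReader->GetActor()->ToplevelProtocol();
+  switch (topActor->GetProtocolId()) {
+    case PInProcessMsgStart:
+      // PInProcess always exists only within a single process, so we don't need
+      // to do any validation on it.
+      return true;
+
+    case PContentMsgStart:
+      // The process should only be able to name this BCG if it is
+      // subscribed, or if the BCG has been destroyed (and has therefore
+      // stopped tracking subscribers).
+      if (topActor->GetSide() == mozilla::ipc::ParentSide && !mDestroyed &&
+          !mSubscribers.Contains(static_cast<ContentParent*>(topActor))) {
+        aReader->FatalError(
+            "Process is not subscribed to this BrowsingContextGroup");
+        return false;
+      }
+      return true;
+
+    default:
+      aReader->FatalError(
+          "Unsupported toplevel actor for "
+          "BrowsingContextGroup::IsKnownForMessageReader");
+      return false;
+  }
+}
+
 void BrowsingContextGroup::UpdateToplevelsSuspendedIfNeeded() {
   if (!StaticPrefs::dom_suspend_inactive_enabled()) {
     return;
@@ -304,8 +340,8 @@ void BrowsingContextGroup::Destroy() {
                              !sBrowsingContextGroups->Contains(Id()) ||
                                  *sBrowsingContextGroups->Lookup(Id()) != this);
   }
-  mDestroyed = true;
 #endif
+  mDestroyed = true;
 
   // Make sure to call `RemoveBrowsingContextGroup` for every entry in both
   // `mHosts` and `mSubscribers`. This will visit most entries twice, but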
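Review bot: `static_cast<ContentParent*>(topActor)` at 283 is only sound if the parent-side toplevel actor for `PContentMsgStart` is always a `ContentParent`; that precondition is implied by the `GetProtocolId()` switch and the `ParentSide` test, but a comment next to the cast, `// On the parent side the PContent toplevel actor is the ContentParent.`, would make the reasoning explicit. On the child side this branch returns true unconditionally, presumably because the parent process is trusted; stating that in the existing comment would help. `aReader->GetActor()` is evaluated twice (264 and 271); a local `auto* actor = aReader->GetActor();` used in both places reads better. Moving `mDestroyed = true;` past `#endif` in Destroy() is what makes the `!mDestroyed` test at 282 meaningful in non-diagnostic builds, which is worth a sentence in the commit message.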
    

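--- a/docshell/base/BrowsingContextGroup.h
+++ b/docshell/base/BrowsingContextGroup.h
@@ -74,6 +74,12 @@ class BrowsingContextGroup final : public nsWrapperCache {
   // BrowsingContextGroup, if possible.
   ContentParent* GetHostProcess(const nsACString& aRemoteType);
 
+  // Check if the process which sent the message being read from aReader is
+  // aware of this BrowsingContextGroup's existence.
+  // If this returns false, it will first set a fatal error on aReader with more
+  // details.
+  bool IsKnownForMessageReader(IPC::MessageReader* aReader);
+
   // When a BrowsingContext is being discarded, we may want to keep the
   // corresponding BrowsingContextGroup alive until the other process
   // acknowledges that the BrowsingContext has been discarded. A `KeepAlive`
@@ -226,9 +232,7 @@ class BrowsingContextGroup final : public nsWrapperCache {
 
   uint32_t mKeepAliveCount = 0;
 
-#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
   bool mDestroyed = false;
-#endif
 
   // A BrowsingContextGroup contains a series of {Browsing,Window}Context
   // objects. They are addressed using a hashtable to avoid linear lookup when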
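Review bot: `mDestroyed` at 235 loses its `#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED` guard without a comment saying why it now exists in every build; since `IsKnownForMessageReader` reads it to skip the subscriber check once the group has been destroyed, a note such as `// Set by Destroy(); read by IsKnownForMessageReader() to stop checking subscribers once the group is gone.` next to the member would record that. The method comment at 77–80 could also state what counts as known: a subscribed `ContentParent`, any in-process reader, or any reader once the group is destroyed.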
    

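--- a/docshell/base/WindowContext.cpp
+++ b/docshell/base/WindowContext.cpp
@@ -629,6 +629,10 @@ bool IPDLParamTraits<dom::MaybeDiscarded<dom::WindowContext>>::Read(
   if (id == 0) {
     *aResult = nullptr;
   } else if (RefPtr<dom::WindowContext> wc = dom::WindowContext::GetById(id)) {
+    if (!wc->Group()->IsKnownForMessageReader(aReader)) {
+      return false;
+    }
+
     *aResult = std::move(wc);
   } else {
     aResult->SetDiscarded(id);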
    

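--- a/dom/media/eme/MediaKeys.cpp
+++ b/dom/media/eme/MediaKeys.cpp
@@ -327,6 +327,7 @@ void MediaKeys::RejectPromise(PromiseId aId, ErrorResult&& aException,
             this, aId, errorCodeAsInt);
     return;
   }
+  RefPtr<MediaKeys> keys(this);
 
   // This promise could be a createSession or loadSession promise,
   // so we might have a pending session waiting to be resolved into
@@ -381,6 +382,7 @@ void MediaKeys::ResolvePromise(PromiseId aId) {
   if (!promise) {
     return;
   }
+  RefPtr<MediaKeys> keys(this);
 
   uint32_t token = 0;
   if (!mPromiseIdToken.Get(aId, &token)) {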
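Review bot: The two new `RefPtr<MediaKeys> keys(this);` locals (330 and 385) hold a strong reference but carry no comment, and `keys` is never otherwise used, so a reader may take them for dead code. Presumably they keep `this` alive while the promise is rejected or resolved, since that can run script that releases the last reference; a comment such as `// Keep |this| alive: settling the promise may run script that releases us.` would make that explicit, and the usual `kungFuDeathGrip` name would signal the intent on its own. Both enclosing functions continue past their hunks.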
    

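--- /dev/null
+++ b/gfx/tests/crashtests/2006199.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<style>
+@font-face {
+    font-family: 'PoCFont';
+    src: url('badsvgfont.ttf');
+}
+</style>
+<div style="font-family: PoCFont; font-size: 100px;">L</div>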

  • gfx/tests/crashtests/badsvgfont.ttf
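--- a/gfx/tests/crashtests/crashtests.list
+++ b/gfx/tests/crashtests/crashtests.list
@@ -225,4 +225,5 @@ load 1797099-1.html
 load 1799495-1.html
 load 1802382-1.html
 load 1808830.html
+load 2006199.html
 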
     

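--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@@ -292,8 +292,7 @@ gfxSVGGlyphsDocument::gfxSVGGlyphsDocument(const uint8_t* aBuffer,
       if (Z_OK == inflateInit2(&s, 16 + MAX_WBITS)) {
         int result = inflate(&s, Z_FINISH);
         if (Z_STREAM_END == result) {
-          MOZ_ASSERT(size_t(s.next_out - outBuf.Elements()) == origLen);
-          ParseDocument(outBuf.Elements(), outBuf.Length());
+          ParseDocument(outBuf.Elements(), s.total_out);
         } else {
           NS_WARNING("Failed to decompress SVG glyphs document");
         }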
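Review bot: `s.total_out` at 295 replaces `outBuf.Length()` without a comment explaining why the two can differ; `origLen`, which the removed assertion compared against, is presumably read from the font's gzip trailer and used to size `outBuf`, so the count of bytes inflate actually produced is the only length that can be trusted. A comment such as `// outBuf was sized from the gzip trailer; only pass the bytes inflate actually wrote.` would record that and explain why the assertion had to go. `total_out` is a zlib `uLong`, so if `ParseDocument` takes a 32-bit length the conversion narrows silently; worth confirming against its signature. The enclosing constructor starts and ends outside the hunk.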
    

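--- a/uriloader/base/nsURILoader.cpp
+++ b/uriloader/base/nsURILoader.cpp
@@ -16,6 +16,7 @@
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsIInputStream.h"
+#include "nsIJARChannel.h"
 #include "nsIStreamConverterService.h"
 #include "nsIWeakReferenceUtils.h"
 #include "nsIHttpChannel.h"
@@ -554,6 +555,15 @@ nsresult nsDocumentOpenInfo::TryStreamConversion(nsIChannel* aChannel) {
     srcContentType.AssignLiteral(UNKNOWN_CONTENT_TYPE);
   }
 
+  // If this is an unknown content type loaded from a JAR file
+  // don't attempt to sniff it.
+  if (srcContentType.EqualsLiteral(UNKNOWN_CONTENT_TYPE)) {
+    if (nsCOMPtr<nsIJARChannel> jar = do_QueryInterface(aChannel)) {
+      m_targetStreamListener = nullptr;
+      return NS_ERROR_NOT_AVAILABLE;
+    }
+  }
+
   nsresult rv =
       ConvertData(aChannel, m_contentListener, srcContentType, anyType);
   if (NS_FAILED(rv)) {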
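Review bot: The comment at 558–559 says what is skipped but not the outcome: with `m_targetStreamListener` cleared and `NS_ERROR_NOT_AVAILABLE` returned, the caller presumably treats the load as having no usable handler instead of falling back to content sniffing, and extending the comment to `// ... don't attempt to sniff it: drop the target listener and report that no converter is available.` would capture that. The `jar` binding at 561 is only tested for non-null and never used, which is harmless for an `nsCOMPtr` but reads as an unused variable; a short comment or dropping the name would avoid the question. TryStreamConversion continues past the hunk.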