ma1 pushed to branch tor-browser-115.33.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: e31cc1a1 by Brad Werth at 2026-02-23T09:34:57+01:00 Bug 2006199: Use gzip stream total_out for SVG document parsing. r=jfkthame With this change, the assert is no longer necessary, because the stream tells us how many elements to process. A crashtest is included. Differential Revision: https://phabricator.services.mozilla.com/D276726 - - - - - 1e13a3d1 by Valentin Gosu at 2026-02-23T09:35:16+01:00 Bug 2008426 - No sniffing for JAR channels a=dmeehan DONTBUILD When the content type is determined to be UNKNOWN_CONTENT_TYPE and the content is coming from a JAR file we shouldn't attempt to do content sniffing. JAR files should always have the correct file extension. Original Revision: https://phabricator.services.mozilla.com/D278098 Differential Revision: https://phabricator.services.mozilla.com/D279874 - - - - - ad371e9b by Nika Layzell at 2026-02-23T09:35:21+01:00 Bug 2008912 - (ESR140) New checks for synced contexts a=dmeehan DONTBUILD Differential Revision: https://phabricator.services.mozilla.com/D279771 - - - - - 761453a4 by Frederik Braun at 2026-02-23T09:35:27+01:00 Bug 2012331 - ensure consistent MediaKeys lifetime a=dmeehan DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D280379 Differential Revision: https://phabricator.services.mozilla.com/D282593 - - - - - 10 changed files: - docshell/base/BrowsingContext.cpp - docshell/base/BrowsingContextGroup.cpp - docshell/base/BrowsingContextGroup.h - docshell/base/WindowContext.cpp - dom/media/eme/MediaKeys.cpp - + gfx/tests/crashtests/2006199.html - + gfx/tests/crashtests/badsvgfont.ttf - gfx/tests/crashtests/crashtests.list - gfx/thebes/gfxSVGGlyphs.cpp - uriloader/base/nsURILoader.cpp Changes: ===================================== docshell/base/BrowsingContext.cpp ===================================== 
@@ -3801,6 +3801,10 @@ bool IPDLParamTraits<dom::MaybeDiscarded<dom::BrowsingContext>>::Read( if (id == 0) { *aResult = nullptr; } else if (RefPtr<dom::BrowsingContext> bc = dom::BrowsingContext::Get(id)) { + if (!bc->Group()->IsKnownForMessageReader(aReader)) { + return false; + } + *aResult = std::move(bc); } else { aResult->SetDiscarded(id); ===================================== docshell/base/BrowsingContextGroup.cpp ===================================== @@ -259,6 +259,42 @@ ContentParent* BrowsingContextGroup::GetHostProcess( return mHosts.GetWeak(aRemoteType); } +bool BrowsingContextGroup::IsKnownForMessageReader( + IPC::MessageReader* aReader) { + if (!aReader->GetActor()) { + aReader->FatalError( + "No actor for BrowsingContextGroup::IsKnownForMessageReader"); + return false; + } + + mozilla::ipc::IToplevelProtocol* topActor = + aReader->GetActor()->ToplevelProtocol(); + switch (topActor->GetProtocolId()) { + case PInProcessMsgStart: + // PInProcess always exists only within a single process, so we don't need + // to do any validation on it. + return true; + + case PContentMsgStart: + // The process should only be able to name this BCG if it is + // subscribed, or if the BCG has been destroyed (and has therefore + // stopped tracking subscribers). + if (topActor->GetSide() == mozilla::ipc::ParentSide && !mDestroyed && + !mSubscribers.Contains(static_cast<ContentParent*>(topActor))) { + aReader->FatalError( + "Process is not subscribed to this BrowsingContextGroup"); + return false; + } + return true; + + default: + aReader->FatalError( + "Unsupported toplevel actor for " + "BrowsingContextGroup::IsKnownForMessageReader"); + return false; + } +} + void BrowsingContextGroup::UpdateToplevelsSuspendedIfNeeded() { if (!StaticPrefs::dom_suspend_inactive_enabled()) { return; 
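Review bot: The group check is inserted only on the branch where `BrowsingContext::Get(id)` succeeds, and the same three lines are repeated verbatim in the WindowContext.cpp hunk of this commit; a one-line helper on BrowsingContextGroup (or a static in this file) would keep the two deserializers from drifting when a third toplevel protocol is added to `IsKnownForMessageReader`. The `SetDiscarded(id)` branch stays unvalidated, which looks deliberate since only the numeric id is stored, but that is worth saying: `// No validation for unknown ids: MaybeDiscarded only records the id, and the sender cannot learn anything from it.`. Note the validation now happens at IPDL deserialization, so every parent-side handler taking a `MaybeDiscarded<BrowsingContext>` inherits it without a per-method check. The enclosing `Read` specialization starts and ends outside this hunk.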
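Review bot: In `IsKnownForMessageReader`, `!mDestroyed` short-circuits the subscriber test, so once a group is destroyed any PContent sender on the parent side is accepted; the next hunk in this commit sets `mDestroyed` before `mSubscribers` is cleared, so the relaxation covers the whole teardown window. If a destroyed group's contexts can still be resolved through `BrowsingContext::Get()` while the group object is alive, a misbehaving content process can name them during that window — presumably harmless because those contexts are already being discarded, but the comment should state that reasoning rather than just the mechanism, e.g. `// A destroyed group no longer tracks subscribers; accept the sender so late messages for already-discarding contexts do not kill the process.`. The child-side `PContent` path and the `PInProcess` path return true without checks, which is fine since the parent is the trusted peer, but a short comment on the `ChildSide` case would make that explicit. Also consider a `MOZ_DIAGNOSTIC_ASSERT(topActor)` before `topActor->GetProtocolId()`, since `GetActor()` is null-checked but its toplevel is not.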
@@ -304,8 +340,8 @@ void BrowsingContextGroup::Destroy() { !sBrowsingContextGroups->Contains(Id()) || *sBrowsingContextGroups->Lookup(Id()) != this); } - mDestroyed = true; #endif + mDestroyed = true; // Make sure to call `RemoveBrowsingContextGroup` for every entry in both // `mHosts` and `mSubscribers`. This will visit most entries twice, but ===================================== docshell/base/BrowsingContextGroup.h ===================================== @@ -74,6 +74,12 @@ class BrowsingContextGroup final : public nsWrapperCache { // BrowsingContextGroup, if possible. ContentParent* GetHostProcess(const nsACString& aRemoteType); + // Check if the process which sent the message being read from aReader is + // aware of this BrowsingContextGroup's existence. + // If this returns false, it will first set a fatal error on aReader with more + // details. + bool IsKnownForMessageReader(IPC::MessageReader* aReader); + // When a BrowsingContext is being discarded, we may want to keep the // corresponding BrowsingContextGroup alive until the other process // acknowledges that the BrowsingContext has been discarded. A `KeepAlive` @@ -226,9 +232,7 @@ class BrowsingContextGroup final : public nsWrapperCache { uint32_t mKeepAliveCount = 0; -#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED bool mDestroyed = false; -#endif // A BrowsingContextGroup contains a series of {Browsing,Window}Context // objects. They are addressed using a hashtable to avoid linear lookup when ===================================== docshell/base/WindowContext.cpp ===================================== 
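Review bot: `mDestroyed` in BrowsingContextGroup.h is promoted from a diagnostics-only flag to one that now gates an IPC security check (`IsKnownForMessageReader` in this commit), but the member carries no comment explaining that new role. Add one so a future cleanup does not fold it back under `MOZ_DIAGNOSTIC_ASSERT_ENABLED`: `// Set by Destroy(). Read by IsKnownForMessageReader(): once set, subscriber tracking is gone and the subscription check is skipped.`. In the Destroy() hunk the flag is now set before the `mHosts`/`mSubscribers` cleanup that follows, which is the ordering the check relies on; a one-line comment there (`// Must precede the subscriber cleanup below; see IsKnownForMessageReader().`) would pin it. Destroy() continues past the end of this hunk.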
@@ -629,6 +629,10 @@ bool IPDLParamTraits<dom::MaybeDiscarded<dom::WindowContext>>::Read( if (id == 0) { *aResult = nullptr; } else if (RefPtr<dom::WindowContext> wc = dom::WindowContext::GetById(id)) { + if (!wc->Group()->IsKnownForMessageReader(aReader)) { + return false; + } + *aResult = std::move(wc); } else { aResult->SetDiscarded(id); ===================================== dom/media/eme/MediaKeys.cpp ===================================== @@ -327,6 +327,7 @@ void MediaKeys::RejectPromise(PromiseId aId, ErrorResult&& aException, this, aId, errorCodeAsInt); return; } + RefPtr<MediaKeys> keys(this); // This promise could be a createSession or loadSession promise, // so we might have a pending session waiting to be resolved into @@ -381,6 +382,7 @@ void MediaKeys::ResolvePromise(PromiseId aId) { if (!promise) { return; } + RefPtr<MediaKeys> keys(this); uint32_t token = 0; if (!mPromiseIdToken.Get(aId, &token)) { ===================================== gfx/tests/crashtests/2006199.html ===================================== @@ -0,0 +1,8 @@ +<!DOCTYPE html> +<style> +@font-face { + font-family: 'PoCFont'; + src: url('badsvgfont.ttf'); +} +</style> +<div style="font-family: PoCFont; font-size: 100px;">L</div> ===================================== gfx/tests/crashtests/badsvgfont.ttf ===================================== Binary files /dev/null and b/gfx/tests/crashtests/badsvgfont.ttf differ ===================================== gfx/tests/crashtests/crashtests.list ===================================== @@ -225,4 +225,5 @@ load 1797099-1.html load 1799495-1.html load 1802382-1.html load 1808830.html +load 2006199.html ===================================== gfx/thebes/gfxSVGGlyphs.cpp ===================================== 
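Review bot: `wc->Group()` is dereferenced without a null check; if `WindowContext::Group()` can be null for a context that `GetById` still returns while its BrowsingContext is being torn down, this turns an untrusted id into a null dereference in the parent — confirm against `GetById` and the group lifetime, and if it can happen fail the read instead: `if (!wc->Group() || !wc->Group()->IsKnownForMessageReader(aReader)) { return false; }`. The same question applies to `bc->Group()` in the BrowsingContext.cpp hunk of this commit. The check body is otherwise identical to that hunk, so a shared helper would be preferable to two copies. The enclosing `Read` specialization starts and ends outside this hunk.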
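Review bot: In MediaKeys.cpp the two added `RefPtr<MediaKeys> keys(this);` locals are never referenced, so nothing tells a reader they are keep-alive grips rather than leftovers, and an unused-variable cleanup would silently reintroduce whatever use-after-free Bug 2012331 covers. Use the codebase's conventional name and say why the grip is needed, e.g. `// Resolving/rejecting the promise below can run script that drops the last reference to this MediaKeys; keep it alive for the rest of the call.` followed by `RefPtr<MediaKeys> kungFuDeathGrip(this);`. In RejectPromise the grip is placed after the early-return branch that only logs, which looks correct, but presumably nothing before it can run script — worth confirming since both function bodies extend outside the hunks.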
@@ -292,8 +292,7 @@ gfxSVGGlyphsDocument::gfxSVGGlyphsDocument(const uint8_t* aBuffer, if (Z_OK == inflateInit2(&s, 16 + MAX_WBITS)) { int result = inflate(&s, Z_FINISH); if (Z_STREAM_END == result) { - MOZ_ASSERT(size_t(s.next_out - outBuf.Elements()) == origLen); - ParseDocument(outBuf.Elements(), outBuf.Length()); + ParseDocument(outBuf.Elements(), s.total_out); } else { NS_WARNING("Failed to decompress SVG glyphs document"); } ===================================== uriloader/base/nsURILoader.cpp ===================================== @@ -16,6 +16,7 @@ #include "nsIInterfaceRequestor.h" #include "nsIInterfaceRequestorUtils.h" #include "nsIInputStream.h" +#include "nsIJARChannel.h" #include "nsIStreamConverterService.h" #include "nsIWeakReferenceUtils.h" #include "nsIHttpChannel.h" @@ -554,6 +555,15 @@ nsresult nsDocumentOpenInfo::TryStreamConversion(nsIChannel* aChannel) { srcContentType.AssignLiteral(UNKNOWN_CONTENT_TYPE); } + // If this is an unknown content type loaded from a JAR file + // don't attempt to sniff it. + if (srcContentType.EqualsLiteral(UNKNOWN_CONTENT_TYPE)) { + if (nsCOMPtr<nsIJARChannel> jar = do_QueryInterface(aChannel)) { + m_targetStreamListener = nullptr; + return NS_ERROR_NOT_AVAILABLE; + } + } + nsresult rv = ConvertData(aChannel, m_contentListener, srcContentType, anyType); if (NS_FAILED(rv)) { View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/04b15ac... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/04b15ac... You're receiving this email because of your account on gitlab.torproject.org.
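Review bot: `s.total_out` is a zlib `uLong` passed where the old code passed `outBuf.Length()`; the replacement is only memory-safe because `inflate` cannot write past the `avail_out` that was set from `outBuf` before this hunk, so the dropped `MOZ_ASSERT` should be replaced by one stating the invariant actually relied on rather than removed outright: `MOZ_ASSERT(s.total_out <= outBuf.Length());` with `// ISIZE in the gzip trailer (origLen) is attacker-controlled and may not match the real inflated size; total_out is authoritative.`. Whether `ParseDocument` takes a `uint32_t` or `size_t` is not visible here; if it is the former, the narrowing from `uLong` deserves an explicit cast. Z_STREAM_END with `total_out == 0` (an empty gzip member) now reaches `ParseDocument` with a zero length — presumably handled there, but confirm. The constructor continues outside this hunk.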
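Review bot: In the nsURILoader.cpp hunk the comment gives the mechanism ("don't attempt to sniff it") but not the reason, and the reason is the security property: content sniffing would let bytes inside a JAR entry whose extension maps to nothing be promoted to a scriptable type, whereas JAR loads are meant to be typed strictly by extension. Spell that out, e.g. `// JAR entries are typed by extension only. Sniffing the payload of an unknown-typed entry could upgrade it to a scriptable type, so refuse the load instead.`. The new behaviour also means such entries now fail with NS_ERROR_NOT_AVAILABLE rather than falling through to sniffing, which is a user-visible change worth a sentence in the commit message. The `jar` local is unused in the body; `if (do_QueryInterface<nsIJARChannel>(aChannel))` is not available, so the current form is acceptable. `TryStreamConversion` continues outside this hunk.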