ma1 pushed to branch tor-browser-140.10.0esr-15.0-1 at The Tor Project / Applications / Tor Browser Commits: e2741a54 by Paul Adenot at 2026-04-19T23:49:27+02:00 Bug 1536243 - Use av_mallocz to zero FFmpeg extradata padding. r=media-playback-reviewers,jolin Differential Revision: https://phabricator.services.mozilla.com/D287605 - - - - - 8c5103cf by Randell Jesup at 2026-04-20T00:00:05+02:00 Bug 1577576: return an error on an invalid frame ID in HTTP2 r=necko-reviewers,valentin Differential Revision: https://phabricator.services.mozilla.com/D284287 - - - - - d5c57b24 by Olli Pettay at 2026-04-20T00:07:15+02:00 Bug 1880429, clear source browsing context early, if possible, r=nika Differential Revision: https://phabricator.services.mozilla.com/D242075 - - - - - 03c44569 by Roger Yang at 2026-04-20T00:11:44+02:00 Bug 1992585 - Set AppLinks intent selector to null. a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D290907 Differential Revision: https://phabricator.services.mozilla.com/D293455 - - - - - 426584f2 by Artur Iunusov at 2026-04-20T00:23:53+02:00 Bug 2010310 - Add CanNavigate() check in RecvLoadURI() and RecvInternalLoad(), r=smaug,tschuster Differential Revision: https://phabricator.services.mozilla.com/D280216 - - - - - ef1379a9 by Jens Stutte at 2026-04-20T07:45:03+02:00 Bug 2016901 - Fix potential race in NSSIOLayer. r=keeler Differential Revision: https://phabricator.services.mozilla.com/D283409 - - - - - 6fb72382 by Byron Campen at 2026-04-20T10:02:02+02:00 Bug 2021768: Use unsigned char for these. a=diannaS Original Revision: https://phabricator.services.mozilla.com/D287613 Differential Revision: https://phabricator.services.mozilla.com/D289861 - - - - - 8e9a8b1a by alastor0325 at 2026-04-20T10:03:38+02:00 Bug 2021788 - Guard against signed long overflow in WMFVideoMFTManager::CreateBasicVideoFrame(). r=media-playback-reviewers,jolin Guard CreateBasicVideoFrame() against invalid strides by rejecting non-positive values early, widening the y_size and v_size multiplications to int64_t, validating the results fit in uint32_t before narrowing, and casting stride to int64_t before computing halfStride to avoid overflow when stride == INT32_MAX. IMF2DBuffer::Lock2D can return a negative stride for bottom-up images. Multiplying a negative or large LONG stride by the frame height using signed 32-bit arithmetic is undefined behaviour and produces a huge uint32_t offset that is then used to index into the locked IMF buffer, causing an OOB read. Differential Revision: https://phabricator.services.mozilla.com/D288533 - - - - - 7f21a247 by Valentin Gosu at 2026-04-20T10:18:39+02:00 Bug 2022726 - Do not allow trrServer in DNS request issued by content process r=necko-reviewers,kershaw Differential Revision: https://phabricator.services.mozilla.com/D288150 - - - - - cdd82806 by Karl Tomlinson at 2026-04-20T15:18:21+02:00 Bug 2022746 Convert pointer to boolean instead of comparing with 0 r=media-playback-reviewers,padenot "When testing a pointer, use (!myPtr) or (myPtr)" https://firefox-source-docs.mozilla.org/code-quality/coding-style/coding_sty... Differential Revision: https://phabricator.services.mozilla.com/D288804 - - - - - 5ea14afd by Karl Tomlinson at 2026-04-20T15:18:25+02:00 Bug 2022746 move reftest-wait to html element r=media-playback-reviewers,padenot The test did crash without this, but is more thorough with a functional reftest-wait and saves the same bug being copied to other tests. Also remove the play() and the await for its Promise. With https://github.com/mozilla/nestegg/pull/77, the demux error is detected before "canplay". The test still crashes in builds without the code fixes. Differential Revision: https://phabricator.services.mozilla.com/D288803 - - - - - e6ebd5c1 by Valentin Gosu at 2026-04-20T15:18:30+02:00 Bug 2023302 - null check mResponseHead when calling ClearHeaders r=necko-reviewers,jesup Differential Revision: https://phabricator.services.mozilla.com/D288411 - - - - - 4b0a1b03 by Andrew Osmond at 2026-04-20T15:18:35+02:00 Bug 2024238. a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D292321 Differential Revision: https://phabricator.services.mozilla.com/D292963 - - - - - 0cf51ee7 by Chris Martin at 2026-04-20T15:18:40+02:00 Bug 2024240 - Clean up LinuxGamepadService lifecycle interactions with event dispatching. a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D290238 Differential Revision: https://phabricator.services.mozilla.com/D291596 - - - - - acadd394 by Randell Jesup at 2026-04-20T15:18:44+02:00 Bug 2024265: Clean up locking in nsSocketTransport r=necko-reviewers,kershaw Differential Revision: https://phabricator.services.mozilla.com/D288563 - - - - - cae9cb19 by Valentin Gosu at 2026-04-20T15:18:49+02:00 Bug 2024760 - Handle WebSocketChannel::IsPersistentFramePtr correctly a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D288874 Differential Revision: https://phabricator.services.mozilla.com/D290871 - - - - - cf4fc436 by Tom Schuster at 2026-04-20T15:18:53+02:00 Bug 2025281 - Cleanup MediaIPCUtils. a=diannaS Original Revision: https://phabricator.services.mozilla.com/D289190 Differential Revision: https://phabricator.services.mozilla.com/D290479 - - - - - c5ebbeca by Lee Salzman at 2026-04-20T15:18:58+02:00 Bug 2026297. a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D290596 Differential Revision: https://phabricator.services.mozilla.com/D290953 - - - - - fc6539f8 by Lee Salzman at 2026-04-20T15:19:02+02:00 Bug 2026601. a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D290285 Differential Revision: https://phabricator.services.mozilla.com/D290952 - - - - - 587a0a51 by Timothy Nikkel at 2026-04-20T15:19:07+02:00 Bug 2027287. a=diannaS DONTBUILD Differential Revision: https://phabricator.services.mozilla.com/D291073 - - - - - 1d36e06d by hackademix at 2026-04-20T15:19:12+02:00 Bug 2029301 backport pending ffmpeg update. - - - - - 96936861 by Jonathan Kew at 2026-04-20T15:19:16+02:00 Bug 2029446 - Don't create frames for elements that are not allowed in an svg-glyphs document. a=RyanVM DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D293133 Differential Revision: https://phabricator.services.mozilla.com/D293514 - - - - - e0f4ddd5 by Jonathan Kew at 2026-04-20T15:19:21+02:00 Bug 2029446 - Don't hold on to EntryHandles while creating an svg-glyphs document. a=RyanVM DONTBUILD (clauditor-suggested fix) Original Revision: https://phabricator.services.mozilla.com/D293134 Differential Revision: https://phabricator.services.mozilla.com/D293515 - - - - - 75db1632 by Emilio Cobos Álvarez at 2026-04-20T15:19:26+02:00 Bug 2029699 - Simplify InlineBackgroundData handling. a=diannaS DONTBUILD Original Revision: https://phabricator.services.mozilla.com/D292380 Differential Revision: https://phabricator.services.mozilla.com/D293141 - - - - - 40 changed files: - dom/base/PostMessageEvent.cpp - dom/base/nsContentUtils.cpp - dom/base/nsContentUtils.h - dom/gamepad/linux/LinuxGamepad.cpp - dom/ipc/WindowGlobalChild.cpp - dom/ipc/WindowGlobalParent.cpp - dom/media/gmp/GMPVideoEncoderChild.cpp - dom/media/ipc/MediaIPCUtils.h - dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp - dom/media/platforms/ffmpeg/FFmpegLibWrapper.cpp - dom/media/platforms/ffmpeg/FFmpegLibWrapper.h - dom/media/platforms/wmf/WMFVideoMFTManager.cpp - + dom/media/test/crashtests/1536243.html - + dom/media/test/crashtests/1536243.mp4 - + dom/media/test/crashtests/2022746.html - dom/media/test/crashtests/crashtests.list - dom/media/webm/WebMDemuxer.cpp - dom/media/webrtc/jsapi/RTCDTMFSender.cpp - gfx/2d/FilterNodeSoftware.cpp - gfx/2d/RecordedEventImpl.h - gfx/thebes/gfxSVGGlyphs.cpp - gfx/ycbcr/scale_yuv_argb.cpp - layout/base/nsCSSFrameConstructor.cpp - layout/painting/nsCSSRendering.cpp - layout/painting/nsCSSRendering.h - layout/painting/nsDisplayList.cpp - media/ffvpx/libavcodec/av1dec.c - mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt - netwerk/base/nsSocketTransport2.cpp - netwerk/base/nsSocketTransport2.h - netwerk/ipc/NeckoParent.cpp - netwerk/protocol/http/Http2Session.cpp - netwerk/protocol/http/nsHttpChannel.cpp - netwerk/protocol/websocket/WebSocketChannel.cpp - netwerk/test/unit/http2_test_common.js - netwerk/test/unit/test_http2.js - netwerk/test/unit/test_http2_with_proxy.js - security/manager/ssl/nsNSSIOLayer.cpp - security/manager/ssl/nsNSSIOLayer.h - testing/xpcshell/moz-http2/moz-http2.js The diff was not included because it is too large. View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/1fb85f3... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/1fb85f3... You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications: https://gitlab.torproject.org/-/profile/notifications | Help: https://gitlab.torproject.org/help