ma1 pushed to branch mullvad-browser-140.5.0esr-15.0-1 at The Tor Project / Applications / Mullvad Browser Commits: 35a291da by Mike Conley at 2025-11-10T11:48:22+01:00 Bug 1880634 - Use chrome-only dispatch for the MozTogglePictureInPicture event. r=niklas Differential Revision: https://phabricator.services.mozilla.com/D202063 - - - - - 629f8c06 by Nika Layzell at 2025-11-10T11:48:30+01:00 Bug 1987977 - Add extra fd validation to ChannelPosix, r=ipc-reviewers,jld Every attached FD has a guaranteed 4 bytes of payload, so this check should be redundant unless a message payload is manually constructed or corrupted. Differential Revision: https://phabricator.services.mozilla.com/D265038 - - - - - 5 changed files: - browser/actors/ContextMenuChild.sys.mjs - ipc/chromium/src/chrome/common/ipc_channel_posix.cc - toolkit/actors/PictureInPictureChild.sys.mjs - toolkit/components/pictureinpicture/tests/click-event-helper.js - toolkit/components/pictureinpicture/tests/head.js Changes: ===================================== browser/actors/ContextMenuChild.sys.mjs ===================================== @@ -121,7 +121,10 @@ export class ContextMenuChild extends JSWindowActorChild { }, this.contentWindow ); - media.dispatchEvent(event); + this.contentWindow.windowUtils.dispatchEventToChromeOnly( + media, + event + ); break; } } ===================================== ipc/chromium/src/chrome/common/ipc_channel_posix.cc ===================================== @@ -419,8 +419,9 @@ bool Channel::ChannelImpl::ProcessIncomingMessages() { error = "Message needs unreceived descriptors"; } - if (m.header()->num_handles > - IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) { + size_t maxHandles = std::min<size_t>( + m.size(), IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE); + if (m.header()->num_handles > maxHandles) { // There are too many descriptors in this message error = "Message requires an excessive number of descriptors"; } @@ -536,8 +537,9 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() { } #endif - if (msg->attached_handles_.Length() > - IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) { + size_t maxHandles = std::min<size_t>( + msg->size(), IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE); + if (msg->attached_handles_.Length() > maxHandles) { MOZ_DIAGNOSTIC_CRASH("Too many file descriptors!"); CHROMIUM_LOG(FATAL) << "Too many file descriptors!"; // This should not be reached. ===================================== toolkit/actors/PictureInPictureChild.sys.mjs ===================================== @@ -191,7 +191,10 @@ export class PictureInPictureLauncherChild extends JSWindowActorChild { detail: { reason }, } ); - video.dispatchEvent(stopPipEvent); + this.contentWindow.windowUtils.dispatchEventToChromeOnly( + video, + stopPipEvent + ); return; } @@ -703,7 +706,7 @@ export class PictureInPictureToggleChild extends JSWindowActorChild { detail: { reason: "UrlBar", eventExtraKeys }, } ); - video.dispatchEvent(pipEvent); + this.contentWindow.windowUtils.dispatchEventToChromeOnly(video, pipEvent); } } @@ -1092,7 +1095,7 @@ export class PictureInPictureToggleChild extends JSWindowActorChild { detail: { reason: "Toggle" }, } ); - video.dispatchEvent(pipEvent); + this.contentWindow.windowUtils.dispatchEventToChromeOnly(video, pipEvent); // Since we've initiated Picture-in-Picture, we can go ahead and // hide the toggle now. ===================================== toolkit/components/pictureinpicture/tests/click-event-helper.js ===================================== @@ -2,13 +2,20 @@ http://creativecommons.org/publicdomain/zero/1.0/ */ /** - * This helper script is used to record mouse button events for - * Picture-in-Picture toggle click tests. Anytime the toggle is - * clicked, we expect none of the events to be fired. Otherwise, - * all events should be fired when clicking. + * This helper script is used to record events for Picture-in-Picture toggle + * click tests. Anytime the toggle is clicked, we expect none of the events to + * be fired. Otherwise, all (except MozTogglePictureInPicture) events should be + * fired when clicking on web content. */ -let eventTypes = ["pointerdown", "mousedown", "pointerup", "mouseup", "click"]; +let eventTypes = [ + "MozTogglePictureInPicture", + "pointerdown", + "mousedown", + "pointerup", + "mouseup", + "click", +]; for (let event of eventTypes) { addEventListener(event, recordEvent, { capture: true }); ===================================== toolkit/components/pictureinpicture/tests/head.js ===================================== @@ -139,7 +139,7 @@ async function triggerPictureInPicture(browser, videoID, triggerFn) { let event = new content.CustomEvent("MozTogglePictureInPicture", { bubbles: true, }); - video.dispatchEvent(event); + content.windowUtils.dispatchEventToChromeOnly(video, event); await ContentTaskUtils.waitForCondition(() => { return video.isCloningElementVisually; }, "Video is being cloned visually."); View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/0ce... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/0ce... You're receiving this email because of your account on gitlab.torproject.org.