diff --git a/libqt5-qtwebengine.changes b/libqt5-qtwebengine.changes
index 5fdf83f..51da3a6 100644
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Fri Mar 23 08:14:18 UTC 2018 - wbauer@tmo.at
+
+- Also adjust the minimum versions of the private-headers-devel
+ subpackage's requirements
+
+-------------------------------------------------------------------
+Thu Mar 22 22:40:32 UTC 2018 - kamikazow@opensuse.org
+
+- Apply a fix to make QtWE-using applications actually compile against it
+
+-------------------------------------------------------------------
+Sun Mar 18 22:57:09 UTC 2018 - kamikazow@opensuse.org
+
+- Forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
+ * qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch from Fedora
+ * qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch from Fedora
+
+-------------------------------------------------------------------
+Wed Feb 14 15:47:56 CET 2018 - fabian@ritter-vogt.de
+
+- Update to 5.10.1
+ * New bugfix release
+ * For more details please see:
+ * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.10.1/?h=v5.10.1
+
 -------------------------------------------------------------------
 Fri Feb 2 10:43:48 UTC 2018 - dimstar@opensuse.org
diff --git a/libqt5-qtwebengine.spec b/libqt5-qtwebengine.spec
index 974f07d..287deea 100644
--- a/libqt5-qtwebengine.spec
+++ b/libqt5-qtwebengine.spec
@@ -50,22 +50,27 @@
 %endif
 Name: libqt5-qtwebengine
-Version: 5.10.0
+Version: 5.10.1
 Release: 0
 Summary: Qt 5 WebEngine Library
 License: LGPL-2.1-with-Qt-Company-Qt-exception-1.1 or LGPL-3.0-with-Qt-Company-Qt-exception-1.1
 Group: Development/Libraries/X11
 Url: https://www.qt.io
 %define base_name libqt5
-%define real_version 5.10.0
-%define so_version 5.10.0
-%define tar_version qtwebengine-everywhere-src-5.10.0
+%define real_version 5.10.1
+%define so_version 5.10.1
+%define tar_version qtwebengine-everywhere-src-5.10.1
 Source: https://download.qt.io/official_releases/qt/5.10/%{real_version}/submodules/%{tar_version}.tar.xz
 Source1: baselibs.conf
 # PATCH-FIX-UPSTREAM armv6-ffmpeg-no-thumb.patch - Fix ffmpeg configuration for armv6
 Patch1: armv6-ffmpeg-no-thumb.patch
 # PATCH-FIX-UPSTREAM disable-gpu-when-using-nouveau-boo-1005323.diff
 Patch2: disable-gpu-when-using-nouveau-boo-1005323.diff
+# PATCH-FIX-UPSTREAM qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
+# - forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
+# see the patch metadata for the list of fixed CVEs and Chromium bug IDs
+Patch3: qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
+Patch4: qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
 # PATCH-FIX-UPSTREAM harmony-fix.diff -- Show the patent-free LCD rendering. Without this patch, only grayscale rendering is used. (for freetype-2.8.1) boo#1061344
 Patch5: harmony-fix.diff
 # http://www.chromium.org/blink not ported to PowerPC
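Review bot: Patch4 is added without the `# PATCH-FIX-UPSTREAM …` comment line that Patch1, Patch2, Patch3 and Patch5 in this hunk all carry, so the spec itself no longer records what that patch does or where it was taken from. From the changes entry the line would be `# PATCH-FIX-UPSTREAM qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch -- implement IsMostRecentDownloadItemAtFilePath, required for CVE-2018-6033 (from Fedora)`. The Patch3 comment could likewise name Fedora as the origin of the 5.9.5 backport, since a 1245-line security patch whose provenance lives only in the changelog is hard to audit later.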
@@ -87,12 +92,12 @@ BuildRequires: libgcrypt-devel
 BuildRequires: libicu-devel
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
-BuildRequires: libqt5-qtbase-private-headers-devel >= %{version}
-BuildRequires: libqt5-qtdeclarative-private-headers-devel >= %{version}
-BuildRequires: libqt5-qttools-private-headers-devel >= %{version}
-BuildRequires: libqt5-qtlocation-private-headers-devel >= %{version}
-BuildRequires: libqt5-qtwebchannel-private-headers-devel >= %{version}
-BuildRequires: libqt5-qtxmlpatterns-private-headers-devel >= %{version}
+BuildRequires: libqt5-qtbase-private-headers-devel >= 5.9
+BuildRequires: libqt5-qtdeclarative-private-headers-devel >= 5.9
+BuildRequires: libqt5-qttools-private-headers-devel >= 5.9
+BuildRequires: libqt5-qtlocation-private-headers-devel >= 5.9
+BuildRequires: libqt5-qtwebchannel-private-headers-devel >= 5.9
+BuildRequires: libqt5-qtxmlpatterns-private-headers-devel >= 5.9
 BuildRequires: libQt5QuickControls2-devel
 BuildRequires: pam-devel
 BuildRequires: pciutils-devel
@@ -103,6 +108,7 @@ BuildRequires: python-devel
 BuildRequires: python-xml
 BuildRequires: re2c
 BuildRequires: re2-devel
+BuildRequires: sed
 BuildRequires: snappy-devel
 BuildRequires: sqlite3-devel
 BuildRequires: update-desktop-files
@@ -219,8 +225,8 @@ Summary: Non-ABI stable experimental API for the Qt5 WebEngine library
 Group: Development/Libraries/C and C++
 BuildArch: noarch
 Requires: %{name}-devel = %{version}
-Requires: libqt5-qtbase-private-headers-devel >= %{version}
-Requires: libqt5-qtdeclarative-private-headers-devel >= %{version}
+%requires_ge libqt5-qtbase-private-headers-devel
+%requires_ge libqt5-qtdeclarative-private-headers-devel
 %description private-headers-devel
 This package provides private headers of libqt5-qtwebengine that are normally
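Review bot: The six private-headers-devel BuildRequires are lowered from `>= %{version}` to a bare `>= 5.9` with no comment, and the literal is repeated six times. Private headers are not a stable API across Qt releases, so without a stated reason a later maintainer will read this as an accidental loosening rather than a deliberate floor; a one-line comment above the group such as `# QtWebEngine %{version} builds against the private headers of Qt >= 5.9; the private-headers-devel subpackage pins its runtime dependency with %requires_ge` would keep the intent (presumably building on distributions that ship an older Qt) visible where the floor is set. Putting the floor in a single `%define` would also stop the six copies from drifting apart. The `%requires_ge` lines in the third hunk are consistent with this floor, which is why the explanation belongs next to the BuildRequires rather than the subpackage.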
@@ -242,6 +248,8 @@ Examples for the libqt5-qtwebengine module.
 sed -i 's|$(STRIP)|strip|g' src/core/core_module.pro
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 # QTBUG-61128
 sed -i -e '/toolprefix = /d' -e 's/\${toolprefix}//g' \
@@ -310,6 +318,15 @@ rm -f %{buildroot}%{_libqt5_libdir}/lib*.la
 # webenginecore expects icudatl.dat at this location
 # ln -sf %{_datadir}/icu/*/icudt*l.dat %{buildroot}%{_datadir}/qt5/icudtl.dat
+# ---------- Workarounds for older Qt versions ---------
+## adjust cmake dep(s) to allow for using the same Qt5 that was used to build it
+sed -i -r '/ EXACT\)/d' \
+ %{buildroot}%{_libqt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake
+
+sed -i '/find_package/!b;n;s/'%{version}/$(rpm -q --qf %%{version} libQt5Core5)/ \
+ %{buildroot}%{_libqt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake
+# ------------------------------------------------------
+
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
diff --git a/qtwebengine-everywhere-src-5.10.0.tar.xz b/qtwebengine-everywhere-src-5.10.0.tar.xz
deleted file mode 100644
index 481bf5d..0000000
--- a/qtwebengine-everywhere-src-5.10.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a8bf5989ef847a249bbc1f391743a36971825b896747d073e30dbcdefc9567f9
-size 209737304
diff --git a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
new file mode 100644
index 0000000..ba687ef
--- /dev/null
+++ b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
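Review bot: The second `sed` in the %install hunk interpolates `$(rpm -q --qf %%{version} libQt5Core5)` into its script unchecked: if libQt5Core5 is absent from the build root or installed more than once, rpm's error text or a multi-line answer is spliced into the `s///` expression and the Qt5WebEngine*Config.cmake files are left untouched or mangled while the build still succeeds, which silently defeats the workaround. Capture the value first and fail if it is missing, e.g. `qtcore_ver=$(rpm -q --qf '%%{version}' libQt5Core5) || exit 1` followed by `sed -i "/find_package/!b;n;s/%{version}/${qtcore_ver}/" \`. The comment above the block should also say what is being traded away: deleting the `EXACT)` lines removes the exact-version match that upstream's generated cmake config carries, so a consumer configured against these files is no longer held to the Qt version WebEngine was built with, which is the intent here but is not conveyed by `adjust cmake dep(s)`.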
@@ -0,0 +1,64 @@
+From 1fd21185614dcae0c7a6e5647ba56cff0120f563 Mon Sep 17 00:00:00 2001
+Message-Id: <1fd21185614dcae0c7a6e5647ba56cff0120f563.1521386919.git.kevin.kofler@chello.at>
+From: Michal Klocek
+Date: Wed, 7 Mar 2018 18:36:25 +0100
+Subject: [PATCH] Implement IsMostRecentDownloadItemAtFilePath call
+
+Implement IsMostRecentDownloadItemAtFilePath
+for download_manager_delegate_qt. This is required for
+CVE-2018-6033.
+
+Change-Id: I9f48dfa159d684f0fda894e68b81ff622aceaae2
+Reviewed-by: Allan Sandfeld Jensen
+---
+ src/core/download_manager_delegate_qt.cpp | 20 ++++++++++++++++++++
+ src/core/download_manager_delegate_qt.h | 2 ++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/core/download_manager_delegate_qt.cpp b/src/core/download_manager_delegate_qt.cpp
+index 40df9b3a..487a831e 100644
+--- a/src/core/download_manager_delegate_qt.cpp
++++ b/src/core/download_manager_delegate_qt.cpp
+@@ -293,6 +293,26 @@ void DownloadManagerDelegateQt::ChooseSavePath(content::WebContents *web_content
+ m_weakPtrFactory.GetWeakPtr()));
+ }
+
++bool DownloadManagerDelegateQt::IsMostRecentDownloadItemAtFilePath(content::DownloadItem *download)
++{
++ content::BrowserContext *context = download->GetBrowserContext();
++ std::vector all_downloads;
++
++ content::DownloadManager* manager =
++ content::BrowserContext::GetDownloadManager(context);
++ if (manager)
++ manager->GetAllDownloads(&all_downloads);
++
++ for (const auto* item : all_downloads) {
++ if (item->GetGuid() == download->GetGuid() ||
++ item->GetTargetFilePath() != download->GetTargetFilePath())
++ continue;
++ if (item->GetState() == content::DownloadItem::IN_PROGRESS)
++ return false;
++ }
++ return true;
++}
++
+ void DownloadManagerDelegateQt::savePackageDownloadCreated(content::DownloadItem *item)
+ {
+ OnDownloadUpdated(item);
+diff --git a/src/core/download_manager_delegate_qt.h b/src/core/download_manager_delegate_qt.h
+index df43211e..7563d5d3 100644
+--- a/src/core/download_manager_delegate_qt.h
++++ b/src/core/download_manager_delegate_qt.h
+@@ -81,6 +81,8 @@ public:
+ const base::FilePath::StringType &default_extension,
+ bool can_save_as_complete,
+ const content::SavePackagePathPickedCallback &callback) override;
++ bool IsMostRecentDownloadItemAtFilePath(content::DownloadItem* download) override;
++
+
+ void cancelDownload(quint32 downloadId);
+ void pauseDownload(quint32 downloadId);
+--
+2.14.3
+
diff --git a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
new file mode 100644
index 0000000..96adb72
--- /dev/null
+++ b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
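Review bot: The `IsMostRecentDownloadItemAtFilePath` override added to download_manager_delegate_qt.h carries no comment, and the patch inserts a blank line after it directly before an existing blank line, leaving a double blank in the class body. The .cpp body returns false only when another item with a different GUID but the same target path is still `IN_PROGRESS`, and the commit message says this is what CVE-2018-6033 requires, so a one-line comment above the declaration would spare the next reader from reconstructing that: `// False while another in-progress download targets the same path (CVE-2018-6033).`. Dropping the second added blank line keeps the header's spacing as it was.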
@@ -0,0 +1,1245 @@
+From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Michal Klocek
+Date: Thu, 8 Mar 2018 11:26:33 +0100
+Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg
+ fix)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Backport] CVE-2017-15429
+
+Only open windows with js URLs if the entered window has access
+
+It's not enough to check that the current window has access, if other
+security checks failed and the entered window shouldn't have access to
+the current window.
+
+BUG=788453
+R=haraken@chromium.org,mkwst@chromium.org
+
+Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01
+Reviewed-on: https://chromium-review.googlesource.com/792934
+Commit-Queue: Jochen Eisinger
+Reviewed-by: Mike West
+Reviewed-by: Kentaro Hara
+Reviewed-by: Yuki Shiino
+Cr-Commit-Position: refs/heads/master@{#519683}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6069
+
+check for bad buffers in Unpack8
+
+Bug:799918
+Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c
+Reviewed-on: https://skia-review.googlesource.com/92841
+Commit-Queue: Mike Reed
+Reviewed-by: Florin Malita
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6071
+
+detect too many points
+
+Bug:777318
+Change-Id: Idb52688b6ee4ae020004400da995620c1f548559
+Reviewed-on: https://skia-review.googlesource.com/73821
+Commit-Queue: Mike Reed
+Reviewed-by: Herb Derby
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] Security Bug 770734
+
+Fix a crash in TemplateURLParser.
+
+It was caused by dereferencing an invalid URL during parsing.
+ +Bug: 770734 +Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a +Reviewed-on: https://chromium-review.googlesource.com/773902 +Commit-Queue: Vasilii Sukhanov +Reviewed-by: Peter Kasting +Cr-Commit-Position: refs/heads/master@{#517751} +Reviewed-by: Allan Sandfeld Jensen + +[Backport] Security Bug 774833 + +Intl.DateTimeFormat: throw RangeError for non-finite input + +intl.js throws an exception when datetime-value to format is +Infinity or NaN, but there was a way to thwart the check. + +Moreover, intl.js and runtime-intl.cc have unnecessary conversions +of 'Number->Date->Number'. I removed the unnecessary conversion +and made 'Number' be passed to %InternalDateFormat. With this +streamlining, the work-around mentioned above does not work +anymore. + +Add a check in runtime_intl.cc for Infinity/NaN and throw a +RangeError. + +Add invalid-time test for invalid datetime-values passed to +Intl.DateTimeFormat.format(). + +Bug: chromium:774833 +Test: intl/date-format/invalid-time.js +Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng +Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee +Reviewed-on: https://chromium-review.googlesource.com/724860 +Commit-Queue: Jungshik Shin +Reviewed-by: Adam Klein +Cr-Commit-Position: refs/heads/master@{#48765} +Reviewed-by: Allan Sandfeld Jensen + +[Backport] CVE-2018-6073 + +Fix CopyTexImage behavior when cubemap workaround is involved. + +The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params +in order to upload data to textures correctly. 
+
+BUG=804118
+TEST=tests in the bug
+R=piman@chromium.org
+TBR=zmo@chromium.org
+NOTRY=true
+
+(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22)
+
+Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
+Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa
+Reviewed-on: https://chromium-review.googlesource.com/892282
+Commit-Queue: Zhenyao Mo
+Reviewed-by: Antoine Labour
+Reviewed-by: Kai Ninomiya
+Cr-Original-Commit-Position: refs/heads/master@{#532749}
+Reviewed-on: https://chromium-review.googlesource.com/895907
+Reviewed-by: Zhenyao Mo
+Cr-Commit-Position: refs/branch-heads/3325@{#208}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6076
+
+Percent-encode UTF8 characters in URL fragment identifiers.
+
+This brings us into line with Firefox, Safari, and the spec.
+
+Bug: 758523
+Reviewed-on: https://chromium-review.googlesource.com/668363
+Commit-Queue: Mike West
+Reviewed-by: Jochen Eisinger
+Reviewed-by: Andy Paicu
+Cr-Commit-Position: refs/heads/master@{#507481}
+
+Encode ' ', '"', '<', '>', and '`' in URL fragments.
+
+Implements the changes to fragment processing described in
+https://github.com/whatwg/url/pull/347, which adds a new "fragment
+percent-encode set" which contains the C0 control percent-encode set,
+along with:
+
+* 0x20 SPACE
+* 0x22 (")
+* 0x3C (<)
+* 0x3E (>)
+* 0x60 (`)
+
+This brings our implementation into line with Firefox.
+
+Bug: 758523
+Reviewed-on: https://chromium-review.googlesource.com/719004
+Commit-Queue: Mike West
+Reviewed-by: Jochen Eisinger
+Cr-Commit-Position: refs/heads/master@{#523383}
+
+Change-Id: I25de642017ccb69473626a327ad194b3431a11ed
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6079
+
+Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data.
+
+In linux and android, we are seeing an issue where texture data from one
+tab overwrites the texture data of another tab. This is happening for apps
+which are using webgl2 texture of type TEXTURE_2D_ARRAY/TEXTURE_3D.
+Due to a bug in virtual context save/restore code for above texture formats,
+the texture data is not properly restored while switching tabs. Hence
+texture data from one tab overwrites other.
+
+This CL has fix for that issue, an update for existing test expectations
+and a new unit test for this bug.
+
+Bug: 788448
+Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
+Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28
+Reviewed-on: https://chromium-review.googlesource.com/930327
+Reviewed-by: Zhenyao Mo
+Commit-Queue: vikas soni
+Cr-Original-Commit-Position: refs/heads/master@{#539111}(cherry picked from commit d128139d53e9268e87921e82d89b3f2053cb83fd)
+Reviewed-on: https://chromium-review.googlesource.com/939878
+Cr-Commit-Position: refs/branch-heads/3325@{#610}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6081
+
+Fix XSS in supervised user interstitial
+
+BUG=797525
+
+Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93
+Reviewed-on: https://chromium-review.googlesource.com/844075
+Reviewed-by: Bernhard Bauer
+Commit-Queue: Rob Wu
+Cr-Commit-Position: refs/heads/master@{#526158}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6082
+
+Remove port 22 from the set of allowed FTP ports.
+
+The collision with SSH ports caused some possible concerns with being
+able to enumerate internal hosts. Analysis shows that Internet hosts
+supporting FTP over port 22 are a small fraction, and likely not
+accessed over the web.
+
+Bug: 767354
+Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0
+Reviewed-on: https://chromium-review.googlesource.com/860753
+Reviewed-by: Matt Menke
+Commit-Queue: Christopher Thompson
+Cr-Commit-Position: refs/heads/master@{#528461}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6064
+
+[elements] Fix Object.entries/values with changing elements
+
+Drive-by-cleanup:
+- Add InternalElementsAccessor to expose protected instance methods
+to ElementsAccessor subclasses.
+- Make some more ElementsAccessor methods protected that take the
+raw entry as parameter.
+
+Bug: chromium:798644
+Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c
+Reviewed-on: https://chromium-review.googlesource.com/856816
+Commit-Queue: Camillo Bruni
+Reviewed-by: Jakob Kummerow
+Cr-Commit-Position: refs/heads/master@{#50480}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6062
+
+use safemath::mull for buffer sizes
+
+Bug:780104
+Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff
+Reviewed-on: https://skia-review.googlesource.com/95760
+Reviewed-by: Brian Salomon
+Commit-Queue: Mike Reed
+(cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d)
+Reviewed-on: https://skia-review.googlesource.com/101780
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] CVE-2018-6060
+
+Keep AudioHandlers alive until they can be safely deleted.
+
+When an AudioNode is disposed, the handler is also disposed. But add
+the handler to the orphan list so that the handler stays alive until
+the context can safely delete it. If we don't do this, the handler
+may get deleted while the audio thread is processing the handler (due
+to, say, channel count changes and such).
+
+For an realtime context, save the handler if the context is not closed.
+(Nothing will clean up the handler if the context is closed.)
+
+For an offline context, only need to do this when the context is
+running because the context is guaranteed to be stopped if we're not
+in the running state. Hence, there's no possibility of deleting the
+handler while the graph is running.
+
+Bug: 780919
+Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87
+Reviewed-on: https://chromium-review.googlesource.com/868841
+Reviewed-by: Hongchan Choi
+Commit-Queue: Raymond Toy
+Cr-Original-Commit-Position: refs/heads/master@{#530892}(cherry picked from commit ebcf9595bf908b515ffcd31374b071697a69faed)
+Reviewed-on: https://chromium-review.googlesource.com/893626
+Reviewed-by: Raymond Toy
+Cr-Commit-Position: refs/branch-heads/3325@{#180}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] Security Bug 798410
+
+Crash fix for th with role gridcell in a table with nontraditional css
+
+Do not assume we can use ToLayoutCell() in an object that can be created
+for an ARIA cell and may not be associated with an actual table cell.
+
+Bug: 798410
+Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
+Reviewed-on: https://chromium-review.googlesource.com/906953
+Commit-Queue: Aaron Leventhal
+Reviewed-by: Nektarios Paisios
+Cr-Original-Commit-Position: refs/heads/master@{#535462}(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e)
+Reviewed-on: https://chromium-review.googlesource.com/916527
+Reviewed-by: Aaron Leventhal
+Cr-Commit-Position: refs/branch-heads/3325@{#447}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen
+
+[Backport] Security Bug 789764
+
+[parser] Fix func numbering inside for in.
+
+BUG=chromium:789764
+
+Change-Id: I6a466660159721683c4979af32019d740094151b
+Reviewed-on: https://chromium-review.googlesource.com/803217
+Reviewed-by: Ross McIlroy
+Reviewed-by: Jochen Eisinger
+Commit-Queue: Marja Hölttä
+Cr-Commit-Position: refs/heads/master@{#49795}
+Reviewed-by: Allan Sandfeld Jensen
+---
+ .../search_engines/template_url_parser.cc | 2 +-
+ .../supervised_user_block_interstitial.js | 8 +--
+ .../gpu/command_buffer/service/context_state.cc | 34 +++++++++-
+ .../gpu/command_buffer/service/texture_manager.cc | 6 +-
+ chromium/net/base/port_util.cc | 3 +-
+ .../bindings/core/v8/custom/V8WindowCustom.cpp | 9 +++
+ .../WebKit/Source/core/frame/LocalFrameView.cpp | 5 +-
+ .../Source/modules/accessibility/AXTableCell.cpp | 8 +++
+ .../WebKit/Source/modules/webaudio/AudioNode.cpp | 41 ++++++++++--
+ chromium/third_party/skia/include/core/SkTypes.h | 1 +
+ chromium/third_party/skia/src/core/SkMath.cpp | 16 +++++
+ chromium/third_party/skia/src/core/SkPathRef.cpp | 22 +++++--
+ chromium/third_party/skia/src/core/SkSafeMath.h | 19 ++++++
+ .../third_party/skia/src/effects/SkPackBits.cpp | 5 +-
+ chromium/third_party/skia/src/effects/SkPackBits.h | 2 +-
+ .../third_party/skia/src/gpu/GrBufferAllocPool.cpp | 6 +-
+ chromium/url/url_canon_etc.cc | 61 ++++++++++++-----
+ chromium/v8/src/ast/ast-traversal-visitor.h | 1 +
+ chromium/v8/src/elements.cc | 76 ++++++++++++++++++----
+ chromium/v8/src/elements.h | 17 ++---
+ chromium/v8/src/js/intl.js | 8 +--
+ chromium/v8/src/runtime/runtime-intl.cc | 25 ++++---
+ 22 files changed, 293 insertions(+), 82 deletions(-)
+
+diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
+index 64b1385e05..476d879b5f 100644
+--- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
++++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
+@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() {
+ return;
+
+ GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url());
+- if (url.is_empty())
++ if (!url.is_valid())
+ return;
+
+ // If there is a parameter filter, parse the existing URL and remove any
+diff --git a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
+index d6b9327584..bee21be919 100644
+--- a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
++++ b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
+@@ -67,8 +67,8 @@ function initialize() {
+ $('custodian-avatar-img').style.content =
+ makeImageSet(avatarURL1x, avatarURL2x);
+ }
+- $('custodian-name').innerHTML = custodianName;
+- $('custodian-email').innerHTML = loadTimeData.getString('custodianEmail');
++ $('custodian-name').textContent = custodianName;
++ $('custodian-email').textContent = loadTimeData.getString('custodianEmail');
+ var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x');
+ var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x');
+ var secondCustodianName = loadTimeData.getString('secondCustodianName');
+@@ -79,8 +79,8 @@ function initialize() {
+ $('second-custodian-avatar-img').style.content =
+ makeImageSet(secondAvatarURL1x, secondAvatarURL2x);
+ }
+- $('second-custodian-name').innerHTML = secondCustodianName;
+- $('second-custodian-email').innerHTML = loadTimeData.getString(
++ $('second-custodian-name').textContent = secondCustodianName;
++ $('second-custodian-email').textContent = loadTimeData.getString(
+ 'secondCustodianEmail');
+ }
+ }
+diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
+index 3c71d38b25..1b1d647c36 100644
+--- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
++++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
+@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) {
+ ? unit.bound_texture_2d->service_id() : 0;
+ }
+
++GLuint Get2dArrayServiceId(const TextureUnit& unit) {
++ return unit.bound_texture_2d_array.get()
++ ? unit.bound_texture_2d_array->service_id()
++ : 0;
++}
++
++GLuint Get3dServiceId(const TextureUnit& unit) {
++ return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0;
++}
++
+ GLuint GetCubeServiceId(const TextureUnit& unit) {
+ return unit.bound_texture_cube_map.get()
+ ? unit.bound_texture_cube_map->service_id() : 0;
+@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings(
+ DCHECK_LT(unit, texture_units.size());
+ const TextureUnit& texture_unit = texture_units[unit];
+ GLuint service_id_2d = Get2dServiceId(texture_unit);
++ GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit);
++ GLuint service_id_3d = Get3dServiceId(texture_unit);
+ GLuint service_id_cube = GetCubeServiceId(texture_unit);
+ GLuint service_id_oes = GetOesServiceId(texture_unit);
+ GLuint service_id_arb = GetArbServiceId(texture_unit);
+@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings(
+ feature_info_->feature_flags().oes_egl_image_external ||
+ feature_info_->feature_flags().nv_egl_stream_consumer_external;
+ bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle;
++ // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version.
++ // So set it to FALSE by default.
++ bool bind_texture_2d_array = false;
++ bool bind_texture_3d = false;
++ // set the variables to true only if the application is ES3 or newer
++ if (feature_info_->IsES3Capable()) {
++ bind_texture_2d_array = true;
++ bind_texture_3d = true;
++ }
+
+ if (prev_state) {
+ const TextureUnit& prev_unit = prev_state->texture_units[unit];
+ bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit);
++ bind_texture_2d_array =
++ service_id_2d_array != Get2dArrayServiceId(prev_unit);
++ bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit);
+ bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit);
+ bind_texture_oes =
+ bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit);
+@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings(
+ }
+
+ // Early-out if nothing has changed from the previous state.
+- if (!bind_texture_2d && !bind_texture_cube
+- && !bind_texture_oes && !bind_texture_arb) {
++ if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d &&
++ !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) {
+ return;
+ }
+
+@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings(
+ if (bind_texture_arb) {
+ glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb);
+ }
++ if (bind_texture_2d_array) {
++ glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array);
++ }
++ if (bind_texture_3d) {
++ glBindTexture(GL_TEXTURE_3D, service_id_3d);
++ }
+ }
+
+ void ContextState::RestoreSamplerBinding(GLuint unit,
+diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
+index f56e04f411..cac58af031 100644
+--- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
++++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
+@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround(
+ TextureRef* texture_ref,
+ const char* function_name,
+ const DoTexImageArguments& args) {
+- // This workaround code does not work with an unpack buffer bound.
+- ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);
+-
+ std::vector undefined_faces;
+ Texture* texture = texture_ref->texture();
+ if (texture_state->force_cube_complete ||
+@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround(
+ DoTexImageArguments new_args = args;
+ std::unique_ptr zero(new char[args.pixels_size]);
+ memset(zero.get(), 0, args.pixels_size);
++ // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading.
++ state->PushTextureDecompressionUnpackState();
+ for (GLenum face : undefined_faces) {
+ new_args.target = face;
+ new_args.pixels = zero.get();
+@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround(
+ function_name, texture_ref, new_args);
+ texture->MarkLevelAsInternalWorkaround(face, args.level);
+ }
++ state->RestoreUnpackState();
+ }
+
+ void TextureManager::ValidateAndDoTexImage(
+diff --git a/src/3rdparty/chromium/net/base/port_util.cc b/src/3rdparty/chromium/net/base/port_util.cc
+index 543d9db943..83c9821398 100644
+--- a/src/3rdparty/chromium/net/base/port_util.cc
++++ b/src/3rdparty/chromium/net/base/port_util.cc
+@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = {
+ // KURL::port())
+ };
+
+-// FTP overrides the following restricted ports.
++// FTP overrides the following restricted port.
+ const int kAllowedFtpPorts[] = {
+ 21, // ftp data
+- 22, // ssh
+ };
+
+ base::LazyInstance>::Leaky g_explicitly_allowed_ports =
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+index 90883c712f..9abef3a420 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+@@ -262,6 +262,15 @@ void V8Window::openMethodCustom(
+ return;
+ }
+
++ // If the bindings implementation is 100% correct, the current realm and the
++ // entered realm should be same origin-domain. However, to be on the safe
++ // side and add some defense in depth, we'll check against the entered realm
++ // as well here.
++ if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
++ impl, exception_state)) {
++ return;
++ }
++
+ TOSTRING_VOID(V8StringResource,
+ url_string, info[0]);
+ AtomicString frame_name;
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+index 8ce1574d45..1c5b193eda 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url,
+ !frame_->GetDocument()->IsSVGDocument())
+ return;
+
++ // Try the raw fragment for HTML documents, but skip it for `svgView()`:
+ String fragment_identifier = url.FragmentIdentifier();
+- if (ProcessUrlFragmentHelper(fragment_identifier, behavior))
++ if (!frame_->GetDocument()->IsSVGDocument() &&
++ ProcessUrlFragmentHelper(fragment_identifier, behavior)) {
+ return;
++ }
+
+ // Try again after decoding the ref, based on the document's encoding.
+ if (frame_->GetDocument()->Encoding().IsValid()) {
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
+index bbe7147921..1b88d0bd4e 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
+@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() {
+ if (IsColumnHeaderCell())
+ return kColumnHeaderRole;
+
++ // This occurs in an edge case that mixes non-table CSS into a
++ // table, and , see bug 798410.
++ // The odd CSS causes the to not be a LayoutTableCell,
++ // and the ARIA role causes it to fall through to here, because
++ // it is not an ARIA/HTML column/row header.
++ if (!layout_object_ || !layout_object_->IsTableCell())
++ return kCellRole; // .
++
+ // Check the previous cell and the next cell on the same row.
+ LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_);
+ AccessibilityRole header_role = kCellRole;
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
+index 64cc1d575f..b764fb6145 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
+@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type,
+ }
+ #endif
+ InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter);
++
++#if DEBUG_AUDIONODE_REFERENCES
++ fprintf(
++ stderr,
++ "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n",
++ Context(), this, GetNodeType(), connection_ref_count_,
++ node_count_[GetNodeType()],
++ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
++#endif
+ }
+
+ AudioHandler::~AudioHandler() {
+@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() {
+ InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter);
+ #if DEBUG_AUDIONODE_REFERENCES
+ --node_count_[GetNodeType()];
+- fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d]\n",
+- Context(), this, GetNodeType(), connection_ref_count_,
+- node_count_[GetNodeType()]);
++ fprintf(
++ stderr,
++ "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: "
++ "%u\n",
++ Context(), this, GetNodeType(), connection_ref_count_,
++ node_count_[GetNodeType()],
++ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
+ #endif
+ }
+
+@@ -542,9 +555,25 @@ void AudioNode::Dispose() {
+ #endif
+ BaseAudioContext::AutoLocker locker(context());
+ Handler().Dispose();
+- if (context()->ContextState() == BaseAudioContext::kRunning) {
+- context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
+- std::move(handler_));
++ if (context()->HasRealtimeConstraint()) {
++ // Add the handler to the orphan list if the context is not
++ // closed. (Nothing will clean up the orphan list if the context
++ // is closed.) These will get cleaned up in the post render task
++ // if audio thread is running or when the context is colleced (in
++ // the worst case).
++ if (context()->ContextState() != BaseAudioContext::kClosed) {
++ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
++ std::move(handler_));
++ }
++ } else {
++ // For an offline context, only need to save the handler when the
++ // context is running. The change in the context state is
++ // synchronous with the main thread (even though the offline
++ // thread is not synchronized to the main thread).
++ if (context()->ContextState() == BaseAudioContext::kRunning) {
++ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
++ std::move(handler_));
++ }
+ }
+ }
+
+diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
+index 1dd672bea4..a3e295e285 100644
+--- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
++++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
+@@ -235,6 +235,7 @@ template D SkTo(S s) {
+ #define SK_MaxU32 0xFFFFFFFF
+ #define SK_MinU32 0
+ #define SK_NaN32 ((int) (1U << 31))
++#define SK_MaxSizeT SIZE_MAX
+
+ /** Returns true if the value can be represented with signed 16bits
+ */
+diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
+index 6eff790c85..947c125b27 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
+@@ -10,6 +10,8 @@
+ #include "SkFloatBits.h"
+ #include "SkFloatingPoint.h"
+ #include "SkScalar.h"
++#include "SkSafeMath.h"
++
+
+ #define sub_shift(zeros, x, n) \
+ zeros -= n; \
+@@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) {
+ }
+ return sinValue;
+ }
++
++///////////////////////////////////////////////////////////////////////////////////////////////////
++
++size_t SkSafeMath::Add(size_t x, size_t y) {
++ SkSafeMath tmp;
++ size_t sum = tmp.add(x, y);
++ return tmp.ok() ? sum : SK_MaxSizeT;
++}
++
++size_t SkSafeMath::Mul(size_t x, size_t y) {
++ SkSafeMath tmp;
++ size_t prod = tmp.mul(x, y);
++ return tmp.ok() ? prod : SK_MaxSizeT;
++}
+diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
+index 094e6717e6..33008ead35 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
+@@ -9,7 +9,7 @@
+ #include "SkOnce.h"
+ #include "SkPath.h"
+ #include "SkPathRef.h"
+-#include
++#include "SkSafeMath.h"
+
+ //////////////////////////////////////////////////////////////////////////////
+ SkPathRef::Editor::Editor(sk_sp* pathRef,
+@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
+ return false;
+ }
+
++ SkSafeMath safe;
+ int ptCount = 0;
+ int conicCount = 0;
+ for (int i = 0; i < vCount; ++i) {
+ switch (verbs[i]) {
+ case SkPath::kMove_Verb:
+ case SkPath::kLine_Verb:
+- ptCount += 1;
++ ptCount = safe.addInt(ptCount, 1);
+ break;
+ case SkPath::kConic_Verb:
+ conicCount += 1;
+ // fall-through
+ case SkPath::kQuad_Verb:
+- ptCount += 2;
++ ptCount = safe.addInt(ptCount, 2);
+ break;
+ case SkPath::kCubic_Verb:
+- ptCount += 3;
++ ptCount = safe.addInt(ptCount, 3);
+ break;
+ case SkPath::kClose_Verb:
+ break;
+@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
+ return false;
+ }
+ }
++ if (!safe) {
++ return false;
++ }
+ *ptCountPtr = ptCount;
+ *conicCountPtr = conicCount;
+ return true;
+@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb, SkScalar weight) {
+ dirtyAfterEdit = false;
+ pCnt = 0;
+ }
++ SkSafeMath safe;
++ int newPointCnt = safe.addInt(fPointCnt, pCnt);
++ int newVerbCnt = safe.addInt(fVerbCnt, 1);
++ if (!safe) {
++ SK_ABORT("cannot grow path");
++ }
+ size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint);
+ this->makeSpace(space);
+ this->fVerbs[~fVerbCnt] = verb;
+ SkPoint* ret = fPoints + fPointCnt;
+- fVerbCnt += 1;
+- fPointCnt += pCnt;
++ fVerbCnt = newVerbCnt;
++ fPointCnt = newPointCnt;
+ fFreeSpace -= space;
+ fBoundsIsDirty = true; // this also invalidates fIsFinite
+ if (dirtyAfterEdit) {
+diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
+index 91200fbb56..74089633ae 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
++++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
+@@ -28,6 +28,25 @@ public:
+ return result;
+ }
+
++ /**
++ * Return a + b, unless this result is an overflow/underflow. In those cases, fOK will
++ * be set to false, and it is undefined what this returns.
++ */
++ int addInt(int a, int b) {
++ if (b < 0 && a < std::numeric_limits::min() - b) {
++ fOK = false;
++ return a;
++ } else if (b > 0 && a > std::numeric_limits::max() - b) {
++ fOK = false;
++ return a;
++ }
++ return a + b;
++ }
++
++ // These saturate to their results
++ static size_t Add(size_t x, size_t y);
++ static size_t Mul(size_t x, size_t y);
++
+ private:
+ uint32_t mul32(uint32_t x, uint32_t y) {
+ uint64_t bx = x;
+diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
+index 286d9d140c..d2dfed9de1 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
+@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
+ unsigned n = *src++;
+ if (n <= 127) { // repeat count (n + 1)
+ n += 1;
+- if (dst >(endDst - n)) {
++ if (dst > (endDst - n) || src >= stop) {
+ return 0;
+ }
+ memset(dst, *src++, n);
+ } else { // same count (n - 127)
+ n -= 127;
+- if (dst > (endDst - n)) {
++ if (dst > (endDst - n) || src > (stop - n)) {
+ return 0;
+ }
+ memcpy(dst, src, n);
+@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
+ dst += n;
+ }
+ SkASSERT(src <= stop);
++ SkASSERT(dst <= endDst);
+ return SkToInt(dst - origDst);
+ }
+diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
+index 2dc7677afc..773b13e0c1 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
++++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
+@@ -36,7 +36,7 @@ public:
+ @param srcSize Number of bytes of src to unpack
+ @param dst Buffer (allocated by caller) to expand the src[] into.
+ @param dstSize Number of bytes in the output buffer.
+- @return the number of bytes written into dst.
++ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
+ */
+ static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
+ size_t dstSize);
+diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
+index 3096ae5eeb..050b5db164 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
+@@ -13,7 +13,7 @@
+ #include "GrGpu.h"
+ #include "GrResourceProvider.h"
+ #include "GrTypes.h"
+-
++#include "SkSafeMath.h"
+ #include "SkTraceEvent.h"
+
+ #ifdef SK_DEBUG
+@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
+ SkASSERT(startVertex);
+
+ size_t offset SK_INIT_TO_AVOID_WARNING;
+- void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
++ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount),
+ vertexSize,
+ buffer,
+ &offset);
+@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
+ SkASSERT(startIndex);
+
+ size_t offset SK_INIT_TO_AVOID_WARNING;
+- void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
++ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)),
+ sizeof(uint16_t),
+ buffer,
+ &offset);
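Review bot: `SkSafeMath::Mul` is declared with two `size_t` operands (SkSafeMath.h hunk above), so the `int indexCount` visible in this hunk's header is converted to unsigned before the overflow check runs; a negative count becomes a huge operand, `Mul` saturates it to `SK_MaxSizeT`, and that saturated size is what `INHERITED::makeSpace` receives. Whether makeSpace treats a `SK_MaxSizeT` request as a failure is not visible here, so the sign assumption should be stated where the conversion happens, e.g. `SkASSERT(indexCount >= 0);` immediately before the `void* ptr =` line, or an early `return nullptr;` if release builds must reject it too. The same question applies to `vertexCount` in the preceding hunk if it is also signed, which its signature does not show in this view. Both makeSpace bodies continue outside their hunks.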
++ false, false, false, false, true, false, true, false,
++// @ A B C D E F G
++ false, false, false, false, false, false, false, false,
++// H I J K L M N O
++ false, false, false, false, false, false, false, false,
++// P Q R S T U V W
++ false, false, false, false, false, false, false, false,
++// X Y Z [ \ ] ^ _
++ false, false, false, false, false, false, false, false,
++// ` a b c d e f g
++ true, false, false, false, false, false, false, false,
++// h i j k l m n o
++ false, false, false, false, false, false, false, false,
++// p q r s t u v w
++ false, false, false, false, false, false, false, false,
++// x y z { | } ~
++ false, false, false, false, false, false, false
++};
++// clang-format on
++
+ template
+ void DoCanonicalizeRef(const CHAR* spec,
+ const Component& ref,
+@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec,
+ if (spec[i] == 0) {
+ // IE just strips NULLs, so we do too.
+ continue;
+- } else if (static_cast(spec[i]) < 0x20) {
+- // Unline IE seems to, we escape control characters. This will probably
+- // make the reference fragment unusable on a web page, but people
+- // shouldn't be using control characters in their anchor names.
+- AppendEscapedChar(static_cast(spec[i]), output);
+- } else if (static_cast(spec[i]) < 0x80) {
+- // Normal ASCII characters are just appended.
+- output->push_back(static_cast(spec[i]));
++ }
++
++ UCHAR current_char = static_cast(spec[i]);
++ if (current_char < 0x80) {
++ if (kShouldEscapeCharInRef[current_char])
++ AppendEscapedChar(static_cast(spec[i]), output);
++ else
++ output->push_back(static_cast(spec[i]));
+ } else {
+- // Non-ASCII characters are appended unescaped, but only when they are
+- // valid. Invalid Unicode characters are replaced with the "invalid
+- // character" as IE seems to (ReadUTFChar puts the unicode replacement
+- // character in the output on failure for us).
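Review bot: The initializer for `kShouldEscapeCharInRef[0x80]` supplies 127 values (four rows of eight controls, eleven rows of eight, and a final row of seven ending at `~`), so index 0x7F (DEL) is left value-initialized to `false` and the `current_char < 0x80` branch in the next hunk appends DEL to the fragment unescaped. That is consistent with the comment's stated set (0x00-0x1F plus the five listed characters), but the omission is invisible in the table itself and relies on aggregate zero-fill matching the declared size. Spell the last entry out, e.g. a row `//   DEL` followed by `    false` (or `true` if the intent is the URL spec's fragment percent-encode set, which as far as I recall also covers code points above U+007E), so the array size and the initializer count agree visibly.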
+- unsigned code_point;
+- ReadUTFChar(spec, &i, end, &code_point);
+- AppendUTF8Value(code_point, output);
++ AppendUTF8EscapedChar(spec, &i, end, output);
+ }
+ }
+
+diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
+index 5eee300cc3..7026268b77 100644
+--- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
++++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
+@@ -248,6 +248,7 @@ void AstTraversalVisitor::VisitForStatement(ForStatement* stmt) {
+ template
+ void AstTraversalVisitor::VisitForInStatement(ForInStatement* stmt) {
+ PROCESS_NODE(stmt);
++ RECURSE(Visit(stmt->each()));
+ RECURSE(Visit(stmt->enumerable()));
+ RECURSE(Visit(stmt->body()));
+ }
+diff --git a/src/3rdparty/chromium/v8/src/elements.cc b/src/3rdparty/chromium/v8/src/elements.cc
+index 716cc00b9a..bc89c77047 100644
+--- a/src/3rdparty/chromium/v8/src/elements.cc
++++ b/src/3rdparty/chromium/v8/src/elements.cc
+@@ -518,6 +518,21 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate,
+ return Just(-1);
+ }
+
++// The InternalElementsAccessor is a helper class to expose otherwise protected
++// methods to its subclasses. Namely, we don't want to publicly expose methods
++// that take an entry (instead of an index) as an argument.
++class InternalElementsAccessor : public ElementsAccessor {
++ public:
++ explicit InternalElementsAccessor(const char* name)
++ : ElementsAccessor(name) {}
++
++ virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder,
++ FixedArrayBase* backing_store,
++ uint32_t index) = 0;
++
++ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
++};
++
+ // Base class for element handler implementations. Contains the
+ // the common logic for objects with different ElementsKinds.
+ // Subclasses must specialize method for which the element
+@@ -536,10 +551,10 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate,
+ // CRTP to guarantee aggressive compile time optimizations (i.e. inlining and
+ // specialization of SomeElementsAccessor methods).
+ template
+-class ElementsAccessorBase : public ElementsAccessor {
++class ElementsAccessorBase : public InternalElementsAccessor {
+ public:
+ explicit ElementsAccessorBase(const char* name)
+- : ElementsAccessor(name) { }
++ : InternalElementsAccessor(name) {}
+
+ typedef ElementsTraitsParam ElementsTraits;
+ typedef typename ElementsTraitsParam::BackingStore BackingStore;
+@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor {
+ Isolate* isolate, Handle object,
+ Handle values_or_entries, bool get_entries, int* nof_items,
+ PropertyFilter filter) {
+- int count = 0;
++ DCHECK_EQ(*nof_items, 0);
+ KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly,
+ ALL_PROPERTIES);
+ Subclass::CollectElementIndicesImpl(
+ object, handle(object->elements(), isolate), &accumulator);
+ Handle keys = accumulator.GetKeys();
+
+- for (int i = 0; i < keys->length(); ++i) {
++ int count = 0;
++ int i = 0;
++ Handle original_map(object->map(), isolate);
++
++ for (; i < keys->length(); ++i) {
+ Handle key(keys->get(i), isolate);
+- Handle value;
+ uint32_t index;
+ if (!key->ToUint32(&index)) continue;
+
++ DCHECK_EQ(object->map(), *original_map);
+ uint32_t entry = Subclass::GetEntryForIndexImpl(
+ isolate, *object, object->elements(), index, filter);
+ if (entry == kMaxUInt32) continue;
+
+ PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);
+
++ Handle value;
+ if (details.kind() == kData) {
+ value = Subclass::GetImpl(isolate, object->elements(), entry);
+ } else {
++ // This might modify the elements and/or change the elements kind.
+ LookupIterator it(isolate, object, index, LookupIterator::OWN);
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+ isolate, value, Object::GetProperty(&it), Nothing());
+ }
+- if (get_entries) {
+- value = MakeEntryPair(isolate, index, value);
++ if (get_entries) value = MakeEntryPair(isolate, index, value);
++ values_or_entries->set(count++, *value);
++ if (object->map() != *original_map) break;
++ }
++
++ // Slow path caused by changes in elements kind during iteration.
++ for (; i < keys->length(); i++) {
++ Handle key(keys->get(i), isolate);
++ uint32_t index;
++ if (!key->ToUint32(&index)) continue;
++
++ if (filter & ONLY_ENUMERABLE) {
++ InternalElementsAccessor* accessor =
++ reinterpret_cast(
++ object->GetElementsAccessor());
++
++ uint32_t entry = accessor->GetEntryForIndex(isolate, *object,
++ object->elements(), index);
++ if (entry == kMaxUInt32) continue;
++ PropertyDetails details = accessor->GetDetails(*object, entry);
++ if (!details.IsEnumerable()) continue;
+ }
++
++ Handle value;
++ LookupIterator it(isolate, object, index, LookupIterator::OWN);
++ ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it),
++ Nothing());
++
++ if (get_entries) value = MakeEntryPair(isolate, index, value);
+ values_or_entries->set(count++, *value);
+ }
+
+@@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor
+ return result;
+ }
+ }
+-
++ Handle original_map(receiver->map(), isolate);
+ Handle dictionary(
+ SeededNumberDictionary::cast(receiver->elements()), isolate);
+ // Iterate through entire range, as accessing elements out of order is
+ // observable
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(receiver->map(), *original_map);
+ int entry = dictionary->FindEntry(isolate, k);
+ if (entry == SeededNumberDictionary::kNotFound) {
+ if (search_for_hole) return Just(true);
+@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor
+ uint32_t start_from, uint32_t length) {
+ DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
+
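Review bot: The slow path converts the `ElementsAccessor*` returned by `object->GetElementsAccessor()` to `InternalElementsAccessor*` with `reinterpret_cast`; for a base-to-derived conversion the named cast is `static_cast`, which expresses the downcast and is rejected by the compiler if the hierarchy relation ever changes, whereas `reinterpret_cast` accepts any pointer type silently. The cast also relies on every accessor that GetElementsAccessor() can return deriving from InternalElementsAccessor, which the `ElementsAccessorBase` hunk above establishes only for that template; a comment next to the cast stating that assumption would make the slow path reviewable, e.g. `// Every concrete accessor derives from ElementsAccessorBase, hence from InternalElementsAccessor.` The enclosing method starts and ends outside the hunk.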
++ Handle original_map(receiver->map(), isolate);
+ Handle dictionary(
+ SeededNumberDictionary::cast(receiver->elements()), isolate);
+ // Iterate through entire range, as accessing elements out of order is
+ // observable.
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(receiver->map(), *original_map);
+ int entry = dictionary->FindEntry(isolate, k);
+- if (entry == SeededNumberDictionary::kNotFound) {
+- continue;
+- }
++ if (entry == SeededNumberDictionary::kNotFound) continue;
+
+ PropertyDetails details = GetDetailsImpl(*dictionary, entry);
+ switch (details.kind()) {
+@@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor
+ Handle value,
+ uint32_t start_from, uint32_t length) {
+ DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
+- Handle original_map = handle(object->map(), isolate);
++ Handle original_map(object->map(), isolate);
+ Handle elements(
+ SloppyArgumentsElements::cast(object->elements()), isolate);
+ bool search_for_hole = value->IsUndefined(isolate);
+
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(object->map(), *original_map);
+ uint32_t entry =
+ GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
+ if (entry == kMaxUInt32) {
+@@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor
+ Handle value,
+ uint32_t start_from, uint32_t length) {
+ DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
+- Handle original_map = handle(object->map(), isolate);
++ Handle original_map(object->map(), isolate);
+ Handle elements(
+ SloppyArgumentsElements::cast(object->elements()), isolate);
+
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(object->map(), *original_map);
+ uint32_t entry =
+ GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
+ if (entry == kMaxUInt32) {
+diff --git a/src/3rdparty/chromium/v8/src/elements.h b/src/3rdparty/chromium/v8/src/elements.h
+index 9e64764bb0..350264daae 100644
+--- a/src/3rdparty/chromium/v8/src/elements.h
++++ b/src/3rdparty/chromium/v8/src/elements.h
+@@ -52,7 +52,6 @@ class ElementsAccessor {
+
+ virtual Handle Get(Handle holder, uint32_t entry) = 0;
+
+- virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
+ virtual bool HasAccessors(JSObject* holder) = 0;
+ virtual uint32_t NumberOfElements(JSObject* holder) = 0;
+
+@@ -63,8 +62,6 @@ class ElementsAccessor {
+ // element that is non-deletable.
+ virtual void SetLength(Handle holder, uint32_t new_length) = 0;
+
+- // Deletes an element in an object.
+- virtual void Delete(Handle holder, uint32_t entry) = 0;
+
+ // If kCopyToEnd is specified as the copy_size to CopyElements, it copies all
+ // of elements from source after source_start to the destination array.
+@@ -122,11 +119,6 @@ class ElementsAccessor {
+
+ virtual void Set(Handle holder, uint32_t entry, Object* value) = 0;
+
+- virtual void Reconfigure(Handle object,
+- Handle backing_store, uint32_t entry,
+- Handle value,
+- PropertyAttributes attributes) = 0;
+-
+ virtual void Add(Handle object, uint32_t index,
+ Handle value, PropertyAttributes attributes,
+ uint32_t new_capacity) = 0;
+@@ -208,6 +200,15 @@ class ElementsAccessor {
+ FixedArrayBase* backing_store,
+ uint32_t index) = 0;
+
++ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
++ virtual void Reconfigure(Handle object,
++ Handle backing_store, uint32_t entry,
++ Handle value,
++ PropertyAttributes attributes) = 0;
++
++ // Deletes an element in an object.
++ virtual void Delete(Handle holder, uint32_t entry) = 0;
++
+ // NOTE: this method violates the handlified function signature convention:
+ // raw pointer parameter |source_holder| in the function that allocates.
+ // This is done intentionally to avoid ArrayConcat() builtin performance
+diff --git a/src/3rdparty/chromium/v8/src/js/intl.js b/src/3rdparty/chromium/v8/src/js/intl.js
+index 1579337fc1..7fc137f5c7 100644
+--- a/src/3rdparty/chromium/v8/src/js/intl.js
++++ b/src/3rdparty/chromium/v8/src/js/intl.js
+@@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) {
+ dateMs = TO_NUMBER(dateValue);
+ }
+
+- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
+-
+- return %InternalDateFormat(formatter, new GlobalDate(dateMs));
++ return %InternalDateFormat(formatter, dateMs);
+ }
+
+ DEFINE_METHOD(
+@@ -1706,9 +1704,7 @@ DEFINE_METHOD(
+ dateMs = TO_NUMBER(dateValue);
+ }
+
+- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
+-
+- return %InternalDateFormatToParts(this, new GlobalDate(dateMs));
++ return %InternalDateFormatToParts(this, dateMs);
+ }
+ );
+
+diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
+index 4bd6bebdc7..875fd719ef 100644
+--- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
++++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
+@@ -7,7 +7,7 @@
+ #endif // V8_INTL_SUPPORT
+
+ #include "src/runtime/runtime-utils.h"
+-
++#include
+ #include
+
+ #include "src/api-natives.h"
+@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) {
+ DCHECK_EQ(2, args.length());
+
+ CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
+- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
++ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
+
+- Handle value;
+- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
++ double date_value = date->Number();
++ // Check for +-Infinity and Nan
++ if (!std::isfinite(date_value)) {
++ THROW_NEW_ERROR_RETURN_FAILURE(
++ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
++ }
+
+ icu::SimpleDateFormat* date_format =
+ DateFormat::UnpackDateFormat(isolate, date_format_holder);
+ CHECK_NOT_NULL(date_format);
+
+ icu::UnicodeString result;
+- date_format->format(value->Number(), result);
++ date_format->format(date_value, result);
+
+ RETURN_RESULT_OR_FAILURE(
+ isolate, isolate->factory()->NewStringFromTwoByte(Vector(
+@@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
+ DCHECK_EQ(2, args.length());
+
+ CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
+- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
++ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
+
+- Handle value;
+- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
++ double date_value = date->Number();
++ if (!std::isfinite(date_value)) {
++ THROW_NEW_ERROR_RETURN_FAILURE(
++ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
++ }
+
+ icu::SimpleDateFormat* date_format =
+ DateFormat::UnpackDateFormat(isolate, date_format_holder);
+@@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
+ icu::FieldPositionIterator fp_iter;
+ icu::FieldPosition fp;
+ UErrorCode status = U_ZERO_ERROR;
+- date_format->format(value->Number(), formatted, &fp_iter, status);
++ date_format->format(date_value, formatted, &fp_iter, status);
+ if (U_FAILURE(status)) return isolate->heap()->undefined_value();
+
+ Handle result = factory->NewJSArray(0);
+--
+2.14.3
+
diff --git a/qtwebengine-everywhere-src-5.10.1.tar.xz b/qtwebengine-everywhere-src-5.10.1.tar.xz
new file mode 100644
index 0000000..2caab9f
--- /dev/null
+++ b/qtwebengine-everywhere-src-5.10.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12644f8d2ba8354a2a533d5a7f3f5139c6ff168c2f51aa3e21b701db6dbc01de
+size 209844952