From dd6fcc2b840e9355994c8368bca499590576b17715b5fa739f319618e9d504d4 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Sat, 2 Jun 2018 09:53:21 +0000 Subject: [PATCH] Accepting request 612996 from KDE:Qt5 - Fix %postun: Comment in wrong section - Update to 5.11.0 * New bugfix release * For more details please see: * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.11.0/?h=v5.11.0 - Use %autopatch - Use %license - Update to 5.11.0-rc * New bugfix release * No changelog available - Update to 5.11.0-beta4 * New bugfix release * No changelog available - Update to 5.11.0-beta3 * New bugfix release * No changelog available - Refresh patches: * no-return-in-nonvoid-function.diff - Update to 5.11.0-beta2 * New bugfix release * No changelog available - Remove patches, now upstream: * qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch * qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch OBS-URL: https://build.opensuse.org/request/show/612996 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtwebengine?expand=0&rev=35 --- armv6-ffmpeg-no-thumb.patch | 10 +- libqt5-qtwebengine.changes | 75 + libqt5-qtwebengine.spec | 59 +- no-return-in-nonvoid-function.diff | 10 +- ...-everywhere-src-5.10.1-CVE-2018-6033.patch | 64 - ...everywhere-src-5.10.1-security-5.9.5.patch | 1245 ----------------- qtwebengine-everywhere-src-5.10.1.tar.xz | 3 - qtwebengine-everywhere-src-5.11.0.tar.xz | 3 + 8 files changed, 126 insertions(+), 1343 deletions(-) delete mode 100644 qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch delete mode 100644 qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch delete mode 100644 qtwebengine-everywhere-src-5.10.1.tar.xz create mode 100644 qtwebengine-everywhere-src-5.11.0.tar.xz diff --git a/armv6-ffmpeg-no-thumb.patch b/armv6-ffmpeg-no-thumb.patch index 6babccf..a459331 100644 --- a/armv6-ffmpeg-no-thumb.patch +++ b/armv6-ffmpeg-no-thumb.patch 
@@ -1,11 +1,11 @@ -Index: qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/third_party/ffmpeg/chromium/config/Chromium/linux/arm/config.h +Index: qtwebengine-everywhere-src-5.11.0-alpha/src/3rdparty/chromium/third_party/ffmpeg/chromium/config/Chromium/linux/arm/config.h =================================================================== ---- qtwebengine-everywhere-src-5.10.0.orig/src/3rdparty/chromium/third_party/ffmpeg/chromium/config/Chromium/linux/arm/config.h -+++ qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/third_party/ffmpeg/chromium/config/Chromium/linux/arm/config.h -@@ -560,7 +560,7 @@ +--- qtwebengine-everywhere-src-5.11.0-alpha.orig/src/3rdparty/chromium/third_party/ffmpeg/chromium/config/Chromium/linux/arm/config.h ++++ qtwebengine-everywhere-src-5.11.0-alpha/src/3rdparty/chromium/third_party/ffmpeg/chromium/config/Chromium/linux/arm/config.h +@@ -566,7 +566,7 @@ + #define CONFIG_NEON_CLOBBER_TEST 0 #define CONFIG_OSSFUZZ 0 #define CONFIG_PIC 1 - #define CONFIG_RAISE_MAJOR 0 -#define CONFIG_THUMB 1 +#define CONFIG_THUMB 0 #define CONFIG_VALGRIND_BACKTRACE 0 diff --git a/libqt5-qtwebengine.changes b/libqt5-qtwebengine.changes index 5390d45..95758d9 100644 --- a/libqt5-qtwebengine.changes +++ b/libqt5-qtwebengine.changes 
@@ -1,13 +1,55 @@ +------------------------------------------------------------------- +Wed May 30 07:54:28 UTC 2018 - fabian@ritter-vogt.de + +- Fix %postun: Comment in wrong section + +------------------------------------------------------------------- +Tue May 22 16:59:28 CEST 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0 + * New bugfix release + * For more details please see: + * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.11.0/?h=v5.11.0 + +------------------------------------------------------------------- +Thu May 17 15:21:39 UTC 2018 - fabian@ritter-vogt.de + +- Use %autopatch +- Use %license + +------------------------------------------------------------------- +Tue May 8 11:02:00 CEST 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0-rc + * New bugfix release + * No changelog available + ------------------------------------------------------------------- Mon May 7 12:13:15 UTC 2018 - guillaume.gardet@opensuse.org - Fix armv6 by removing unneeded additionnal RPM_OPT_FLAGS +------------------------------------------------------------------- +Mon Apr 23 08:59:37 CEST 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0-beta4 + * New bugfix release + * No changelog available + ------------------------------------------------------------------- Wed Apr 11 11:00:17 UTC 2018 - mliska@suse.cz - Add no-return-in-nonvoid-function.diff in order to fix boo#1087068. +------------------------------------------------------------------- +Wed Apr 11 09:15:40 CEST 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0-beta3 + * New bugfix release + * No changelog available +- Refresh patches: + * no-return-in-nonvoid-function.diff + ------------------------------------------------------------------- Thu Mar 29 13:20:53 UTC 2018 - kamikazow@opensuse.org 
@@ -18,6 +60,16 @@ Thu Mar 29 13:20:53 UTC 2018 - kamikazow@opensuse.org back to KHTML), therefore no "with-Qt-Company-Qt-exception-1.1" because those 3rd parties never granted them. +------------------------------------------------------------------- +Wed Mar 28 09:18:01 CEST 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0-beta2 + * New bugfix release + * No changelog available +- Remove patches, now upstream: + * qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch + * qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch + ------------------------------------------------------------------- Tue Mar 27 15:34:51 UTC 2018 - wbauer@tmo.at @@ -51,6 +103,29 @@ Sun Mar 18 22:57:09 UTC 2018 - kamikazow@opensuse.org * qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch from Fedora * qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch from Fedora +------------------------------------------------------------------- +Tue Mar 13 13:40:53 UTC 2018 - christophe@krop.fr + +- Fix the license tag. + +------------------------------------------------------------------- +Thu Mar 1 09:56:21 CET 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0-beta1 + * New feature release + * For more details please see: + * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.11.0-beta1/?h=v5.11.0-beta1 + +------------------------------------------------------------------- +Tue Feb 20 14:32:19 CET 2018 - fabian@ritter-vogt.de + +- Update to 5.11.0-alpha + * New feature release + * For more details please see: + * https://wiki.qt.io/New_Features_in_Qt_5.11 +- Refresh patches: + * armv6-ffmpeg-no-thumb.patch + ------------------------------------------------------------------- Wed Feb 14 15:47:56 CET 2018 - fabian@ritter-vogt.de diff --git a/libqt5-qtwebengine.spec b/libqt5-qtwebengine.spec index 865f38c..ca590c0 100644 --- a/libqt5-qtwebengine.spec +++ b/libqt5-qtwebengine.spec 
@@ -13,6 +13,9 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + %define qt5_snapshot 0 @@ -50,27 +53,22 @@ %global _qtwebengine_dictionaries_dir %{_libqt5_datadir}/qtwebengine_dictionaries Name: libqt5-qtwebengine -Version: 5.10.1 +Version: 5.11.0 Release: 0 Summary: Qt 5 WebEngine Library License: LGPL-3.0-only or GPL-2.0-only or GPL-3.0-only Group: Development/Libraries/X11 Url: https://www.qt.io %define base_name libqt5 -%define real_version 5.10.1 -%define so_version 5.10.1 -%define tar_version qtwebengine-everywhere-src-5.10.1 -Source: https://download.qt.io/official_releases/qt/5.10/%{real_version}/submodules/%{tar_version}.tar.xz +%define real_version 5.11.0 +%define so_version 5.11.0 +%define tar_version qtwebengine-everywhere-src-5.11.0 +Source: https://download.qt.io/official_releases/qt/5.11/%{real_version}/submodules/%{tar_version}.tar.xz Source1: baselibs.conf # PATCH-FIX-UPSTREAM armv6-ffmpeg-no-thumb.patch - Fix ffmpeg configuration for armv6 Patch1: armv6-ffmpeg-no-thumb.patch # PATCH-FIX-UPSTREAM disable-gpu-when-using-nouveau-boo-1005323.diff Patch2: disable-gpu-when-using-nouveau-boo-1005323.diff -# PATCH-FIX-UPSTREAM qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch -# - forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146) -# see the patch metadata for the list of fixed CVEs and Chromium bug IDs -Patch3: qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch -Patch4: qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch # PATCH-FIX-UPSTREAM harmony-fix.diff -- Show the patent-free LCD rendering. Without this patch, only grayscale rendering is used. (for freetype-2.8.1) boo#1061344 Patch5: harmony-fix.diff Patch6: no-return-in-nonvoid-function.diff 
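Review bot: Dropping `Patch3`/`Patch4` also drops the only statement in the spec of which Chromium baseline the package's security fixes correspond to (the removed comment named `65.0.3325.146`), and the `Version: 5.11.0` bump records nothing in its place. I'd keep a one-line comment next to `Source:` such as `# 5.11.0 supersedes the former security-5.9.5 and CVE-2018-6033 backports (see dist/changes-5.11.0)` so the next backport decision has a baseline in the spec itself; that 5.11.0 really contains those fixes is asserted only by the .changes entry in this commit, so it is worth confirming against the upstream changelog linked there before relying on it. The patch numbering now skips 3 and 4, which is harmless with the `%autopatch -p1` introduced in the %prep hunk, but a short comment saying so would stop a later cleanup from renumbering for no reason.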
@@ -133,6 +131,10 @@ BuildRequires: pkgconfig(gobject-2.0)
 BuildRequires: pkgconfig(gthread-2.0)
 BuildRequires: pkgconfig(jsoncpp)
 BuildRequires: binutils-gold
+%if 0%{?suse_version} < 1330
+# It does not build with the default compiler (GCC 4.8) on Leap 42.x
+BuildRequires: gcc7-c++
+%endif
 BuildRequires: pkgconfig(libcrypto)
 BuildRequires: pkgconfig(libdrm)
 BuildRequires: pkgconfig(libevent)
@@ -244,12 +246,8 @@ Examples for the libqt5-qtwebengine module.
 %prep
 %setup -q -n %{tar_version}
 sed -i 's|$(STRIP)|strip|g' src/core/core_module.pro
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
+%autopatch -p1
+
 # QTBUG-61128
 sed -i -e '/toolprefix = /d' -e 's/\${toolprefix}//g' \
 src/3rdparty/chromium/build/toolchain/linux/BUILD.gn
@@ -260,6 +258,15 @@ sed -i -e '/toolprefix = /d' -e 's/\${toolprefix}//g' \ mkdir .git %endif +%if 0%{?suse_version} < 1330 +# WE checks the version of GCC qtbase was built with, not the version it's building with. +# ARGH! +echo "QT_GCC_MAJOR_VERSION = 7" > qtwebengine_new.pro +echo "QT_GCC_MINOR_VERSION = 2" >> qtwebengine_new.pro +cat qtwebengine.pro >> qtwebengine_new.pro +mv qtwebengine{_new,}.pro +%endif + %ifnarch x86_64 RPM_OPT_FLAGS="$RPM_OPT_FLAGS " export RPM_OPT_FLAGS=${RPM_OPT_FLAGS/-g / }
@@ -267,6 +274,9 @@ export RPM_OPT_FLAGS=${RPM_OPT_FLAGS/-g / }
 # It does not actually include proprietary codecs, it only makes it attempt to use ffmpeg
 %qmake5 QMAKE_CFLAGS="$RPM_OPT_FLAGS" \
 QMAKE_LFLAGS+="-Wl,--no-keep-memory -Wl,--hash-size=31 -Wl,--reduce-memory-overheads" \
+%if 0%{?suse_version} < 1330
+ QMAKE_CC=gcc-7 QMAKE_CXX=g++-7 CONFIG+=c++14 \
+%endif
 qtwebengine.pro -- \
 -webengine-alsa -no-webengine-embedded-build \
 %if %{with system_icu}
@@ -298,6 +308,11 @@ fi # processess instead of its defaults. export NINJAFLAGS="-j $makeproc" +%if 0%{?suse_version} < 1330 + export CC=gcc-7 + export CXX=g++-7 +%endif + make -j$makeproc VERBOSE=1 %install 
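Review bot: The Leap branch added in the %prep hunk hardcodes `QT_GCC_MAJOR_VERSION = 7` and `QT_GCC_MINOR_VERSION = 2` into the generated qtwebengine_new.pro, while the compiler actually used is whatever `gcc7-c++` installs; if Leap's gcc7 is at a different minor, the version check in qtwebengine.pro is fed a number that does not describe the toolchain, and the `# ARGH!` comment does not say what that check guards or why overriding it is safe. I'd derive both numbers from the installed compiler, e.g. `echo "QT_GCC_MAJOR_VERSION = $(g++-7 -dumpfullversion | cut -d. -f1)" > qtwebengine_new.pro` and the same with `-f2` for the minor, and replace `# ARGH!` with a comment naming the qtwebengine.pro check being overridden. The same `%if 0%{?suse_version} < 1330` condition now appears in four hunks of this file (BuildRequires, %prep, the %qmake5 call and the make step); defining it once as a named macro near the top would keep the four branches from drifting apart.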
@@ -316,7 +331,7 @@ rm -f %{buildroot}%{_libqt5_libdir}/lib*.la sed -i -r '/ EXACT\)/d' \ %{buildroot}%{_libqt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake -sed -i '/find_package/!b;n;s/'%{version}/$(rpm -q --qf %%{version} libQt5Core5)/ \ +sed -i '/find_package/!b;n;s/'%{so_version}/$(rpm -q --qf %%{version} libQt5Core5 | sed 's/~.*$//')/ \ %{buildroot}%{_libqt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake # Hunspell dictionaries will be converted and put here on package installation @@ -327,8 +342,8 @@ mkdir -p %{buildroot}%{_qtwebengine_dictionaries_dir} %postun -p /sbin/ldconfig %if 0%{?suse_version} >= 1500 -# Convert Hunspell dictionaries on package installation %filetriggerin -- %{_datadir}/hunspell +# Convert Hunspell dictionaries on package installation while read filename ; do case "$filename" in *.dic) @@ -341,7 +356,7 @@ done %files %defattr(-,root,root,755) -%doc LICENSE.* +%license LICENSE.* %{_libqt5_libdir}/libQt*Web*.so.* %{_datadir}/qt5/ %dir %{_libqt5_libexecdir} @@ -353,12 +368,12 @@ done %files private-headers-devel %defattr(-,root,root,755) -%doc LICENSE.* +%license LICENSE.* %{_libqt5_includedir}/*/%{so_version} %files devel %defattr(-,root,root,755) -%doc LICENSE.* +%license LICENSE.* %exclude %{_libqt5_includedir}/*/%{so_version} %{_libqt5_includedir}/*/ %{_libqt5_libdir}/cmake/Qt5*/ @@ -369,7 +384,7 @@ done %files examples %defattr(-,root,root,755) -%doc LICENSE.* +%license LICENSE.* %{_libqt5_examplesdir}/ %changelog diff --git a/no-return-in-nonvoid-function.diff b/no-return-in-nonvoid-function.diff index af2380a..de1c097 100644 --- a/no-return-in-nonvoid-function.diff +++ b/no-return-in-nonvoid-function.diff 
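Review bot: In the %install hunk the libQt5Core5 version is spliced into the sed script straight from an unquoted `$(rpm -q ... | sed 's/~.*$//')`; if the query yields nothing, or rpm's "not installed" message (which rpm writes to stdout), the `s/` expression silently becomes a deletion or a malformed script instead of a clear failure. Capturing it first keeps the failure visible: `core_ver=$(rpm -q --qf '%%{version}' libQt5Core5 | sed 's/~.*$//')`, `test -n "$core_ver"`, then `s/'%{so_version}/$core_ver/` in the existing sed line. The `~` stripping is presumably only needed for pre-release packages, which a short comment on the line should say. The %filetriggerin script in the following hunk continues outside the diff.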
@@ -1,10 +1,12 @@ ---- a/src/3rdparty/chromium/third_party/protobuf/src/google/protobuf/compiler/js/js_generator.cc 2018-04-11 10:36:36.215724331 +0000 -+++ b/src/3rdparty/chromium/third_party/protobuf/src/google/protobuf/compiler/js/js_generator.cc 2018-04-11 10:37:01.204216307 +0000 -@@ -488,6 +488,7 @@ +Index: qtwebengine-everywhere-src-5.11.0-rc/src/3rdparty/chromium/third_party/protobuf/src/google/protobuf/compiler/js/js_generator.cc +=================================================================== +--- qtwebengine-everywhere-src-5.11.0-rc.orig/src/3rdparty/chromium/third_party/protobuf/src/google/protobuf/compiler/js/js_generator.cc ++++ qtwebengine-everywhere-src-5.11.0-rc/src/3rdparty/chromium/third_party/protobuf/src/google/protobuf/compiler/js/js_generator.cc +@@ -505,6 +505,7 @@ string JSByteGetterSuffix(BytesMode byte return "U8"; default: assert(false); + __builtin_unreachable (); } + return ""; } - diff --git a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch deleted file mode 100644 index ba687ef..0000000 --- a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 1fd21185614dcae0c7a6e5647ba56cff0120f563 Mon Sep 17 00:00:00 2001 -Message-Id: <1fd21185614dcae0c7a6e5647ba56cff0120f563.1521386919.git.kevin.kofler@chello.at> -From: Michal Klocek -Date: Wed, 7 Mar 2018 18:36:25 +0100 -Subject: [PATCH] Implement IsMostRecentDownloadItemAtFilePath call - -Implement IsMostRecentDownloadItemAtFilePath -for download_manager_delegate_qt. This is required for -CVE-2018-6033. - -Change-Id: I9f48dfa159d684f0fda894e68b81ff622aceaae2 -Reviewed-by: Allan Sandfeld Jensen ---- - src/core/download_manager_delegate_qt.cpp | 20 ++++++++++++++++++++ - src/core/download_manager_delegate_qt.h | 2 ++ - 2 files changed, 22 insertions(+) - -diff --git a/src/core/download_manager_delegate_qt.cpp b/src/core/download_manager_delegate_qt.cpp -index 40df9b3a..487a831e 100644 ---- a/src/core/download_manager_delegate_qt.cpp -+++ b/src/core/download_manager_delegate_qt.cpp -@@ -293,6 +293,26 @@ void DownloadManagerDelegateQt::ChooseSavePath(content::WebContents *web_content - m_weakPtrFactory.GetWeakPtr())); - } - -+bool DownloadManagerDelegateQt::IsMostRecentDownloadItemAtFilePath(content::DownloadItem *download) -+{ -+ content::BrowserContext *context = download->GetBrowserContext(); -+ std::vector all_downloads; -+ -+ content::DownloadManager* manager = -+ content::BrowserContext::GetDownloadManager(context); -+ if (manager) -+ manager->GetAllDownloads(&all_downloads); -+ -+ for (const auto* item : all_downloads) { -+ if (item->GetGuid() == download->GetGuid() || -+ item->GetTargetFilePath() != download->GetTargetFilePath()) -+ continue; -+ if (item->GetState() == content::DownloadItem::IN_PROGRESS) -+ return false; -+ } -+ return true; -+} -+ - void DownloadManagerDelegateQt::savePackageDownloadCreated(content::DownloadItem *item) - { - OnDownloadUpdated(item); -diff --git a/src/core/download_manager_delegate_qt.h b/src/core/download_manager_delegate_qt.h -index df43211e..7563d5d3 100644 ---- 
a/src/core/download_manager_delegate_qt.h -+++ b/src/core/download_manager_delegate_qt.h -@@ -81,6 +81,8 @@ public: - const base::FilePath::StringType &default_extension, - bool can_save_as_complete, - const content::SavePackagePathPickedCallback &callback) override; -+ bool IsMostRecentDownloadItemAtFilePath(content::DownloadItem* download) override; -+ - - void cancelDownload(quint32 downloadId); - void pauseDownload(quint32 downloadId); --- -2.14.3 - diff --git a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch deleted file mode 100644 index 96adb72..0000000 --- a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch +++ /dev/null 
@@ -1,1245 +0,0 @@ -From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Michal Klocek -Date: Thu, 8 Mar 2018 11:26:33 +0100 -Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg - fix) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[Backport] CVE-2017-15429 - -Only open windows with js URLs if the entered window has access - -It's not enough to check that the current window has access, if other -security checks failed and the entered window shouldn't have access to -the current window. - -BUG=788453 -R=haraken@chromium.org,mkwst@chromium.org - -Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01 -Reviewed-on: https://chromium-review.googlesource.com/792934 -Commit-Queue: Jochen Eisinger -Reviewed-by: Mike West -Reviewed-by: Kentaro Hara -Reviewed-by: Yuki Shiino -Cr-Commit-Position: refs/heads/master@{#519683} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6069 - -check for bad buffers in Unpack8 - -Bug:799918 -Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c -Reviewed-on: https://skia-review.googlesource.com/92841 -Commit-Queue: Mike Reed -Reviewed-by: Florin Malita -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6071 - -detect too many points - -Bug:777318 -Change-Id: Idb52688b6ee4ae020004400da995620c1f548559 -Reviewed-on: https://skia-review.googlesource.com/73821 -Commit-Queue: Mike Reed -Reviewed-by: Herb Derby -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 770734 - -Fix a crash in TemplateURLParser. - -It was caused by dereferencing an invalid URL during parsing. 
- -Bug: 770734 -Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a -Reviewed-on: https://chromium-review.googlesource.com/773902 -Commit-Queue: Vasilii Sukhanov -Reviewed-by: Peter Kasting -Cr-Commit-Position: refs/heads/master@{#517751} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 774833 - -Intl.DateTimeFormat: throw RangeError for non-finite input - -intl.js throws an exception when datetime-value to format is -Infinity or NaN, but there was a way to thwart the check. - -Moreover, intl.js and runtime-intl.cc have unnecessary conversions -of 'Number->Date->Number'. I removed the unnecessary conversion -and made 'Number' be passed to %InternalDateFormat. With this -streamlining, the work-around mentioned above does not work -anymore. - -Add a check in runtime_intl.cc for Infinity/NaN and throw a -RangeError. - -Add invalid-time test for invalid datetime-values passed to -Intl.DateTimeFormat.format(). - -Bug: chromium:774833 -Test: intl/date-format/invalid-time.js -Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng -Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee -Reviewed-on: https://chromium-review.googlesource.com/724860 -Commit-Queue: Jungshik Shin -Reviewed-by: Adam Klein -Cr-Commit-Position: refs/heads/master@{#48765} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6073 - -Fix CopyTexImage behavior when cubemap workaround is involved. - -The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params -in order to upload data to textures correctly. 
- -BUG=804118 -TEST=tests in the bug -R=piman@chromium.org -TBR=zmo@chromium.org -NOTRY=true - -(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22) - -Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel -Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa -Reviewed-on: https://chromium-review.googlesource.com/892282 -Commit-Queue: Zhenyao Mo -Reviewed-by: Antoine Labour -Reviewed-by: Kai Ninomiya -Cr-Original-Commit-Position: refs/heads/master@{#532749} -Reviewed-on: https://chromium-review.googlesource.com/895907 -Reviewed-by: Zhenyao Mo -Cr-Commit-Position: refs/branch-heads/3325@{#208} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6076 - -Percent-encode UTF8 characters in URL fragment identifiers. - -This brings us into line with Firefox, Safari, and the spec. - -Bug: 758523 -Reviewed-on: https://chromium-review.googlesource.com/668363 -Commit-Queue: Mike West -Reviewed-by: Jochen Eisinger -Reviewed-by: Andy Paicu -Cr-Commit-Position: refs/heads/master@{#507481} - -Encode ' ', '"', '<', '>', and '`' in URL fragments. - -Implements the changes to fragment processing described in -https://github.com/whatwg/url/pull/347, which adds a new "fragment -percent-encode set" which contains the C0 control percent-encode set, -along with: - -* 0x20 SPACE -* 0x22 (") -* 0x3C (<) -* 0x3E (>) -* 0x60 (`) - -This brings our implementation into line with Firefox. 
- -Bug: 758523 -Reviewed-on: https://chromium-review.googlesource.com/719004 -Commit-Queue: Mike West -Reviewed-by: Jochen Eisinger -Cr-Commit-Position: refs/heads/master@{#523383} - -Change-Id: I25de642017ccb69473626a327ad194b3431a11ed -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6079 - -Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data. - -In linux and android, we are seeing an issue where texture data from one -tab overwrites the texture data of another tab. This is happening for apps -which are using webgl2 texture of type TEXTURE_2D_ARRAY/TEXTURE_3D. -Due to a bug in virtual context save/restore code for above texture formats, -the texture data is not properly restored while switching tabs. Hence -texture data from one tab overwrites other. - -This CL has fix for that issue, an update for existing test expectations -and a new unit test for this bug. - -Bug: 788448 -Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel -Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28 -Reviewed-on: https://chromium-review.googlesource.com/930327 -Reviewed-by: Zhenyao Mo -Commit-Queue: vikas soni -Cr-Original-Commit-Position: refs/heads/master@{#539111}(cherry picked from commit d128139d53e9268e87921e82d89b3f2053cb83fd) -Reviewed-on: https://chromium-review.googlesource.com/939878 -Cr-Commit-Position: refs/branch-heads/3325@{#610} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6081 - -Fix XSS in supervised user interstitial - -BUG=797525 - -Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93 -Reviewed-on: https://chromium-review.googlesource.com/844075 -Reviewed-by: Bernhard Bauer -Commit-Queue: Rob Wu -Cr-Commit-Position: refs/heads/master@{#526158} 
-Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6082 - -Remove port 22 from the set of allowed FTP ports. - -The collision with SSH ports caused some possible concerns with being -able to enumerate internal hosts. Analysis shows that Internet hosts -supporting FTP over port 22 are a small fraction, and likely not -accessed over the web. - -Bug: 767354 -Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0 -Reviewed-on: https://chromium-review.googlesource.com/860753 -Reviewed-by: Matt Menke -Commit-Queue: Christopher Thompson -Cr-Commit-Position: refs/heads/master@{#528461} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6064 - -[elements] Fix Object.entries/values with changing elements - -Drive-by-cleanup: -- Add InternalElementsAccessor to expose protected instance methods -to ElementsAccessor subclasses. -- Make some more ElementsAccessor methods protected that take the -raw entry as parameter. - -Bug: chromium:798644 -Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c -Reviewed-on: https://chromium-review.googlesource.com/856816 -Commit-Queue: Camillo Bruni -Reviewed-by: Jakob Kummerow -Cr-Commit-Position: refs/heads/master@{#50480} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6062 - -use safemath::mull for buffer sizes - -Bug:780104 -Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff -Reviewed-on: https://skia-review.googlesource.com/95760 -Reviewed-by: Brian Salomon -Commit-Queue: Mike Reed -(cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d) -Reviewed-on: https://skia-review.googlesource.com/101780 -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6060 - -Keep AudioHandlers alive until they can be safely deleted. - -When an AudioNode is disposed, the handler is also disposed. But add -the handler to the orphan list so that the handler stays alive until -the context can safely delete it. 
If we don't do this, the handler -may get deleted while the audio thread is processing the handler (due -to, say, channel count changes and such). - -For an realtime context, save the handler if the context is not closed. -(Nothing will clean up the handler if the context is closed.) - -For an offline context, only need to do this when the context is -running because the context is guaranteed to be stopped if we're not -in the running state. Hence, there's no possibility of deleting the -handler while the graph is running. - -Bug: 780919 -Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87 -Reviewed-on: https://chromium-review.googlesource.com/868841 -Reviewed-by: Hongchan Choi -Commit-Queue: Raymond Toy -Cr-Original-Commit-Position: refs/heads/master@{#530892}(cherry picked from commit ebcf9595bf908b515ffcd31374b071697a69faed) -Reviewed-on: https://chromium-review.googlesource.com/893626 -Reviewed-by: Raymond Toy -Cr-Commit-Position: refs/branch-heads/3325@{#180} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 798410 - -Crash fix for th with role gridcell in a table with nontraditional css - -Do not assume we can use ToLayoutCell() in an object that can be created -for an ARIA cell and may not be associated with an actual table cell. 
- -Bug: 798410 -Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3 -Reviewed-on: https://chromium-review.googlesource.com/906953 -Commit-Queue: Aaron Leventhal -Reviewed-by: Nektarios Paisios -Cr-Original-Commit-Position: refs/heads/master@{#535462}(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e) -Reviewed-on: https://chromium-review.googlesource.com/916527 -Reviewed-by: Aaron Leventhal -Cr-Commit-Position: refs/branch-heads/3325@{#447} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 789764 - -[parser] Fix func numbering inside for in. - -BUG=chromium:789764 - -Change-Id: I6a466660159721683c4979af32019d740094151b -Reviewed-on: https://chromium-review.googlesource.com/803217 -Reviewed-by: Ross McIlroy -Reviewed-by: Jochen Eisinger -Commit-Queue: Marja Hölttä -Cr-Commit-Position: refs/heads/master@{#49795} -Reviewed-by: Allan Sandfeld Jensen ---- - .../search_engines/template_url_parser.cc | 2 +- - .../supervised_user_block_interstitial.js | 8 +-- - .../gpu/command_buffer/service/context_state.cc | 34 +++++++++- - .../gpu/command_buffer/service/texture_manager.cc | 6 +- - chromium/net/base/port_util.cc | 3 +- - .../bindings/core/v8/custom/V8WindowCustom.cpp | 9 +++ - .../WebKit/Source/core/frame/LocalFrameView.cpp | 5 +- - .../Source/modules/accessibility/AXTableCell.cpp | 8 +++ - .../WebKit/Source/modules/webaudio/AudioNode.cpp | 41 ++++++++++-- - chromium/third_party/skia/include/core/SkTypes.h | 1 + - chromium/third_party/skia/src/core/SkMath.cpp | 16 +++++ - chromium/third_party/skia/src/core/SkPathRef.cpp | 22 +++++-- - chromium/third_party/skia/src/core/SkSafeMath.h | 19 ++++++ - .../third_party/skia/src/effects/SkPackBits.cpp | 5 +- - chromium/third_party/skia/src/effects/SkPackBits.h | 2 +- - .../third_party/skia/src/gpu/GrBufferAllocPool.cpp | 6 +- - chromium/url/url_canon_etc.cc | 61 ++++++++++++----- - 
chromium/v8/src/ast/ast-traversal-visitor.h | 1 + - chromium/v8/src/elements.cc | 76 ++++++++++++++++++---- - chromium/v8/src/elements.h | 17 ++--- - chromium/v8/src/js/intl.js | 8 +-- - chromium/v8/src/runtime/runtime-intl.cc | 25 ++++--- - 22 files changed, 293 insertions(+), 82 deletions(-) - -diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc -index 64b1385e05..476d879b5f 100644 ---- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc -+++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc -@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() { - return; - - GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url()); -- if (url.is_empty()) -+ if (!url.is_valid()) - return; - - // If there is a parameter filter, parse the existing URL and remove any -diff --git a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js -index d6b9327584..bee21be919 100644 ---- a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js -+++ b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js -@@ -67,8 +67,8 @@ function initialize() { - $('custodian-avatar-img').style.content = - makeImageSet(avatarURL1x, avatarURL2x); - } -- $('custodian-name').innerHTML = custodianName; -- $('custodian-email').innerHTML = loadTimeData.getString('custodianEmail'); -+ $('custodian-name').textContent = custodianName; -+ $('custodian-email').textContent = loadTimeData.getString('custodianEmail'); - var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x'); - var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x'); - var secondCustodianName = 
loadTimeData.getString('secondCustodianName'); -@@ -79,8 +79,8 @@ function initialize() { - $('second-custodian-avatar-img').style.content = - makeImageSet(secondAvatarURL1x, secondAvatarURL2x); - } -- $('second-custodian-name').innerHTML = secondCustodianName; -- $('second-custodian-email').innerHTML = loadTimeData.getString( -+ $('second-custodian-name').textContent = secondCustodianName; -+ $('second-custodian-email').textContent = loadTimeData.getString( - 'secondCustodianEmail'); - } - } -diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc -index 3c71d38b25..1b1d647c36 100644 ---- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc -+++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc -@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) { - ? unit.bound_texture_2d->service_id() : 0; - } - -+GLuint Get2dArrayServiceId(const TextureUnit& unit) { -+ return unit.bound_texture_2d_array.get() -+ ? unit.bound_texture_2d_array->service_id() -+ : 0; -+} -+ -+GLuint Get3dServiceId(const TextureUnit& unit) { -+ return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0; -+} -+ - GLuint GetCubeServiceId(const TextureUnit& unit) { - return unit.bound_texture_cube_map.get() - ? 
unit.bound_texture_cube_map->service_id() : 0; -@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings( - DCHECK_LT(unit, texture_units.size()); - const TextureUnit& texture_unit = texture_units[unit]; - GLuint service_id_2d = Get2dServiceId(texture_unit); -+ GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit); -+ GLuint service_id_3d = Get3dServiceId(texture_unit); - GLuint service_id_cube = GetCubeServiceId(texture_unit); - GLuint service_id_oes = GetOesServiceId(texture_unit); - GLuint service_id_arb = GetArbServiceId(texture_unit); -@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings( - feature_info_->feature_flags().oes_egl_image_external || - feature_info_->feature_flags().nv_egl_stream_consumer_external; - bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle; -+ // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version. -+ // So set it to FALSE by default. -+ bool bind_texture_2d_array = false; -+ bool bind_texture_3d = false; -+ // set the variables to true only if the application is ES3 or newer -+ if (feature_info_->IsES3Capable()) { -+ bind_texture_2d_array = true; -+ bind_texture_3d = true; -+ } - - if (prev_state) { - const TextureUnit& prev_unit = prev_state->texture_units[unit]; - bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit); -+ bind_texture_2d_array = -+ service_id_2d_array != Get2dArrayServiceId(prev_unit); -+ bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit); - bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit); - bind_texture_oes = - bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit); -@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings( - } - - // Early-out if nothing has changed from the previous state. 
-- if (!bind_texture_2d && !bind_texture_cube -- && !bind_texture_oes && !bind_texture_arb) { -+ if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d && -+ !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) { - return; - } - -@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings( - if (bind_texture_arb) { - glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb); - } -+ if (bind_texture_2d_array) { -+ glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array); -+ } -+ if (bind_texture_3d) { -+ glBindTexture(GL_TEXTURE_3D, service_id_3d); -+ } - } - - void ContextState::RestoreSamplerBinding(GLuint unit, -diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc -index f56e04f411..cac58af031 100644 ---- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc -+++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc -@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround( - TextureRef* texture_ref, - const char* function_name, - const DoTexImageArguments& args) { -- // This workaround code does not work with an unpack buffer bound. -- ScopedResetPixelUnpackBuffer scoped_reset_pbo(state); -- - std::vector undefined_faces; - Texture* texture = texture_ref->texture(); - if (texture_state->force_cube_complete || -@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround( - DoTexImageArguments new_args = args; - std::unique_ptr zero(new char[args.pixels_size]); - memset(zero.get(), 0, args.pixels_size); -+ // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading. 
-+ state->PushTextureDecompressionUnpackState(); - for (GLenum face : undefined_faces) { - new_args.target = face; - new_args.pixels = zero.get(); -@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround( - function_name, texture_ref, new_args); - texture->MarkLevelAsInternalWorkaround(face, args.level); - } -+ state->RestoreUnpackState(); - } - - void TextureManager::ValidateAndDoTexImage( -diff --git a/src/3rdparty/chromium/net/base/port_util.cc b/src/3rdparty/chromium/net/base/port_util.cc -index 543d9db943..83c9821398 100644 ---- a/src/3rdparty/chromium/net/base/port_util.cc -+++ b/src/3rdparty/chromium/net/base/port_util.cc -@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = { - // KURL::port()) - }; - --// FTP overrides the following restricted ports. -+// FTP overrides the following restricted port. - const int kAllowedFtpPorts[] = { - 21, // ftp data -- 22, // ssh - }; - - base::LazyInstance>::Leaky g_explicitly_allowed_ports = -diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp -index 90883c712f..9abef3a420 100644 ---- a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp -+++ b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp -@@ -262,6 +262,15 @@ void V8Window::openMethodCustom( - return; - } - -+ // If the bindings implementation is 100% correct, the current realm and the -+ // entered realm should be same origin-domain. However, to be on the safe -+ // side and add some defense in depth, we'll check against the entered realm -+ // as well here. 
-+ if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()), -+ impl, exception_state)) { -+ return; -+ } -+ - TOSTRING_VOID(V8StringResource, - url_string, info[0]); - AtomicString frame_name; -diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp -index 8ce1574d45..1c5b193eda 100644 ---- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp -+++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp -@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url, - !frame_->GetDocument()->IsSVGDocument()) - return; - -+ // Try the raw fragment for HTML documents, but skip it for `svgView()`: - String fragment_identifier = url.FragmentIdentifier(); -- if (ProcessUrlFragmentHelper(fragment_identifier, behavior)) -+ if (!frame_->GetDocument()->IsSVGDocument() && -+ ProcessUrlFragmentHelper(fragment_identifier, behavior)) { - return; -+ } - - // Try again after decoding the ref, based on the document's encoding. - if (frame_->GetDocument()->Encoding().IsValid()) { -diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp -index bbe7147921..1b88d0bd4e 100644 ---- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp -+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp -@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() { - if (IsColumnHeaderCell()) - return kColumnHeaderRole; - -+ // This occurs in an edge case that mixes non-table CSS into a -+ // table, and , see bug 798410. 
-+ // The odd CSS causes the to not be a LayoutTableCell, -+ // and the ARIA role causes it to fall through to here, because -+ // it is not an ARIA/HTML column/row header. -+ if (!layout_object_ || !layout_object_->IsTableCell()) -+ return kCellRole; // . -+ - // Check the previous cell and the next cell on the same row. - LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_); - AccessibilityRole header_role = kCellRole; -diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp -index 64cc1d575f..b764fb6145 100644 ---- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp -+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp -@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type, - } - #endif - InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter); -+ -+#if DEBUG_AUDIONODE_REFERENCES -+ fprintf( -+ stderr, -+ "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n", -+ Context(), this, GetNodeType(), connection_ref_count_, -+ node_count_[GetNodeType()], -+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter)); -+#endif - } - - AudioHandler::~AudioHandler() { -@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() { - InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter); - #if DEBUG_AUDIONODE_REFERENCES - --node_count_[GetNodeType()]; -- fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d]\n", -- Context(), this, GetNodeType(), connection_ref_count_, -- node_count_[GetNodeType()]); -+ fprintf( -+ stderr, -+ "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: " -+ "%u\n", -+ Context(), this, GetNodeType(), connection_ref_count_, -+ node_count_[GetNodeType()], -+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter)); - #endif - } - -@@ -542,9 +555,25 
@@ void AudioNode::Dispose() { - #endif - BaseAudioContext::AutoLocker locker(context()); - Handler().Dispose(); -- if (context()->ContextState() == BaseAudioContext::kRunning) { -- context()->GetDeferredTaskHandler().AddRenderingOrphanHandler( -- std::move(handler_)); -+ if (context()->HasRealtimeConstraint()) { -+ // Add the handler to the orphan list if the context is not -+ // closed. (Nothing will clean up the orphan list if the context -+ // is closed.) These will get cleaned up in the post render task -+ // if audio thread is running or when the context is colleced (in -+ // the worst case). -+ if (context()->ContextState() != BaseAudioContext::kClosed) { -+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler( -+ std::move(handler_)); -+ } -+ } else { -+ // For an offline context, only need to save the handler when the -+ // context is running. The change in the context state is -+ // synchronous with the main thread (even though the offline -+ // thread is not synchronized to the main thread). 
-+ if (context()->ContextState() == BaseAudioContext::kRunning) { -+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler( -+ std::move(handler_)); -+ } - } - } - -diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h -index 1dd672bea4..a3e295e285 100644 ---- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h -+++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h -@@ -235,6 +235,7 @@ template D SkTo(S s) { - #define SK_MaxU32 0xFFFFFFFF - #define SK_MinU32 0 - #define SK_NaN32 ((int) (1U << 31)) -+#define SK_MaxSizeT SIZE_MAX - - /** Returns true if the value can be represented with signed 16bits - */ -diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp -index 6eff790c85..947c125b27 100644 ---- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp -+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp -@@ -10,6 +10,8 @@ - #include "SkFloatBits.h" - #include "SkFloatingPoint.h" - #include "SkScalar.h" -+#include "SkSafeMath.h" -+ - - #define sub_shift(zeros, x, n) \ - zeros -= n; \ -@@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) { - } - return sinValue; - } -+ -+/////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+size_t SkSafeMath::Add(size_t x, size_t y) { -+ SkSafeMath tmp; -+ size_t sum = tmp.add(x, y); -+ return tmp.ok() ? sum : SK_MaxSizeT; -+} -+ -+size_t SkSafeMath::Mul(size_t x, size_t y) { -+ SkSafeMath tmp; -+ size_t prod = tmp.mul(x, y); -+ return tmp.ok() ? 
prod : SK_MaxSizeT; -+} -diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp -index 094e6717e6..33008ead35 100644 ---- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp -+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp -@@ -9,7 +9,7 @@ - #include "SkOnce.h" - #include "SkPath.h" - #include "SkPathRef.h" --#include -+#include "SkSafeMath.h" - - ////////////////////////////////////////////////////////////////////////////// - SkPathRef::Editor::Editor(sk_sp* pathRef, -@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr - return false; - } - -+ SkSafeMath safe; - int ptCount = 0; - int conicCount = 0; - for (int i = 0; i < vCount; ++i) { - switch (verbs[i]) { - case SkPath::kMove_Verb: - case SkPath::kLine_Verb: -- ptCount += 1; -+ ptCount = safe.addInt(ptCount, 1); - break; - case SkPath::kConic_Verb: - conicCount += 1; - // fall-through - case SkPath::kQuad_Verb: -- ptCount += 2; -+ ptCount = safe.addInt(ptCount, 2); - break; - case SkPath::kCubic_Verb: -- ptCount += 3; -+ ptCount = safe.addInt(ptCount, 3); - break; - case SkPath::kClose_Verb: - break; -@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr - return false; - } - } -+ if (!safe) { -+ return false; -+ } - *ptCountPtr = ptCount; - *conicCountPtr = conicCount; - return true; -@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb, SkScalar weight) { - dirtyAfterEdit = false; - pCnt = 0; - } -+ SkSafeMath safe; -+ int newPointCnt = safe.addInt(fPointCnt, pCnt); -+ int newVerbCnt = safe.addInt(fVerbCnt, 1); -+ if (!safe) { -+ SK_ABORT("cannot grow path"); -+ } - size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint); - this->makeSpace(space); - this->fVerbs[~fVerbCnt] = verb; - SkPoint* ret = fPoints + fPointCnt; -- fVerbCnt += 1; -- fPointCnt += pCnt; -+ fVerbCnt = 
newVerbCnt; -+ fPointCnt = newPointCnt; - fFreeSpace -= space; - fBoundsIsDirty = true; // this also invalidates fIsFinite - if (dirtyAfterEdit) { -diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h -index 91200fbb56..74089633ae 100644 ---- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h -+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h -@@ -28,6 +28,25 @@ public: - return result; - } - -+ /** -+ * Return a + b, unless this result is an overflow/underflow. In those cases, fOK will -+ * be set to false, and it is undefined what this returns. -+ */ -+ int addInt(int a, int b) { -+ if (b < 0 && a < std::numeric_limits::min() - b) { -+ fOK = false; -+ return a; -+ } else if (b > 0 && a > std::numeric_limits::max() - b) { -+ fOK = false; -+ return a; -+ } -+ return a + b; -+ } -+ -+ // These saturate to their results -+ static size_t Add(size_t x, size_t y); -+ static size_t Mul(size_t x, size_t y); -+ - private: - uint32_t mul32(uint32_t x, uint32_t y) { - uint64_t bx = x; -diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp -index 286d9d140c..d2dfed9de1 100644 ---- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp -+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp -@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize, - unsigned n = *src++; - if (n <= 127) { // repeat count (n + 1) - n += 1; -- if (dst >(endDst - n)) { -+ if (dst > (endDst - n) || src >= stop) { - return 0; - } - memset(dst, *src++, n); - } else { // same count (n - 127) - n -= 127; -- if (dst > (endDst - n)) { -+ if (dst > (endDst - n) || src > (stop - n)) { - return 0; - } - memcpy(dst, src, n); -@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize, - dst += n; - } - 
SkASSERT(src <= stop); -+ SkASSERT(dst <= endDst); - return SkToInt(dst - origDst); - } -diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h -index 2dc7677afc..773b13e0c1 100644 ---- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h -+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h -@@ -36,7 +36,7 @@ public: - @param srcSize Number of bytes of src to unpack - @param dst Buffer (allocated by caller) to expand the src[] into. - @param dstSize Number of bytes in the output buffer. -- @return the number of bytes written into dst. -+ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small. - */ - static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[], - size_t dstSize); -diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp -index 3096ae5eeb..050b5db164 100644 ---- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp -+++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp -@@ -13,7 +13,7 @@ - #include "GrGpu.h" - #include "GrResourceProvider.h" - #include "GrTypes.h" -- -+#include "SkSafeMath.h" - #include "SkTraceEvent.h" - - #ifdef SK_DEBUG -@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize, - SkASSERT(startVertex); - - size_t offset SK_INIT_TO_AVOID_WARNING; -- void* ptr = INHERITED::makeSpace(vertexSize * vertexCount, -+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount), - vertexSize, - buffer, - &offset); -@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount, - SkASSERT(startIndex); - - size_t offset SK_INIT_TO_AVOID_WARNING; -- void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t), -+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)), - 
sizeof(uint16_t), - buffer, - &offset); -diff --git a/src/3rdparty/chromium/url/url_canon_etc.cc b/src/3rdparty/chromium/url/url_canon_etc.cc -index 31e9fb5cfa..bbc46270a1 100644 ---- a/src/3rdparty/chromium/url/url_canon_etc.cc -+++ b/src/3rdparty/chromium/url/url_canon_etc.cc -@@ -233,6 +233,43 @@ bool DoPort(const CHAR* spec, - return true; - } - -+// clang-format off -+// Percent-escape all "C0 controls" (0x00-0x1F) -+// https://infra.spec.whatwg.org/#c0-control along with the characters ' ' -+// (0x20), '"' (0x22), '<' (0x3C), '>' (0x3E), and '`' (0x60): -+const bool kShouldEscapeCharInRef[0x80] = { -+// Control characters (0x00-0x1F) -+ true, true, true, true, true, true, true, true, -+ true, true, true, true, true, true, true, true, -+ true, true, true, true, true, true, true, true, -+ true, true, true, true, true, true, true, true, -+// ' ' ! " # $ % & ' -+ true, false, true, false, false, false, false, false, -+// ( ) * + , - . / -+ false, false, false, false, false, false, false, false, -+// 0 1 2 3 4 5 6 7 -+ false, false, false, false, false, false, false, false, -+// 8 9 : ; < = > ? 
-+ false, false, false, false, true, false, true, false, -+// @ A B C D E F G -+ false, false, false, false, false, false, false, false, -+// H I J K L M N O -+ false, false, false, false, false, false, false, false, -+// P Q R S T U V W -+ false, false, false, false, false, false, false, false, -+// X Y Z [ \ ] ^ _ -+ false, false, false, false, false, false, false, false, -+// ` a b c d e f g -+ true, false, false, false, false, false, false, false, -+// h i j k l m n o -+ false, false, false, false, false, false, false, false, -+// p q r s t u v w -+ false, false, false, false, false, false, false, false, -+// x y z { | } ~ -+ false, false, false, false, false, false, false -+}; -+// clang-format on -+ - template - void DoCanonicalizeRef(const CHAR* spec, - const Component& ref, -@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec, - if (spec[i] == 0) { - // IE just strips NULLs, so we do too. - continue; -- } else if (static_cast(spec[i]) < 0x20) { -- // Unline IE seems to, we escape control characters. This will probably -- // make the reference fragment unusable on a web page, but people -- // shouldn't be using control characters in their anchor names. -- AppendEscapedChar(static_cast(spec[i]), output); -- } else if (static_cast(spec[i]) < 0x80) { -- // Normal ASCII characters are just appended. -- output->push_back(static_cast(spec[i])); -+ } -+ -+ UCHAR current_char = static_cast(spec[i]); -+ if (current_char < 0x80) { -+ if (kShouldEscapeCharInRef[current_char]) -+ AppendEscapedChar(static_cast(spec[i]), output); -+ else -+ output->push_back(static_cast(spec[i])); - } else { -- // Non-ASCII characters are appended unescaped, but only when they are -- // valid. Invalid Unicode characters are replaced with the "invalid -- // character" as IE seems to (ReadUTFChar puts the unicode replacement -- // character in the output on failure for us). 
-- unsigned code_point; -- ReadUTFChar(spec, &i, end, &code_point); -- AppendUTF8Value(code_point, output); -+ AppendUTF8EscapedChar(spec, &i, end, output); - } - } - -diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h -index 5eee300cc3..7026268b77 100644 ---- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h -+++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h -@@ -248,6 +248,7 @@ void AstTraversalVisitor::VisitForStatement(ForStatement* stmt) { - template - void AstTraversalVisitor::VisitForInStatement(ForInStatement* stmt) { - PROCESS_NODE(stmt); -+ RECURSE(Visit(stmt->each())); - RECURSE(Visit(stmt->enumerable())); - RECURSE(Visit(stmt->body())); - } -diff --git a/src/3rdparty/chromium/v8/src/elements.cc b/src/3rdparty/chromium/v8/src/elements.cc -index 716cc00b9a..bc89c77047 100644 ---- a/src/3rdparty/chromium/v8/src/elements.cc -+++ b/src/3rdparty/chromium/v8/src/elements.cc -@@ -518,6 +518,21 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate, - return Just(-1); - } - -+// The InternalElementsAccessor is a helper class to expose otherwise protected -+// methods to its subclasses. Namely, we don't want to publicly expose methods -+// that take an entry (instead of an index) as an argument. -+class InternalElementsAccessor : public ElementsAccessor { -+ public: -+ explicit InternalElementsAccessor(const char* name) -+ : ElementsAccessor(name) {} -+ -+ virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder, -+ FixedArrayBase* backing_store, -+ uint32_t index) = 0; -+ -+ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; -+}; -+ - // Base class for element handler implementations. Contains the - // the common logic for objects with different ElementsKinds. 
- // Subclasses must specialize method for which the element -@@ -536,10 +551,10 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate, - // CRTP to guarantee aggressive compile time optimizations (i.e. inlining and - // specialization of SomeElementsAccessor methods). - template --class ElementsAccessorBase : public ElementsAccessor { -+class ElementsAccessorBase : public InternalElementsAccessor { - public: - explicit ElementsAccessorBase(const char* name) -- : ElementsAccessor(name) { } -+ : InternalElementsAccessor(name) {} - - typedef ElementsTraitsParam ElementsTraits; - typedef typename ElementsTraitsParam::BackingStore BackingStore; -@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor { - Isolate* isolate, Handle object, - Handle values_or_entries, bool get_entries, int* nof_items, - PropertyFilter filter) { -- int count = 0; -+ DCHECK_EQ(*nof_items, 0); - KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly, - ALL_PROPERTIES); - Subclass::CollectElementIndicesImpl( - object, handle(object->elements(), isolate), &accumulator); - Handle keys = accumulator.GetKeys(); - -- for (int i = 0; i < keys->length(); ++i) { -+ int count = 0; -+ int i = 0; -+ Handle original_map(object->map(), isolate); -+ -+ for (; i < keys->length(); ++i) { - Handle key(keys->get(i), isolate); -- Handle value; - uint32_t index; - if (!key->ToUint32(&index)) continue; - -+ DCHECK_EQ(object->map(), *original_map); - uint32_t entry = Subclass::GetEntryForIndexImpl( - isolate, *object, object->elements(), index, filter); - if (entry == kMaxUInt32) continue; - - PropertyDetails details = Subclass::GetDetailsImpl(*object, entry); - -+ Handle value; - if (details.kind() == kData) { - value = Subclass::GetImpl(isolate, object->elements(), entry); - } else { -+ // This might modify the elements and/or change the elements kind. 
- LookupIterator it(isolate, object, index, LookupIterator::OWN); - ASSIGN_RETURN_ON_EXCEPTION_VALUE( - isolate, value, Object::GetProperty(&it), Nothing()); - } -- if (get_entries) { -- value = MakeEntryPair(isolate, index, value); -+ if (get_entries) value = MakeEntryPair(isolate, index, value); -+ values_or_entries->set(count++, *value); -+ if (object->map() != *original_map) break; -+ } -+ -+ // Slow path caused by changes in elements kind during iteration. -+ for (; i < keys->length(); i++) { -+ Handle key(keys->get(i), isolate); -+ uint32_t index; -+ if (!key->ToUint32(&index)) continue; -+ -+ if (filter & ONLY_ENUMERABLE) { -+ InternalElementsAccessor* accessor = -+ reinterpret_cast( -+ object->GetElementsAccessor()); -+ -+ uint32_t entry = accessor->GetEntryForIndex(isolate, *object, -+ object->elements(), index); -+ if (entry == kMaxUInt32) continue; -+ PropertyDetails details = accessor->GetDetails(*object, entry); -+ if (!details.IsEnumerable()) continue; - } -+ -+ Handle value; -+ LookupIterator it(isolate, object, index, LookupIterator::OWN); -+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it), -+ Nothing()); -+ -+ if (get_entries) value = MakeEntryPair(isolate, index, value); - values_or_entries->set(count++, *value); - } - -@@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor - return result; - } - } -- -+ Handle original_map(receiver->map(), isolate); - Handle dictionary( - SeededNumberDictionary::cast(receiver->elements()), isolate); - // Iterate through entire range, as accessing elements out of order is - // observable - for (uint32_t k = start_from; k < length; ++k) { -+ DCHECK_EQ(receiver->map(), *original_map); - int entry = dictionary->FindEntry(isolate, k); - if (entry == SeededNumberDictionary::kNotFound) { - if (search_for_hole) return Just(true); -@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor - uint32_t start_from, uint32_t length) { - DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver)); - 
-+ Handle original_map(receiver->map(), isolate); - Handle dictionary( - SeededNumberDictionary::cast(receiver->elements()), isolate); - // Iterate through entire range, as accessing elements out of order is - // observable. - for (uint32_t k = start_from; k < length; ++k) { -+ DCHECK_EQ(receiver->map(), *original_map); - int entry = dictionary->FindEntry(isolate, k); -- if (entry == SeededNumberDictionary::kNotFound) { -- continue; -- } -+ if (entry == SeededNumberDictionary::kNotFound) continue; - - PropertyDetails details = GetDetailsImpl(*dictionary, entry); - switch (details.kind()) { -@@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor - Handle value, - uint32_t start_from, uint32_t length) { - DCHECK(JSObject::PrototypeHasNoElements(isolate, *object)); -- Handle original_map = handle(object->map(), isolate); -+ Handle original_map(object->map(), isolate); - Handle elements( - SloppyArgumentsElements::cast(object->elements()), isolate); - bool search_for_hole = value->IsUndefined(isolate); - - for (uint32_t k = start_from; k < length; ++k) { -+ DCHECK_EQ(object->map(), *original_map); - uint32_t entry = - GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES); - if (entry == kMaxUInt32) { -@@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor - Handle value, - uint32_t start_from, uint32_t length) { - DCHECK(JSObject::PrototypeHasNoElements(isolate, *object)); -- Handle original_map = handle(object->map(), isolate); -+ Handle original_map(object->map(), isolate); - Handle elements( - SloppyArgumentsElements::cast(object->elements()), isolate); - - for (uint32_t k = start_from; k < length; ++k) { -+ DCHECK_EQ(object->map(), *original_map); - uint32_t entry = - GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES); - if (entry == kMaxUInt32) { -diff --git a/src/3rdparty/chromium/v8/src/elements.h b/src/3rdparty/chromium/v8/src/elements.h -index 9e64764bb0..350264daae 100644 ---- 
a/src/3rdparty/chromium/v8/src/elements.h -+++ b/src/3rdparty/chromium/v8/src/elements.h -@@ -52,7 +52,6 @@ class ElementsAccessor { - - virtual Handle Get(Handle holder, uint32_t entry) = 0; - -- virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; - virtual bool HasAccessors(JSObject* holder) = 0; - virtual uint32_t NumberOfElements(JSObject* holder) = 0; - -@@ -63,8 +62,6 @@ class ElementsAccessor { - // element that is non-deletable. - virtual void SetLength(Handle holder, uint32_t new_length) = 0; - -- // Deletes an element in an object. -- virtual void Delete(Handle holder, uint32_t entry) = 0; - - // If kCopyToEnd is specified as the copy_size to CopyElements, it copies all - // of elements from source after source_start to the destination array. -@@ -122,11 +119,6 @@ class ElementsAccessor { - - virtual void Set(Handle holder, uint32_t entry, Object* value) = 0; - -- virtual void Reconfigure(Handle object, -- Handle backing_store, uint32_t entry, -- Handle value, -- PropertyAttributes attributes) = 0; -- - virtual void Add(Handle object, uint32_t index, - Handle value, PropertyAttributes attributes, - uint32_t new_capacity) = 0; -@@ -208,6 +200,15 @@ class ElementsAccessor { - FixedArrayBase* backing_store, - uint32_t index) = 0; - -+ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; -+ virtual void Reconfigure(Handle object, -+ Handle backing_store, uint32_t entry, -+ Handle value, -+ PropertyAttributes attributes) = 0; -+ -+ // Deletes an element in an object. -+ virtual void Delete(Handle holder, uint32_t entry) = 0; -+ - // NOTE: this method violates the handlified function signature convention: - // raw pointer parameter |source_holder| in the function that allocates. 
- // This is done intentionally to avoid ArrayConcat() builtin performance -diff --git a/src/3rdparty/chromium/v8/src/js/intl.js b/src/3rdparty/chromium/v8/src/js/intl.js -index 1579337fc1..7fc137f5c7 100644 ---- a/src/3rdparty/chromium/v8/src/js/intl.js -+++ b/src/3rdparty/chromium/v8/src/js/intl.js -@@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) { - dateMs = TO_NUMBER(dateValue); - } - -- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange); -- -- return %InternalDateFormat(formatter, new GlobalDate(dateMs)); -+ return %InternalDateFormat(formatter, dateMs); - } - - DEFINE_METHOD( -@@ -1706,9 +1704,7 @@ DEFINE_METHOD( - dateMs = TO_NUMBER(dateValue); - } - -- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange); -- -- return %InternalDateFormatToParts(this, new GlobalDate(dateMs)); -+ return %InternalDateFormatToParts(this, dateMs); - } - ); - -diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc -index 4bd6bebdc7..875fd719ef 100644 ---- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc -+++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc -@@ -7,7 +7,7 @@ - #endif // V8_INTL_SUPPORT - - #include "src/runtime/runtime-utils.h" -- -+#include - #include - - #include "src/api-natives.h" -@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) { - DCHECK_EQ(2, args.length()); - - CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0); -- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1); -+ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1); - -- Handle value; -- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date)); -+ double date_value = date->Number(); -+ // Check for +-Infinity and Nan -+ if (!std::isfinite(date_value)) { -+ THROW_NEW_ERROR_RETURN_FAILURE( -+ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue)); -+ } - - icu::SimpleDateFormat* date_format = - DateFormat::UnpackDateFormat(isolate, 
date_format_holder); - CHECK_NOT_NULL(date_format); - - icu::UnicodeString result; -- date_format->format(value->Number(), result); -+ date_format->format(date_value, result); - - RETURN_RESULT_OR_FAILURE( - isolate, isolate->factory()->NewStringFromTwoByte(Vector( -@@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) { - DCHECK_EQ(2, args.length()); - - CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0); -- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1); -+ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1); - -- Handle value; -- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date)); -+ double date_value = date->Number(); -+ if (!std::isfinite(date_value)) { -+ THROW_NEW_ERROR_RETURN_FAILURE( -+ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue)); -+ } - - icu::SimpleDateFormat* date_format = - DateFormat::UnpackDateFormat(isolate, date_format_holder); -@@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) { - icu::FieldPositionIterator fp_iter; - icu::FieldPosition fp; - UErrorCode status = U_ZERO_ERROR; -- date_format->format(value->Number(), formatted, &fp_iter, status); -+ date_format->format(date_value, formatted, &fp_iter, status); - if (U_FAILURE(status)) return isolate->heap()->undefined_value(); - - Handle result = factory->NewJSArray(0); --- -2.14.3 - diff --git a/qtwebengine-everywhere-src-5.10.1.tar.xz b/qtwebengine-everywhere-src-5.10.1.tar.xz deleted file mode 100644 index 2caab9f..0000000 --- a/qtwebengine-everywhere-src-5.10.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:12644f8d2ba8354a2a533d5a7f3f5139c6ff168c2f51aa3e21b701db6dbc01de -size 209844952 diff --git a/qtwebengine-everywhere-src-5.11.0.tar.xz b/qtwebengine-everywhere-src-5.11.0.tar.xz new file mode 100644 index 0000000..0515681 --- /dev/null +++ b/qtwebengine-everywhere-src-5.11.0.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5dd754d603c66d36e93b96b4f7c24a6e6269ae6a1682a524b8baa664d5c44b45
+size 233619512