Security patches since 6.9.2 release
CVE-2025-8879: Heap buffer overflow in libaom
CVE-2025-8880: Race in V8
CVE-2025-8881: Inappropriate implementation in File Picker
CVE-2025-8901: Out of bounds write in ANGLE
https://github.com/qt/qtwebengine-chromium/compare/136d7fe8aa41c9d4cd764a6b890af9699f5141dd..130-based.diff
diff --git a/chromium/content/browser/web_contents/file_chooser_impl.cc b/chromium/content/browser/web_contents/file_chooser_impl.cc
index 7e2391bd1afd..d366c5d26bba 100644
--- src/3rdparty/chromium/content/browser/web_contents/file_chooser_impl.cc
+++ src/3rdparty/chromium/content/browser/web_contents/file_chooser_impl.cc
@@ -169,6 +169,12 @@ void FileChooserImpl::OpenFileChooser(blink::mojom::FileChooserParamsPtr params,
return;
}
+ // Do not allow open dialogs to have renderer-controlled default_file_name.
+ // See https://crbug.com/433800617 for context.
+ if (params->mode != blink::mojom::FileChooserParams::Mode::kSave) {
+ params->default_file_name = base::FilePath();
+ }
+
// Don't allow page with open FileChooser to enter BackForwardCache to avoid
// any unexpected behaviour from BackForwardCache.
BackForwardCache::DisableForRenderFrameHost(
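Review bot: The new mode check only cites a bug link for its rationale, and if that tracker entry stays restricted the reader of this file is left without the reason the field is dropped; the browser process is the enforcement point here, so the reason belongs in the code itself. Extend the comment to something like `// default_file_name is renderer-controlled input; only a save dialog may honour it, every other mode gets an empty path.` so the invariant matches the wording added to file_chooser.mojom ("cleared if mode is not kSave"). OpenFileChooser's body begins and ends outside the hunk.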
diff --git a/chromium/media/audio/audio_input_device.cc b/chromium/media/audio/audio_input_device.cc
index a7d8e1098241..44abd451c397 100644
--- src/3rdparty/chromium/media/audio/audio_input_device.cc
+++ src/3rdparty/chromium/media/audio/audio_input_device.cc
@@ -482,7 +482,7 @@ void AudioInputDevice::AudioThreadCallback::Process(uint32_t pending_data) {
const base::TimeTicks capture_time =
base::TimeTicks() + base::Microseconds(buffer->params.capture_time_us);
const base::TimeTicks now_time = base::TimeTicks::Now();
- DCHECK_GE(now_time, capture_time);
+ // DCHECK_GE(now_time, capture_time);
AudioGlitchInfo glitch_info{
.duration = base::Microseconds(buffer->params.glitch_duration_us),
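Review bot: Commenting out `DCHECK_GE(now_time, capture_time)` leaves dead code and no statement of whether the invariant was wrong or merely noisy; either delete the line or replace it with a comment recording the cause, e.g. `// capture_time may be later than now_time (cause: <fill in>); intentionally not DCHECKed.` If capture_time really can exceed now_time, any later subtraction of the two (which, if present, is outside this hunk) should be checked for negative durations. Process's body begins and ends outside the hunk.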
diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
index 107f61cf4603..04b698b7fc08 100644
--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
@@ -775,24 +775,6 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root,
return false;
}
- // For now, rewrite pixel local storage before collecting variables or any operations on images.
- //
- // TODO(anglebug.com/40096838):
- // Should this actually run after collecting variables?
- // Do we need more introspection?
- // Do we want to hide rewritten shader image uniforms from glGetActiveUniform?
- if (hasPixelLocalStorageUniforms())
- {
- ASSERT(
- IsExtensionEnabled(mExtensionBehavior, TExtension::ANGLE_shader_pixel_local_storage));
- if (!RewritePixelLocalStorage(this, root, getSymbolTable(), compileOptions,
- getShaderVersion()))
- {
- mDiagnostics.globalError("internal compiler error translating pixel local storage");
- return false;
- }
- }
-
if (shouldRunLoopAndIndexingValidation(compileOptions) &&
!ValidateLimitations(root, mShaderType, &mSymbolTable, &mDiagnostics))
{
@@ -939,6 +921,24 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root,
return false;
}
+ // For now, rewrite pixel local storage before collecting variables or any operations on images.
+ //
+ // TODO(anglebug.com/40096838):
+ // Should this actually run after collecting variables?
+ // Do we need more introspection?
+ // Do we want to hide rewritten shader image uniforms from glGetActiveUniform?
+ if (hasPixelLocalStorageUniforms())
+ {
+ ASSERT(
+ IsExtensionEnabled(mExtensionBehavior, TExtension::ANGLE_shader_pixel_local_storage));
+ if (!RewritePixelLocalStorage(this, root, getSymbolTable(), compileOptions,
+ getShaderVersion()))
+ {
+ mDiagnostics.globalError("internal compiler error translating pixel local storage");
+ return false;
+ }
+ }
+
// Clamping uniform array bounds needs to happen after validateLimitations pass.
if (compileOptions.clampIndirectArrayBounds)
{
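Review bot: The relocated block keeps its old leading comment ("rewrite pixel local storage before collecting variables or any operations on images"), but nothing records that it now deliberately runs after the `ValidateLimitations` check and before the uniform array bounds clamping; the earlier hunk at L289–L305 is the matching deletion. Add a line such as `// Must run after the ValidateLimitations pass above; do not move it back before validation.` — whether the ordering matters to the loop/indexing validator specifically is my inference from the new position, so state the real reason if it is different. Without that sentence a later tidy-up could restore the old order. checkAndSimplifyAST begins and ends outside both hunks.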
diff --git a/chromium/third_party/angle/src/compiler/translator/ValidateOutputs.cpp b/chromium/third_party/angle/src/compiler/translator/ValidateOutputs.cpp
index 927783db73f6..d3481f1a4d1f 100644
--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ValidateOutputs.cpp
+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ValidateOutputs.cpp
@@ -72,15 +72,19 @@ ValidateOutputsTraverser::ValidateOutputsTraverser(const TExtensionBehavior &ext
void ValidateOutputsTraverser::visitSymbol(TIntermSymbol *symbol)
{
if (symbol->variable().symbolType() == SymbolType::Empty)
+ {
return;
+ }
if (mVisitedSymbols.count(symbol->uniqueId().get()) == 1)
+ {
return;
+ }
mVisitedSymbols.insert(symbol->uniqueId().get());
TQualifier qualifier = symbol->getQualifier();
- if (qualifier == EvqFragmentOut)
+ if (qualifier == EvqFragmentOut || qualifier == EvqFragmentInOut)
{
const TLayoutQualifier &layoutQualifier = symbol->getType().getLayoutQualifier();
if (layoutQualifier.location != -1)
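Review bot: The widened condition `qualifier == EvqFragmentOut || qualifier == EvqFragmentInOut` does not say why inout fragment outputs now need the same location validation, so the second operand reads like an accidental addition. A one-line comment above it, e.g. `// inout fragment outputs occupy output locations too and must be validated the same way`, would keep it from being dropped as a cleanup; whether this relates to the ANGLE entry in the patch list is not stated on the page. `qualifier` could also be declared `const` since it is never reassigned in the visible lines. visitSymbol's body continues past the hunk.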
diff --git a/chromium/third_party/blink/public/mojom/choosers/file_chooser.mojom b/chromium/third_party/blink/public/mojom/choosers/file_chooser.mojom
index 22ccb9cc709f..f323fa2aa2eb 100644
--- src/3rdparty/chromium/third_party/blink/public/mojom/choosers/file_chooser.mojom
+++ src/3rdparty/chromium/third_party/blink/public/mojom/choosers/file_chooser.mojom
@@ -25,7 +25,7 @@ struct FileChooserParams {
kUploadFolder,
// Allows picking a nonexistent file, and prompts to overwrite if the file
- // already exists. This is not for Blink but for PPAPI.
+ // already exists.
kSave,
};
Mode mode = kOpen;
@@ -34,7 +34,8 @@ struct FileChooserParams {
// which will be either "Open" or "Save" depending on the mode.
mojo_base.mojom.String16 title;
- // Default file name to select in the dialog with kSave mode.
+ // Default file name to select in the dialog with kSave mode. This value
+ // is cleared if mode is not kSave.
mojo_base.mojom.FilePath default_file_name;
// |selected_files| has filenames which a file upload control already
diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
index 4fd5ec6bf54b..82a48c39cb10 100644
--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
@@ -3236,8 +3236,9 @@ static void rc_scene_detection_onepass_rt(AV1_COMP *cpi,
// non-zero sad exists along bottom border even though source is static.
const int border =
rc->prev_frame_is_dropped || cpi->svc.number_temporal_layers > 1;
- // Store blkwise SAD for later use
- if (width == cm->render_width && height == cm->render_height) {
+ // Store blkwise SAD for later use. Disable for spatial layers for now.
+ if (width == cm->render_width && height == cm->render_height &&
+ cpi->svc.number_spatial_layers == 1) {
if (cpi->src_sad_blk_64x64 == NULL) {
CHECK_MEM_ERROR(cm, cpi->src_sad_blk_64x64,
(uint64_t *)aom_calloc(sb_cols * sb_rows,
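Review bot: The new `cpi->svc.number_spatial_layers == 1` guard is explained only as "Disable for spatial layers for now", which says what is skipped but not what goes wrong otherwise; presumably `src_sad_blk_64x64` is sized once from `sb_cols * sb_rows` and spatial layers change the frame size between uses, but the hunk does not show that. Record the actual reason in the comment, e.g. `// Disabled with spatial layers: the buffer is sized for a single frame resolution.`, so the "for now" is not reverted without re-checking the sizing. rc_scene_detection_onepass_rt begins and ends outside the hunk.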
diff --git a/chromium/v8/src/wasm/streaming-decoder.cc b/chromium/v8/src/wasm/streaming-decoder.cc
index f3745b4c055a..ce5dad96d52f 100644
--- src/3rdparty/chromium/v8/src/wasm/streaming-decoder.cc
+++ src/3rdparty/chromium/v8/src/wasm/streaming-decoder.cc
@@ -230,45 +230,61 @@ class V8_EXPORT_PRIVATE AsyncStreamingDecoder : public StreamingDecoder {
};
void AsyncStreamingDecoder::OnBytesReceived(base::Vector<const uint8_t> bytes) {
- DCHECK(!full_wire_bytes_.empty());
+ TRACE_STREAMING("OnBytesReceived(%zu bytes)\n", bytes.size());
+
+ // Note: The bytes are passed by the embedder, and they might point into the
+ // sandbox. Hence we copy them once and then process those copied bytes, to
+ // avoid being vulnerable to concurrent modification.
+ // Since we might not be able to store the bytes contiguously in memory,
+ // remember up to two byte vectors to process after copying.
+ base::Vector<const uint8_t> copied_bytes[2] = {{}, {}};
+
// Fill the previous vector, growing up to 16kB. After that, allocate new
// vectors on overflow.
+ DCHECK(!full_wire_bytes_.empty());
+ std::vector<uint8_t>* last_wire_byte_vector = &full_wire_bytes_.back();
+ size_t existing_vector_size = last_wire_byte_vector->size();
size_t remaining_capacity =
- std::max(full_wire_bytes_.back().capacity(), size_t{16} * KB) -
- full_wire_bytes_.back().size();
+ std::max(last_wire_byte_vector->capacity(), size_t{16} * KB) -
+ existing_vector_size;
size_t bytes_for_existing_vector = std::min(remaining_capacity, bytes.size());
- full_wire_bytes_.back().insert(full_wire_bytes_.back().end(), bytes.data(),
- bytes.data() + bytes_for_existing_vector);
+ last_wire_byte_vector->insert(last_wire_byte_vector->end(), bytes.data(),
+ bytes.data() + bytes_for_existing_vector);
+ copied_bytes[0] =
+ base::VectorOf(last_wire_byte_vector->data() + existing_vector_size,
+ bytes_for_existing_vector);
if (bytes.size() > bytes_for_existing_vector) {
// The previous vector's capacity is not enough to hold all new bytes, and
// it's bigger than 16kB, so expensive to copy. Allocate a new vector for
// the remaining bytes, growing exponentially.
size_t new_capacity = std::max(bytes.size() - bytes_for_existing_vector,
- 2 * full_wire_bytes_.back().capacity());
+ 2 * last_wire_byte_vector->capacity());
full_wire_bytes_.emplace_back();
- full_wire_bytes_.back().reserve(new_capacity);
- full_wire_bytes_.back().insert(full_wire_bytes_.back().end(),
- bytes.data() + bytes_for_existing_vector,
- bytes.end());
+ last_wire_byte_vector = &full_wire_bytes_.back();
+ last_wire_byte_vector->reserve(new_capacity);
+ last_wire_byte_vector->insert(last_wire_byte_vector->end(),
+ bytes.data() + bytes_for_existing_vector,
+ bytes.end());
+ copied_bytes[1] = base::VectorOf(*last_wire_byte_vector);
}
+ // Do not access `bytes` any more after copying.
+ DCHECK_EQ(bytes.size(), copied_bytes[0].size() + copied_bytes[1].size());
+ bytes = {};
if (deserializing()) return;
- TRACE_STREAMING("OnBytesReceived(%zu bytes)\n", bytes.size());
-
- size_t current = 0;
- while (ok() && current < bytes.size()) {
- size_t num_bytes =
- state_->ReadBytes(this, bytes.SubVector(current, bytes.size()));
- current += num_bytes;
- module_offset_ += num_bytes;
- if (state_->offset() == state_->buffer().size()) {
- state_ = state_->Next(this);
+ for (base::Vector<const uint8_t> vec : copied_bytes) {
+ size_t current = 0;
+ while (ok() && current < vec.size()) {
+ size_t num_bytes = state_->ReadBytes(this, vec.SubVectorFrom(current));
+ current += num_bytes;
+ module_offset_ += num_bytes;
+ if (state_->offset() == state_->buffer().size()) {
+ state_ = state_->Next(this);
+ }
}
}
- if (ok()) {
- processor_->OnFinishedChunk();
- }
+ if (ok()) processor_->OnFinishedChunk();
}
size_t AsyncStreamingDecoder::DecodingState::ReadBytes(
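Review bot: `copied_bytes[0]` is built from `last_wire_byte_vector->data()` and then survives the `full_wire_bytes_.emplace_back()` in the overflow branch; that is only safe because moving a `std::vector<uint8_t>` keeps its heap buffer when the outer container reallocates, and nothing in the code says so. Add a comment at the assignment, e.g. `// Stays valid across the emplace_back below: an inner std::vector's storage survives being moved.`, so a later change of the outer container to one with inline element storage does not silently dangle the view. The outer type of `full_wire_bytes_` is not visible in the hunk, so confirm it really is a std::vector of vectors. OnBytesReceived is complete within the hunk; ReadBytes starts at its last line.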