M1739352 M1732572(partial) M1730120 M1738237 M1737009 M1717318(partial) M1586061

2025-01-29 12:30:48 +00:00 · 2022-01-02 16:52:20 -08:00 · 2022-01-02 16:52:20 -08:00 · 03ffdeadba
commit 03ffdeadba
parent f98a834454
8 changed files with 38 additions and 7 deletions
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -9219,7 +9219,11 @@ nsDocShell::SetupNewViewer(nsIContentViewer* aNewViewer)
  mContentViewer->SetNavigationTiming(mTiming);

  if (NS_FAILED(mContentViewer->Init(widget, bounds))) {
+    nsCOMPtr<nsIContentViewer> viewer = mContentViewer;
+    viewer->Close(nullptr);
+    viewer->Destroy();
    mContentViewer = nullptr;
+    mCurrentURI = nullptr;
    NS_WARNING("ContentViewer Initialization failed");
    return NS_ERROR_FAILURE;
  }
--- a/dom/base/nsStructuredCloneContainer.cpp
+++ b/dom/base/nsStructuredCloneContainer.cpp
@ -133,6 +133,10 @@ nsStructuredCloneContainer::GetDataAsBase64(nsAString &aOut)
  if (!DataLength()) {
    return NS_ERROR_FAILURE;
  }
+  CheckedInt<nsAutoCString::size_type> sizeCheck(DataLength());
+  if (MOZ_UNLIKELY(!sizeCheck.isValid())) {
+    return NS_ERROR_FAILURE;
+  }

  if (HasClonedDOMObjects()) {
    return NS_ERROR_FAILURE;
--- a/dom/base/nsTextFragment.cpp
+++ b/dom/base/nsTextFragment.cpp
@ -209,6 +209,11 @@ FirstNon8Bit(const char16_t *str, const char16_t *end)
 bool
 nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
 {
+  if (MOZ_UNLIKELY(aLength < 0 || static_cast<uint32_t>(aLength) >
+                                      NS_MAX_TEXT_FRAGMENT_LENGTH)) {
+    return false;
+  }
+
  ReleaseText();

  if (aLength == 0) {
@ -337,9 +342,16 @@ nsTextFragment::CopyTo(char16_t *aDest, int32_t aOffset, int32_t aCount)
 bool
 nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
 {
+  if (!aLength) {
+    return true;
+  }
+
  // This is a common case because some callsites create a textnode
  // with a value by creating the node and then calling AppendData.
  if (mState.mLength == 0) {
+    if (MOZ_UNLIKELY(aLength > INT32_MAX)) {
+      return false;
+    }
    return SetTo(aBuffer, aLength, aUpdateBidi);
  }

--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@ -1540,8 +1540,6 @@ DetachContainerRecurse(nsIDocShell *aShell)
 NS_IMETHODIMP
 nsDocumentViewer::Destroy()
 {
-  NS_ASSERTION(mDocument, "No document in Destroy()!");
-
 #ifdef NS_PRINTING
  // Here is where we check to see if the document was still being prepared 
  // for printing when it was asked to be destroy from someone externally
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
@ -423,8 +423,9 @@ PeerConnectionImpl::~PeerConnectionImpl()
    destroy_timecard(mTimeCard);
    mTimeCard = nullptr;
  }
-  // This aborts if not on main thread (in Debug builds)
-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
+
+  MOZ_ASSERT(NS_IsMainThread());
+
  if (PeerConnectionCtx::isActive()) {
    PeerConnectionCtx::GetInstance()->mPeerConnections.erase(mHandle);
  } else {
@ -2605,7 +2606,7 @@ PeerConnectionImpl::CloseInt()
 void
 PeerConnectionImpl::ShutdownMedia()
 {
-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
+  MOZ_ASSERT(NS_IsMainThread());

  if (!mMedia)
    return;
--- a/toolkit/xre/nsNativeAppSupportCocoa.mm
+++ b/toolkit/xre/nsNativeAppSupportCocoa.mm
@ -142,7 +142,7 @@ nsNativeAppSupportCocoa::ReOpen()

      nsCOMPtr<nsIWidget> widget = nullptr;
      baseWindow->GetMainWidget(getter_AddRefs(widget));
-      if (!widget) {
+      if (!widget || !widget->IsVisible()) {
        windowList->HasMoreElements(&more);
        continue;
      }
--- a/widget/cocoa/nsCursorManager.mm
+++ b/widget/cocoa/nsCursorManager.mm
@ -246,6 +246,11 @@ static const nsCursor sCustomCursor = eCursorCount;
  //if (sCursorImgContainer == aCursorImage && sCursorScaleFactor == scaleFactor && mCurrentMacCursor) {
  if (sCursorImgContainer == aCursorImage && mCurrentMacCursor) {
    // [self setMacCursor:mCurrentMacCursor]; // bug 1736049
+
+    // Native dragging can unset our cursor apparently (see bug 1739352).
+    if (MOZ_UNLIKELY(![mCurrentMacCursor isSet])) {
+      [mCurrentMacCursor set];
+    }
    return NS_OK;
  }
  
@ -254,7 +259,7 @@ static const nsCursor sCustomCursor = eCursorCount;
  aCursorImage->GetWidth(&width);
  aCursorImage->GetHeight(&height);
  // prevent DoS attacks
-  if (width > 128 || height > 128) {
+  if (MOZ_UNLIKELY(width > 128 || height > 128)) {
    return NS_OK;
  }

--- a/xpfe/appshell/nsAppShellService.cpp
+++ b/xpfe/appshell/nsAppShellService.cpp
@ -110,6 +110,13 @@ nsAppShellService::EnsurePrivateHiddenWindow()
 nsresult
 nsAppShellService::CreateHiddenWindowHelper(bool aIsPrivate)
 {
+  if (!aIsPrivate && mHiddenWindow) {
+    return NS_OK;
+  }
+  if (aIsPrivate && mHiddenPrivateWindow) {
+    return NS_OK;
+  }
+
  nsresult rv;
  int32_t initialHeight = 100, initialWidth = 100;