From 03ffdeadbae08dab6997ffc5903e86d6916c9e49 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Sun, 2 Jan 2022 16:52:20 -0800
Subject: [PATCH] M1739352 M1732572(partial) M1730120 M1738237 M1737009 M1717318(partial) M1586061

---
 docshell/base/nsDocShell.cpp | 4 ++++
 dom/base/nsStructuredCloneContainer.cpp | 4 ++++
 dom/base/nsTextFragment.cpp | 12 ++++++++++++
 layout/base/nsDocumentViewer.cpp | 2 --
 .../src/peerconnection/PeerConnectionImpl.cpp | 7 ++++---
 toolkit/xre/nsNativeAppSupportCocoa.mm | 2 +-
 widget/cocoa/nsCursorManager.mm | 7 ++++++-
 xpfe/appshell/nsAppShellService.cpp | 7 +++++++
 8 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index de02b1110..4557962e9 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -9219,7 +9219,11 @@ nsDocShell::SetupNewViewer(nsIContentViewer* aNewViewer)
   mContentViewer->SetNavigationTiming(mTiming);
   if (NS_FAILED(mContentViewer->Init(widget, bounds))) {
+    nsCOMPtr viewer = mContentViewer;
+    viewer->Close(nullptr);
+    viewer->Destroy();
     mContentViewer = nullptr;
+    mCurrentURI = nullptr;
     NS_WARNING("ContentViewer Initialization failed");
     return NS_ERROR_FAILURE;
   }
diff --git a/dom/base/nsStructuredCloneContainer.cpp b/dom/base/nsStructuredCloneContainer.cpp
index 430bfe3b3..5521fb91a 100644
--- a/dom/base/nsStructuredCloneContainer.cpp
+++ b/dom/base/nsStructuredCloneContainer.cpp
@@ -133,6 +133,10 @@ nsStructuredCloneContainer::GetDataAsBase64(nsAString &aOut)
   if (!DataLength()) {
     return NS_ERROR_FAILURE;
   }
+  CheckedInt sizeCheck(DataLength());
+  if (MOZ_UNLIKELY(!sizeCheck.isValid())) {
+    return NS_ERROR_FAILURE;
+  }
   if (HasClonedDOMObjects()) {
     return NS_ERROR_FAILURE;
diff --git a/dom/base/nsTextFragment.cpp b/dom/base/nsTextFragment.cpp
index 0b8e2f045..c51a74adf 100644
--- a/dom/base/nsTextFragment.cpp
+++ b/dom/base/nsTextFragment.cpp
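Review bot: The three new lines before `mContentViewer = nullptr;` carry no comment saying why a failed Init() now needs a full Close()/Destroy() and why the viewer is first copied into a local `viewer`, so the next reader may simplify it back to a plain reset. Presumably the local copy exists because Destroy() can clear `mContentViewer` re-entrantly, and tearing the viewer down is what makes it release its document and any reference back to this docshell — confirm against nsIContentViewer. I would add `// Init failed: tear the half-initialised viewer down so it releases its document` `// (and any reference back to us) rather than leaving it dangling; hold a local` `// reference because Destroy() may clear mContentViewer.` The result of `viewer->Close(nullptr)` is discarded, which is only fine if Close() failures are harmless on this path — the hunk does not show that. SetupNewViewer continues outside the hunk.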
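Review bot: `sizeCheck` is constructed and validated but never used afterwards within the hunk, so the width DataLength() is being checked against is implicit (the template argument on `CheckedInt` is also not visible on this page). If the encode call further down takes a narrower length type, passing `sizeCheck.value()` there keeps the check and the use from drifting apart; either way a comment such as `// Reject lengths that do not fit the encoder's length type before base64-encoding.` should state what is guarded. If the downstream call takes DataLength() as-is, this early return is the only thing keeping an overflowing length away from it, which is worth saying explicitly. GetDataAsBase64 continues outside the hunk.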
@@ -209,6 +209,11 @@ FirstNon8Bit(const char16_t *str, const char16_t *end)
 bool
 nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
 {
+  if (MOZ_UNLIKELY(aLength < 0 || static_cast(aLength) > NS_MAX_TEXT_FRAGMENT_LENGTH)) {
+    return false;
+  }
+
   ReleaseText();
   if (aLength == 0) {
@@ -337,9 +342,16 @@ nsTextFragment::CopyTo(char16_t *aDest, int32_t aOffset, int32_t aCount)
 bool
 nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
 {
+  if (!aLength) {
+    return true;
+  }
+
   // This is a common case because some callsites create a textnode
   // with a value by creating the node and then calling AppendData.
   if (mState.mLength == 0) {
+    if (MOZ_UNLIKELY(aLength > INT32_MAX)) {
+      return false;
+    }
     return SetTo(aBuffer, aLength, aUpdateBidi);
   }
diff --git a/layout/base/nsDocumentViewer.cpp b/layout/base/nsDocumentViewer.cpp
index 897304c70..9945a1066 100644
--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@@ -1540,8 +1540,6 @@ DetachContainerRecurse(nsIDocShell *aShell)
 NS_IMETHODIMP
 nsDocumentViewer::Destroy()
 {
-  NS_ASSERTION(mDocument, "No document in Destroy()!");
-
 #ifdef NS_PRINTING
   // Here is where we check to see if the document was still being prepared
   // for printing when it was asked to be destroy from someone externally
diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
index 14b7d61aa..ffb6d5386 100644
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
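Review bot: The new `aLength > INT32_MAX` guard in Append only covers the `mState.mLength == 0` path that delegates to SetTo; the append-to-existing path below the hunk computes the combined length and is not visibly bounded here. If that path does not already check `mState.mLength + aLength` against NS_MAX_TEXT_FRAGMENT_LENGTH with a CheckedInt, the same oversized input that SetTo now rejects can still reach the allocation via a second Append — confirm in the rest of Append. The INT32_MAX check overlaps with SetTo's own `aLength < 0` rejection after conversion, but keeping it avoids relying on implementation-defined unsigned-to-signed narrowing, so a comment would help: `// Avoid implementation-defined narrowing; SetTo takes an int32_t length.` The bodies of SetTo and Append both continue outside their hunks.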
@@ -423,8 +423,9 @@ PeerConnectionImpl::~PeerConnectionImpl()
     destroy_timecard(mTimeCard);
     mTimeCard = nullptr;
   }
-  // This aborts if not on main thread (in Debug builds)
-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
+
+  MOZ_ASSERT(NS_IsMainThread());
+
   if (PeerConnectionCtx::isActive()) {
     PeerConnectionCtx::GetInstance()->mPeerConnections.erase(mHandle);
   } else {
@@ -2605,7 +2606,7 @@ PeerConnectionImpl::CloseInt()
 void
 PeerConnectionImpl::ShutdownMedia()
 {
-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
+  MOZ_ASSERT(NS_IsMainThread());
   if (!mMedia) return;
diff --git a/toolkit/xre/nsNativeAppSupportCocoa.mm b/toolkit/xre/nsNativeAppSupportCocoa.mm
index f165608e6..9b5c0e9e2 100644
--- a/toolkit/xre/nsNativeAppSupportCocoa.mm
+++ b/toolkit/xre/nsNativeAppSupportCocoa.mm
@@ -142,7 +142,7 @@ nsNativeAppSupportCocoa::ReOpen()
       nsCOMPtr widget = nullptr;
       baseWindow->GetMainWidget(getter_AddRefs(widget));
-      if (!widget) {
+      if (!widget || !widget->IsVisible()) {
         windowList->HasMoreElements(&more);
         continue;
       }
diff --git a/widget/cocoa/nsCursorManager.mm b/widget/cocoa/nsCursorManager.mm
index 3e1ede3eb..8bcde7588 100644
--- a/widget/cocoa/nsCursorManager.mm
+++ b/widget/cocoa/nsCursorManager.mm
@@ -246,6 +246,11 @@ static const nsCursor sCustomCursor = eCursorCount;
   //if (sCursorImgContainer == aCursorImage && sCursorScaleFactor == scaleFactor && mCurrentMacCursor) {
   if (sCursorImgContainer == aCursorImage && mCurrentMacCursor) {
     // [self setMacCursor:mCurrentMacCursor]; // bug 1736049
+
+    // Native dragging can unset our cursor apparently (see bug 1739352).
+    if (MOZ_UNLIKELY(![mCurrentMacCursor isSet])) {
+      [mCurrentMacCursor set];
+    }
     return NS_OK;
   }
@@ -254,7 +259,7 @@ static const nsCursor sCustomCursor = eCursorCount;
   aCursorImage->GetWidth(&width);
   aCursorImage->GetHeight(&height);
   // prevent DoS attacks
-  if (width > 128 || height > 128) {
+  if (MOZ_UNLIKELY(width > 128 || height > 128)) {
     return NS_OK;
   }
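Review bot: Both PeerConnectionImpl hunks swap `PC_AUTO_ENTER_API_CALL_NO_CHECK()` for `MOZ_ASSERT(NS_IsMainThread())`, but the macro's definition is not part of this change, so whether it did anything beyond the thread assertion (the removed comment only says it aborts off-main-thread in debug builds) cannot be confirmed from the hunk. If the macro remains in use elsewhere in the file, a one-line comment such as `// Destruction and media shutdown must happen on the main thread.` at each new assert would stop readers treating the two forms as interchangeable. MOZ_ASSERT is compiled out in release builds, so neither form protects against off-main-thread teardown in shipping code, which is unchanged from before. ~PeerConnectionImpl and ShutdownMedia both continue outside their hunks.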
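Review bot: The extended condition `!widget || !widget->IsVisible()` in ReOpen has no comment saying why invisible windows are now skipped, and the loop it sits in starts and ends outside the hunk. Presumably this keeps the hidden window, or an app window that is not currently shown, from being chosen as the window to act on when the application is reopened; a short note such as `// Skip windows that are not visible (e.g. the hidden window) so ReOpen does not act on them.` would record that intent for the next reader.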
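Review bot: In the second nsCursorManager hunk, the bound check now wrapped in MOZ_UNLIKELY still relies on `width`/`height` from `GetWidth`/`GetHeight`, whose nsresult is ignored on the two lines above; if either call fails and the locals were not initialised before the hunk, the comparison runs on indeterminate values and an oversized image could slip past the `// prevent DoS attacks` guard. Checking the results, e.g. `if (NS_FAILED(aCursorImage->GetWidth(&width)) || NS_FAILED(aCursorImage->GetHeight(&height))) { return NS_OK; }`, closes that gap, and the literal 128 deserves a named constant such as `static const int32_t kMaxCursorDimension = 128;` so the limit is documented in one place. The first hunk's re-`set` of `mCurrentMacCursor` is guarded by the enclosing non-nil test and looks fine. Both hunks sit inside a method whose start and end are outside the hunk.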
diff --git a/xpfe/appshell/nsAppShellService.cpp b/xpfe/appshell/nsAppShellService.cpp
index 5632ae8b2..04fd13229 100644
--- a/xpfe/appshell/nsAppShellService.cpp
+++ b/xpfe/appshell/nsAppShellService.cpp
@@ -110,6 +110,13 @@ nsAppShellService::EnsurePrivateHiddenWindow()
 nsresult
 nsAppShellService::CreateHiddenWindowHelper(bool aIsPrivate)
 {
+  if (!aIsPrivate && mHiddenWindow) {
+    return NS_OK;
+  }
+  if (aIsPrivate && mHiddenPrivateWindow) {
+    return NS_OK;
+  }
+
   nsresult rv;
   int32_t initialHeight = 100, initialWidth = 100;
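Review bot: The two new early returns in CreateHiddenWindowHelper do not say why the helper may now be entered when the requested hidden window already exists, and the pair of ifs can be folded into one: `if (aIsPrivate ? mHiddenPrivateWindow : mHiddenWindow) { return NS_OK; }`. A comment such as `// Already created (callers such as EnsurePrivateHiddenWindow may run more than once); nothing to do.` would record the intent, since the call sites that make this re-entrant are not in the hunk. The function body continues outside the hunk.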