chore: cherry-pick 6 changes from Release-3-M119 #40644
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
electron/security#432 - 971d6055e7b7 from openscreen
[Cast Streaming] fix heap use-after-freeThis patch fixes a use after free, caused by using an iterator
after it has been invalidated by a call to std::map::erase().
Bug: 1491210
Change-Id: I0c546eb6474af82f052b89e819a4886a004270f0
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/4981212
Reviewed-by: Mark Foltz mfoltz@chromium.org
Commit-Queue: Jordan Bayles jophba@chromium.org
Reviewed-by: Muyao Xu muyaoxu@google.com
electron/security#430 - 3f45b1af5e41 from chromium
Check context status before creating new platform destinationRealtimeAudioDestinationHandler::SetSinkDescriptor creates new
destination platofrm without validating context status. This can
reactivate the audio rendering thread when AudioContext is already in
closed state.
(cherry picked from commit 0f9bb9a1083865d4e51059e588f27f729ab32753)
Bug: 1500856
Change-Id: If1fd531324b56fcdc38d315fd84d4cec577a14bc
Test: Locally confirmed with ASAN
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5021160
Reviewed-by: Alvin Ji alvinji@chromium.org
Commit-Queue: Alvin Ji alvinji@chromium.org
Reviewed-by: Hongchan Choi hongchan@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1223168}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5026373
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Commit-Queue: Hongchan Choi hongchan@chromium.org
Cr-Commit-Position: refs/branch-heads/6099@{#607}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
electron/security#431 - e13061c50998 from chromium
[M118] Reland: Fix IPC Channel pipe teardownThis is a reland with the new test temporarily disabled on Android
until it can run without disrupting other tests.
(cherry picked from commit cd4c1f165c16c6d8161b5372ef7f61c715e01a42)
Fixed: 1494461
Change-Id: If1d83c2dce62020f78dd50abc460973759002a1a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5015115
Commit-Queue: Ken Rockot rockot@google.com
Reviewed-by: Robert Sesek rsesek@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1221953}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5037764
Reviewed-by: Daniel Cheng dcheng@chromium.org
Auto-Submit: Ken Rockot rockot@google.com
Commit-Queue: Daniel Cheng dcheng@chromium.org
Cr-Commit-Position: refs/branch-heads/5993@{#1618}
Cr-Branched-From: 511350718e646be62331ae9d7213d10ec320d514-refs/heads/main@{#1192594}
electron/security#432 - 6169a1fabae1 from skia
Avoid combining extremely large meshes.Bug: chromium:1505053
Change-Id: I42f2ff872bbf054686ec7af0cc85ff63055fcfbf
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/782936
Commit-Queue: Michael Ludwig michaelludwig@google.com
Reviewed-by: Michael Ludwig michaelludwig@google.com
Auto-Submit: John Stiles johnstiles@google.com
electron/security#429 - 6cc0d9aa5b3fb from libavif
Remove potential out of bound access to alphaItemIndicesIt is possible to craft a file that has more alpha auxiliary items
than color items and trigger an out of bound access into
alphaItemIndices in the for loop.
Fix is to ensure that each color grid item has exactly one alpha
grid item. Also, ensure that there are exactly the same number of
color grids as informed in the grid config before trying to
find the alpha item.
Also, update a diagnostic error message to cover all cases (i.e.)
there can be more grids than necessary as well.
Bug: 1501766, 1501770
Reviewed-on: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/6d62963f74aa76dbe05ac8c84bed94dece9ddde5
[118] Manual Backport: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/b2d36b1c3bfc806694cd4ff0cb188270823fe6d8
electron/security#429 - 922fca786b61a from libavif
Do not store item pointers until all items are createdCalling avifMetaFindOrCreateItem() could invalidate all the
existing item pointers that are being stored by the caller (since
the function could resize the item array).
This patch fixes avifDecoderReset by storing the item indices
instead of item pointers until all the items are either created
or found.
Bug: 1501766, 1501770
Reviewed-on: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/2041109967c1746178c736e0a1504d9c97b51a5c
[118] Manual Backport: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/922fca786b61a83cfa0a7198bfcb61ece511394d
Notes: