summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'www-client/chromium/files/chromium-114-sigsegv-dom.patch')
-rw-r--r--www-client/chromium/files/chromium-114-sigsegv-dom.patch73
1 files changed, 73 insertions, 0 deletions
diff --git a/www-client/chromium/files/chromium-114-sigsegv-dom.patch b/www-client/chromium/files/chromium-114-sigsegv-dom.patch
new file mode 100644
index 000000000000..fe4c2809693c
--- /dev/null
+++ b/www-client/chromium/files/chromium-114-sigsegv-dom.patch
@@ -0,0 +1,73 @@
+https://chromium.googlesource.com/chromium/src.git/+/2af2d08972d14d5bdd91e0515eb5b15b4444aee9
+blink::HTMLMediaElement::ShouldReusePlayer: avoid dereferencing a potentally NULL domWindow
+
+The domWindow() method of the Document class can potentially return nullptr
+as noted in renderer/core/dom/document.h
+
+> // A document may or may not have a browsing context
+> // (https://html.spec.whatwg.org/#browsing-context). A document with a browsing
+> // context is created by navigation, and has a non-null domWindow(), GetFrame(),
+> // Loader(), etc., and is visible to the user. It will have a valid
+> // GetExecutionContext(), which will be equal to domWindow(). If the Document
+> // constructor receives a DocumentInit created WithDocumentLoader(), it will
+> // have a browsing context.
+> // Documents created by all other APIs do not have a browsing context. These
+> // Documents still have a valid GetExecutionContext() (i.e., the domWindow() of
+> // the Document in which they were created), so they can still access
+> // script, but return null for domWindow(), GetFrame() and Loader(). Generally,
+> // they should not downcast the ExecutionContext to a LocalDOMWindow and access
+> // the properties of the window directly.
+
+Upon checking further, the offending document returns null for GetFrame() and
+Loader() aswell so this was likely just an oversight and no invariants are being
+violated
+
+Introduced in https://chromium-review.googlesource.com/c/chromium/src/+/4202152
+
+More details https://bugs.chromium.org/p/chromium/issues/detail?id=1447388
+
+Fixed: 1447388
+Change-Id: I85a6ef52baaac0ec7f5ec188d5d5bb2c518a8ecd
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4546610
+Reviewed-by: Fredrik Söderquist <fs@opera.com>
+Commit-Queue: Fredrik Söderquist <fs@opera.com>
+Cr-Commit-Position: refs/heads/main@{#1147184}
+
+--- a/AUTHORS
++++ b/AUTHORS
+
+@@ -1012,6 +1012,7 @@
+ Prashant Hiremath <prashhir@cisco.com>
+ Prashant Nevase <prashant.n@samsung.com>
+ Prashant Patil <prashant.patil@imgtec.com>
++Pratham <prathamIN@proton.me>
+ Praveen Akkiraju <praveen.anp@samsung.com>
+ Preeti Nayak <preeti.nayak@samsung.com>
+ Pritam Nikam <pritam.nikam@samsung.com>
+
+--- a/third_party/blink/renderer/core/html/media/html_media_element.cc
++++ b/third_party/blink/renderer/core/html/media/html_media_element.cc
+
+@@ -648,6 +648,11 @@
+
+ bool HTMLMediaElement::ShouldReusePlayer(Document& old_document,
+ Document& new_document) const {
++ // A NULL frame implies a NULL domWindow, so just check one of them
++ if (!old_document.GetFrame() || !new_document.GetFrame()) {
++ return false;
++ }
++
+ // Don't reuse player if the Document Picture-in-Picture API is disabled for
+ // both documents.
+ if (!RuntimeEnabledFeatures::DocumentPictureInPictureAPIEnabled(
+@@ -657,10 +662,6 @@
+ return false;
+ }
+
+- if (!old_document.GetFrame() || !new_document.GetFrame()) {
+- return false;
+- }
+-
+ auto* new_origin = new_document.GetFrame()
+ ->LocalFrameRoot()
+ .GetSecurityContext()