This is a workaround until we can implement a proper <input type=text>
in terms of LibWeb primitives.
This makes google.com not crash in multi-process mode (but there is no
search box.)
The OOPWV will now detect WebContent process crashes/disconnections and
simply create a new WebContent process in its place. We also generate a
little error page with a link to the crashing URL so you can reload and
try again.
This a huge step forward for OOPWV since it now has a feature that IPWV
can never replicate. :^)
If a window is being torn down during app shutdown, the global
application pointer may be nulled out already. So let's handle that
case gracefully in Window::hide().
Image boxes want to know whether they are inside the visible viewport.
This is used to pause/resume animations, and to update the purgeable
memory volatility state.
Previously we would traverse the entire layout tree on every resize,
calling a helper on each ImageBox. Make those boxes register with the
frame they are interested in instead, saving us all that traversal.
This also makes it easier for other parts of the code to learn about
viewport changes in the future. :^)
Remap the list of atexit handlers as read-only while we're not actively
writing to it. This prevents an attacker from using a memory write
primitive to gain code execution via the atexit list.
This is based on a technique used in OpenBSD. :^)
Section names are referred to by offset and length. We do not check
(and probably should not check) whether these names overlap in any way.
This opened the door to many sections (in this example: about 2700)
forcing ELF::Image::m_sections to contain endless copies of the same
huge string (in this case: 882K).
Fix this by loading only the first PAGE_SIZE bytes of each name.
Since section names are only relevant for relocations and debug
information and most section names are hard-coded (and far below 4096
bytes) anyway, this should be no restriction at all for 'normal'
executables.
Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29187
I overlooked a corner case where we might call the built-in ctz() on zero.
Furthermore, the calculation of the shift was wrong and the results were often
unusable.
Both issue were caused by a forgotten 36daeee34f.
This time I made sure to look at bmpsuite_files first, and now they look good.
Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28985
Previously regions were stored in a vector and then a pointer to
regions in this vector were taken and stored. The problem is the vector
were still appended after pointers were taken, if enough regions were
present the vector would grow so large that it needed a resize, this
cause his memory to moved and now the previous pointers are now
pointing to old memory we just freed.
Fixes#5160
The ImageDecoder service now returns a list of image frames, each with
a duration value.
The code for in-process image decoding is removed from LibWeb, an all
image decode requests are sent out-of-process to ImageDecoder. :^)
This won't scale super well to very long and/or large animations, but
we can work on improving that separately. The main goal here is simply
to stop doing any image decoding inside LibWeb.
Fixes#5165.
Painter currently tries to load fonts, which won't work if we're in a
tightly pledged process.
It was only used to fill a rect with transparent pixels, so just do
that manually instead.
To support upcoming W^X changes in the kernel, the dynamic loader needs
to be careful about the order in which permissions are added to shared
library text segments.
We now start by mapping text segments read-only (no-write, no-exec).
If relocations are needed, we make them writable, and then finally,
for all text segments, we finish by making them read+exec.
This fills in a bunch of the FIXMEs that was in prepare_script.
execute_script is almost finished, it's just missing the module side.
As an aside, let's not assert when inserting a script element with
innerHTML.
Use mmap() with the new MAP_RANDOMIZED flag to load shared libraries at
random addresses in each process.
To avoid address space collisions, we start by doing a large chunk mmap
that covers enough VM for both text and data, then we unmap and remap
the data segment separately, once we know everything will fit.
This is pretty cool! :^)
This can be used to request random VM placement instead of the highly
predictable regular mmap(nullptr, ...) VM allocation strategy.
It will soon be used to implement ASLR in the dynamic loader. :^)
If it's missing we get an empty value, but we can't use that with
to_string_without_side_effects() so we have to use undefined as the
default.
Fixes#5142.
We were calling directly up to Cell, skipping over ScopeObject.
This made us not mark the scope chain parent for lexical environments,
sometimes causing them to get GC'd and use-after-free'd.
Found by Fuzzilli.
Fixes#5140.
This parser will be used by the C++ langauge server to provide better
auto-complete (& maybe also other things in the future).
It is designed to be error tolerant, and keeps track of the position
spans of the AST nodes, which should be useful later for incremental
parsing.
Code meant for the move_to_next_word functions which set the cursor to
the last character in the file if it was reached was copied into the
move_to_previous_word functions which lead them not moving when
the function was called from the end of the file.
...and functions implemented in terms of it: blit_brightened(),
blit_dimmed(), blit_disabled().
In theory, this should stop the window server from asserting when
an application becomes unresponsive, but that feature seems to be
broken for unrelated reasons atm (#5111).
If you tried to move a cursor down when the last row is selected, the
index becomes invalid without updating the selection. On the next
cursor movement the invalid index is then reset to {0, 0}, selecting
the first row instead.
This is in the else block of a `(source.has_alpha_channel() || opacity != 1.0f)`
conditional, so it's guaranteed that !source.has_alpha_channel() in
here, which means source.format() can't be RGBA32.
No behavior change.
