In order to avoid DLL preloading attacks, we should be careful about where we
load DLLs from. These packages load graphics DLLs, which may be provided by the
OS, by a graphics vendor, or even by individual applications. As such, we can't
restrict loading them to just system32-provided paths. Instead, we invoke
LoadLibraryEx [0] with the LOAD_LIBRARY_SEARCH_DEFAULT_DIRS path, which will search
system32, application-defined paths, and the path of the primary application
executable. This mode ignores the system %PATH% variable, which dramatically
reduces the attack surface of malicious or unintended DLLs.
Applications may add custom paths to the search list by calling the standard
Windows AddDllDirectory function [1] prior to attempting to initialize GL.
Thanks to Mohsen Mirzakhani and Utkarsh Satya Prakash for bringing this to
our attention.
[0] https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexa
[1] https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-adddlldirectory
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
It's currently failing, and upgrading it may fix it.
While here, track latest FreeBSD to avoid upgrade toil.
Signed-off-by: Elias Naur <mail@eliasnaur.com>
In order to avoid DLL preloading attacks, we should always load our system
dependencies using the helper that only searches the system library path.
Thanks to Mohsen Mirzakhani and Utkarsh Satya Prakash for bringing this to
our attention.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
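
The two DLL-loading commits above (LOAD_LIBRARY_SEARCH_DEFAULT_DIRS for graphics DLLs, the system-path-only helper for system dependencies) can be compared with a small portable model of the search lists. This is an added example, not code from Gio; every path and DLL name except opengl32.dll is constructed, and the ordering inside each list is simplified.

```go
package main

import (
	"fmt"
	"strings"
)

type Mode int // which directory list the model loader walks

const (
	Legacy       Mode = iota // plain LoadLibrary, standard search order
	DefaultDirs              // LOAD_LIBRARY_SEARCH_DEFAULT_DIRS
	System32Only             // helper that searches only the system directory
)

// Env is a constructed process environment; every path and DLL name is made up.
type Env struct {
	AppDir, System32, WinDir, Cwd string
	UserDirs, Path                []string        // AddDllDirectory entries, %PATH% entries
	Files                         map[string]bool // lower-cased paths present on "disk"
}

// searchDirs lists the directories consulted for a bare DLL name (order simplified).
func (e Env) searchDirs(m Mode) []string {
	switch m {
	case System32Only:
		return []string{e.System32}
	case DefaultDirs:
		return append(append([]string{e.AppDir}, e.UserDirs...), e.System32)
	}
	return append([]string{e.AppDir, e.System32, e.WinDir, e.Cwd}, e.Path...)
}

// Resolve returns the first existing candidate, or "" when nothing matches.
func (e Env) Resolve(name string, m Mode) string {
	for _, d := range e.searchDirs(m) {
		if p := strings.ToLower(d + `\` + name); e.Files[p] {
			return p
		}
	}
	return ""
}

func sampleEnv() Env {
	return Env{AppDir: `C:\App`, System32: `C:\Windows\System32`, WinDir: `C:\Windows`,
		Cwd: `C:\Work`, UserDirs: []string{`C:\App\gl`}, Path: []string{`C:\Tools\bin`},
		Files: map[string]bool{`c:\tools\bin\vendorgl.dll`: true, // stray copy on %PATH%
			`c:\app\gl\appgl.dll`: true, `c:\windows\system32\opengl32.dll`: true}}
}
func main() { e := sampleEnv(); fmt.Println(e.Resolve("vendorgl.dll", Legacy), e.Resolve("vendorgl.dll", DefaultDirs)) }
```

In the model, the copy that exists only on %PATH% resolves under the legacy order and is not found under either restricted mode, while a DLL in a directory registered through AddDllDirectory still resolves under the default-dirs mode.
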
This commit makes the editor widget suppress the trimming of trailing whitespace
so that the spaces can be selected intuitively.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
This commit adds a shaping parameter that disables the trimming of trailing
whitespace from lines. Text editors and similar use-cases want trailing whitespace
glyphs to be selectable, which means they must occupy space.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
The typesetting package has smarter line wrapping now, which is making our
test text require fewer lines to display. We needed to update the expected
data accordingly.
I've also added a feature that takes a screenshot of the rendered output of
one of our most complex cursoring tests. This will make it much easier to
verify its behavior in the future. This feature currently only triggers if
the test case fails.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
We've migrated the processing of bidi run ordering into the upstream typesetting
package, so now we can just consume the already-ordered runs instead of computing
their ordering ourselves.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
This change generates keypress and release events for modifier keys in macOS.
Specifically the Control, Alt, Shift and Command keys.
Signed-off-by: Jeff Williams <kanobe@gmail.com>
The compute renderer is a failed experiment: a better port of the
Vello vector renderer exists[0] and the upcoming Go 1.24 release
no longer builds the gioui.org/cpu module because of #60725.
Remove it.
[0] https://github.com/dominikh/jello
Signed-off-by: Elias Naur <mail@eliasnaur.com>
Setting the callback handler to nil in DestroyEvent should have no effect,
but may help debugging #603.
Also don't call the default window handler for WM_DESTROY since we're
already handling it.
References: https://todo.sr.ht/~eliasnaur/gio/603
Signed-off-by: Elias Naur <mail@eliasnaur.com>
Widgets such as Editor use certain key events such as the backspace key
to implement text editing. On macOS, such key events are sometimes used
by an input method, and in those cases the key effect would be applied
twice: first by the IME and then the Editor.
Report such key events through the doCommandBySelector callback, which
receives key events not handled by the IME.
References: https://todo.sr.ht/~eliasnaur/gio/616
Signed-off-by: Elias Naur <mail@eliasnaur.com>
Previously, setHighRefreshRate required APIs restricted
to Android 30 or higher.
Tested on Android 6.0.1 (released in 2015).
Signed-off-by: inkeliz <inkeliz@inkeliz.com>
This commit updates our typesetting dependency to avoid a crash when shaping GNU
unifont. Thanks to Jeff Williams for raising the issue on the mailing list.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
Note that you should use different Themes, with different Shapers, for
different top-level windows, and explain why.
Signed-off-by: Larry Clapp <larry@theclapp.org>
When a GPU error occurs, forcing the reporting of a DestroyEvent is not
appropriate, because the backend that controls the underlying window
is not aware of the error and will continue to report events.
Replace the crude DestroyEvent by stashing the error and asking the
window nicely to close. Then, report the stashed error in the
otherwise regular DestroyEvent.
Hopefully, this second attempt fixes #603.
Fixes: https://todo.sr.ht/~eliasnaur/gio/603
Signed-off-by: Elias Naur <mail@eliasnaur.com>
Change f7aa4b5c8 changed the fullscreen implementation to no longer require
the position and size of the fullscreen window.
Signed-off-by: Elias Naur <mail@eliasnaur.com>
As suggested by ~egonelbre, Decorations should not be the source of truth
for the windows state, because external gestures may also change state.
This breaking change removes Decorations.Perform and exposes Maximized
as a bool which is the user's responsibility to set.
Fixes: https://todo.sr.ht/~eliasnaur/gio/600
Signed-off-by: Elias Naur <mail@eliasnaur.com>
Before this change, the window state was explicitly updated whenever
Window.Option was called. However, the system may also change window
state as a result of user gestures, but those changes did not result in
ConfigEvents reflecting them.
Remove the explicit state updates and track them when the system tells
us it has changed.
This is a step towards fixing #600 which requires accurate window state
tracking.
References: https://todo.sr.ht/~eliasnaur/gio/600
Signed-off-by: Elias Naur <mail@eliasnaur.com>
There may be a window of time from when WM_DESTROY is received to when the WM_QUIT
message is delivered by PostQuitMessage. If so, we must not call w.draw.
Fixes: https://todo.sr.ht/~eliasnaur/gio/603
Signed-off-by: Elias Naur <mail@eliasnaur.com>
This commit zeroes the accumulated scroll distance on the window before invoking the
event delivery code, since the event delivery code is able to call back into the scroll
processing. Prior to this change, the callback could re-process the scroll delta
while magnifying it by a factor of 10.
Fixes: https://todo.sr.ht/~eliasnaur/gio/599
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
This commit ensures that it is safe to invoke Invalidate() from another goroutine
while a Gio window may be in the process of closing. It can be difficult to prevent
this from happening, as window handles can easily be managed by a type that doesn't
know the exact moment of window close (it might be waiting on the window event loop
to return, but that hasn't happened yet). Without this change, the nil window
driver results in a panic in this situation.
Co-authored-by: Chris Waldon <christopher.waldon.dev@gmail.com>
Signed-off-by: Elias Naur <mail@eliasnaur.com>
Custom rendering applications need to be prepared to handle empty view events,
as an empty view event is sent during window shutdown. However, the current
implementation requires applications to write a platform-specific helper
function for each supported platform in order to check whether a received
view event is empty. This commit provides a safe, convenient, cross-platform
method that applications can use to detect this special view event and respond
to it.
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
Even when a command defers event delivery to the next frame, the already
observed events must still be delivered in the current frame. This
matters for pointer events that hit more than one event handler.
Fixes: https://todo.sr.ht/~eliasnaur/gio/594
Signed-off-by: Elias Naur <mail@eliasnaur.com>
This commit ensures that attempting to perform a system window action prior
to the first call to Event() does not panic. It adopts a similar strategy to
handling Option() prior to the first call to Event(): make a slice of the arguments
and apply them during window initialization.
Fixes: https://todo.sr.ht/~eliasnaur/gio/593
Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>