[Pkg-chromium-commit] chromium-browser/chromium-browser.sid: 685 High Use after free with SVG animations. Credit to Sławomir Błażek.

Tue Dec 7 09:22:33 UTC 2010

Branch name: chromium-browser/chromium-browser.sid
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.sid
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 685
Revision Id: iuculano at debian.org-20101207092233-6jxu8y6l91o0fwm1
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Use after free with SVG animations. Credit to Sławomir Błażek.


--------------------------------------------------------
  ** Added :
        - debian/patches/62401.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

-------------- next part --------------
=== modified file 'debian/changelog'

--- a/debian/changelog	2010-12-07 09:08:52 +0000
+++ b/debian/changelog	2010-12-07 09:22:33 +0000
@@ -7,8 +7,9 @@
     - Medium Make sure the “dangerous file types” list is uptodate with the
       Windows platforms. Credit to Billy Rios of the Google Security Team.
     - High Crash due to bad indexing with malformed video. Credit to miaubiz. 
+    - High Use after free with SVG animations. Credit to Sławomir Błażek.
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Tue, 07 Dec 2010 10:08:33 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Tue, 07 Dec 2010 10:18:56 +0100
 
 chromium-browser (6.0.472.63~r59945-2) unstable; urgency=high
 

=== added file 'debian/patches/62401.patch'
--- a/debian/patches/62401.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/62401.patch	2010-12-07 09:22:33 +0000
@@ -0,0 +1,29 @@
+--- a/src/third_party/WebKit/WebCore/svg/animation/SMILTimeContainer.cpp
++++ b/src/third_party/WebKit/WebCore/svg/animation/SMILTimeContainer.cpp
+@@ -255,7 +255,7 @@ void SMILTimeContainer::updateAnimations
+     sortByPriority(toAnimate, elapsed);
+     
+     // Calculate animation contributions.
+-    typedef HashMap<ElementAttributePair, SVGSMILElement*> ResultElementMap;
++    typedef HashMap<ElementAttributePair, RefPtr<SVGSMILElement> > ResultElementMap;
+     ResultElementMap resultsElements;
+     for (unsigned n = 0; n < toAnimate.size(); ++n) {
+         SVGSMILElement* animation = toAnimate[n];
+@@ -274,7 +274,7 @@ void SMILTimeContainer::updateAnimations
+         
+         // Results are accumulated to the first animation that animates a particular element/attribute pair.
+         ElementAttributePair key(targetElement, attributeName); 
+-        SVGSMILElement* resultElement = resultsElements.get(key);
++        SVGSMILElement* resultElement = resultsElements.get(key).get();
+         if (!resultElement) {
+             resultElement = animation;
+             resultElement->resetToBaseValue(baseValueFor(key));
+@@ -297,7 +297,7 @@ void SMILTimeContainer::updateAnimations
+     Vector<SVGSMILElement*> animationsToApply;
+     ResultElementMap::iterator end = resultsElements.end();
+     for (ResultElementMap::iterator it = resultsElements.begin(); it != end; ++it)
+-        animationsToApply.append(it->second);
++        animationsToApply.append(it->second.get());
+ 
+     // Sort <animateTranform> to be the last one to be applied. <animate> may change transform attribute as
+     // well (directly or indirectly by modifying <use> x/y) and this way transforms combine properly.

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2010-12-07 09:08:52 +0000
+++ b/debian/patches/series	2010-12-07 09:22:33 +0000
@@ -35,3 +35,4 @@
 59554.patch
 59817.patch
 62127.patch
+62401.patch

