[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 710 High Stale pointer with anonymous block handling. Credit to Martin

Fri Feb 11 14:54:03 UTC 2011

Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 710
Revision Id: iuculano at debian.org-20110211145403-g21gytxqf7crbvet
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Stale pointer with anonymous block handling. Credit to Martin
Barbella.


--------------------------------------------------------
  ** Added :
        - debian/patches/69556.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

-------------- next part --------------
=== modified file 'debian/changelog'

--- a/debian/changelog	2011-02-11 14:36:05 +0000
+++ b/debian/changelog	2011-02-11 14:54:03 +0000
@@ -2,8 +2,10 @@
 
   * Backported security patches from stable:
     - High Stale pointer in animation event handling. Credit to Rik Cabanier.
+    - High Stale pointer with anonymous block handling. Credit to Martin
+      Barbella.
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 11 Feb 2011 15:34:37 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 11 Feb 2011 15:53:13 +0100
 
 chromium-browser (6.0.472.63~r59945-5+squeeze1) stable-security; urgency=high
 

=== added file 'debian/patches/69556.patch'
--- a/debian/patches/69556.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/69556.patch	2011-02-11 14:54:03 +0000
@@ -0,0 +1,62 @@
+--- a/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
++++ b/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
+@@ -125,6 +125,7 @@ RenderBlock::RenderBlock(Node* node)
+       , m_continuation(0)
+       , m_maxMargin(0)
+       , m_lineHeight(-1)
++      , m_beingDestroyed(false)
+ {
+     setChildrenInline(true);
+ }
+@@ -160,6 +161,9 @@ RenderBlock::~RenderBlock()
+ 
+ void RenderBlock::destroy()
+ {
++    // Mark as being destroyed to avoid trouble with merges in removeChild().
++    m_beingDestroyed = true;
++
+     // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
+     // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise.
+     children()->destroyLeftoverChildren();
+@@ -933,8 +937,8 @@ static bool canMergeContiguousAnonymousB
+     if (oldChild->documentBeingDestroyed() || oldChild->isInline() || oldChild->virtualContinuation())
+         return false;
+ 
+-    if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation()))
+-        || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation())))
++    if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation() || toRenderBlock(prev)->beingDestroyed()))
++        || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation() || toRenderBlock(next)->beingDestroyed())))
+         return false;
+ 
+     // FIXME: This check isn't required when inline run-ins can't be split into continuations.
+@@ -1004,10 +1008,6 @@ void RenderBlock::removeChild(RenderObje
+             // Delete the now-empty block's lines and nuke it.
+             nextBlock->deleteLineBoxTree();
+             nextBlock->destroy();
+-
+-            // FIXME: Revert the continuation change done above.
+-            if (oldChildBlock)
+-                oldChildBlock->setContinuation(0);
+         }
+     }
+ 
+--- a/src/third_party/WebKit/WebCore/rendering/RenderBlock.h
++++ b/src/third_party/WebKit/WebCore/rendering/RenderBlock.h
+@@ -53,6 +53,7 @@ public:
+     RenderObjectChildList* children() { return &m_children; }
+ 
+     virtual void destroy();
++    bool beingDestroyed() const { return m_beingDestroyed; }
+ 
+     // These two functions are overridden for inline-block.
+     virtual int lineHeight(bool firstLine, bool isRootLineBox = false) const;
+@@ -574,7 +575,8 @@ private:
+     RenderObjectChildList m_children;
+     RenderLineBoxList m_lineBoxes;   // All of the root line boxes created for this block flow.  For example, <div>Hello<br>world.</div> will have two total lines for the <div>.
+ 
+-    mutable int m_lineHeight;
++    mutable int m_lineHeight : 31;
++    bool m_beingDestroyed : 1;
+ 
+     // RenderRubyBase objects need to be able to split and merge, moving their children around
+     // (calling moveChildTo, moveAllChildrenTo, and makeChildrenNonInline).

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2011-02-11 14:36:05 +0000
+++ b/debian/patches/series	2011-02-11 14:54:03 +0000
@@ -53,3 +53,4 @@
 59081.patch
 68244.patch
 67234.patch
+69556.patch

