[Pkg-chromium-commit] chromium-browser/chromium-browser.sid: 700 High Stale rendering node after DOM node removal. Credit to Martin

Giuseppe Iuculano iuculano at debian.org
Fri Jan 14 16:05:22 UTC 2011


Branch name: chromium-browser/chromium-browser.sid
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.sid
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 700
Revision Id: iuculano at debian.org-20110114160522-yw07o1xxsuqsmhoc
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Stale rendering node after DOM node removal. Credit to Martin
Barbella; plus independent discovery by Google Chrome Security Team
(SkyLined). 


--------------------------------------------------------
  ** Added :
        - debian/patches/68439.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog	2011-01-14 15:52:09 +0000
+++ b/debian/changelog	2011-01-14 16:05:22 +0000
@@ -9,8 +9,11 @@
     - High Vorbis decoder buffer overflows. Credit to David Warren of CERT. 
     - High Bad cast in anchor handling. Credit to Sergey Glazunov. 
     - High Bad cast in video handling. Credit to Sergey Glazunov. 
+    - High Stale rendering node after DOM node removal. Credit to Martin
+      Barbella; plus independent discovery by Google Chrome Security Team
+      (SkyLined). 
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 14 Jan 2011 16:51:24 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 14 Jan 2011 17:04:21 +0100
 
 chromium-browser (6.0.472.63~r59945-4) unstable; urgency=high
 

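Review bot: the new changelog entry does not name the upstream bug this fix tracks, even though the added patch file is called 68439.patch; a reader of the changelog has no way to connect the "Stale rendering node after DOM node removal" line to that patch without opening debian/patches/series. Suggest appending the issue reference to the entry, e.g. "(Chromium issue 68439)", so the advisory text, the patch name and the changelog agree. The three added lines also carry trailing whitespace after "Martin" and "(SkyLined)." that lintian-style checks will flag.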
=== added file 'debian/patches/68439.patch'
--- a/debian/patches/68439.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/68439.patch	2011-01-14 16:05:22 +0000
@@ -0,0 +1,28 @@
+--- a/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
++++ b/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
+@@ -990,10 +990,24 @@ void RenderBlock::removeChild(RenderObje
+             // Take all the children out of the |next| block and put them in
+             // the |prev| block.
+             nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());
+-       
++            // FIXME: When we destroy nextBlock, it might happen that nextBlock's next sibling block and
++            // oldChild can get merged. Since oldChild is getting removed, we do not want to move
++            // nextBlock's next sibling block's children into it. By setting a fake continuation,
++            // we prevent this from happening. This is not the best approach, we should replace this
++            // something better later to automatically detect that oldChild is getting removed.
++            RenderBlock* oldChildBlock = 0;
++            if (oldChild->isAnonymous() && oldChild->isRenderBlock() && !toRenderBlock(oldChild)->continuation()) {
++                oldChildBlock = toRenderBlock(oldChild);
++                oldChildBlock->setContinuation(oldChildBlock);
++            }
++
+             // Delete the now-empty block's lines and nuke it.
+             nextBlock->deleteLineBoxTree();
+             nextBlock->destroy();
++
++            // FIXME: Revert the continuation change done above.
++            if (oldChildBlock)
++                oldChildBlock->setContinuation(0);
+         }
+     }
+ 
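Review bot: the added patch file has no header (no origin, upstream revision, bug link or description) before the first "--- a/src/third_party/WebKit/..." line, so nothing records where this backport came from or which upstream change it corresponds to; suggest a DEP-3 style header with Origin/Bug/Description so the patch can be refreshed against upstream later. On the change itself: the workaround sets oldChild's continuation to itself ("oldChildBlock->setContinuation(oldChildBlock);") purely as a sentinel so that nextBlock->destroy() does not merge the next sibling's children into a block that is about to be removed; this is safe only as long as nothing reached from destroy() walks the continuation chain, since a self-referencing continuation would loop forever there, and the restore to 0 afterwards is correct only because the guard takes the branch solely when continuation() was null. Both assumptions are worth stating in the comment. Minor: the comment reads "we should replace this something better later"; it is missing "with" ("replace this with something better").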

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2011-01-14 15:52:09 +0000
+++ b/debian/patches/series	2011-01-14 16:05:22 +0000
@@ -48,3 +48,4 @@
 68115.patch
 68178.patch
 68181.patch
+68439.patch


