[Pkg-chromium-commit] chromium-browser/chromium-browser.sid: 700 High Stale rendering node after DOM node removal. Credit to Martin
Giuseppe Iuculano
iuculano at debian.org
Fri Jan 14 16:05:22 UTC 2011
Branch name: chromium-browser/chromium-browser.sid
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.sid
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 700
Revision Id: iuculano at debian.org-20110114160522-yw07o1xxsuqsmhoc
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Stale rendering node after DOM node removal. Credit to Martin
Barbella; plus independent discovery by Google Chrome Security Team
(SkyLined).
--------------------------------------------------------
** Added :
- debian/patches/68439.patch
** Modified :
- debian/changelog
- debian/patches/series
=== modified file 'debian/changelog'
--- a/debian/changelog 2011-01-14 15:52:09 +0000
+++ b/debian/changelog 2011-01-14 16:05:22 +0000
@@ -9,8 +9,11 @@
- High Vorbis decoder buffer overflows. Credit to David Warren of CERT.
- High Bad cast in anchor handling. Credit to Sergey Glazunov.
- High Bad cast in video handling. Credit to Sergey Glazunov.
+ - High Stale rendering node after DOM node removal. Credit to Martin
+ Barbella; plus independent discovery by Google Chrome Security Team
+ (SkyLined).
- -- Giuseppe Iuculano <iuculano at debian.org> Fri, 14 Jan 2011 16:51:24 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org> Fri, 14 Jan 2011 17:04:21 +0100
chromium-browser (6.0.472.63~r59945-4) unstable; urgency=high
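Review bot: the new changelog entry names the issue and the reporters but gives no identifier a reader could follow; the patch being added is called 68439.patch, so citing that upstream issue number in the entry (and the CVE, if one has been assigned) would let the fix be traced from the changelog to the patch. The trailer line update (16:51:24 to 17:04:21 +0100) is consistent with the new entry being appended to the same unreleased -4 revision.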
=== added file 'debian/patches/68439.patch'
--- a/debian/patches/68439.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/68439.patch 2011-01-14 16:05:22 +0000
@@ -0,0 +1,28 @@
+--- a/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
++++ b/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
+@@ -990,10 +990,24 @@ void RenderBlock::removeChild(RenderObje
+ // Take all the children out of the |next| block and put them in
+ // the |prev| block.
+ nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());
+-
++ // FIXME: When we destroy nextBlock, it might happen that nextBlock's next sibling block and
++ // oldChild can get merged. Since oldChild is getting removed, we do not want to move
++ // nextBlock's next sibling block's children into it. By setting a fake continuation,
++ // we prevent this from happening. This is not the best approach, we should replace this
++ // something better later to automatically detect that oldChild is getting removed.
++ RenderBlock* oldChildBlock = 0;
++ if (oldChild->isAnonymous() && oldChild->isRenderBlock() && !toRenderBlock(oldChild)->continuation()) {
++ oldChildBlock = toRenderBlock(oldChild);
++ oldChildBlock->setContinuation(oldChildBlock);
++ }
++
+ // Delete the now-empty block's lines and nuke it.
+ nextBlock->deleteLineBoxTree();
+ nextBlock->destroy();
++
++ // FIXME: Revert the continuation change done above.
++ if (oldChildBlock)
++ oldChildBlock->setContinuation(0);
+ }
+ }
+
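Review bot: the patch file carries no DEP-3 header (Description, Origin, Bug), so the added file starts directly at `--- a/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp` and nothing records which upstream WebKit change it was taken from; add at least `Origin:` and `Bug:` lines so the backport can be matched against the upstream fix. On the logic: the workaround sets `oldChildBlock->setContinuation(oldChildBlock)`, a self-referencing continuation, for the duration of `nextBlock->destroy()`; any code reached from `destroy()` that walks a continuation chain would loop on that self-reference, so confirm that only the merge check inspects it. The guard `!toRenderBlock(oldChild)->continuation()` also means an anonymous block that already has a continuation gets no protection, and the FIXME itself calls this a stopgap, so the stale-node scenario this entry is fixing should be re-tested for that case before release.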
=== modified file 'debian/patches/series'
--- a/debian/patches/series 2011-01-14 15:52:09 +0000
+++ b/debian/patches/series 2011-01-14 16:05:22 +0000
@@ -48,3 +48,4 @@
68115.patch
68178.patch
68181.patch
+68439.patch
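Review bot: appending `68439.patch` at the end of the series is consistent with the other issue-numbered patches, but the hunk it applies targets `RenderBlock.cpp` at line 990 of the upstream tree, while this package builds 6.0.472.63~r59945; verify that `quilt push -a` applies the hunk without fuzz or offset against the bundled WebKit, and refresh the patch if it does not.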