[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 720 - [71855] High Integer overflow in textarea handling. Credit to miaubiz.
Giuseppe Iuculano
iuculano at debian.org
Fri Mar 4 14:37:37 UTC 2011
Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 720
Revision Id: iuculano at debian.org-20110304143737-ojlvm82xd61svwo1
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : - [71855] High Integer overflow in textarea handling. Credit to miaubiz.
- [71960] Medium Out-of-bounds read in WebGL. Credit to Google Chrome
Security Team (Inferno).
--------------------------------------------------------
** Added :
- debian/patches/71855.patch
- debian/patches/71960.patch
** Modified :
- debian/changelog
- debian/patches/series
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog 2011-03-03 17:22:14 +0000
+++ b/debian/changelog 2011-03-04 14:37:37 +0000
@@ -12,8 +12,11 @@
community.
- [71114] High Stale node in table child handling. Credit to Martin Barbella
- [71115] High Stale pointer in table rendering. Credit to Martin Barbella.
+ - [71855] High Integer overflow in textarea handling. Credit to miaubiz.
+ - [71960] Medium Out-of-bounds read in WebGL. Credit to Google Chrome
+ Security Team (Inferno).
- -- Giuseppe Iuculano <iuculano at debian.org> Thu, 03 Mar 2011 18:20:38 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org> Fri, 04 Mar 2011 15:37:06 +0100
chromium-browser (6.0.472.63~r59945-5+squeeze2) stable-security; urgency=high
=== added file 'debian/patches/71855.patch'
--- a/debian/patches/71855.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/71855.patch 2011-03-04 14:37:37 +0000
@@ -0,0 +1,20 @@
+--- a/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
++++ b/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp
+@@ -2829,7 +2829,7 @@ void RenderBlock::removeFloatingObject(R
+ // Special-case zero- and less-than-zero-height floats: those don't touch
+ // the line that they're on, but it still needs to be dirtied. This is
+ // accomplished by pretending they have a height of 1.
+- bottom = max(bottom, it.current()->m_top + 1);
++ bottom = max(bottom, m_top == numeric_limits<int>::max() ? m_top : m_top + 1);
+ markLinesDirtyInVerticalRange(0, bottom);
+ }
+ m_floatingObjects->removeRef(it.current());
+@@ -3415,7 +3415,7 @@ void RenderBlock::markLinesDirtyInVertic
+
+ RootInlineBox* lowestDirtyLine = lastRootBox();
+ RootInlineBox* afterLowest = lowestDirtyLine;
+- while (lowestDirtyLine && lowestDirtyLine->blockHeight() >= bottom) {
++ while (lowestDirtyLine && lowestDirtyLine->blockHeight() >= bottom && bottom < numeric_limits<int>::max()) {
+ afterLowest = lowestDirtyLine;
+ lowestDirtyLine = lowestDirtyLine->prevRootBox();
+ }
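Review bot: The replacement line in removeFloatingObject reads a bare `m_top` where the line it replaces read `it.current()->m_top`, and nothing in the hunk declares a local of that name. Unless RenderBlock has an `m_top` of its own outside the hunk, this either fails to compile or applies the overflow check to a different value than the float's top. I would keep the float's field explicit: `int top = it.current()->m_top;` followed by `bottom = max(bottom, top == numeric_limits<int>::max() ? top : top + 1);`. In markLinesDirtyInVerticalRange the added `bottom < numeric_limits<int>::max()` test does not change across iterations, so it would read more clearly as a guard ahead of the `while`, with a comment stating what a saturated `bottom` is meant to select. Both function bodies continue outside the hunks shown.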
=== added file 'debian/patches/71960.patch'
--- a/debian/patches/71960.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/71960.patch 2011-03-04 14:37:37 +0000
@@ -0,0 +1,27 @@
+--- a/src/gpu/command_buffer/service/gles2_cmd_decoder.cc
++++ b/src/gpu/command_buffer/service/gles2_cmd_decoder.cc
+@@ -1462,9 +1462,11 @@ bool GLES2DecoderImpl::Initialize(gfx::G
+ }
+
+ vertex_attrib_manager_.Initialize(group_->max_vertex_attribs());
+- // We have to enable vertex array 0 on OpenGL or it won't render. Note that
+- // OpenGL ES 2.0 does not have this issue.
+- glEnableVertexAttribArray(0);
++ if (gfx::GetGLImplementation() != gfx::kGLImplementationEGLGLES2) {
++ // We have to enable vertex array 0 on OpenGL or it won't render. Note that
++ // OpenGL ES 2.0 does not have this issue.
++ glEnableVertexAttribArray(0);
++ }
+ glGenBuffersARB(1, &attrib_0_buffer_id_);
+ glBindBuffer(GL_ARRAY_BUFFER, attrib_0_buffer_id_);
+ glVertexAttribPointer(0, 1, GL_FLOAT, GL_FALSE, 0, NULL);
+@@ -2175,7 +2177,8 @@ void GLES2DecoderImpl::DoBindTexture(GLe
+
+ void GLES2DecoderImpl::DoDisableVertexAttribArray(GLuint index) {
+ if (vertex_attrib_manager_.Enable(index, false)) {
+- if (index != 0) {
++ if (index != 0 ||
++ gfx::GetGLImplementation() == gfx::kGLImplementationEGLGLES2) {
+ glDisableVertexAttribArray(index);
+ }
+ } else {
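Review bot: The `gfx::GetGLImplementation()` comparison against `gfx::kGLImplementationEGLGLES2` is now written out by hand in both Initialize and DoDisableVertexAttribArray. The two sites have to agree, since one decides whether attribute 0 starts enabled and the other whether it can ever be disabled in the driver. A small private predicate shared by both, or at least a comment on the second site, would make that coupling visible, for example `// Desktop GL needs attrib 0 left enabled to render; only GLES2 may really disable it.` above the `if (index != 0 ||` condition. In Initialize the three calls after the new guard still create `attrib_0_buffer_id_` and point attribute 0 at it on GLES2; that may be intended, but it is worth confirming given this patch addresses an out-of-bounds read. Both functions extend beyond the hunks shown.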
=== modified file 'debian/patches/series'
--- a/debian/patches/series 2011-03-03 17:22:14 +0000
+++ b/debian/patches/series 2011-03-04 14:37:37 +0000
@@ -63,3 +63,5 @@
70376.patch
71114.patch
71115.patch
+71855.patch
+71960.patch