[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:12 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 4a85dc07408fddd0a6af0e29cc68f387070260b8
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 21:05:41 2010 -0400
fix cve-2010-1405
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 4a7363d..ce34444 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -2358,8 +2358,14 @@ void RenderBlock::removeFloatingObject(RenderBox* o)
DeprecatedPtrListIterator<FloatingObject> it(*m_floatingObjects);
while (it.current()) {
if (it.current()->m_renderer == o) {
- if (childrenInline())
- markLinesDirtyInVerticalRange(0, it.current()->m_bottom);
+ if (childrenInline()) {
+ int bottom = it.current()->m_bottom;
+ // Special-case zero- and less-than-zero-height floats: those don't touch
+ // the line that they're on, but it still needs to be dirtied. This is
+ // accomplished by pretending they have a height of 1.
+ bottom = max(bottom, it.current()->m_top + 1);
+ markLinesDirtyInVerticalRange(0, bottom);
+ }
m_floatingObjects->removeRef(it.current());
}
++it;
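Review bot: The new `bottom` computation in removeFloatingObject is written as an assignment followed by a clamp, which reads as if `bottom` were needed in between; a single initialization says the same thing more directly: `int bottom = max(it.current()->m_bottom, it.current()->m_top + 1);` with the existing comment kept above it. The explanatory comment is good, but it would help a reader to also say what goes wrong otherwise, e.g. `// A float that is not dirtied here leaves the line box holding a stale reference once the float is removed below.` — this is inferred from the surrounding removeRef() call and should be confirmed against the upstream changeset before being written as fact. The enclosing while loop and the rest of removeFloatingObject continue outside the hunk.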
@@ -3010,8 +3016,8 @@ void RenderBlock::clearFloats()
addIntrudingFloats(block, xoffset, offset);
if (childrenInline()) {
- int changeTop = INT_MAX;
- int changeBottom = INT_MIN;
+ int changeTop = numeric_limits<int>::max();
+ int changeBottom = numeric_limits<int>::min();
if (m_floatingObjects) {
for (FloatingObject* f = m_floatingObjects->first(); f; f = m_floatingObjects->next()) {
FloatingObject* oldFloatingObject = floatMap.get(f->m_renderer);
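Review bot: The replacement of `INT_MAX`/`INT_MIN` with unqualified `numeric_limits<int>::max()`/`min()` in clearFloats depends on `<limits>` being included and on `numeric_limits` being brought into scope (a `using namespace std;` or `using std::numeric_limits;` earlier in the file); neither is visible in this hunk, so please confirm both exist, otherwise this cosmetic change breaks the build. If the file does not already pull in `std`, writing `std::numeric_limits<int>::max()` would avoid the dependency on a using-declaration. This change is unrelated to the CVE fix and could be kept out of a security backport to keep the patch minimal. clearFloats starts and ends outside the hunk.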
diff --git a/WebCore/rendering/RenderBlockLineLayout.cpp b/WebCore/rendering/RenderBlockLineLayout.cpp
index 191b24a..6e89060 100644
--- a/WebCore/rendering/RenderBlockLineLayout.cpp
+++ b/WebCore/rendering/RenderBlockLineLayout.cpp
@@ -646,7 +646,6 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintTop, i
bool endLineMatched = false;
bool checkForEndLineMatch = endLine;
bool checkForFloatsFromLastLine = false;
- int lastHeight = height();
bool isLineEmpty = true;
@@ -771,8 +770,7 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintTop, i
} else
m_floatingObjects->first();
for (FloatingObject* f = m_floatingObjects->current(); f; f = m_floatingObjects->next()) {
- if (f->m_bottom > lastHeight)
- lastRootBox()->floats().append(f->m_renderer);
+ lastRootBox()->floats().append(f->m_renderer);
ASSERT(f->m_renderer == floats[floatIndex].object);
// If a float's geometry has changed, give up on syncing with clean lines.
if (floats[floatIndex].rect != IntRect(f->m_left, f->m_top, f->m_width, f->m_bottom - f->m_top))
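Review bot: The `f->m_bottom > lastHeight` filter is dropped here (and in the hunks at -782 and -842, with the `lastHeight` local removed at -646), so every float from the current position is now appended to `lastRootBox()->floats()`, but nothing in the new code records why unconditional bookkeeping is required. A one-line comment above the append would keep the next maintainer from reintroducing the filter, e.g. `// Record every float starting on this line, not just those extending below it; a skipped float leaves the root box's float list out of sync with m_floatingObjects.` — the second clause is inferred from the commit's purpose and should be checked against the upstream changeset before being stated that firmly. The ASSERT on the following line still ties `f` to `floats[floatIndex]`, so the relaxation does not weaken that consistency check. layoutInlineChildren starts and ends outside this hunk.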
@@ -782,7 +780,6 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintTop, i
lastFloat = m_floatingObjects->last();
}
- lastHeight = height();
lineMidpointState.reset();
resolver.setPosition(end);
}
@@ -842,10 +839,8 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintTop, i
m_floatingObjects->next();
} else
m_floatingObjects->first();
- for (FloatingObject* f = m_floatingObjects->current(); f; f = m_floatingObjects->next()) {
- if (f->m_bottom > lastHeight)
- lastRootBox()->floats().append(f->m_renderer);
- }
+ for (FloatingObject* f = m_floatingObjects->current(); f; f = m_floatingObjects->next())
+ lastRootBox()->floats().append(f->m_renderer);
lastFloat = m_floatingObjects->last();
}
size_t floatCount = floats.size();
diff --git a/debian/changelog b/debian/changelog
index ce32011..ffd22ed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Turn direct source changes into a patch.
* Fix cve-2010-1368: geolocation info disclosure.
* Fix cve-2010-1392: possibly exploitable html button logic error.
+ * Fix cve-2010-1405: possibly exploitable vertical positioning logic error.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1392.patch b/debian/patches/cve-2010-1392.patch
index 0614f89..9f2b94d 100644
--- a/debian/patches/cve-2010-1392.patch
+++ b/debian/patches/cve-2010-1392.patch
@@ -1,7 +1,6 @@
-description: fix cve-2010-1392
-author: Michael Gilbert <michael.s.gilbert at gmail.com>
-origin: http://trac.webkit.org/changeset/56297
-===================================================================
+description: fix cve-2010-1392
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/56297
Index: webkit-1.2.1/WebCore/rendering/RenderBlock.cpp
===================================================================
--- webkit-1.2.1.orig/WebCore/rendering/RenderBlock.cpp 2010-05-13 16:31:30.000000000 -0400
diff --git a/debian/patches/cve-2010-1405.patch b/debian/patches/cve-2010-1405.patch
new file mode 100644
index 0000000..9574d32
--- /dev/null
+++ b/debian/patches/cve-2010-1405.patch
@@ -0,0 +1,78 @@
+description: fix cve-2010-1392
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/56186
+Index: webkit-1.2.1/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderBlock.cpp 2010-06-28 20:56:40.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderBlock.cpp 2010-06-28 21:04:08.000000000 -0400
+@@ -2358,8 +2358,14 @@
+ DeprecatedPtrListIterator<FloatingObject> it(*m_floatingObjects);
+ while (it.current()) {
+ if (it.current()->m_renderer == o) {
+- if (childrenInline())
+- markLinesDirtyInVerticalRange(0, it.current()->m_bottom);
++ if (childrenInline()) {
++ int bottom = it.current()->m_bottom;
++ // Special-case zero- and less-than-zero-height floats: those don't touch
++ // the line that they're on, but it still needs to be dirtied. This is
++ // accomplished by pretending they have a height of 1.
++ bottom = max(bottom, it.current()->m_top + 1);
++ markLinesDirtyInVerticalRange(0, bottom);
++ }
+ m_floatingObjects->removeRef(it.current());
+ }
+ ++it;
+@@ -3010,8 +3016,8 @@
+ addIntrudingFloats(block, xoffset, offset);
+
+ if (childrenInline()) {
+- int changeTop = INT_MAX;
+- int changeBottom = INT_MIN;
++ int changeTop = numeric_limits<int>::max();
++ int changeBottom = numeric_limits<int>::min();
+ if (m_floatingObjects) {
+ for (FloatingObject* f = m_floatingObjects->first(); f; f = m_floatingObjects->next()) {
+ FloatingObject* oldFloatingObject = floatMap.get(f->m_renderer);
+Index: webkit-1.2.1/WebCore/rendering/RenderBlockLineLayout.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderBlockLineLayout.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderBlockLineLayout.cpp 2010-06-28 21:04:08.000000000 -0400
+@@ -646,7 +646,6 @@
+ bool endLineMatched = false;
+ bool checkForEndLineMatch = endLine;
+ bool checkForFloatsFromLastLine = false;
+- int lastHeight = height();
+
+ bool isLineEmpty = true;
+
+@@ -771,8 +770,7 @@
+ } else
+ m_floatingObjects->first();
+ for (FloatingObject* f = m_floatingObjects->current(); f; f = m_floatingObjects->next()) {
+- if (f->m_bottom > lastHeight)
+- lastRootBox()->floats().append(f->m_renderer);
++ lastRootBox()->floats().append(f->m_renderer);
+ ASSERT(f->m_renderer == floats[floatIndex].object);
+ // If a float's geometry has changed, give up on syncing with clean lines.
+ if (floats[floatIndex].rect != IntRect(f->m_left, f->m_top, f->m_width, f->m_bottom - f->m_top))
+@@ -782,7 +780,6 @@
+ lastFloat = m_floatingObjects->last();
+ }
+
+- lastHeight = height();
+ lineMidpointState.reset();
+ resolver.setPosition(end);
+ }
+@@ -842,10 +839,8 @@
+ m_floatingObjects->next();
+ } else
+ m_floatingObjects->first();
+- for (FloatingObject* f = m_floatingObjects->current(); f; f = m_floatingObjects->next()) {
+- if (f->m_bottom > lastHeight)
+- lastRootBox()->floats().append(f->m_renderer);
+- }
++ for (FloatingObject* f = m_floatingObjects->current(); f; f = m_floatingObjects->next())
++ lastRootBox()->floats().append(f->m_renderer);
+ lastFloat = m_floatingObjects->last();
+ }
+ size_t floatCount = floats.size();
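Review bot: The DEP-3 header of the new file debian/patches/cve-2010-1405.patch says `description: fix cve-2010-1392`, which is the identifier of the previous patch, while the filename, the changelog entry and the origin changeset are for cve-2010-1405; it should read `description: fix cve-2010-1405`. Since the series file and changelog are used to track which advisories the package addresses, a mislabelled header makes later audits of applied security fixes unreliable. The patch body itself matches the RenderBlock.cpp and RenderBlockLineLayout.cpp hunks above.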
diff --git a/debian/patches/series b/debian/patches/series
index 525ebed..56c394a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
# security patches
cve-2010-1386.patch
cve-2010-1392.patch
+cve-2010-1405.patch
--