[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:33 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 35335acc76f27c8ff753866660c538f62de5eed1
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 21:52:22 2010 -0400
fix cve-2010-1759
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 2c42187..c67119a 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -1430,9 +1430,15 @@ void Element::normalizeAttributes()
NamedNodeMap* attrs = attributes(true);
if (!attrs)
return;
- unsigned numAttrs = attrs->length();
- for (unsigned i = 0; i < numAttrs; i++) {
- if (Attr* attr = attrs->attributeItem(i)->attr())
+
+ if (attrs->isEmpty())
+ return;
+
+ Vector<RefPtr<Attribute> > attributeVector;
+ attrs->copyAttributesToVector(attributeVector);
+ size_t numAttrs = attributeVector.size();
+ for (size_t i = 0; i < numAttrs; ++i) {
+ if (Attr* attr = attributeVector[i]->attr())
attr->normalize();
}
}
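Review bot: On the `if (Attr* attr = attributeVector[i]->attr())` line the node is still held as a raw `Attr*` across `attr->normalize()`, so the snapshot keeps the `Attribute` entries alive but the `Attr` node itself only for as long as its `Attribute` keeps referencing it; whether normalize() can detach that link is not visible from this hunk, and if it can, the original use-after-free is moved rather than removed. Holding the node as `if (RefPtr<Attr> attr = attributeVector[i]->attr())` closes that gap for one refcount per attribute. The switch from live indexing to a copy implies normalize() can mutate the attribute map mid-loop, and that deserves to be stated in the code, e.g. `// Iterate over a snapshot: normalize() may mutate the attribute map (CVE-2010-1759); attributes added during the loop are not normalized.` The `attrs->isEmpty()` early return is redundant with the zero-trip loop that follows and could be dropped.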
diff --git a/WebCore/dom/NamedAttrMap.cpp b/WebCore/dom/NamedAttrMap.cpp
index d8a6ba8..ee979cf 100644
--- a/WebCore/dom/NamedAttrMap.cpp
+++ b/WebCore/dom/NamedAttrMap.cpp
@@ -172,6 +172,11 @@ PassRefPtr<Node> NamedNodeMap::item(unsigned index) const
return m_attributes[index]->createAttrIfNeeded(m_element);
}
+void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy)
+{
+ copy = m_attributes;
+}
+
Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const
{
unsigned len = length();
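Review bot: `NamedNodeMap::copyAttributesToVector` only reads `m_attributes` but is not declared `const`, so it cannot be called through a `const NamedNodeMap*` without a cast; mark both this definition and the declaration in NamedAttrMap.h `const`: `void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy) const`. The body `copy = m_attributes` copies `RefPtr`s, so every `Attribute` stays alive as long as the caller's vector does — that lifetime guarantee is the reason the helper exists and is worth a comment, since neither the name nor the signature conveys it. Note that only the `Attribute` objects are pinned, not the `NamedNodeMap` or its element; a caller that keeps using `this` after the copy must hold its own reference.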
diff --git a/WebCore/dom/NamedAttrMap.h b/WebCore/dom/NamedAttrMap.h
index d5136b5..e292576 100644
--- a/WebCore/dom/NamedAttrMap.h
+++ b/WebCore/dom/NamedAttrMap.h
@@ -72,6 +72,8 @@ public:
Attribute* attributeItem(unsigned index) const { return m_attributes[index].get(); }
Attribute* getAttributeItem(const QualifiedName&) const;
+ void copyAttributesToVector(Vector<RefPtr<Attribute> >&);
+
void shrinkToLength() { m_attributes.shrinkCapacity(length()); }
void reserveInitialCapacity(unsigned capacity) { m_attributes.reserveInitialCapacity(capacity); }
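Review bot: The new `copyAttributesToVector` declaration carries no comment explaining when a caller should use it instead of indexing through `attributeItem(unsigned)` two lines above it, and that choice is exactly the difference between safe and unsafe iteration when the map can change underneath the loop. Suggest documenting it at the declaration: `// Copies the attribute list (retaining each Attribute) so the caller can iterate safely even if the map is mutated meanwhile; the copy does not retain the map or its element.` Whether the accessor should also be `const` depends on the definition in NamedAttrMap.cpp, which from the name appears to be read-only.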
diff --git a/debian/changelog b/debian/changelog
index d78a2e1..acc4a83 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,8 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Fix cve-2010-1664: possible code execution due to improper html5 media
handling.
* Fix cve-2010-1758: possible code execution in xml dom processor.
+ * Fix cve-2010-1759: another possible code execution issue in the xml dom
+ processor.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1759.patch b/debian/patches/cve-2010-1759.patch
new file mode 100644
index 0000000..3fb5fde
--- /dev/null
+++ b/debian/patches/cve-2010-1759.patch
@@ -0,0 +1,55 @@
+description: fix cve-2010-1759
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59109
+Index: webkit-1.2.1/WebCore/dom/NamedAttrMap.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/NamedAttrMap.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/NamedAttrMap.cpp 2010-06-28 21:51:06.000000000 -0400
+@@ -172,6 +172,11 @@
+ return m_attributes[index]->createAttrIfNeeded(m_element);
+ }
+
++void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy)
++{
++ copy = m_attributes;
++}
++
+ Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const
+ {
+ unsigned len = length();
+Index: webkit-1.2.1/WebCore/dom/Element.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/Element.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/Element.cpp 2010-06-28 21:51:06.000000000 -0400
+@@ -1430,9 +1430,15 @@
+ NamedNodeMap* attrs = attributes(true);
+ if (!attrs)
+ return;
+- unsigned numAttrs = attrs->length();
+- for (unsigned i = 0; i < numAttrs; i++) {
+- if (Attr* attr = attrs->attributeItem(i)->attr())
++
++ if (attrs->isEmpty())
++ return;
++
++ Vector<RefPtr<Attribute> > attributeVector;
++ attrs->copyAttributesToVector(attributeVector);
++ size_t numAttrs = attributeVector.size();
++ for (size_t i = 0; i < numAttrs; ++i) {
++ if (Attr* attr = attributeVector[i]->attr())
+ attr->normalize();
+ }
+ }
+Index: webkit-1.2.1/WebCore/dom/NamedAttrMap.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/NamedAttrMap.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/NamedAttrMap.h 2010-06-28 21:51:06.000000000 -0400
+@@ -72,6 +72,8 @@
+ Attribute* attributeItem(unsigned index) const { return m_attributes[index].get(); }
+ Attribute* getAttributeItem(const QualifiedName&) const;
+
++ void copyAttributesToVector(Vector<RefPtr<Attribute> >&);
++
+ void shrinkToLength() { m_attributes.shrinkCapacity(length()); }
+ void reserveInitialCapacity(unsigned capacity) { m_attributes.reserveInitialCapacity(capacity); }
+
diff --git a/debian/patches/series b/debian/patches/series
index 2eb6316..aa4aa24 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ cve-2010-1421.patch
cve-2010-1501+1767.patch
cve-2010-1664.patch
cve-2010-1758.patch
+cve-2010-1759.patch