[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:38 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit dc4a3190013541d60e8382a932cbe6baf954a9b7
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 22:00:06 2010 -0400
fix cve-2010-1761
diff --git a/WebCore/page/FrameView.cpp b/WebCore/page/FrameView.cpp
index fa346ee..7158354 100644
--- a/WebCore/page/FrameView.cpp
+++ b/WebCore/page/FrameView.cpp
@@ -1275,14 +1275,13 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot)
{
ASSERT(m_frame->view() == this);
- if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer()
- && m_frame->contentRenderer()->needsLayout())) {
+ if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) {
if (relayoutRoot)
relayoutRoot->markContainingBlocksForLayout(false);
return;
}
- if (layoutPending()) {
+ if (layoutPending() || !m_layoutSchedulingEnabled) {
if (m_layoutRoot != relayoutRoot) {
if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) {
// Keep the current root
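Review bot: The scheduling-disabled case now reaches code that uses `relayoutRoot` without the null guard it previously had. It used to take the early-return branch, which checks `if (relayoutRoot)`; it now enters the `layoutPending() || !m_layoutSchedulingEnabled` block, where `relayoutRoot` is passed to `isObjectAncestorContainerOf` and, in the next hunk's context, dereferenced by `relayoutRoot->markContainingBlocksForLayout(false);`. Whether any caller can pass null is not visible here, but the two paths should agree: either add `ASSERT(relayoutRoot);` at the top of the function or guard the block with `if (relayoutRoot && m_layoutRoot != relayoutRoot)`. On the same path `m_layoutRoot` may also be unset when no layout is pending, so confirm that `isObjectAncestorContainerOf` tolerates a null first argument. The function body continues past this hunk, and the same lines are carried in debian/patches/cve-2010-1761.patch.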
@@ -1299,7 +1298,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot)
relayoutRoot->markContainingBlocksForLayout(false);
}
}
- } else {
+ } else if (m_layoutSchedulingEnabled) {
int delay = m_frame->document()->minimumLayoutDelay();
m_layoutRoot = relayoutRoot;
m_delayedLayout = delay != 0;
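Review bot: The condition in `} else if (m_layoutSchedulingEnabled) {` is always true when it is reached, because the preceding `if (layoutPending() || !m_layoutSchedulingEnabled)` already takes every case where scheduling is disabled. This makes the branch look as if a third, unhandled case could fall through. Either use a plain `} else {` or keep the test and say why, for example `// Scheduling enabled and nothing pending: start a new (possibly delayed) subtree layout.`. A one-line comment on the first branch would also help, stating that the layout root is reconciled even while scheduling is disabled so that `m_layoutRoot` stays consistent with the subtree just marked. That appears to be the point of the fix and is not recorded anywhere in the code. The function body extends beyond this hunk.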
diff --git a/debian/changelog b/debian/changelog
index 8240aff..f511292 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Fix cve-2010-1759: another possible code execution issue in the xml dom
processor.
* Fix cve-2010-1760: user credential information disclosure.
+ * Fix cve-2010-1761: possible code execution in frameview logic.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1761.patch b/debian/patches/cve-2010-1761.patch
new file mode 100644
index 0000000..e99172e
--- /dev/null
+++ b/debian/patches/cve-2010-1761.patch
@@ -0,0 +1,33 @@
+description: fix cve-2010-1761
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59263
+Index: webkit-1.2.1/WebCore/page/FrameView.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/page/FrameView.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/page/FrameView.cpp 2010-06-28 21:58:32.000000000 -0400
+@@ -1275,14 +1275,13 @@
+ {
+ ASSERT(m_frame->view() == this);
+
+- if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer()
+- && m_frame->contentRenderer()->needsLayout())) {
++ if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) {
+ if (relayoutRoot)
+ relayoutRoot->markContainingBlocksForLayout(false);
+ return;
+ }
+
+- if (layoutPending()) {
++ if (layoutPending() || !m_layoutSchedulingEnabled) {
+ if (m_layoutRoot != relayoutRoot) {
+ if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) {
+ // Keep the current root
+@@ -1299,7 +1298,7 @@
+ relayoutRoot->markContainingBlocksForLayout(false);
+ }
+ }
+- } else {
++ } else if (m_layoutSchedulingEnabled) {
+ int delay = m_frame->document()->minimumLayoutDelay();
+ m_layoutRoot = relayoutRoot;
+ m_delayedLayout = delay != 0;
diff --git a/debian/patches/series b/debian/patches/series
index 91b7bc9..d457b56 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ cve-2010-1664.patch
cve-2010-1758.patch
cve-2010-1759.patch
cve-2010-1760.patch
+cve-2010-1761.patch
--
WebKit Debian packaging