[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c

Michael Gilbert michael.s.gilbert at gmail.com
Tue Jun 29 04:11:42 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit 1f9ad3fce5a7fc7a40883971bf2233ee4c6ea68a
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date:   Mon Jun 28 22:05:58 2010 -0400

    fix cve-2010-1770

diff --git a/WebCore/rendering/RenderText.cpp b/WebCore/rendering/RenderText.cpp
index aa919e0..81f1dde 100644
--- a/WebCore/rendering/RenderText.cpp
+++ b/WebCore/rendering/RenderText.cpp
@@ -203,7 +203,7 @@ void RenderText::deleteTextBoxes()
 PassRefPtr<StringImpl> RenderText::originalText() const
 {
     Node* e = node();
-    return e ? static_cast<Text*>(e)->dataImpl() : 0;
+    return (e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : 0;
 }
 
 void RenderText::absoluteRects(Vector<IntRect>& rects, int tx, int ty)
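Review bot: The added `isTextNode()` test on the `return` line closes the unchecked downcast of `node()` to `Text*`, but nothing in the code records why a RenderText can sit on a node that is not a Text node, so a later cleanup could drop the condition as redundant; add a comment above the return such as `// node() is not guaranteed to be a Text node; casting without this check was the cve-2010-1770 bug (see commit message)`. The same three-term condition is repeated verbatim in RenderTextFragment::originalText and RenderTextFragment::previousCharacter in the next file, so a single helper, for example a file-local `static StringImpl* textNodeData(Node* n)` returning `dataImpl()` or 0, would keep the check in one place and make the next such cast harder to get wrong. The function is fully visible in this hunk.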
diff --git a/WebCore/rendering/RenderTextFragment.cpp b/WebCore/rendering/RenderTextFragment.cpp
index f3398a3..1e15d66 100644
--- a/WebCore/rendering/RenderTextFragment.cpp
+++ b/WebCore/rendering/RenderTextFragment.cpp
@@ -47,7 +47,7 @@ RenderTextFragment::RenderTextFragment(Node* node, StringImpl* str)
 PassRefPtr<StringImpl> RenderTextFragment::originalText() const
 {
     Node* e = node();
-    RefPtr<StringImpl> result = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+    RefPtr<StringImpl> result = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
     if (result && (start() > 0 || start() < result->length()))
         result = result->substring(start(), end());
     return result.release();
@@ -80,7 +80,7 @@ UChar RenderTextFragment::previousCharacter()
 {
     if (start()) {
         Node* e = node();
-        StringImpl*  original = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+        StringImpl*  original = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
         if (original)
             return (*original)[start() - 1];
     }
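Review bot: `(*original)[start() - 1]` reads the string chosen by the new condition without comparing `start() - 1` against `original->length()`; the added guard only ensures `original` really comes from a Text node, not that the fragment's start offset still lies inside that node's current data. If StringImpl's `operator[]` does not range-check (I cannot tell from the hunk), a `start()` larger than the length would read past the buffer, so `if (original && start() <= original->length())` would keep the read in bounds at no cost. The enclosing previousCharacter() starts at the hunk's first line and its body continues past the hunk.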
diff --git a/debian/changelog b/debian/changelog
index 73c2239..cb727a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,8 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
   * Fix cve-2010-1760: user credential information disclosure.
   * Fix cve-2010-1761: possible code execution in frameview logic.
   * Fix cve-2010-1762: webscript and/or html injection using the textarea
+  * Fix cve-2010-1770: possible code execution due to improper handling of the
+    ibm1147 character set.
     element.
 
  -- Michael Gilbert <michael.s.gilbert at gmail.com>  Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1770.patch b/debian/patches/cve-2010-1770.patch
new file mode 100644
index 0000000..4a41544
--- /dev/null
+++ b/debian/patches/cve-2010-1770.patch
@@ -0,0 +1,38 @@
+description: fix cve-2010-1770
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59795
+Index: webkit-1.2.1/WebCore/rendering/RenderText.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderText.cpp	2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderText.cpp	2010-06-28 22:04:55.000000000 -0400
+@@ -203,7 +203,7 @@
+ PassRefPtr<StringImpl> RenderText::originalText() const
+ {
+     Node* e = node();
+-    return e ? static_cast<Text*>(e)->dataImpl() : 0;
++    return (e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : 0;
+ }
+ 
+ void RenderText::absoluteRects(Vector<IntRect>& rects, int tx, int ty)
+Index: webkit-1.2.1/WebCore/rendering/RenderTextFragment.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderTextFragment.cpp	2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderTextFragment.cpp	2010-06-28 22:04:55.000000000 -0400
+@@ -47,7 +47,7 @@
+ PassRefPtr<StringImpl> RenderTextFragment::originalText() const
+ {
+     Node* e = node();
+-    RefPtr<StringImpl> result = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
++    RefPtr<StringImpl> result = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
+     if (result && (start() > 0 || start() < result->length()))
+         result = result->substring(start(), end());
+     return result.release();
+@@ -80,7 +80,7 @@
+ {
+     if (start()) {
+         Node* e = node();
+-        StringImpl*  original = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
++        StringImpl*  original = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
+         if (original)
+             return (*original)[start() - 1];
+     }
diff --git a/debian/patches/series b/debian/patches/series
index aa17bd4..f410a07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ cve-2010-1759.patch
 cve-2010-1760.patch
 cve-2010-1761.patch
 cve-2010-1762.patch
+cve-2010-1770.patch
