[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:54 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit a6323c3a6562226c207c57603eda199cd5659ec7
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 22:10:25 2010 -0400
fix cve-2010-1771
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index c67119a..90fc535 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -938,7 +938,7 @@ void Element::recalcStyle(StyleChange change)
newStyle->setChildrenAffectedByDirectAdjacentRules();
}
- if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) {
+ if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) {
setRenderStyle(newStyle);
} else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) {
// Although no change occurred, we use the new style so that the cousin style sharing code won't get
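Review bot: The new `if` condition mixes `||` and `&&` without grouping the added clause. `&&` binds tighter, so it evaluates as intended, but the line is easy to misread in a security fix and GCC's -Wparentheses flags it. I would wrap the clause: `|| (change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation())`. The body of Element::recalcStyle starts and ends outside this hunk, so the surrounding flow could not be checked here.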
diff --git a/WebCore/rendering/RenderButton.h b/WebCore/rendering/RenderButton.h
index 7fd6ab0..1fc5eb6 100644
--- a/WebCore/rendering/RenderButton.h
+++ b/WebCore/rendering/RenderButton.h
@@ -57,12 +57,14 @@ public:
virtual bool canHaveChildren() const;
-protected:
+private:
virtual void styleWillChange(StyleDifference, const RenderStyle* newStyle);
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
virtual bool hasLineIfEmpty() const { return true; }
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
void timerFired(Timer<RenderButton>*);
RenderTextFragment* m_buttonText;
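Review bot: Changing `protected:` to `private:` here also narrows access to `styleWillChange`, `styleDidChange`, `hasLineIfEmpty` and `timerFired`, which the forced-recalc fix does not need. If any class in this tree derives from RenderButton and calls `RenderButton::styleDidChange(...)` or one of the others explicitly, it will stop compiling. No such subclass is visible in this hunk, so this needs checking against the 1.2.1 sources. For a minimal security backport I would keep `protected:` and add only the `requiresForcedStyleRecalcPropagation()` override.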
diff --git a/WebCore/rendering/RenderDataGrid.h b/WebCore/rendering/RenderDataGrid.h
index 467edcc..ce221ea 100644
--- a/WebCore/rendering/RenderDataGrid.h
+++ b/WebCore/rendering/RenderDataGrid.h
@@ -53,6 +53,8 @@ public:
private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
RenderStyle* columnStyle(DataGridColumn*);
RenderStyle* headerStyle(DataGridColumn*);
void recalcStyleForColumns();
diff --git a/WebCore/rendering/RenderFileUploadControl.h b/WebCore/rendering/RenderFileUploadControl.h
index 454041a..d77eadc 100644
--- a/WebCore/rendering/RenderFileUploadControl.h
+++ b/WebCore/rendering/RenderFileUploadControl.h
@@ -56,6 +56,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
// FileChooserClient methods.
void valueChanged();
void repaint() { RenderBlock::repaint(); }
diff --git a/WebCore/rendering/RenderListItem.h b/WebCore/rendering/RenderListItem.h
index c4c41dc..d140979 100644
--- a/WebCore/rendering/RenderListItem.h
+++ b/WebCore/rendering/RenderListItem.h
@@ -63,6 +63,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
void updateMarkerLocation();
inline int calcValue() const;
void updateValueNow() const;
diff --git a/WebCore/rendering/RenderMedia.h b/WebCore/rendering/RenderMedia.h
index 0d24c4c..32d6d65 100644
--- a/WebCore/rendering/RenderMedia.h
+++ b/WebCore/rendering/RenderMedia.h
@@ -118,6 +118,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
RefPtr<HTMLElement> m_controlsShadowRoot;
RefPtr<MediaControlElement> m_panel;
RefPtr<MediaControlMuteButtonElement> m_muteButton;
diff --git a/WebCore/rendering/RenderMenuList.h b/WebCore/rendering/RenderMenuList.h
index f3c1b55..7e80d35 100644
--- a/WebCore/rendering/RenderMenuList.h
+++ b/WebCore/rendering/RenderMenuList.h
@@ -72,6 +72,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
// PopupMenuClient methods
virtual String itemText(unsigned listIndex) const;
virtual String itemToolTip(unsigned listIndex) const;
diff --git a/WebCore/rendering/RenderObject.h b/WebCore/rendering/RenderObject.h
index 46abfca..f5719db 100644
--- a/WebCore/rendering/RenderObject.h
+++ b/WebCore/rendering/RenderObject.h
@@ -322,6 +322,8 @@ public:
bool cellWidthChanged() const { return m_cellWidthChanged; }
void setCellWidthChanged(bool b = true) { m_cellWidthChanged = b; }
+ virtual bool requiresForcedStyleRecalcPropagation() const { return false; }
+
#if ENABLE(MATHML)
virtual bool isRenderMathMLBlock() const { return false; }
#endif // ENABLE(MATHML)
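Review bot: The new hook `requiresForcedStyleRecalcPropagation()` has no comment, and its base default of `false` makes the fix opt-in per renderer class. A renderer class added later that needs the forced `setRenderStyle()` path in Element::recalcStyle will silently miss it unless the author knows to override the hook. I would add something like `// Return true if a forced style recalc (change == Force) must call setRenderStyle() on this renderer even when its own style did not change.` The description of which renderers need this is inferred from the list of classes overridden in this commit and should be confirmed against the upstream changeset.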
@@ -412,7 +414,6 @@ public:
void drawArcForBoxSide(GraphicsContext*, int x, int y, float thickness, IntSize radius, int angleStart,
int angleSpan, BoxSide, Color, EBorderStyle, bool firstCorner);
-public:
// The pseudo element style can be cached or uncached. Use the cached method if the pseudo element doesn't respect
// any pseudo classes (and therefore has no concept of changing state).
RenderStyle* getCachedPseudoStyle(PseudoId, RenderStyle* parentStyle = 0) const;
diff --git a/WebCore/rendering/RenderProgress.h b/WebCore/rendering/RenderProgress.h
index ee60d9d..5f42491 100644
--- a/WebCore/rendering/RenderProgress.h
+++ b/WebCore/rendering/RenderProgress.h
@@ -50,6 +50,8 @@ inline RenderProgress* toRenderProgress(RenderObject* object)
// This will catch anyone doing an unnecessary cast.
void toRenderProgress(const RenderProgress*);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
} // namespace WebCore
#endif
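Review bot: The added `virtual bool requiresForcedStyleRecalcPropagation() const { return true; }` appears to sit at namespace scope rather than inside the RenderProgress class. It follows the free declaration `void toRenderProgress(const RenderProgress*);` and directly precedes `} // namespace WebCore`. `virtual` is not valid on a non-member function, so this header would fail to compile wherever it is built, and in any case RenderProgress does not get the override. It therefore keeps the base default of `false`, and the forced-recalc fix does not cover this renderer. The line should move into the class body next to the other private virtuals, which lies outside this hunk. The same misplaced line is carried in debian/patches/cve-2010-1771.patch in its RenderProgress.h section.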
diff --git a/WebCore/rendering/RenderSlider.h b/WebCore/rendering/RenderSlider.h
index 92ad73b..fc8ce24 100644
--- a/WebCore/rendering/RenderSlider.h
+++ b/WebCore/rendering/RenderSlider.h
@@ -58,6 +58,8 @@ namespace WebCore {
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
PassRefPtr<RenderStyle> createThumbStyle(const RenderStyle* parentStyle);
int trackSize();
diff --git a/WebCore/rendering/RenderTextControl.h b/WebCore/rendering/RenderTextControl.h
index 2fc8edc..984f41d 100644
--- a/WebCore/rendering/RenderTextControl.h
+++ b/WebCore/rendering/RenderTextControl.h
@@ -107,6 +107,8 @@ private:
virtual bool canBeProgramaticallyScrolled(bool) const { return true; }
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
String finishText(Vector<UChar>&) const;
bool m_wasChangedSinceLastChangeEvent;
diff --git a/debian/changelog b/debian/changelog
index cb727a7..c44b41f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Fix cve-2010-1762: webscript and/or html injection using the textarea
* Fix cve-2010-1770: possible code execution due to improper handling of the
ibm1147 character set.
+ * Fix cve-2010-1771: possible code execution due to improper font handling.
element.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1771.patch b/debian/patches/cve-2010-1771.patch
new file mode 100644
index 0000000..cceb86b
--- /dev/null
+++ b/debian/patches/cve-2010-1771.patch
@@ -0,0 +1,161 @@
+description: fix cve-2010-1771
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59876
+Index: webkit-1.2.1/WebCore/dom/Element.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/Element.cpp 2010-06-28 21:51:06.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/Element.cpp 2010-06-28 22:07:40.000000000 -0400
+@@ -938,7 +938,7 @@
+ newStyle->setChildrenAffectedByDirectAdjacentRules();
+ }
+
+- if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) {
++ if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) {
+ setRenderStyle(newStyle);
+ } else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) {
+ // Although no change occurred, we use the new style so that the cousin style sharing code won't get
+Index: webkit-1.2.1/WebCore/rendering/RenderMenuList.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderMenuList.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderMenuList.h 2010-06-28 22:07:40.000000000 -0400
+@@ -72,6 +72,8 @@
+
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ // PopupMenuClient methods
+ virtual String itemText(unsigned listIndex) const;
+ virtual String itemToolTip(unsigned listIndex) const;
+Index: webkit-1.2.1/WebCore/rendering/RenderProgress.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderProgress.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderProgress.h 2010-06-28 22:07:40.000000000 -0400
+@@ -50,6 +50,8 @@
+ // This will catch anyone doing an unnecessary cast.
+ void toRenderProgress(const RenderProgress*);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ } // namespace WebCore
+
+ #endif
+Index: webkit-1.2.1/WebCore/rendering/RenderButton.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderButton.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderButton.h 2010-06-28 22:07:40.000000000 -0400
+@@ -57,12 +57,14 @@
+
+ virtual bool canHaveChildren() const;
+
+-protected:
++private:
+ virtual void styleWillChange(StyleDifference, const RenderStyle* newStyle);
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
+ virtual bool hasLineIfEmpty() const { return true; }
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ void timerFired(Timer<RenderButton>*);
+
+ RenderTextFragment* m_buttonText;
+Index: webkit-1.2.1/WebCore/rendering/RenderObject.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderObject.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderObject.h 2010-06-28 22:07:40.000000000 -0400
+@@ -322,6 +322,8 @@
+ bool cellWidthChanged() const { return m_cellWidthChanged; }
+ void setCellWidthChanged(bool b = true) { m_cellWidthChanged = b; }
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return false; }
++
+ #if ENABLE(MATHML)
+ virtual bool isRenderMathMLBlock() const { return false; }
+ #endif // ENABLE(MATHML)
+@@ -412,7 +414,6 @@
+ void drawArcForBoxSide(GraphicsContext*, int x, int y, float thickness, IntSize radius, int angleStart,
+ int angleSpan, BoxSide, Color, EBorderStyle, bool firstCorner);
+
+-public:
+ // The pseudo element style can be cached or uncached. Use the cached method if the pseudo element doesn't respect
+ // any pseudo classes (and therefore has no concept of changing state).
+ RenderStyle* getCachedPseudoStyle(PseudoId, RenderStyle* parentStyle = 0) const;
+Index: webkit-1.2.1/WebCore/rendering/RenderSlider.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderSlider.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderSlider.h 2010-06-28 22:07:40.000000000 -0400
+@@ -58,6 +58,8 @@
+
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ PassRefPtr<RenderStyle> createThumbStyle(const RenderStyle* parentStyle);
+
+ int trackSize();
+Index: webkit-1.2.1/WebCore/rendering/RenderListItem.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderListItem.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderListItem.h 2010-06-28 22:07:40.000000000 -0400
+@@ -63,6 +63,8 @@
+
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ void updateMarkerLocation();
+ inline int calcValue() const;
+ void updateValueNow() const;
+Index: webkit-1.2.1/WebCore/rendering/RenderMedia.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderMedia.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderMedia.h 2010-06-28 22:07:40.000000000 -0400
+@@ -118,6 +118,8 @@
+
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ RefPtr<HTMLElement> m_controlsShadowRoot;
+ RefPtr<MediaControlElement> m_panel;
+ RefPtr<MediaControlMuteButtonElement> m_muteButton;
+Index: webkit-1.2.1/WebCore/rendering/RenderDataGrid.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderDataGrid.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderDataGrid.h 2010-06-28 22:07:40.000000000 -0400
+@@ -53,6 +53,8 @@
+ private:
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ RenderStyle* columnStyle(DataGridColumn*);
+ RenderStyle* headerStyle(DataGridColumn*);
+ void recalcStyleForColumns();
+Index: webkit-1.2.1/WebCore/rendering/RenderTextControl.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderTextControl.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderTextControl.h 2010-06-28 22:07:40.000000000 -0400
+@@ -107,6 +107,8 @@
+
+ virtual bool canBeProgramaticallyScrolled(bool) const { return true; }
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ String finishText(Vector<UChar>&) const;
+
+ bool m_wasChangedSinceLastChangeEvent;
+Index: webkit-1.2.1/WebCore/rendering/RenderFileUploadControl.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderFileUploadControl.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderFileUploadControl.h 2010-06-28 22:07:40.000000000 -0400
+@@ -56,6 +56,8 @@
+
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
++ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
++
+ // FileChooserClient methods.
+ void valueChanged();
+ void repaint() { RenderBlock::repaint(); }
diff --git a/debian/patches/series b/debian/patches/series
index f410a07..9fb02ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ cve-2010-1760.patch
cve-2010-1761.patch
cve-2010-1762.patch
cve-2010-1770.patch
+cve-2010-1771.patch
--
WebKit Debian packaging