[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.5-2-1-g456a68e
Michael Gilbert
michael.s.gilbert at gmail.com
Thu Nov 18 05:06:04 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 456a68e819d1569799c51f480b4c79bcd397fbcd
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Thu Nov 18 00:06:05 2010 -0500
fix another round of cves
diff --git a/debian/changelog b/debian/changelog
index c7c88ed..9bf450a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+webkit (1.2.5-3) UNRELEASED; urgency=high
+
+ * fix cve-2010-1824: use-after-free issue in svg handling.
+ * fix cve-2010-3254: integer overflow in websockets.
+ * fix cve-2010-4040: buffer overflow in gif handling.
+ * fix cve-2010-4042: element attribute mishandling.
+
+ -- Michael Gilbert <michael.s.gilbert at gmail.com> Wed, 17 Nov 2010 23:07:08 -0500
+
webkit (1.2.5-2) unstable; urgency=high
* Unapply 02-pool-fixup-and-sparc-support.patch and
diff --git a/debian/patches/cve-2010-1824.patch b/debian/patches/cve-2010-1824.patch
new file mode 100644
index 0000000..2e2626f
--- /dev/null
+++ b/debian/patches/cve-2010-1824.patch
@@ -0,0 +1,34 @@
+Description: fix cve-2010-1824
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: http://trac.webkit.org/changeset/66795
+Index: webkit/WebCore/svg/SVGUseElement.cpp
+===================================================================
+--- webkit.orig/WebCore/svg/SVGUseElement.cpp 2010-11-14 17:07:47.000000000 -0500
++++ webkit/WebCore/svg/SVGUseElement.cpp 2010-11-14 17:07:54.000000000 -0500
+@@ -122,14 +123,14 @@
+ {
+ // This functions exists to assure assumptions made in the code regarding SVGElementInstance creation/destruction are satisfied.
+ SVGElement::insertedIntoDocument();
+- ASSERT(!m_targetElementInstance);
++ ASSERT(!m_targetElementInstance || ((document()->isSVGDocument() || document()->isXHTMLDocument()) && !static_cast<Document*>(document()->parser())->wellFormed()));
+ ASSERT(!m_isPendingResource);
+ }
+
+ void SVGUseElement::removedFromDocument()
+ {
++ SVGStyledTransformableElement::removedFromDocument();
+ m_targetElementInstance = 0;
+- SVGElement::removedFromDocument();
+ }
+
+ void SVGUseElement::svgAttributeChanged(const QualifiedName& attrName)
+@@ -572,8 +573,8 @@
+
+ void SVGUseElement::detach()
+ {
+- m_targetElementInstance = 0;
+ SVGStyledTransformableElement::detach();
++ m_targetElementInstance = 0;
+ }
+
+ static bool isDirectReference(Node* n)
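Review bot: The rewritten assertion `ASSERT(!m_targetElementInstance || (... && !static_cast<Document*>(document()->parser())->wellFormed()))` casts the pointer returned by `document()->parser()` to `Document*`; unless `Document` derives from the parser's class, a `static_cast` between those types is ill-formed, and because the expression sits inside `ASSERT` a release build never compiles it, so the error would surface only in a debug build. Compare the line against the Origin changeset and cast to the type that `document()->parser()` actually returns in this tree (or drop the cast if that type already exposes `wellFormed()`), and confirm that 1.2.5's `Document` provides `parser()` rather than an older accessor. The hunk opens on the `{` of the patched function (presumably `SVGUseElement::insertedIntoDocument`, given the base-class call at its top), so its signature lies outside the hunk.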
diff --git a/debian/patches/cve-2010-3120.patch b/debian/patches/cve-2010-3120.patch
index 976affc..c354b23 100644
--- a/debian/patches/cve-2010-3120.patch
+++ b/debian/patches/cve-2010-3120.patch
@@ -1,11 +1,11 @@
description: fix cve-2010-3120
author: Michael Gilbert <michael.s.gilbert at gmail.com>
origin: http://trac.webkit.org/changeset/65329
-Index: webkit-1.2.4/WebCore/page/Geolocation.cpp
+Index: webkit/WebCore/page/Geolocation.cpp
===================================================================
---- webkit-1.2.4.orig/WebCore/page/Geolocation.cpp 2010-09-03 15:18:06.000000000 -0400
-+++ webkit-1.2.4/WebCore/page/Geolocation.cpp 2010-09-06 22:14:03.000000000 -0400
-@@ -252,6 +252,9 @@
+--- webkit.orig/WebCore/page/Geolocation.cpp 2010-11-14 19:43:45.000000000 -0500
++++ webkit/WebCore/page/Geolocation.cpp 2010-11-14 19:44:04.000000000 -0500
+@@ -256,6 +256,9 @@
void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
{
@@ -15,7 +15,7 @@ Index: webkit-1.2.4/WebCore/page/Geolocation.cpp
RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
ASSERT(notifier);
-@@ -260,6 +263,9 @@
+@@ -264,6 +267,9 @@
int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
{
diff --git a/debian/patches/cve-2010-3254.patch b/debian/patches/cve-2010-3254.patch
new file mode 100644
index 0000000..2a3d733
--- /dev/null
+++ b/debian/patches/cve-2010-3254.patch
@@ -0,0 +1,125 @@
+Description: fix cve-2010-3254
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: http://trac.webkit.org/changeset/65135
+Index: webkit/WebCore/websockets/WebSocketChannel.cpp
+===================================================================
+--- webkit.orig/WebCore/websockets/WebSocketChannel.cpp 2010-11-14 18:47:14.000000000 -0500
++++ webkit/WebCore/websockets/WebSocketChannel.cpp 2010-11-14 18:53:58.000000000 -0500
+@@ -195,25 +195,50 @@
+ while (p < end) {
+ unsigned char frameByte = static_cast<unsigned char>(*p++);
+ if ((frameByte & 0x80) == 0x80) {
+- int length = 0;
++ size_t length = 0;
++ bool errorFrame = false;
+ while (p < end) {
+- if (length > std::numeric_limits<int>::max() / 128) {
+- LOG(Network, "frame length overflow %d", length);
+- m_client->didReceiveMessageError();
+- if (!m_client)
+- return;
+- handle->close();
+- return;
++ if (length > std::numeric_limits<size_t>::max() / 128) {
++ LOG(Network, "frame length overflow %lu", length);
++ errorFrame = true;
++ break;
++ }
++ size_t newLength = length * 128;
++ unsigned char msgByte = static_cast<unsigned char>(*p);
++ unsigned int lengthMsgByte = msgByte & 0x7f;
++ if (newLength > std::numeric_limits<size_t>::max() - lengthMsgByte) {
++ LOG(Network, "frame length overflow %lu+%u", newLength, lengthMsgByte);
++ errorFrame = true;
++ break;
++ }
++ newLength += lengthMsgByte;
++ if (newLength < length) { // sanity check
++ LOG(Network, "frame length integer wrap %lu->%lu", length, newLength);
++ errorFrame = true;
++ break;
+ }
+- char msgByte = *p;
+- length = length * 128 + (msgByte & 0x7f);
++ length = newLength;
+ ++p;
+ if (!(msgByte & 0x80))
+ break;
+ }
++ if (p + length < p) {
++ LOG(Network, "frame buffer pointer wrap %p+%lu->%p", p, length, p + length);
++ errorFrame = true;
++ }
++ if (errorFrame) {
++ m_client->didReceiveMessageError();
++ if (!m_client)
++ return false;
++ if (!m_closed)
++ m_handle->close();
++ return false;
++ }
++ ASSERT(p + length >= p);
+ if (p + length < end) {
+ p += length;
+ nextFrame = p;
++ ASSERT(nextFrame > m_buffer);
+ m_client->didReceiveMessageError();
+ if (!m_client)
+ return;
+@@ -253,23 +278,28 @@
+ {
+ }
+
+-bool WebSocketChannel::appendToBuffer(const char* data, int len)
++bool WebSocketChannel::appendToBuffer(const char* data, size_t len)
+ {
++ size_t newBufferSize = m_bufferSize + len;
++ if (newBufferSize < m_bufferSize) {
++ LOG(Network, "WebSocket buffer overflow (%lu+%lu)", m_bufferSize, len);
++ return false;
++ }
+ char* newBuffer = 0;
+- if (tryFastMalloc(m_bufferSize + len).getValue(newBuffer)) {
++ if (tryFastMalloc(newBufferSize).getValue(newBuffer)) {
+ if (m_buffer)
+ memcpy(newBuffer, m_buffer, m_bufferSize);
+ memcpy(newBuffer + m_bufferSize, data, len);
+ fastFree(m_buffer);
+ m_buffer = newBuffer;
+- m_bufferSize += len;
++ m_bufferSize = newBufferSize;
+ return true;
+ }
+- m_context->addMessage(ConsoleDestination, JSMessageSource, LogMessageType, ErrorMessageLevel, String::format("WebSocket frame (at %d bytes) is too long.", m_bufferSize + len), 0, m_handshake.clientOrigin());
++ m_context->addMessage(ConsoleDestination, JSMessageSource, LogMessageType, ErrorMessageLevel, String::format("WebSocket frame (at %lu bytes) is too long.", newBufferSize), 0, m_handshake.clientOrigin());
+ return false;
+ }
+
+-void WebSocketChannel::skipBuffer(int len)
++void WebSocketChannel::skipBuffer(size_t len)
+ {
+ ASSERT(len <= m_bufferSize);
+ m_bufferSize -= len;
+Index: webkit/WebCore/websockets/WebSocketChannel.h
+===================================================================
+--- webkit.orig/WebCore/websockets/WebSocketChannel.h 2010-11-14 18:47:14.000000000 -0500
++++ webkit/WebCore/websockets/WebSocketChannel.h 2010-11-14 18:51:36.000000000 -0500
+@@ -74,15 +74,15 @@
+ private:
+ WebSocketChannel(ScriptExecutionContext*, WebSocketChannelClient*, const KURL&, const String& protocol);
+
+- bool appendToBuffer(const char* data, int len);
+- void skipBuffer(int len);
++ bool appendToBuffer(const char* data, size_t len);
++ void skipBuffer(size_t len);
+
+ ScriptExecutionContext* m_context;
+ WebSocketChannelClient* m_client;
+ WebSocketHandshake m_handshake;
+ RefPtr<SocketStreamHandle> m_handle;
+ char* m_buffer;
+- int m_bufferSize;
++ size_t m_bufferSize;
+ };
+
+ } // namespace WebCore
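Review bot: The added error path exits with `return false;` (after `didReceiveMessageError()` and after `m_handle->close()`), while the unchanged context a few lines below still reads `return;`, which indicates the enclosing function (it begins before this hunk) returns `void` in the 1.2.5 tree; a body mixing both forms cannot compile, so either the function and its callers need the upstream `bool` return type as well, or the new exits must be plain `return;`. The same block replaces the removed `handle->close()` with `m_handle->close()` guarded by `m_closed`, and `m_closed` is not among the members visible in the header hunk, so confirm both names exist in this tree. The `%lu` conversions paired with `size_t` arguments in the new `LOG` calls do not match `size_t` on 32-bit architectures; `%zu` is the portable spelling, though `LOG` is typically compiled out of release builds.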
diff --git a/debian/patches/cve-2010-4040.patch b/debian/patches/cve-2010-4040.patch
new file mode 100644
index 0000000..c4266b1
--- /dev/null
+++ b/debian/patches/cve-2010-4040.patch
@@ -0,0 +1,64 @@
+Description: fix cve-2010-4040
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: http://trac.webkit.org/changeset/68446
+Index: webkit/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp
+===================================================================
+--- webkit.orig/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp 2010-10-18 20:55:17.000000000 -0400
++++ webkit/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp 2010-11-14 19:01:51.000000000 -0500
+@@ -343,7 +343,8 @@
+
+ if ((prevMethod == RGBA32Buffer::DisposeNotSpecified) || (prevMethod == RGBA32Buffer::DisposeKeep)) {
+ // Preserve the last frame as the starting state for this frame.
+- buffer->copyBitmapData(*prevBuffer);
++ if (!buffer->copyBitmapData(*prevBuffer))
++ return setFailed();
+ } else {
+ // We want to clear the previous frame to transparent, without
+ // affecting pixels in the image outside of the frame.
+@@ -356,7 +357,8 @@
+ return setFailed();
+ } else {
+ // Copy the whole previous buffer, then clear just its frame.
+- buffer->copyBitmapData(*prevBuffer);
++ if (!buffer->copyBitmapData(*prevBuffer))
++ return setFailed();
+ for (int y = prevRect.y(); y < prevRect.bottom(); ++y) {
+ for (int x = prevRect.x(); x < prevRect.right(); ++x)
+ buffer->setRGBA(x, y, 0, 0, 0, 0);
+Index: webkit/WebCore/platform/image-decoders/ImageDecoder.cpp
+===================================================================
+--- webkit.orig/WebCore/platform/image-decoders/ImageDecoder.cpp 2010-10-18 20:55:17.000000000 -0400
++++ webkit/WebCore/platform/image-decoders/ImageDecoder.cpp 2010-11-14 19:01:51.000000000 -0500
+@@ -126,14 +126,15 @@
+ m_hasAlpha = true;
+ }
+
+-void RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
++bool RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
+ {
+ if (this == &other)
+- return;
++ return true;
+
+ m_bytes = other.m_bytes;
+ m_size = other.m_size;
+ setHasAlpha(other.m_hasAlpha);
++ return true;
+ }
+
+ bool RGBA32Buffer::setSize(int newWidth, int newHeight)
+Index: webkit/WebCore/platform/image-decoders/ImageDecoder.h
+===================================================================
+--- webkit.orig/WebCore/platform/image-decoders/ImageDecoder.h 2010-10-18 20:55:17.000000000 -0400
++++ webkit/WebCore/platform/image-decoders/ImageDecoder.h 2010-11-14 19:01:51.000000000 -0500
+@@ -83,8 +83,8 @@
+ void zeroFill();
+
+ // Creates a new copy of the image data in |other|, so the two images
+- // can be modified independently.
+- void copyBitmapData(const RGBA32Buffer& other);
++ // can be modified independently. Returns whether the copy succeeded.
++ bool copyBitmapData(const RGBA32Buffer& other);
+
+ // Copies the pixel data at [(startX, startY), (endX, startY)) to the
+ // same X-coordinates on each subsequent row up to but not including
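Review bot: In `ImageDecoder.cpp` the two exits of `RGBA32Buffer::copyBitmapData` are now `return true;` (the self-copy shortcut and the fall-through after the assignments), so this implementation never reports failure and the `if (!buffer->copyBitmapData(*prevBuffer)) return setFailed();` branches added in two places in `GIFImageDecoder.cpp` are unreachable with it. If the Debian build uses a port-specific definition of `copyBitmapData` elsewhere (not in this patch), it must also move to the `bool` signature or the build will fail, and it would be the only place a `false` could originate; if no such definition exists, this backport changes no runtime behaviour and the Origin changeset should be rechecked for the part that actually makes the copy fail. The new header comment `Returns whether the copy succeeded.` would be more useful if it also named the condition under which the copy can fail, once that is established.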
diff --git a/debian/patches/cve-2010-4042.patch b/debian/patches/cve-2010-4042.patch
new file mode 100644
index 0000000..2024b15
--- /dev/null
+++ b/debian/patches/cve-2010-4042.patch
@@ -0,0 +1,126 @@
+Description: fix cve-2010-4042
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: http://trac.webkit.org/changeset/68096
+Index: webkit/WebCore/dom/Attr.cpp
+===================================================================
+--- webkit.orig/WebCore/dom/Attr.cpp 2010-11-17 22:06:14.000000000 -0500
++++ webkit/WebCore/dom/Attr.cpp 2010-11-17 22:06:18.000000000 -0500
+@@ -117,13 +117,21 @@
+ return value();
+ }
+
+-void Attr::setValue(const AtomicString& value, ExceptionCode&)
++void Attr::setValue(const AtomicString& value)
+ {
+ m_ignoreChildrenChanged++;
+ removeChildren();
+ m_attribute->setValue(value);
+ createTextChild();
+ m_ignoreChildrenChanged--;
++}
++
++void Attr::setValue(const AtomicString& value, ExceptionCode&)
++{
++ if (m_element && m_element->isIdAttributeName(m_attribute->name()))
++ m_element->updateId(m_element->getIDAttribute(), value);
++
++ setValue(value);
+
+ if (m_element)
+ m_element->attributeChanged(m_attribute.get());
+@@ -167,7 +175,10 @@
+ if (n->isTextNode())
+ val += static_cast<Text *>(n)->data();
+ }
+-
++
++ if (m_element && m_element->isIdAttributeName(m_attribute->name()))
++ m_element->updateId(m_attribute->value(), val);
++
+ m_attribute->setValue(val.impl());
+ if (m_element)
+ m_element->attributeChanged(m_attribute.get());
+Index: webkit/WebCore/dom/Attr.h
+===================================================================
+--- webkit.orig/WebCore/dom/Attr.h 2010-11-17 22:06:14.000000000 -0500
++++ webkit/WebCore/dom/Attr.h 2010-11-17 22:06:18.000000000 -0500
+@@ -48,6 +48,7 @@
+
+ const AtomicString& value() const { return m_attribute->value(); }
+ void setValue(const AtomicString&, ExceptionCode&);
++ void setValue(const AtomicString&);
+
+ Attribute* attr() const { return m_attribute.get(); }
+ const QualifiedName& qualifiedName() const { return m_attribute->name(); }
+Index: webkit/WebCore/dom/Element.cpp
+===================================================================
+--- webkit.orig/WebCore/dom/Element.cpp 2010-11-17 22:06:14.000000000 -0500
++++ webkit/WebCore/dom/Element.cpp 2010-11-17 22:06:18.000000000 -0500
+@@ -576,7 +576,10 @@
+ else if (!old && !value.isNull())
+ namedAttrMap->addAttribute(createAttribute(QualifiedName(nullAtom, localName, nullAtom), value));
+ else if (old && !value.isNull()) {
+- old->setValue(value);
++ if (Attr* attrNode = old->attr())
++ attrNode->setValue(value);
++ else
++ old->setValue(value);
+ attributeChanged(old);
+ }
+
+@@ -605,7 +608,10 @@
+ else if (!old && !value.isNull())
+ namedAttrMap->addAttribute(createAttribute(name, value));
+ else if (old) {
+- old->setValue(value);
++ if (Attr* attrNode = old->attr())
++ attrNode->setValue(value);
++ else
++ old->setValue(value);
+ attributeChanged(old);
+ }
+
+Index: webkit/WebCore/dom/Document.cpp
+===================================================================
+--- webkit.orig/WebCore/dom/Document.cpp 2010-11-17 22:06:14.000000000 -0500
++++ webkit/WebCore/dom/Document.cpp 2010-11-17 22:06:18.000000000 -0500
+@@ -1082,8 +1082,10 @@
+
+ if (m_elementsById.get(elementId.impl()) == element)
+ m_elementsById.remove(elementId.impl());
+- else
++ else {
++ ASSERT(m_inRemovedLastRefFunction || m_duplicateIds.contains(elementId.impl()));
+ m_duplicateIds.remove(elementId.impl());
++ }
+ }
+
+ Element* Document::getElementByAccessKey(const String& key) const
+Index: webkit/WebCore/dom/Element.h
+===================================================================
+--- webkit.orig/WebCore/dom/Element.h 2010-11-17 22:06:14.000000000 -0500
++++ webkit/WebCore/dom/Element.h 2010-11-17 22:20:19.000000000 -0500
+@@ -100,6 +100,7 @@
+
+ virtual PassRefPtr<DocumentFragment> createContextualFragment(const String&, FragmentScriptingPermission = FragmentScriptingAllowed);
+
++ bool isIdAttributeName(const QualifiedName&) const;
+ const AtomicString& getIDAttribute() const;
+ bool hasAttribute(const QualifiedName&) const;
+ const AtomicString& getAttribute(const QualifiedName&) const;
+@@ -386,6 +387,15 @@
+ doc->addElementById(newId, this);
+ }
+
++inline bool Element::isIdAttributeName(const QualifiedName& attributeName) const
++{
++ // FIXME: This check is probably not correct for the case where the document has an id attribute
++ // with a non-null namespace, because it will return false, a false negative, if the prefixes
++ // don't match but the local name and namespace both do. However, since this has been like this
++ // for a while and the code paths may be hot, we'll have to measure performance if we fix it.
++ return attributeName == idAttributeName();
++}
++
+ } //namespace
+
+ #endif
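Review bot: The new one-argument `Attr::setValue(const AtomicString&)` and the existing two-argument overload now have different side effects — only the latter updates the element's id map via `m_element->updateId(...)` and then calls `attributeChanged` — but the declarations in `Attr.h` carry no comment distinguishing them. Suggest `// Replaces the value and text child only; does not touch the document id map or notify the element.` on the one-argument declaration and `// Also keeps the document id map in sync and notifies the owning element.` on the two-argument one. The `Element.cpp` callers rely on this split (they call `attrNode->setValue(value)` and then `attributeChanged(old)` themselves), and the id-map update for that path presumably happens in the surrounding `setAttribute` code outside the hunk — worth confirming. The `ASSERT` added in `Document.cpp` references `m_inRemovedLastRefFunction`, which this patch does not introduce; confirm the 1.2.5 `Document` has that member, since a debug build would otherwise fail there.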
diff --git a/debian/patches/series b/debian/patches/series
index 52778d2..c1c61c8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,7 @@ cve-2010-2651.patch
cve-2010-2900.patch
cve-2010-2901.patch
cve-2010-3120.patch
+cve-2010-1824.patch
+cve-2010-3254.patch
+cve-2010-4040.patch
+cve-2010-4042.patch
--