[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-36-g0136662

Michael Gilbert michael.s.gilbert at gmail.com
Wed Sep 8 00:08:29 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit d06de5a818c351f6fe601c2579b4ae452bb93763
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date:   Mon Sep 6 22:08:11 2010 -0400

    fix cve-2010-2901

diff --git a/debian/changelog b/debian/changelog
index 4bbd67d..69b84d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ webkit (1.2.4-2) unstable; urgency=high
   * fix cve-2010-2651: vulnerability in css style rendering.
   * fix cve-2010-2900: vulnerability with large canvas elements when using the
     SKIA library.
+  * fix cve-2010-2901: vulnerability in the rendering implementation.
 
  -- Michael Gilbert <michael.s.gilbert at gmail.com>  Mon, 06 Sep 2010 21:36:40 -0400
 
diff --git a/debian/patches/cve-2010-2901.patch b/debian/patches/cve-2010-2901.patch
new file mode 100644
index 0000000..df95114
--- /dev/null
+++ b/debian/patches/cve-2010-2901.patch
@@ -0,0 +1,98 @@
+description: fix cve-2010-2901
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/63048
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp	2010-09-03 15:18:07.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp	2010-09-06 22:03:38.000000000 -0400
+@@ -560,6 +560,19 @@
+     return 0;
+ }
+ 
++RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
++{
++    RenderObject* curr = const_cast<RenderObject*>(this);
++    while (curr) {
++        if (curr->isBoxModelObject())
++            return toRenderBoxModelObject(curr);
++        curr = curr->parent();
++    }
++
++    ASSERT_NOT_REACHED();
++    return 0;
++}
++
+ RenderBlock* RenderObject::firstLineBlock() const
+ {
+     return 0;
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h	2010-09-03 15:18:07.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.h	2010-09-06 22:03:38.000000000 -0400
+@@ -193,7 +193,8 @@
+ 
+     // Convenience function for getting to the nearest enclosing box of a RenderObject.
+     RenderBox* enclosingBox() const;
+-    
++    RenderBoxModelObject* enclosingBoxModelObject() const;
++
+     virtual bool isEmpty() const { return firstChild() == 0; }
+ 
+ #ifndef NDEBUG
+Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp	2010-09-03 15:18:07.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp	2010-09-06 22:06:03.000000000 -0400
+@@ -639,11 +639,24 @@
+             // outlines.
+             if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
+                 RenderInline* inlineFlow = toRenderInline(renderer());
+-                if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
++
++                RenderBlock* cb = 0;
++                bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineElementContinuation();
++                if (containingBlockPaintsContinuationOutline) {
++                    cb = renderer()->containingBlock()->containingBlock();
++
++                    for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
++                        if (box->hasSelfPaintingLayer()) {
++                            containingBlockPaintsContinuationOutline = false;
++                            break;
++                        }
++                    }
++                }
++
++                if (containingBlockPaintsContinuationOutline) {
+                     // Add ourselves to the containing block of the entire continuation so that it can
+                     // paint us atomically.
+-                    RenderBlock* block = renderer()->containingBlock()->containingBlock();
+-                    block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
++                    cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+                 } else if (!inlineFlow->isInlineContinuation())
+                     paintInfo.outlineObjects->add(inlineFlow);
+             }
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp	2010-09-06 22:03:04.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp	2010-09-06 22:03:38.000000000 -0400
+@@ -1766,8 +1766,18 @@
+     if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
+         if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
+             RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
+-            if (!inlineRenderer->hasSelfPaintingLayer())
+-                containingBlock()->addContinuationWithOutline(inlineRenderer);
++            RenderBlock* cb = containingBlock();
++
++            bool inlineEnclosedInSelfPaintingLayer = false;
++            for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
++                if (box->hasSelfPaintingLayer()) {
++                    inlineEnclosedInSelfPaintingLayer = true;
++                    break;
++                }
++            }
++
++            if (!inlineEnclosedInSelfPaintingLayer)
++                cb->addContinuationWithOutline(inlineRenderer);
+             else if (!inlineRenderer->firstLineBox())
+                 inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(),
+                                              ty - y() + inlineRenderer->containingBlock()->y());
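Review bot: Both new ancestor walks — the `for` over `box` in InlineFlowBox.cpp and the matching one in RenderBlock.cpp — terminate only when `box` reaches `cb`, and the step `box->parent()->enclosingBoxModelObject()` dereferences `parent()` unconditionally; if `cb` is not on the box's ancestor chain the walk reaches the root where `parent()` is null, and in release builds the new `enclosingBoxModelObject()` itself returns 0 after `ASSERT_NOT_REACHED()`, so the next `box->hasSelfPaintingLayer()` dereferences null. A null-tolerant loop header turns that into a skipped outline rather than a crash, e.g. `for (RenderBoxModelObject* box = boxModelObject(); box && box != cb; box = box->parent() ? box->parent()->enclosingBoxModelObject() : 0)`, with the same guard in RenderBlock.cpp. Separately, the new condition calls `inlineFlow->isInlineElementContinuation()` while the unchanged else-branch a few lines below still calls `inlineFlow->isInlineContinuation()`; unless the webkit-1.2.4 tree already declares both predicates, this backport of upstream changeset 63048 will not compile, so confirm the name against RenderInline.h in this tree. The paint functions these hunks modify start and end outside the patch.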
diff --git a/debian/patches/series b/debian/patches/series
index d4d3fbf..b16d306 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 cve-2010-2646.patch
 cve-2010-2651.patch
 cve-2010-2900.patch
+cve-2010-2901.patch



