[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-36-g0136662

Michael Gilbert michael.s.gilbert at gmail.com
Wed Sep 8 00:08:25 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit 5b8a7e678dc05f6f549d3fa3ad4b6c287f427a04
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date:   Mon Sep 6 22:02:39 2010 -0400

    fix cve-2010-2900

diff --git a/debian/changelog b/debian/changelog
index 0a765ac..4bbd67d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ webkit (1.2.4-2) unstable; urgency=high
 
   * fix cve-2010-2646: security origin bypass using IFRAME elements.
   * fix cve-2010-2651: vulnerability in css style rendering.
+  * fix cve-2010-2900: vulnerability with large canvas elements when using the
+    SKIA library.
 
  -- Michael Gilbert <michael.s.gilbert at gmail.com>  Mon, 06 Sep 2010 21:36:40 -0400
 
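Review bot: the new entry at "* fix cve-2010-2900" does not say where the fix comes from, unlike the patch header, which records "origin: http://trac.webkit.org/changeset/63219". Consider citing that changeset or the patch file name (cve-2010-2900.patch) in the entry so the changelog can be traced to the change. The trailer line still reads 21:36:40 although the patch file added in this commit is timestamped 21:59:30; refresh it if the package convention is to update the trailer with each entry.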
diff --git a/debian/patches/cve-2010-2900.patch b/debian/patches/cve-2010-2900.patch
new file mode 100644
index 0000000..e4b31e9
--- /dev/null
+++ b/debian/patches/cve-2010-2900.patch
@@ -0,0 +1,29 @@
+description: fix cve-2010-2900
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/63219
+Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp	2010-09-03 15:18:06.000000000 -0400
++++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp	2010-09-06 21:59:30.000000000 -0400
+@@ -66,6 +66,9 @@
+ 
+ HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc)
+     : HTMLElement(tagName, doc)
++//In Skia, we will also limit width/height to 32767.
++static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.
++
+     , m_size(defaultWidth, defaultHeight)
+     , m_observer(0)
+     , m_originClean(true)
+@@ -293,6 +296,11 @@
+     if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea))
+         return IntSize();
+ 
++#if PLATFORM(SKIA)
++    if (wf > MaxSkiaDim || hf > MaxSkiaDim)
++        return IntSize();
++#endif
++
+     return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf));
+ }
+ 
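Review bot: the inner hunk at "@@ -66,6 +66,9 @@" inserts the "static const float MaxSkiaDim = 32767.0F;" declaration between ": HTMLElement(tagName, doc)" and ", m_size(defaultWidth, defaultHeight)", which is the middle of the constructor's member initializer list, so a tree with this patch applied will not compile. Move the comment and the constant to file scope ahead of the constructor (for example beside the definition of MaxCanvasArea, which the size check in the second inner hunk already uses) and refresh the hunk offsets. Separately, the new bounds check is wrapped in "#if PLATFORM(SKIA)", so it only takes effect in a Skia build; if this package is built against a different graphics backend the check compiles out and the patch changes no behaviour, which is worth confirming before the changelog lists the CVE as fixed.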
diff --git a/debian/patches/series b/debian/patches/series
index a9873a1..d4d3fbf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 04-spoof-user-agent-to-google.patch
 cve-2010-2646.patch
 cve-2010-2651.patch
+cve-2010-2900.patch

-- 
WebKit Debian packaging


