Hello community, here is the log from the commit of package libwebkit for openSUSE:11.2 checked in at Wed Feb 23 12:38:26 CET 2011.
-------- --- old-versions/11.2/UPDATES/all/libwebkit/libwebkit.changes 2011-01-10 14:26:29.000000000 +0100 +++ 11.2/libwebkit/libwebkit.changes 2011-02-17 11:40:08.000000000 +0100 @@ -1,0 +2,14 @@ +Thu Feb 17 11:30:32 CET 2011 - [email protected] + +- Update to version 1.2.7 (bnc#672521, bnc#672526, bnc#672527, + bnc#672530, bnc#672534, bnc#672618): + + Fixes a regression caused by earlier fix for CVE-2010-1791. + This caused webkitgtk to crash on certain sites with + javascript. + + Fixes the following CVEs: + CVE-2010-2901 CVE-2010-4040 CVE-2010-4042 CVE-2010-4199 + CVE-2010-4492 CVE-2010-4493 CVE-2010-4578 CVE-2011-0482 + CVE-2011-0778 +- Drop libwebkit-CVE-2010-4040.patch: fixed upstream. + +------------------------------------------------------------------- calling whatdependson for 11.2-i586 Old: ---- libwebkit-CVE-2010-4040.patch webkit-1.2.6.tar.bz2 New: ---- webkit-1.2.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libwebkit.spec ++++++ --- /var/tmp/diff_new_pack.FUhgT3/_old 2011-02-23 12:38:14.000000000 +0100 +++ /var/tmp/diff_new_pack.FUhgT3/_new 2011-02-23 12:38:14.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package libwebkit (Version 1.2.6) +# spec file for package libwebkit # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -40,14 +40,12 @@ Group: Development/Libraries/C and C++ Summary: Library for rendering web content, GTK+ Port BuildRoot: %{_tmppath}/%{name}-%{version}-build -Version: 1.2.6 +Version: 1.2.7 Release: 0.<RELEASE2> Source: webkit-%{version}.tar.bz2 Source1: baselibs.conf # PATCH-FIX-UPSTREAM libwebkit-fixbuild.patch webkit-bug#36054 [email protected] -- Fix brp check failures Patch0: libwebkit-fixbuild.patch -# PATCH-FIX-UPSTREAM libwebkit-CVE-2010-4040.patch CVE-2010-4040 [email protected] -- DoS with GIF image -Patch1: libwebkit-CVE-2010-4040.patch %define debug_package_requires libwebkit-1_0-2 = %{version}-%{release} %description @@ -119,7 +117,6 @@ %prep %setup -q -n webkit-%{version} %patch0 -p1 -%patch1 -p2 %build export SUSE_ASNEEDED=0 ++++++ webkit-1.2.6.tar.bz2 -> webkit-1.2.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/JavaScriptCore/interpreter/Interpreter.cpp new/webkit-1.2.7/JavaScriptCore/interpreter/Interpreter.cpp --- old/webkit-1.2.6/JavaScriptCore/interpreter/Interpreter.cpp 2010-12-28 13:24:33.000000000 +0100 +++ new/webkit-1.2.7/JavaScriptCore/interpreter/Interpreter.cpp 2011-02-07 18:29:58.000000000 +0100 
@@ -3465,17 +3465,17 @@ goto vm_throw; } ASSERT(!callFrame->callee()->isHostFunction()); - uint32_t expectedParams = callFrame->callee()->jsExecutable()->parameterCount(); - uint32_t inplaceArgs = min(argCount, expectedParams); - uint32_t i = 0; + int32_t expectedParams = callFrame->callee()->jsExecutable()->parameterCount(); + int32_t inplaceArgs = min(static_cast<int32_t> (argCount), expectedParams); + int32_t i = 0; Register* argStore = callFrame->registers() + argsOffset; // First step is to copy the "expected" parameters from their normal location relative to the callframe for (; i < inplaceArgs; i++) argStore[i] = callFrame->registers()[i - RegisterFile::CallFrameHeaderSize - expectedParams]; // Then we copy any additional arguments that may be further up the stack ('-1' to account for 'this') - for (; i < argCount; i++) - argStore[i] = callFrame->registers()[i - RegisterFile::CallFrameHeaderSize - expectedParams - argCount - 1]; + for (; i < static_cast<int32_t> (argCount); i++) + argStore[i] = callFrame->registers()[i - RegisterFile::CallFrameHeaderSize - expectedParams - static_cast<int32_t> (argCount) - 1]; } else if (!arguments.isUndefinedOrNull()) { if (!arguments.isObject()) { exceptionValue = createInvalidParamError(callFrame, "Function.prototype.apply", arguments, vPC - callFrame->codeBlock()->instructions().begin(), callFrame->codeBlock()); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/css/CSSCursorImageValue.cpp new/webkit-1.2.7/WebCore/css/CSSCursorImageValue.cpp --- old/webkit-1.2.6/WebCore/css/CSSCursorImageValue.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/css/CSSCursorImageValue.cpp 2011-02-07 18:29:58.000000000 +0100 
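Review bot: The three `static_cast<int32_t> (argCount)` casts in the new lines should be hoisted into one signed local so the intent is stated once, e.g. `int32_t signedArgCount = static_cast<int32_t>(argCount);` used in the `min` call, the second loop bound and the register index; WebKit style also puts no space before the cast's parenthesis. The switch to `int32_t` appears to exist because the register index `i - RegisterFile::CallFrameHeaderSize - expectedParams - argCount - 1` is negative by design and wrapped under unsigned arithmetic, which is presumably the crash regression the changes entry attributes to the earlier CVE-2010-1791 fix; a one-line comment saying so would keep the next reader from "fixing" the types back. The enclosing interpreter case starts and ends outside the hunk.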
@@ -70,7 +70,7 @@ for (; it != end; ++it) { SVGElement* referencedElement = *it; - referencedElement->setCursorImageValue(0); + referencedElement->cursorImageValueRemoved(); if (SVGCursorElement* cursorElement = resourceReferencedByCursorElement(url, referencedElement->document())) cursorElement->removeClient(referencedElement); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/css/CSSRuleList.cpp new/webkit-1.2.7/WebCore/css/CSSRuleList.cpp --- old/webkit-1.2.6/WebCore/css/CSSRuleList.cpp 2010-03-19 16:20:54.000000000 +0100 +++ new/webkit-1.2.7/WebCore/css/CSSRuleList.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -76,6 +76,7 @@ return; } + m_lstCSSRules[index]->setParent(0); m_lstCSSRules.remove(index); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/css/CSSStyleSheet.cpp new/webkit-1.2.7/WebCore/css/CSSStyleSheet.cpp --- old/webkit-1.2.6/WebCore/css/CSSStyleSheet.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/css/CSSStyleSheet.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -135,6 +135,7 @@ } ec = 0; + item(index)->setParent(0); remove(index); styleSheetChanged(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/editing/ReplaceSelectionCommand.cpp new/webkit-1.2.7/WebCore/editing/ReplaceSelectionCommand.cpp --- old/webkit-1.2.6/WebCore/editing/ReplaceSelectionCommand.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/editing/ReplaceSelectionCommand.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -51,9 +51,12 @@ #include "markup.h" #include "visible_units.h" #include <wtf/StdLibExtras.h> +#include <wtf/Vector.h> namespace WebCore { +typedef Vector<RefPtr<Node> > NodeVector; + using namespace HTMLNames; enum EFragmentType { EmptyFragment, SingleTextNodeFragment, TreeFragment }; 
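Review bot: `item(index)->setParent(0);` on the new CSSStyleSheet.cpp line dereferences the result of `item(index)` without a null check; if `item()` can return 0 for an index that the range check above the hunk does not reject, this crashes before `remove(index)` runs, so the check above (outside the hunk) should be confirmed to cover it. The same parent-clearing fix appears in the CSSRuleList.cpp hunk on this line, and neither says why it is needed; a comment such as `// Detach the rule from this sheet so it does not keep a stale parent pointer after removal.` would document the stale-pointer fix the NEWS entry describes.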
@@ -707,7 +710,12 @@ void ReplaceSelectionCommand::copyStyleToChildren(Node* parentNode, const CSSMutableStyleDeclaration* parentStyle) { ASSERT(parentNode->hasTagName(spanTag)); - for (Node* childNode = parentNode->firstChild(); childNode; childNode = childNode->nextSibling()) { + NodeVector childNodes; + for (RefPtr<Node> childNode = parentNode->firstChild(); childNode; childNode = childNode->nextSibling()) + childNodes.append(childNode); + + for (NodeVector::const_iterator it = childNodes.begin(); it != childNodes.end(); it++) { + Node* childNode = it->get(); if (childNode->isTextNode() || !isBlock(childNode) || childNode->hasTagName(preTag)) { // In this case, put a span tag around the child node. RefPtr<Node> newSpan = parentNode->cloneNode(false); @@ -867,7 +875,11 @@ // Inserting content could cause whitespace to collapse, e.g. inserting <div>foo</div> into hello^ world. prepareWhitespaceAtPositionForSplit(insertionPos); - + + // If the downstream node has been removed there's no point in continuing. + if (!insertionPos.downstream().node()) + return; + // NOTE: This would be an incorrect usage of downstream() if downstream() were changed to mean the last position after // p that maps to the same visible position as p (since in the case where a br is at the end of a block and collapsed // away, there are positions after the br which map to the same visible position as [br, 0]). 
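Review bot: The new loop over `childNodes` uses post-increment `it++` on a `NodeVector::const_iterator`; the other loops in this hunk and WebKit style use pre-increment, so `++it` is preferred. The snapshot into a `NodeVector` of `RefPtr<Node>` is the substance of the fix but is uncommented; a line such as `// Snapshot the children first: inserting spans below can run mutation events that detach siblings.` would record why the direct sibling walk was abandoned — the mutation-event motivation is inferred from the `inDocument()` checks elsewhere in this file and should be checked against the bug report. copyStyleToChildren continues past the hunk.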
@@ -945,10 +957,10 @@ bool plainTextFragment = isPlainTextMarkup(refNode.get()); while (node) { - Node* next = node->nextSibling(); - fragment.removeNode(node); + RefPtr<Node> next = node->nextSibling(); + fragment.removeNode(node.get()); insertNodeAfterAndUpdateNodesInserted(node, refNode.get()); - + // Mutation events (bug 22634) may have already removed the inserted content if (!node->inDocument()) return; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/page/DragController.cpp new/webkit-1.2.7/WebCore/page/DragController.cpp --- old/webkit-1.2.6/WebCore/page/DragController.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/page/DragController.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -292,6 +292,9 @@ if (!m_documentUnderMouse) return false; + if (m_dragInitiator && !m_documentUnderMouse->securityOrigin()->canReceiveDragData(m_dragInitiator->securityOrigin())) + return false; + m_isHandlingDrag = false; if (actionMask & DragDestinationActionDHTML) { m_isHandlingDrag = tryDHTMLDrag(dragData, operation); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/page/EventHandler.cpp new/webkit-1.2.7/WebCore/page/EventHandler.cpp --- old/webkit-1.2.6/WebCore/page/EventHandler.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/page/EventHandler.cpp 2011-02-07 18:29:58.000000000 +0100 
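Review bot: The new origin check in DragController.cpp returns false before `m_isHandlingDrag = false;` is reached, so a rejected cross-origin drop leaves `m_isHandlingDrag` at whatever value the previous call set; the existing `if (!m_documentUnderMouse) return false;` has the same shape, so this may be intentional, but if callers read that flag after a rejected drop it should be cleared on this path too. It is also worth documenting that the check is skipped entirely when `m_dragInitiator` is null, i.e. for drags that did not originate in this page, e.g. `// Drags from outside the page have no initiator origin and are not subject to this check.` The enclosing function starts and ends outside the hunk.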
@@ -549,13 +549,13 @@ if (!targetNode) return; + if (!canMouseDragExtendSelect(targetNode)) + return; + RenderObject* targetRenderer = targetNode->renderer(); if (!targetRenderer) return; - if (!canMouseDragExtendSelect(targetNode)) - return; - VisiblePosition targetPosition(targetRenderer->positionForPoint(localPoint)); // Don't modify the selection if we're not on a node. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/page/FrameView.cpp new/webkit-1.2.7/WebCore/page/FrameView.cpp --- old/webkit-1.2.6/WebCore/page/FrameView.cpp 2010-09-28 23:02:14.000000000 +0200 +++ new/webkit-1.2.7/WebCore/page/FrameView.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -972,8 +972,11 @@ if (anchorNode && anchorNode->hasTagName(SVGNames::viewTag)) { RefPtr<SVGViewElement> viewElement = anchorNode->hasTagName(SVGNames::viewTag) ? static_cast<SVGViewElement*>(anchorNode) : 0; if (viewElement.get()) { - RefPtr<SVGSVGElement> svg = static_cast<SVGSVGElement*>(SVGLocatable::nearestViewportElement(viewElement.get())); - svg->inheritViewAttributes(viewElement.get()); + SVGElement* element = SVGLocatable::nearestViewportElement(viewElement.get()); + if (element->hasTagName(SVGNames::svgTag)) { + RefPtr<SVGSVGElement> svg = static_cast<SVGSVGElement*>(element); + svg->inheritViewAttributes(viewElement.get()); + } } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/page/SecurityOrigin.cpp new/webkit-1.2.7/WebCore/page/SecurityOrigin.cpp --- old/webkit-1.2.6/WebCore/page/SecurityOrigin.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/page/SecurityOrigin.cpp 2011-02-07 18:29:58.000000000 +0100 
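Review bot: `element->hasTagName(SVGNames::svgTag)` on the new FrameView.cpp line dereferences the return of `SVGLocatable::nearestViewportElement()` without a null check; the old code had the same exposure, but since the point of the change is to stop trusting that result's type, guarding its nullness too is cheap: `if (element && element->hasTagName(SVGNames::svgTag)) {`. Whether nearestViewportElement can actually return 0 for a `<view>` element is not visible here and should be confirmed. The enclosing function continues outside the hunk.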
@@ -307,6 +307,21 @@ return true; } +bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const +{ + if (this == dragInitiator) + return true; + + // FIXME: Currently we treat data URLs as having a unique origin, contrary to the + // current (9/19/2009) draft of the HTML5 specification. We still want to allow + // drop across data URLs, so we special case data URLs below. If we change to + // match HTML5 w.r.t. data URL security, then we can remove this check. + if (m_protocol == "data") + return true; + + return canAccess(dragInitiator); +} + bool SecurityOrigin::canLoad(const KURL& url, const String& referrer, Document* document) { if (!shouldTreatURLAsLocal(url.string())) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/page/SecurityOrigin.h new/webkit-1.2.7/WebCore/page/SecurityOrigin.h --- old/webkit-1.2.6/WebCore/page/SecurityOrigin.h 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/page/SecurityOrigin.h 2011-02-07 18:29:58.000000000 +0100 
@@ -86,6 +86,11 @@ // drawing an image onto an HTML canvas element with the drawImage API. bool taintsCanvas(const KURL&) const; + // Returns true if this SecurityOrigin can receive drag content from the + // initiator. For example, call this function before allowing content to be + // dropped onto a target. + bool canReceiveDragData(const SecurityOrigin* dragInitiator) const; + // Returns true for any non-local URL. If document parameter is supplied, // its local load policy dictates, otherwise if referrer is non-empty and // represents a local file, then the local load is allowed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/platform/image-decoders/ImageDecoder.cpp new/webkit-1.2.7/WebCore/platform/image-decoders/ImageDecoder.cpp --- old/webkit-1.2.6/WebCore/platform/image-decoders/ImageDecoder.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/platform/image-decoders/ImageDecoder.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -126,14 +126,15 @@ m_hasAlpha = true; } -void RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other) +bool RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other) { if (this == &other) - return; + return true; m_bytes = other.m_bytes; m_size = other.m_size; setHasAlpha(other.m_hasAlpha); + return true; } bool RGBA32Buffer::setSize(int newWidth, int newHeight) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/platform/image-decoders/ImageDecoder.h new/webkit-1.2.7/WebCore/platform/image-decoders/ImageDecoder.h --- old/webkit-1.2.6/WebCore/platform/image-decoders/ImageDecoder.h 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/platform/image-decoders/ImageDecoder.h 2011-02-07 18:29:58.000000000 +0100 
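Review bot: `copyBitmapData` now returns `bool` but both of its paths return `true`, so the failure branches its GIF callers gain can never be taken in this port; if the `Vector` assignment to `m_bytes` cannot fail here, say so, e.g. `// The Vector copy cannot fail in this port; the bool return exists for the decoder interface.` Otherwise the value is a misleading signal next to the header comment, which now promises to report whether the copy succeeded.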
@@ -83,8 +83,8 @@ void zeroFill(); // Creates a new copy of the image data in |other|, so the two images - // can be modified independently. - void copyBitmapData(const RGBA32Buffer& other); + // can be modified independently. Returns whether the copy succeeded. + bool copyBitmapData(const RGBA32Buffer& other); // Copies the pixel data at [(startX, startY), (endX, startY)) to the // same X-coordinates on each subsequent row up to but not including diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp new/webkit-1.2.7/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp --- old/webkit-1.2.6/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -343,7 +343,8 @@ if ((prevMethod == RGBA32Buffer::DisposeNotSpecified) || (prevMethod == RGBA32Buffer::DisposeKeep)) { // Preserve the last frame as the starting state for this frame. - buffer->copyBitmapData(*prevBuffer); + if (!buffer->copyBitmapData(*prevBuffer)); + return setFailed(); } else { // We want to clear the previous frame to transparent, without // affecting pixels in the image outside of the frame. 
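Review bot: The added `if (!buffer->copyBitmapData(*prevBuffer));` ends in a stray semicolon, so the `if` body is empty and the following `return setFailed();` runs unconditionally — every animated GIF frame that reaches this branch (and the identical one in the @@ -356 hunk on the next line) is marked as failed even though the copy succeeded. Both sites should read `if (!buffer->copyBitmapData(*prevBuffer))` followed by `return setFailed();` with no semicolon after the condition. A compiler warning such as `-Wempty-body` would have caught this; the enclosing function starts and ends outside the hunk.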
@@ -356,7 +357,8 @@ return setFailed(); } else { // Copy the whole previous buffer, then clear just its frame. - buffer->copyBitmapData(*prevBuffer); + if (!buffer->copyBitmapData(*prevBuffer)); + return setFailed(); for (int y = prevRect.y(); y < prevRect.bottom(); ++y) { for (int x = prevRect.x(); x < prevRect.right(); ++x) buffer->setRGBA(x, y, 0, 0, 0, 0); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/InlineFlowBox.cpp new/webkit-1.2.7/WebCore/rendering/InlineFlowBox.cpp --- old/webkit-1.2.6/WebCore/rendering/InlineFlowBox.cpp 2010-09-28 23:02:12.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/InlineFlowBox.cpp 2011-02-07 18:29:58.000000000 +0100 
@@ -639,11 +639,24 @@ // outlines. if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) { RenderInline* inlineFlow = toRenderInline(renderer()); - if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) { + + RenderBlock* cb = 0; + bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation(); + if (containingBlockPaintsContinuationOutline) { + cb = renderer()->containingBlock()->containingBlock(); + + for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) { + if (box->hasSelfPaintingLayer()) { + containingBlockPaintsContinuationOutline = false; + break; + } + } + } + + if (containingBlockPaintsContinuationOutline) { // Add ourselves to the containing block of the entire continuation so that it can // paint us atomically. - RenderBlock* block = renderer()->containingBlock()->containingBlock(); - block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer())); + cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer())); } else if (!inlineFlow->isInlineContinuation()) paintInfo.outlineObjects->add(inlineFlow); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderBlock.cpp new/webkit-1.2.7/WebCore/rendering/RenderBlock.cpp --- old/webkit-1.2.6/WebCore/rendering/RenderBlock.cpp 2010-09-28 23:45:32.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderBlock.cpp 2011-02-07 18:29:58.000000000 +0100 
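Review bot: The new ancestor walk `for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject())` terminates only if `cb` is reached; if `cb` is not an ancestor of `boxModelObject()`, `box->parent()` becomes null at the root and is dereferenced. It is plausible that `containingBlock()->containingBlock()` is always on that chain, but a comment stating the invariant, e.g. `// cb is the containing block of our containing block, so it is an ancestor and the walk terminates.`, or a `box && box != cb` guard, would make that explicit. The same loop shape appears in the RenderBlock.cpp hunk on the next line, where the same invariant is assumed with `containingBlock()`.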
@@ -1766,8 +1766,18 @@ if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) { if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) { RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer()); - if (!inlineRenderer->hasSelfPaintingLayer()) - containingBlock()->addContinuationWithOutline(inlineRenderer); + RenderBlock* cb = containingBlock(); + + bool inlineEnclosedInSelfPaintingLayer = false; + for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) { + if (box->hasSelfPaintingLayer()) { + inlineEnclosedInSelfPaintingLayer = true; + break; + } + } + + if (!inlineEnclosedInSelfPaintingLayer) + cb->addContinuationWithOutline(inlineRenderer); else if (!inlineRenderer->firstLineBox()) inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(), ty - y() + inlineRenderer->containingBlock()->y()); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderObject.cpp new/webkit-1.2.7/WebCore/rendering/RenderObject.cpp --- old/webkit-1.2.6/WebCore/rendering/RenderObject.cpp 2010-09-28 23:02:12.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderObject.cpp 2011-02-07 18:29:58.000000000 +0100 
@@ -560,6 +560,19 @@ return 0; } +RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const +{ + RenderObject* curr = const_cast<RenderObject*>(this); + while (curr) { + if (curr->isBoxModelObject()) + return toRenderBoxModelObject(curr); + curr = curr->parent(); + } + + ASSERT_NOT_REACHED(); + return 0; +} + RenderBlock* RenderObject::firstLineBlock() const { return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderObject.h new/webkit-1.2.7/WebCore/rendering/RenderObject.h --- old/webkit-1.2.6/WebCore/rendering/RenderObject.h 2010-09-28 23:45:32.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderObject.h 2011-02-07 18:29:58.000000000 +0100 @@ -193,7 +193,9 @@ // Convenience function for getting to the nearest enclosing box of a RenderObject. RenderBox* enclosingBox() const; - + + RenderBoxModelObject* enclosingBoxModelObject() const; + virtual bool isEmpty() const { return firstChild() == 0; } #ifndef NDEBUG diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderTable.cpp new/webkit-1.2.7/WebCore/rendering/RenderTable.cpp --- old/webkit-1.2.6/WebCore/rendering/RenderTable.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderTable.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -154,7 +154,7 @@ if (!wrapInAnonymousSection) { // If the next renderer is actually wrapped in an anonymous table section, we need to go up and find that. - while (beforeChild && !beforeChild->isTableSection() && !beforeChild->isTableCol() && beforeChild->style()->display() != TABLE_CAPTION) + while (beforeChild && beforeChild->parent() != this) beforeChild = beforeChild->parent(); RenderBox::addChild(child, beforeChild); 
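Review bot: `enclosingBoxModelObject()` casts away `const` on `this` at the top of the walk rather than at the single point where it matters; keeping `curr` as `const RenderObject*` and casting only the returned object would limit the `const_cast` to one line, assuming `toRenderBoxModelObject` accepts a const pointer, which is not visible here. The `ASSERT_NOT_REACHED()` fallthrough to `return 0` relies on every live renderer having a box-model ancestor; a one-line comment saying so, e.g. `// Every renderer in the tree hangs below a box-model object, so 0 is never returned in practice.`, would document why 0 is treated as unreachable — hedged, since the root's type is not shown here.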
@@ -170,6 +170,8 @@ while (lastBox && lastBox->parent()->isAnonymous() && !lastBox->isTableSection() && lastBox->style()->display() != TABLE_CAPTION && lastBox->style()->display() != TABLE_COLUMN_GROUP) lastBox = lastBox->parent(); if (lastBox && lastBox->isAnonymous() && !isAfterContent(lastBox)) { + if (beforeChild == lastBox) + beforeChild = lastBox->firstChild(); lastBox->addChild(child, beforeChild); return; } @@ -1083,6 +1085,8 @@ int RenderTable::firstLineBoxBaseline() const { + recalcSectionsIfNeeded(); + RenderTableSection* firstNonEmptySection = m_head ? m_head : (m_firstBody ? m_firstBody : m_foot); if (firstNonEmptySection && !firstNonEmptySection->numRows()) firstNonEmptySection = sectionBelow(firstNonEmptySection, true); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderTableRow.cpp new/webkit-1.2.7/WebCore/rendering/RenderTableRow.cpp --- old/webkit-1.2.6/WebCore/rendering/RenderTableRow.cpp 2010-03-19 16:20:54.000000000 +0100 +++ new/webkit-1.2.7/WebCore/rendering/RenderTableRow.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -73,7 +73,9 @@ if (!last) last = lastChild(); if (last && last->isAnonymous() && last->isTableCell()) { - last->addChild(child); + if (beforeChild == last) + beforeChild = last->firstChild(); + last->addChild(child, beforeChild); return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderTableSection.cpp new/webkit-1.2.7/WebCore/rendering/RenderTableSection.cpp --- old/webkit-1.2.6/WebCore/rendering/RenderTableSection.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderTableSection.cpp 2011-02-07 18:29:58.000000000 +0100 
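Review bot: The new two-line redirect `if (beforeChild == lastBox) beforeChild = lastBox->firstChild();` is copied verbatim into the RenderTable, RenderTableRow and (on the next line) RenderTableSection hunks with no explanation; a comment at each site, e.g. `// The child is inserted inside the anonymous wrapper, so a beforeChild that is the wrapper itself must be mapped to its first child.`, would record the stale-pointer fix the NEWS entry lists under bug 53276. The `recalcSectionsIfNeeded()` call added to `firstLineBoxBaseline()` likewise deserves a line such as `// Sections may be stale after a child change; recompute before reading m_head/m_firstBody.`, matching the bug 53265 entry.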
@@ -94,7 +94,9 @@ if (!last) last = lastChild(); if (last && last->isAnonymous()) { - last->addChild(child); + if (beforeChild == last) + beforeChild = last->firstChild(); + last->addChild(child, beforeChild); return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderView.cpp new/webkit-1.2.7/WebCore/rendering/RenderView.cpp --- old/webkit-1.2.6/WebCore/rendering/RenderView.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderView.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -97,6 +97,11 @@ m_maxPrefWidth = m_minPrefWidth; } +bool RenderView::isChildAllowed(RenderObject* child, RenderStyle*) const +{ + return child->isBox(); +} + void RenderView::layout() { if (printing()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/rendering/RenderView.h new/webkit-1.2.7/WebCore/rendering/RenderView.h --- old/webkit-1.2.6/WebCore/rendering/RenderView.h 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/rendering/RenderView.h 2011-02-07 18:29:58.000000000 +0100 @@ -43,6 +43,7 @@ virtual const char* renderName() const { return "RenderView"; } virtual bool isRenderView() const { return true; } + virtual bool isChildAllowed(RenderObject*, RenderStyle*) const; virtual void layout(); virtual void calcWidth(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/svg/SVGCursorElement.cpp new/webkit-1.2.7/WebCore/svg/SVGCursorElement.cpp --- old/webkit-1.2.6/WebCore/svg/SVGCursorElement.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/svg/SVGCursorElement.cpp 2011-02-07 18:29:58.000000000 +0100 
@@ -45,7 +45,7 @@ { HashSet<SVGElement*>::iterator end = m_clients.end(); for (HashSet<SVGElement*>::iterator it = m_clients.begin(); it != end; ++it) - (*it)->setCursorElement(0); + (*it)->cursorElementRemoved(); } void SVGCursorElement::parseMappedAttribute(MappedAttribute* attr) @@ -75,7 +75,12 @@ void SVGCursorElement::removeClient(SVGElement* element) { m_clients.remove(element); - element->setCursorElement(0); + element->cursorElementRemoved(); +} + +void SVGCursorElement::removeReferencedElement(SVGElement* element) +{ + m_clients.remove(element); } void SVGCursorElement::svgAttributeChanged(const QualifiedName& attrName) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/svg/SVGCursorElement.h new/webkit-1.2.7/WebCore/svg/SVGCursorElement.h --- old/webkit-1.2.6/WebCore/svg/SVGCursorElement.h 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/svg/SVGCursorElement.h 2011-02-07 18:29:58.000000000 +0100 @@ -40,6 +40,7 @@ void addClient(SVGElement*); void removeClient(SVGElement*); + void removeReferencedElement(SVGElement*); virtual bool isValid() const { return SVGTests::isValid(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/svg/SVGElement.cpp new/webkit-1.2.7/WebCore/svg/SVGElement.cpp --- old/webkit-1.2.6/WebCore/svg/SVGElement.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/svg/SVGElement.cpp 2011-02-07 18:29:58.000000000 +0100 
@@ -182,14 +182,38 @@ void SVGElement::setCursorElement(SVGCursorElement* cursorElement) { - ensureRareSVGData()->setCursorElement(cursorElement); + SVGElementRareData* rareData = ensureRareSVGData(); + if (SVGCursorElement* oldCursorElement = rareData->cursorElement()) { + if (cursorElement == oldCursorElement) + return; + oldCursorElement->removeReferencedElement(this); + } + rareData->setCursorElement(cursorElement); +} + +void SVGElement::cursorElementRemoved() +{ + ASSERT(hasRareSVGData()); + rareSVGData()->setCursorElement(0); } void SVGElement::setCursorImageValue(CSSCursorImageValue* cursorImageValue) { - ensureRareSVGData()->setCursorImageValue(cursorImageValue); + SVGElementRareData* rareData = ensureRareSVGData(); + if (CSSCursorImageValue* oldCursorImageValue = rareData->cursorImageValue()) { + if (cursorImageValue == oldCursorImageValue) + return; + oldCursorImageValue->removeReferencedElement(this); + } + rareData->setCursorImageValue(cursorImageValue); } +void SVGElement::cursorImageValueRemoved() +{ + ASSERT(hasRareSVGData()); + rareSVGData()->setCursorImageValue(0); + } + void SVGElement::parseMappedAttribute(MappedAttribute* attr) { // standard events diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/svg/SVGElement.h new/webkit-1.2.7/WebCore/svg/SVGElement.h --- old/webkit-1.2.6/WebCore/svg/SVGElement.h 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/svg/SVGElement.h 2011-02-07 18:29:58.000000000 +0100 
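Review bot: The closing brace of the new `cursorImageValueRemoved()` appears indented (`+ }`) while its sibling `cursorElementRemoved()` closes at column 0; one of them should be fixed so the two helpers match. Both helpers `ASSERT(hasRareSVGData())` and then dereference `rareSVGData()` unconditionally, so in a release build a call on an element that never set a cursor would dereference null; if that cannot happen because only a cursor element or image value this element registered with calls back into it, a comment such as `// Only reached from a cursor element/value this element registered with, so rare data exists.` would record that contract. The `setCursorElement`/`setCursorImageValue` changes that unregister from the previous owner are the actual fix and could use a similar one-line why-comment.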
@@ -77,7 +77,9 @@ const HashSet<SVGElementInstance*>& instancesForElement() const; void setCursorElement(SVGCursorElement*); + void cursorElementRemoved(); void setCursorImageValue(CSSCursorImageValue*); + void cursorImageValueRemoved(); protected: SVGElement(const QualifiedName&, Document*); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/svg/SVGUseElement.cpp new/webkit-1.2.7/WebCore/svg/SVGUseElement.cpp --- old/webkit-1.2.6/WebCore/svg/SVGUseElement.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/svg/SVGUseElement.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -747,6 +747,7 @@ // Don't ASSERT(target) here, it may be "pending", too. // Setup sub-shadow tree root node RefPtr<SVGShadowTreeContainerElement> cloneParent = new SVGShadowTreeContainerElement(document()); + use->cloneChildNodes(cloneParent.get()); // Spec: In the generated content, the 'use' will be replaced by 'g', where all attributes from the // 'use' element except for x, y, width, height and xlink:href are transferred to the generated 'g' element. @@ -756,14 +757,6 @@ if (target && !isDisallowedElement(target)) { RefPtr<Element> newChild = target->cloneElementWithChildren(); - // We don't walk the target tree element-by-element, and clone each element, - // but instead use cloneElementWithChildren(). This is an optimization for the common - // case where <use> doesn't contain disallowed elements (ie. <foreignObject>). - // Though if there are disallowed elements in the subtree, we have to remove them. - // For instance: <use> on <g> containing <foreignObject> (indirect case). - if (subtreeContainsDisallowedElement(newChild.get())) - removeDisallowedElementsFromSubtree(newChild.get()); - SVGElement* newChildPtr = 0; if (newChild->isSVGElement()) newChildPtr = static_cast<SVGElement*>(newChild.get()); 
@@ -773,6 +766,14 @@ ASSERT(!ec); } + // We don't walk the target tree element-by-element, and clone each element, + // but instead use cloneElementWithChildren(). This is an optimization for the common + // case where <use> doesn't contain disallowed elements (ie. <foreignObject>). + // Though if there are disallowed elements in the subtree, we have to remove them. + // For instance: <use> on <g> containing <foreignObject> (indirect case). + if (subtreeContainsDisallowedElement(cloneParent.get())) + removeDisallowedElementsFromSubtree(cloneParent.get()); + // Replace <use> with referenced content. ASSERT(use->parentNode()); use->parentNode()->replaceChild(cloneParent.release(), use, ec); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebCore/svg/animation/SMILTimeContainer.cpp new/webkit-1.2.7/WebCore/svg/animation/SMILTimeContainer.cpp --- old/webkit-1.2.6/WebCore/svg/animation/SMILTimeContainer.cpp 2010-09-10 15:20:33.000000000 +0200 +++ new/webkit-1.2.7/WebCore/svg/animation/SMILTimeContainer.cpp 2011-02-07 18:29:58.000000000 +0100 @@ -254,7 +254,7 @@ sortByPriority(toAnimate, elapsed); // Calculate animation contributions. - typedef HashMap<ElementAttributePair, SVGSMILElement*> ResultElementMap; + typedef HashMap<ElementAttributePair, RefPtr<SVGSMILElement> > ResultElementMap; ResultElementMap resultsElements; for (unsigned n = 0; n < toAnimate.size(); ++n) { SVGSMILElement* animation = toAnimate[n]; @@ -273,7 +273,7 @@ // Results are accumulated to the first animation that animates a particular element/attribute pair. ElementAttributePair key(targetElement, attributeName); - SVGSMILElement* resultElement = resultsElements.get(key); + SVGSMILElement* resultElement = resultsElements.get(key).get(); if (!resultElement) { resultElement = animation; resultElement->resetToBaseValue(baseValueFor(key)); 
@@ -296,7 +296,7 @@ Vector<SVGSMILElement*> animationsToApply; ResultElementMap::iterator end = resultsElements.end(); for (ResultElementMap::iterator it = resultsElements.begin(); it != end; ++it) - animationsToApply.append(it->second); + animationsToApply.append(it->second.get()); // Sort <animateTranform> to be the last one to be applied. <animate> may change transform attribute as // well (directly or indirectly by modifying <use> x/y) and this way transforms combine properly. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebKit/gtk/NEWS new/webkit-1.2.7/WebKit/gtk/NEWS --- old/webkit-1.2.6/WebKit/gtk/NEWS 2010-12-28 13:31:29.000000000 +0100 +++ new/webkit-1.2.7/WebKit/gtk/NEWS 2011-02-07 18:36:48.000000000 +0100 
@@ -1,4 +1,48 @@ ================ +WebKitGTK+ 1.2.7 +================ + +What's new in WebKitGTK+ 1.2.7? + + - Fixes a regression caused by earlier fix for CVE-2010-1791. This + caused webkitgtk to crash on certain sites with javascript. + - Fixes the following CVEs: + + CVE-2010-4492 CVE-2010-4493 CVE-2011-0482 CVE-2010-4199 CVE-2010-4578 + + - Fixes the following bugs which did not have a CVE assigned yet: + + * (Crash in ReplaceSelectionCommand::doApply when modified during mutation event) + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=50840 + + Trac: http://trac.webkit.org/changeset/73801 + + * (Stale m_firstBody pointer in WebCore::RenderTable::firstLineBoxBaseline) + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=53265 + + Trac: http://trac.webkit.org/changeset/76915 + + * ZDI-CAN-968: font glyph layout (wushi) + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=50932 + + Trac: http://trac.webkit.org/changeset/74954 + http://trac.webkit.org/changeset/74364 + + * crash in Range during mutation event (credit: Emil Eklund) + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=50710 + + Trac: http://trac.webkit.org/changeset/73801 + + * stale pointer in the CSS object model (credit: Sergey Glazunov) + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=51993 + + Trac: http://trac.webkit.org/changeset/75168 + + + * Stale pointer due to incorrect before child addition to table + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=53276 + + Trac: http://trac.webkit.org/changeset/77141 + + * (Bad cast in RenderView docheight,docwidth calc due to adding non box childs) + + Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=48328 + + Trac: http://trac.webkit.org/changeset/70681 + +================ WebKitGTK+ 1.2.6 ================ 
@@ -14,6 +58,9 @@ CVE-2010-4198 CVE-2010-4197 CVE-2010-4204 CVE-2010-4206 CVE-2010-1791 CVE-2010-3812 CVE-2010-3813 + Update: CVE-2010-4577 was also addressed in this release, but failed + to be listed at release time. + ================ WebKitGTK+ 1.2.5 ================ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/WebKit/gtk/webkit/webkitversion.h new/webkit-1.2.7/WebKit/gtk/webkit/webkitversion.h --- old/webkit-1.2.6/WebKit/gtk/webkit/webkitversion.h 2010-12-28 15:21:17.000000000 +0100 +++ new/webkit-1.2.7/WebKit/gtk/webkit/webkitversion.h 2011-02-07 18:43:53.000000000 +0100 @@ -27,7 +27,7 @@ #define WEBKIT_MAJOR_VERSION (1) #define WEBKIT_MINOR_VERSION (2) -#define WEBKIT_MICRO_VERSION (6) +#define WEBKIT_MICRO_VERSION (7) #define WEBKIT_USER_AGENT_MAJOR_VERSION (531) #define WEBKIT_USER_AGENT_MINOR_VERSION (2) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/configure new/webkit-1.2.7/configure --- old/webkit-1.2.6/configure 2010-12-28 15:21:13.000000000 +0100 +++ new/webkit-1.2.7/configure 2011-02-07 18:43:44.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67 for WebKit 1.2.6. +# Generated by GNU Autoconf 2.67 for WebKit 1.2.7. # # Report bugs to <http://bugs.webkit.org/>. # @@ -701,8 +701,8 @@ # Identity of this package. PACKAGE_NAME='WebKit' PACKAGE_TARNAME='webkit' -PACKAGE_VERSION='1.2.6' -PACKAGE_STRING='WebKit 1.2.6' +PACKAGE_VERSION='1.2.7' +PACKAGE_STRING='WebKit 1.2.7' PACKAGE_BUGREPORT='http://bugs.webkit.org/' PACKAGE_URL='' 
@@ -1700,7 +1700,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures WebKit 1.2.6 to adapt to many kinds of systems. +\`configure' configures WebKit 1.2.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1770,7 +1770,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of WebKit 1.2.6:";; + short | recursive ) echo "Configuration of WebKit 1.2.7:";; esac cat <<\_ACEOF @@ -2007,7 +2007,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -WebKit configure 1.2.6 +WebKit configure 1.2.7 generated by GNU Autoconf 2.67 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2551,7 +2551,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by WebKit $as_me 1.2.6, which was +It was created by WebKit $as_me 1.2.7, which was generated by GNU Autoconf 2.67. Invocation command line was $ $0 $@ @@ -3009,7 +3009,7 @@ WEBKIT_MAJOR_VERSION=1 WEBKIT_MINOR_VERSION=2 -WEBKIT_MICRO_VERSION=6 +WEBKIT_MICRO_VERSION=7 WEBKIT_USER_AGENT_MAJOR_VERSION=531 WEBKIT_USER_AGENT_MINOR_VERSION=2 @@ -3020,7 +3020,7 @@ -LIBWEBKITGTK_VERSION=19:8:17 +LIBWEBKITGTK_VERSION=19:9:17 am__api_version='1.11' @@ -3461,7 +3461,7 @@ # Define the identity of the package. PACKAGE='webkit' - VERSION='1.2.6' + VERSION='1.2.7' cat >>confdefs.h <<_ACEOF @@ -21826,7 +21826,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by WebKit $as_me 1.2.6, which was +This file was extended by WebKit $as_me 1.2.7, which was generated by GNU Autoconf 2.67. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -21892,7 +21892,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -WebKit config.status 1.2.6 +WebKit config.status 1.2.7 configured by $0, generated by GNU Autoconf 2.67, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webkit-1.2.6/configure.ac new/webkit-1.2.7/configure.ac --- old/webkit-1.2.6/configure.ac 2010-12-28 15:20:32.000000000 +0100 +++ new/webkit-1.2.7/configure.ac 2011-02-07 18:38:11.000000000 +0100 @@ -2,7 +2,7 @@ m4_define([webkit_major_version], [1]) m4_define([webkit_minor_version], [2]) -m4_define([webkit_micro_version], [6]) +m4_define([webkit_micro_version], [7]) # This is the version we'll be using as part of our User-Agent string # e.g., AppleWebKit/$(webkit_user_agent_version) ... @@ -35,7 +35,7 @@ dnl # Libtool library version, not to confuse with API version dnl # see http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html#Libtool-versioning -LIBWEBKITGTK_VERSION=19:8:17 +LIBWEBKITGTK_VERSION=19:9:17 AC_SUBST([LIBWEBKITGTK_VERSION]) AM_INIT_AUTOMAKE([foreign subdir-objects tar-ustar]) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
