0ee6ccbd82
* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6 - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free) - fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling - fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl * Thu Jul 23 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.2.4-5 - CVE-2009-2537 - select length DoS - correct fixPopupForPlasmaboard.patch * Wed Jul 08 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-4 - fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki) * Mon Jun 15 2009 Rex Dieter <rdieter@fedoraproject.org> 4.2.4-3 - fixPopupForPlasmaboard.patch
68 lines
2.1 KiB
Diff
68 lines
2.1 KiB
Diff
Index: khtml/html/htmlparser.h
|
|
===================================================================
|
|
--- khtml/html/htmlparser.h (revision 983315)
|
|
+++ khtml/html/htmlparser.h (revision 983316)
|
|
@@ -157,7 +157,7 @@
|
|
/*
|
|
* the head element. Needed for crappy html which defines <base> after </head>
|
|
*/
|
|
- DOM::HTMLHeadElementImpl *head;
|
|
+ RefPtr<DOM::HTMLHeadElementImpl> head;
|
|
|
|
/*
|
|
* a possible <isindex> element in the head. Compatibility hack for
|
|
Index: khtml/html/htmlparser.cpp
|
|
===================================================================
|
|
--- khtml/html/htmlparser.cpp (revision 983315)
|
|
+++ khtml/html/htmlparser.cpp (revision 983316)
|
|
@@ -216,7 +216,6 @@
|
|
|
|
form = 0;
|
|
map = 0;
|
|
- head = 0;
|
|
end = false;
|
|
isindex = 0;
|
|
|
|
@@ -678,8 +677,7 @@
|
|
case ID_BASE:
|
|
if(!head) {
|
|
head = new HTMLHeadElementImpl(document);
|
|
- e = head;
|
|
- insertNode(e);
|
|
+ insertNode(head.get());
|
|
handled = true;
|
|
}
|
|
break;
|
|
@@ -894,7 +892,7 @@
|
|
case ID_HEAD:
|
|
if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
|
|
head = new HTMLHeadElementImpl(document);
|
|
- n = head;
|
|
+ n = head.get();
|
|
}
|
|
break;
|
|
case ID_BODY:
|
|
@@ -1907,19 +1905,19 @@
|
|
head = new HTMLHeadElementImpl(document);
|
|
HTMLElementImpl *body = doc()->body();
|
|
int exceptioncode = 0;
|
|
- doc()->documentElement()->insertBefore(head, body, exceptioncode);
|
|
+ doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
|
|
if ( exceptioncode ) {
|
|
#ifdef PARSER_DEBUG
|
|
kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
|
|
#endif
|
|
- delete head;
|
|
+ delete head.get();
|
|
head = 0;
|
|
}
|
|
|
|
// If the body does not exist yet, then the <head> should be pushed as the current block.
|
|
if (head && !body) {
|
|
pushBlock(head->id(), tagPriority(head->id()));
|
|
- setCurrent(head);
|
|
+ setCurrent(head.get());
|
|
}
|
|
}
|
|
|