From 5e929decd1b40178bdb35f2c82bcc38411ffcc10 Mon Sep 17 00:00:00 2001
From: Kevin Kofler
Date: Sun, 26 Jul 2009 03:49:33 +0000
Subject: [PATCH] Rebase CVE-2009-1698 patch.
---
 ...atch => kdelibs-3.5.10-cve-2009-1698.patch | 77 ++++++++-----------
 kdelibs3.spec | 2 +-
 2 files changed, 32 insertions(+), 47 deletions(-)
 rename kdelibs-3.5.4-CVE-2009-1698.patch => kdelibs-3.5.10-cve-2009-1698.patch (55%)
diff --git a/kdelibs-3.5.4-CVE-2009-1698.patch b/kdelibs-3.5.10-cve-2009-1698.patch
similarity index 55%
rename from kdelibs-3.5.4-CVE-2009-1698.patch
rename to kdelibs-3.5.10-cve-2009-1698.patch
index 171f2e3..ab9fea5 100644
--- a/kdelibs-3.5.4-CVE-2009-1698.patch
+++ b/kdelibs-3.5.10-cve-2009-1698.patch
@@ -1,5 +1,34 @@
---- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
-+++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
+diff -ur kdelibs-3.5.10/khtml/css/cssparser.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp
+--- kdelibs-3.5.10/khtml/css/cssparser.cpp 2007-01-15 12:34:04.000000000 +0100
++++ kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 05:46:39.000000000 +0200
+@@ -1344,6 +1344,14 @@
+ if ( args->size() != 1)
+ return false;
+ Value *a = args->current();
++ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
++ isValid=false;
++ break;
++ }
++ if (qString(a->string)[0] == '-') {
++ isValid=false;
++ break;
++ }
+ parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
+ }
+ else
+@@ -1396,7 +1404,8 @@
+
+ CounterImpl *counter = new CounterImpl;
+ Value *i = args->current();
+-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (qString(i->string)[0] == '-') goto invalid;
+ counter->m_identifier = domString(i->string);
+ if (counters) {
+ i = args->next();
+diff -ur kdelibs-3.5.10/khtml/css/css_valueimpl.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp
+--- kdelibs-3.5.10/khtml/css/css_valueimpl.cpp 2006-07-22 10:16:49.000000000 +0200
++++ kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 05:45:36.000000000 +0200
 @@ -736,7 +736,9 @@
 text = getValueName(m_value.ident);
 break;
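Review bot: The rebased attr() hunk at cssparser.cpp line 1344 sets `isValid=false` and breaks out of the loop, but unlike the 3.5.4 version of this patch it no longer carries the hunks that declare the flag and test it before `addProperty()`. The fix therefore only holds if the 3.5.10 source already declares `isValid` in this function and guards the call with something like `if ( isValid && values->length() )`; neither is visible in this diff, so that should be confirmed against the 3.5.10 tree. A short comment above the two new checks, for example `// CVE-2009-1698: attr() accepts a single identifier only`, would record why non-IDENT arguments are rejected. In the counter() hunk the two new `goto invalid` exits run after `new CounterImpl`, and the `invalid:` label lies outside the hunk, so it is worth checking that it frees `counter`.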
@@ -11,47 +40,3 @@
 break;
 case CSSPrimitiveValue::CSS_COUNTER:
 text = "counter(";
---- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
-+++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
-@@ -1318,6 +1318,7 @@
-
- Value *val;
- CSSValueImpl *parsedValue = 0;
-+ bool valid = true;
- while ( (val = valueList->current()) ) {
- if ( val->unit == CSSPrimitiveValue::CSS_URI ) {
- // url
-@@ -1336,6 +1337,14 @@
- if ( args->size() != 1)
- return false;
- Value *a = args->current();
-+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
-+ valid=false;
-+ break;
-+ }
-+ if (qString(a->string)[0] == '-') {
-+ valid=false;
-+ break;
-+ }
- parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
- }
- else
-@@ -1367,7 +1376,7 @@
- break;
- valueList->next();
- }
-- if ( values->length() ) {
-+ if ( valid && values->length() ) {
- addProperty( propId, values, important );
- valueList->next();
- return true;
-@@ -1384,7 +1393,8 @@
-
- CounterImpl *counter = new CounterImpl;
- Value *i = args->current();
--// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
-+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
-+ if (qString(i->string)[0] == '-') goto invalid;
- counter->m_identifier = domString(i->string);
- if (counters) {
- i = args->next();
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 6a46930..4dd736e 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -107,7 +107,7 @@ Patch202: kdelibs-3.5.4-CVE-2009-1687.patch
 # fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
 Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
 # fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
-Patch204: kdelibs-3.5.4-CVE-2009-1698.patch
+Patch204: kdelibs-3.5.10-cve-2009-1698.patch
 #{?arts:Requires: arts >= %{arts_ev}}
 #Requires: %{qt3} >= %{qt3_ev}