86 lines
3.8 KiB
Diff
86 lines
3.8 KiB
Diff
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp 2010-02-25 15:50:05.987741463 +0100
|
||
|
@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att
|
||
|
|
||
|
void HTMLFormElement::registerImgElement(HTMLImageElement* e)
|
||
|
{
|
||
|
+ ASSERT(imgElements.find(e) == notFound);
|
||
|
imgElements.append(e);
|
||
|
}
|
||
|
|
||
|
void HTMLFormElement::removeImgElement(HTMLImageElement* e)
|
||
|
{
|
||
|
+ ASSERT(imgElements.find(e) == notFound);
|
||
|
removeFromVector(imgElements, e);
|
||
|
}
|
||
|
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp 2010-02-25 15:43:45.016742027 +0100
|
||
|
@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume
|
||
|
HTMLElement::removedFromDocument();
|
||
|
}
|
||
|
|
||
|
+void HTMLImageElement::insertedIntoTree(bool deep)
|
||
|
+{
|
||
|
+ if (m_form) {
|
||
|
+ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
|
||
|
+#ifndef NDEBUG
|
||
|
+ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
|
||
|
+ ASSERT(ancestor);
|
||
|
+ if (ancestor->hasTagName(formTag)) {
|
||
|
+ ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ }
|
||
|
+#endif
|
||
|
+ } else {
|
||
|
+ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
|
||
|
+ if (ancestor->hasTagName(formTag)) {
|
||
|
+ m_form = static_cast<HTMLFormElement*>(ancestor);
|
||
|
+ m_form->registerImgElement(this);
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ HTMLElement::insertedIntoTree(deep);
|
||
|
+}
|
||
|
+
|
||
|
+void HTMLImageElement::removedFromTree(bool deep)
|
||
|
+{
|
||
|
+ if (m_form)
|
||
|
+ m_form->removeImgElement(this);
|
||
|
+ m_form = 0;
|
||
|
+ HTMLElement::removedFromTree(deep);
|
||
|
+}
|
||
|
+
|
||
|
int HTMLImageElement::width(bool ignorePendingStylesheets) const
|
||
|
{
|
||
|
if (!renderer()) {
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h 2010-02-25 15:41:18.340929598 +0100
|
||
|
@@ -45,8 +45,6 @@ public:
|
||
|
|
||
|
virtual void attach();
|
||
|
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
|
||
|
- virtual void insertedIntoDocument();
|
||
|
- virtual void removedFromDocument();
|
||
|
|
||
|
virtual bool canStartSelection() const { return false; }
|
||
|
|
||
|
@@ -105,6 +103,11 @@ public:
|
||
|
virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
|
||
|
|
||
|
private:
|
||
|
+ virtual void insertedIntoDocument();
|
||
|
+ virtual void removedFromDocument();
|
||
|
+ virtual void insertedIntoTree(bool deep);
|
||
|
+ virtual void removedFromTree(bool deep);
|
||
|
+
|
||
|
HTMLImageLoader m_imageLoader;
|
||
|
String usemap;
|
||
|
bool ismap;
|