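diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100
@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp
 return false;
 }
 
+static bool isValidFormatFunction(CSSParserValue* val)
+{
+ CSSParserValueList* args = val->function->args;
+ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
+}
+
 bool CSSParser::parseFontFaceSrc()
 {
 RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()
 CSSParserValue* a = args->current();
 uriValue.clear();
 parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
+ } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
 expectComma = true;
 allowFormat = false;
 uriValue->setFormat(args->current()->string);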
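Review bot: isValidFormatFunction dereferences `val->function->args` and `args->current()` without checking either for null, so the new unit check is only safe if every caller has already established that `val` is a function value with a non-empty argument list. The call site in the second hunk sits inside a branch of parseFontFaceSrc whose opening conditions lie outside the visible lines, so that precondition cannot be confirmed from this patch. Because this helper is the type check that keeps a non-string argument from reaching `uriValue->setFormat(args->current()->string)`, it would be more robust self-contained: `CSSParserValue* arg = args ? args->current() : 0;` followed by `return arg && equalIgnoringCase(val->function->name, "format(") && (arg->unit == CSSPrimitiveValue::CSS_STRING || arg->unit == CSSPrimitiveValue::CSS_IDENT);`. Failing that, add a comment above the helper stating that the caller must guarantee a function value with exactly one argument. The helper also re-reads the argument list from `val` while the call site uses its own local `args`, so passing that `args` in as a parameter would tie the validated value to the one that is used.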