rpms
/
qt
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

sync to F13 - security patches

This commit is contained in:
Jaroslav Reznik 2010-06-15 15:42:06 +00:00
parent c84063a22d
commit 3675bc4f5a
13 changed files with 2000 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
qt-everywhere-opensource-src-4.6.3-CVE-2010-1119.patch Normal file
View File

@ -0,0 +1,15 @@
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp.CVE-2010-1119 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp.CVE-2010-1119 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp 2010-06-15 13:11:55.974470742 +0200
@@ -910,7 +910,10 @@ void Node::notifyLocalNodeListsAttribute
if (!data->nodeLists())
return;
- data->nodeLists()->invalidateCachesThatDependOnAttributes();
+ if (!isAttributeNode())
+ data->nodeLists()->invalidateCachesThatDependOnAttributes();
+ else
+ data->nodeLists()->invalidateCaches();
if (data->nodeLists()->isEmpty()) {
data->clearNodeLists();

1416
qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch Normal file
View File

File diff suppressed because it is too large Load Diff

12
qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch Normal file
View File

@ -0,0 +1,12 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1392/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1392/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp 2010-06-10 20:24:02.864193022 +0200
@@ -4484,7 +4484,7 @@
// Drill into inlines looking for our first text child.
RenderObject* currChild = firstLetterBlock->firstChild();
- while (currChild && currChild->needsLayout() && (!currChild->isReplaced() || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
if (currChild->isFloatingOrPositioned()) {
if (currChild->style()->styleType() == FIRST_LETTER)
break;

56
qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch Normal file
View File

@ -0,0 +1,56 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1396/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1396/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp 2010-06-10 20:34:00.316318866 +0200
@@ -395,33 +395,43 @@
document()->removeFocusedNodeOfSubtree(this, true);
forbidEventDispatch();
- int childCountDelta = 0;
+ Vector<RefPtr<Node> > removedChildren;
while (RefPtr<Node> n = m_firstChild) {
- childCountDelta--;
-
Node* next = n->nextSibling();
- // Remove the node from the tree before calling detach or removedFromDocument (4427024, 4129744)
+ // Remove the node from the tree before calling detach or removedFromDocument (4427024, 4129744).
+ // removeChild() does this after calling detach(). There is no explanation for
+ // this discrepancy between removeChild() and its optimized version removeChildren().
n->setPreviousSibling(0);
n->setNextSibling(0);
n->setParent(0);
-
+
m_firstChild = next;
if (n == m_lastChild)
m_lastChild = 0;
if (n->attached())
n->detach();
-
- if (n->inDocument())
- n->removedFromDocument();
+
+ removedChildren.append(n.release());
}
allowEventDispatch();
+ size_t removedChildrenCount = removedChildren.size();
+
// Dispatch a single post-removal mutation event denoting a modified subtree.
- childrenChanged(false, 0, 0, childCountDelta);
+ childrenChanged(false, 0, 0, -static_cast<int>(removedChildrenCount));
dispatchSubtreeModifiedEvent();
+ for (size_t i = 0; i < removedChildrenCount; ++i) {
+ Node* removedChild = removedChildren[i].get();
+ if (removedChild->inDocument())
+ removedChild->removedFromDocument();
+ // removeChild() calls removedFromTree(true) if the child was not in the
+ // document. There is no explanation for this discrepancy between removeChild()
+ // and its optimized version removeChildren().
+ }
+
return true;
}

53
qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch Normal file
View File

@ -0,0 +1,53 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.cpp 2010-06-10 20:41:45.295318418 +0200
@@ -552,12 +552,6 @@
toRenderTextControl(renderer)->selectionChanged(userTriggered);
}
-void Frame::invalidateSelection()
-{
- selection()->setNeedsLayout();
- selectionLayoutChanged();
-}
-
void Frame::setCaretVisible(bool flag)
{
if (m_caretVisible == flag)
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.h qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.h 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.h 2010-06-10 20:41:45.291318453 +0200
@@ -259,8 +259,6 @@
void selectionLayoutChanged();
void notifyRendererOfSelectionChange(bool userTriggered);
- void invalidateSelection();
-
void setCaretVisible(bool = true);
void paintCaret(GraphicsContext*, int tx, int ty, const IntRect& clipRect) const;
void paintDragCaret(GraphicsContext*, int tx, int ty, const IntRect& clipRect) const;
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/FrameView.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/FrameView.cpp 2010-06-10 20:41:45.293318191 +0200
@@ -642,7 +642,8 @@
root->view()->popLayoutState();
m_layoutRoot = 0;
- m_frame->invalidateSelection();
+ m_frame->selection()->setNeedsLayout();
+ m_frame->selectionLayoutChanged();
m_layoutSchedulingEnabled = true;
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-10 20:41:45.297318506 +0200
@@ -1170,7 +1170,7 @@
// The caret rect needs to be invalidated after scrolling
Frame* frame = renderer()->document()->frame();
if (frame)
- frame->invalidateSelection();
+ frame->selection()->setNeedsLayout();
// Just schedule a full repaint of our object.
if (repaint)

244
qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch Normal file
View File

@ -0,0 +1,244 @@
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp 2010-06-11 16:12:55.750525354 +0200
@@ -35,6 +35,7 @@
#include "ClientRect.h"
#include "ClientRectList.h"
#include "Document.h"
+#include "DocumentFragment.h"
#include "ElementRareData.h"
#include "ExceptionCode.h"
#include "FocusController.h"
@@ -42,6 +43,7 @@
#include "FrameView.h"
#include "HTMLElement.h"
#include "HTMLNames.h"
+#include "HTMLTokenizer.h"
#include "NamedNodeMap.h"
#include "NodeList.h"
#include "NodeRenderStyle.h"
@@ -49,6 +51,7 @@
#include "RenderView.h"
#include "TextIterator.h"
#include "XMLNames.h"
+#include "XMLTokenizer.h"
#if ENABLE(SVG)
#include "SVGNames.h"
@@ -91,6 +94,51 @@ NodeRareData* Element::createRareData()
{
return new ElementRareData;
}
+
+PassRefPtr<DocumentFragment> Element::createContextualFragment(const String& markup)
+{
+ RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
+
+ if (document()->isHTMLDocument())
+ parseHTMLDocumentFragment(markup, fragment.get());
+ else {
+ if (!parseXMLDocumentFragment(markup, fragment.get(), this))
+ // FIXME: We should propagate a syntax error exception out here.
+ return 0;
+ }
+
+ // Exceptions are ignored because none ought to happen here.
+ ExceptionCode ignoredExceptionCode;
+
+ // We need to pop <html> and <body> elements and remove <head> to
+ // accommodate folks passing complete HTML documents to make the
+ // child of an element.
+
+ RefPtr<Node> nextNode;
+ for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
+ nextNode = node->nextSibling();
+ if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
+ Node* firstChild = node->firstChild();
+ if (firstChild)
+ nextNode = firstChild;
+ RefPtr<Node> nextChild;
+ for (RefPtr<Node> child = firstChild; child; child = nextChild) {
+ nextChild = child->nextSibling();
+ node->removeChild(child.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ fragment->insertBefore(child, node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ } else if (node->hasTagName(headTag)) {
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ }
+
+ return fragment.release();
+}
PassRefPtr<Node> Element::cloneNode(bool deep)
{
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h 2010-06-14 16:54:57.639394749 +0200
@@ -28,6 +28,7 @@
#include "ContainerNode.h"
#include "QualifiedName.h"
#include "ScrollTypes.h"
+#include "DocumentFragment.h"
namespace WebCore {
@@ -89,6 +90,8 @@ public:
DEFINE_ATTRIBUTE_EVENT_LISTENER(search);
DEFINE_ATTRIBUTE_EVENT_LISTENER(selectstart);
+ virtual PassRefPtr<DocumentFragment> createContextualFragment(const String&);
+
const AtomicString& getIDAttribute() const;
bool hasAttribute(const QualifiedName&) const;
const AtomicString& getAttribute(const QualifiedName&) const;
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp 2010-06-11 16:12:55.752525451 +0200
@@ -1054,11 +1054,7 @@ String createMarkup(const Range* range,
PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL)
{
- ASSERT(document->documentElement()->isHTMLElement());
- // FIXME: What if the document element is not an HTML element?
- HTMLElement *element = static_cast<HTMLElement*>(document->documentElement());
-
- RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup);
+ RefPtr<DocumentFragment> fragment = document->documentElement()->createContextualFragment(markup);
if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
completeURLs(fragment.get(), baseURL);
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp 2010-06-11 16:12:55.753537613 +0200
@@ -235,9 +235,9 @@ String HTMLElement::outerHTML() const
return createMarkup(this);
}
-PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html)
+PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &markup)
{
- // the following is in accordance with the definition as used by IE
+ // The following is in accordance with the definition as used by IE.
if (endTagRequirement() == TagStatusForbidden)
return 0;
@@ -245,47 +245,7 @@ PassRefPtr<DocumentFragment> HTMLElement
hasLocalName(headTag) || hasLocalName(styleTag) || hasLocalName(titleTag))
return 0;
- RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
-
- if (document()->isHTMLDocument())
- parseHTMLDocumentFragment(html, fragment.get());
- else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this))
- // FIXME: We should propagate a syntax error exception out here.
- return 0;
- }
-
- // Exceptions are ignored because none ought to happen here.
- int ignoredExceptionCode;
-
- // we need to pop <html> and <body> elements and remove <head> to
- // accommodate folks passing complete HTML documents to make the
- // child of an element.
-
- RefPtr<Node> nextNode;
- for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
- nextNode = node->nextSibling();
- if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
- Node *firstChild = node->firstChild();
- if (firstChild)
- nextNode = firstChild;
- RefPtr<Node> nextChild;
- for (RefPtr<Node> child = firstChild; child; child = nextChild) {
- nextChild = child->nextSibling();
- node->removeChild(child.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- fragment->insertBefore(child, node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- } else if (node->hasTagName(headTag)) {
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- }
-
- return fragment.release();
+ return Element::createContextualFragment(markup);
}
static inline bool hasOneChild(ContainerNode* node)
@@ -371,7 +331,7 @@ void HTMLElement::setOuterHTML(const Str
void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -441,7 +401,7 @@ void HTMLElement::setInnerText(const Str
void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -469,7 +429,7 @@ void HTMLElement::setOuterText(const Str
if (ec)
return;
- // is previous node a text node? if so, merge into it
+ // Is previous node a text node? If so, merge into it.
Node* prev = t->previousSibling();
if (prev && prev->isTextNode()) {
Text* textPrev = static_cast<Text*>(prev);
@@ -482,7 +442,7 @@ void HTMLElement::setOuterText(const Str
t = textPrev;
}
- // is next node a text node? if so, merge it in
+ // Is next node a text node? If so, merge it in.
Node* next = t->nextSibling();
if (next && next->isTextNode()) {
Text* textNext = static_cast<Text*>(next);
@@ -522,7 +482,7 @@ Node* HTMLElement::insertAdjacent(const
return 0;
}
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = NOT_SUPPORTED_ERR;
return 0;
}
@@ -530,7 +490,7 @@ Node* HTMLElement::insertAdjacent(const
Element* HTMLElement::insertAdjacentElement(const String& where, Element* newChild, ExceptionCode& ec)
{
if (!newChild) {
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = TYPE_MISMATCH_ERR;
return 0;
}
@@ -567,8 +527,8 @@ void HTMLElement::addHTMLAlignment(Mappe
void HTMLElement::addHTMLAlignmentToStyledElement(StyledElement* element, MappedAttribute* attr)
{
- // vertical alignment with respect to the current baseline of the text
- // right or left means floating images
+ // Vertical alignment with respect to the current baseline of the text
+ // right or left means floating images.
int floatValue = CSSValueInvalid;
int verticalAlignValue = CSSValueInvalid;

32
qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch Normal file
View File

@ -0,0 +1,32 @@
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp.CVE-2010-1400 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp.CVE-2010-1400 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp 2010-06-15 13:55:36.853463455 +0200
@@ -1611,7 +1611,7 @@ void RenderObject::styleWillChange(Style
}
}
-void RenderObject::styleDidChange(StyleDifference diff, const RenderStyle*)
+void RenderObject::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
{
if (s_affectsParentBlock)
handleDynamicFloatPositionChange();
@@ -1619,9 +1619,17 @@ void RenderObject::styleDidChange(StyleD
if (!m_parent)
return;
- if (diff == StyleDifferenceLayout)
+ if (diff == StyleDifferenceLayout) {
+ // If the object already needs layout, then setNeedsLayout won't do
+ // any work. But if the containing block has changed, then we may need
+ // to make the new containing blocks for layout. The change that can
+ // directly affect the containing block of this object is a change to
+ // the position style.
+ if (m_needsLayout && oldStyle->position() != m_style->position())
+ markContainingBlocksForLayout();
+
setNeedsLayoutAndPrefWidthsRecalc();
- else if (diff == StyleDifferenceLayoutPositionedMovementOnly)
+ } else if (diff == StyleDifferenceLayoutPositionedMovementOnly)
setNeedsPositionedMovementLayout();
// Don't check for repaint here; we need to wait until the layer has been

45
qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch Normal file
View File

@ -0,0 +1,45 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp qt-everywhere-opensource-src-4.6.3-2010-1412/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-2010-1412/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-11 00:09:43.741191104 +0200
@@ -3039,22 +3039,33 @@
// Locate the common ancestor render object for the two renderers.
RenderObject* ancestor = commonAncestor(oldHoverObj, newHoverObj);
+ Vector<Node*, 32> nodesToRemoveFromChain;
+ Vector<Node*, 32> nodesToAddToChain;
+
if (oldHoverObj != newHoverObj) {
// The old hover path only needs to be cleared up to (and not including) the common ancestor;
for (RenderObject* curr = oldHoverObj; curr && curr != ancestor; curr = curr->hoverAncestor()) {
- if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) {
- curr->node()->setActive(false);
- curr->node()->setHovered(false);
- }
+ if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain()))
+ nodesToRemoveFromChain.append(curr->node());
}
}
// Now set the hover state for our new object up to the root.
for (RenderObject* curr = newHoverObj; curr; curr = curr->hoverAncestor()) {
- if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) {
- curr->node()->setActive(request.active());
- curr->node()->setHovered(true);
- }
+ if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain()))
+ nodesToAddToChain.append(curr->node());
+ }
+
+ size_t removeCount = nodesToRemoveFromChain.size();
+ for (size_t i = 0; i < removeCount; ++i) {
+ nodesToRemoveFromChain[i]->setActive(false);
+ nodesToRemoveFromChain[i]->setHovered(false);
+ }
+
+ size_t addCount = nodesToAddToChain.size();
+ for (size_t i = 0; i < addCount; ++i) {
+ nodesToAddToChain[i]->setActive(request.active());
+ nodesToAddToChain[i]->setHovered(true);
}
}

33
qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch Normal file
View File

@ -0,0 +1,33 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-06-11 13:42:31.190174662 +0200
@@ -207,7 +207,7 @@
PassRefPtr<StringImpl> RenderText::originalText() const
{
Node* e = node();
- return e ? static_cast<Text*>(e)->dataImpl() : 0;
+ return (e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : 0;
}
void RenderText::absoluteRects(Vector<IntRect>& rects, int tx, int ty)
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 2010-06-11 13:42:31.197153658 +0200
@@ -47,7 +47,7 @@
PassRefPtr<StringImpl> RenderTextFragment::originalText() const
{
Node* e = node();
- RefPtr<StringImpl> result = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+ RefPtr<StringImpl> result = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
if (result && (start() > 0 || start() < result->length()))
result = result->substring(start(), end());
return result.release();
@@ -76,7 +76,7 @@
{
if (start()) {
Node* e = node();
- StringImpl* original = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+ StringImpl* original = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
if (original)
return (*original)[start() - 1];
}

16
qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch Normal file
View File

@ -0,0 +1,16 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1773/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1773/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp 2010-06-10 17:33:06.092192665 +0200
@@ -88,8 +88,10 @@
--number;
letters[lettersSize - 1] = alphabet[number % alphabetSize];
int length = 1;
- while ((number /= alphabetSize) > 0)
- letters[lettersSize - ++length] = alphabet[number % alphabetSize - 1];
+ while ((number /= alphabetSize) > 0) {
+ --number;
+ letters[lettersSize - ++length] = alphabet[number % alphabetSize];
+ }
ASSERT(length <= lettersSize);
return String(&letters[lettersSize - length], length);

13
qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch Normal file
View File

@ -0,0 +1,13 @@
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp qt-everywhere-opensource-src-4.6.3-CVE-1774/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1774/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp 2010-06-11 14:45:02.625278334 +0200
@@ -168,8 +168,7 @@
int usedSpan = 0;
int i = 0;
- while (usedSpan < span) {
- ASSERT(cCol + i < nEffCols);
+ while (usedSpan < span && cCol + i < nEffCols) {
int eSpan = m_table->spanOfEffCol(cCol + i);
// Only set if no col element has already set it.
if (m_width[cCol + i].isAuto() && w.type() != Auto) {

29
qt-everywhere-opensource-src-4.6.3-CVE-2010-1778.patch Normal file
View File

@ -0,0 +1,29 @@
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp.CVE-2010-1778 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp.CVE-2010-1778 2010-06-11 16:12:55.786338275 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp 2010-06-15 13:23:21.114401487 +0200
@@ -1189,14 +1189,13 @@ void FrameView::scheduleRelayoutOfSubtre
{
ASSERT(m_frame->view() == this);
- if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer()
- && m_frame->contentRenderer()->needsLayout())) {
+ if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) {
if (relayoutRoot)
relayoutRoot->markContainingBlocksForLayout(false);
return;
}
- if (layoutPending()) {
+ if (layoutPending() || !m_layoutSchedulingEnabled) {
if (m_layoutRoot != relayoutRoot) {
if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) {
// Keep the current root
@@ -1213,7 +1212,7 @@ void FrameView::scheduleRelayoutOfSubtre
relayoutRoot->markContainingBlocksForLayout(false);
}
}
- } else {
+ } else if (m_layoutSchedulingEnabled) {
int delay = m_frame->document()->minimumLayoutDelay();
m_layoutRoot = relayoutRoot;
m_delayedLayout = delay != 0;

37
qt.spec
View File

@ -13,7 +13,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.6.3
Release: 1%{?dist}
Release: 3%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -67,6 +67,18 @@ Patch57: qt-everywhere-opensource-src-4.6.2-webkit-sparc64.patch
Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
Patch106: qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
Patch108: qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
Patch109: qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch
Patch110: qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch
Patch111: qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch
Patch112: qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch
Patch113: qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch
Patch114: qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
Patch115: qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch
Patch116: qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch
Patch117: qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch
Patch118: qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch
Patch119: qt-everywhere-opensource-src-4.6.3-CVE-2010-1119.patch
Patch120: qt-everywhere-opensource-src-4.6.3-CVE-2010-1778.patch
# kde-qt git patches
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@ -428,6 +440,19 @@ Qt libraries used for drawing widgets and OpenGL items.
%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
%patch106 -p1 -b .cve-2010-0656
%patch108 -p1 -b .cve-2010-0648
%patch109 -p1 -b .CVE-2010-1303_1304
%patch110 -p1 -b .CVE-2010-1392
%patch111 -p1 -b .CVE-2010-1396
%patch112 -p1 -b .CVE-2010-1397
%patch113 -p1 -b .CVE-2010-1398
%patch114 -p1 -b .CVE-2010-1400
%patch115 -p1 -b .CVE-2010-1412
%patch116 -p1 -b .CVE-2010-1770
%patch117 -p1 -b .CVE-2010-1773
%patch118 -p1 -b .CVE-2010-1774
%patch119 -p1 -b .CVE-2010-1119
%patch120 -p1 -b .CVE-2010-1778
# kde-qt branch
%patch201 -p1 -b .kde-qt-0001
@ -1029,6 +1054,16 @@ fi
%changelog
* Tue Jun 15 2010 Jaroslav Reznik <jreznik@redhat.com> - 4.6.3-3
- WebKit security update:
CVE-2010-1119, CVE-2010-1400, CVE-2010-1778
* Fri Jun 11 2010 Jaroslav Reznik <jreznik@redhat.com> - 4.6.3-2
- WebKit security update:
CVE-2010-1303_1304, CVE-2010-1392, CVE-2010-1396, CVE-2010-1397,
CVE-2010-1398, CVE-2010-1412, CVE-2010-1770,
CVE-2010-1773, CVE-2010-1774
* Tue Jun 08 2010 Than Ngo <than@redhat.com> - 4.6.3-1
- 4.6.3