rpms/qt/F-13 qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch, NONE, 1.1 qt.spec, 1.395, 1.396
Jaroslav Reznik
jreznik at fedoraproject.org
Fri Jun 11 14:23:52 UTC 2010
Author: jreznik
Update of /cvs/pkgs/rpms/qt/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv8852
Modified Files:
qt.spec
Added Files:
qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch
qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch
Log Message:
* Fri Jun 11 2010 Jaroslav Reznik <jreznik at redhat.com> - 4.6.3-2
- WebKit security update:
CVE-2010-1303_1304, CVE-2010-1392, CVE-2010-1396, CVE-2010-1397,
CVE-2010-1398, CVE-2010-1400, CVE-2010-1412, CVE-2010-1770,
CVE-2010-1773, CVE-2010-1774
qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch:
WebCore.pro | 6
rendering/RenderSVGShadowTreeRootContainer.cpp | 101 ++++++
rendering/RenderSVGShadowTreeRootContainer.h | 50 +++
rendering/RenderSVGTransformableContainer.cpp | 14
rendering/SVGShadowTreeElements.cpp | 80 +++++
rendering/SVGShadowTreeElements.h | 67 ++++
svg/SVGElement.cpp | 7
svg/SVGElement.h | 9
svg/SVGElementInstance.cpp | 42 --
svg/SVGElementInstance.h | 6
svg/SVGGElement.h | 1
svg/SVGStyledElement.cpp | 15
svg/SVGStyledElement.h | 9
svg/SVGUseElement.cpp | 377 +++++++++++++------------
svg/SVGUseElement.h | 28 +
15 files changed, 561 insertions(+), 251 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch ---
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.cpp 1970-01-01 01:00:00.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.cpp 2010-06-11 15:29:14.567278020 +0200
@@ -0,0 +1,101 @@
+/*
+ Copyright (C) Research In Motion Limited 2010. All rights reserved.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public License
+ aint with this library; see the file COPYING.LIB. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
+*/
+
+#include "config.h"
+
+#if ENABLE(SVG)
+#include "RenderSVGShadowTreeRootContainer.h"
+
+#include "MouseEvent.h"
+#include "SVGShadowTreeElements.h"
+#include "SVGUseElement.h"
+
+namespace WebCore {
+
+RenderSVGShadowTreeRootContainer::RenderSVGShadowTreeRootContainer(SVGUseElement* node)
+ : RenderSVGTransformableContainer(node)
+ , m_recreateTree(false)
+{
+}
+
+RenderSVGShadowTreeRootContainer::~RenderSVGShadowTreeRootContainer()
+{
+ if (m_shadowRoot && m_shadowRoot->attached())
+ m_shadowRoot->detach();
+}
+
+void RenderSVGShadowTreeRootContainer::updateStyle(Node::StyleChange change)
+{
+ if (m_shadowRoot && m_shadowRoot->attached())
+ m_shadowRoot->recalcStyle(change);
+}
+
+void RenderSVGShadowTreeRootContainer::updateFromElement()
+{
+ bool hadExistingTree = m_shadowRoot;
+
+ SVGUseElement* useElement = static_cast<SVGUseElement*>(node());
+ if (!m_shadowRoot) {
+ ASSERT(!m_recreateTree);
+ m_shadowRoot = new SVGShadowTreeRootElement(document(), useElement);
+ useElement->buildPendingResource();
+ }
+
+ ASSERT(m_shadowRoot->shadowParentNode() == useElement);
+
+ bool shouldRecreateTree = m_recreateTree;
+ if (m_recreateTree) {
+ ASSERT(hadExistingTree);
+
+ if (m_shadowRoot->attached())
+ m_shadowRoot->detach();
+
+ m_shadowRoot->removeAllChildren();
+ m_recreateTree = false;
+ }
+
+ // Only rebuild the shadow tree, if we a) never had a tree or b) we were specifically asked to do so
+ // If the use element is a pending resource, and a) or b) is true, do nothing, and wait for the use
+ // element to be asked to buildPendingResource(), this will call us again, with m_recreateTrue=true.
+ if ((shouldRecreateTree || !hadExistingTree) && !useElement->isPendingResource()) {
+ useElement->buildShadowAndInstanceTree(m_shadowRoot.get());
+
+ // Attach shadow root element
+ m_shadowRoot->attachElement(style(), renderArena());
+
+ // Attach subtree, as if it was a regular non-shadow tree
+ for (Node* child = m_shadowRoot->firstChild(); child; child = child->nextSibling())
+ child->attach();
+ }
+
+ ASSERT(!m_recreateTree);
+ RenderSVGTransformableContainer::updateFromElement();
+}
+
+void RenderSVGShadowTreeRootContainer::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
+{
+ RenderSVGTransformableContainer::styleDidChange(diff, oldStyle);
+
+ if (RenderObject* shadowRootRenderer = m_shadowRoot ? m_shadowRoot->renderer() : 0)
+ shadowRootRenderer->setStyle(style());
+}
+
+}
+
+#endif
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.h 1970-01-01 01:00:00.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/RenderSVGShadowTreeRootContainer.h 2010-06-11 15:29:14.568278907 +0200
@@ -0,0 +1,50 @@
+/*
+ Copyright (C) Research In Motion Limited 2010. All rights reserved.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public License
+ aint with this library; see the file COPYING.LIB. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
+*/
+
+#ifndef RenderSVGShadowTreeRootContainer_h
+#define RenderSVGShadowTreeRootContainer_h
+
+#if ENABLE(SVG)
+#include "RenderSVGTransformableContainer.h"
+
+namespace WebCore {
+
+class SVGUseElement;
+class SVGShadowTreeRootElement;
+
+class RenderSVGShadowTreeRootContainer : public RenderSVGTransformableContainer {
+public:
+ RenderSVGShadowTreeRootContainer(SVGUseElement*);
+ virtual ~RenderSVGShadowTreeRootContainer();
+
+ void markShadowTreeForRecreation() { m_recreateTree = true; }
+ void updateStyle(Node::StyleChange);
+ virtual void updateFromElement();
+
+private:
+ virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+
+ bool m_recreateTree;
+ RefPtr<SVGShadowTreeRootElement> m_shadowRoot;
+};
+
+}
+
+#endif
+#endif
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderSVGTransformableContainer.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/RenderSVGTransformableContainer.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderSVGTransformableContainer.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/RenderSVGTransformableContainer.cpp 2010-06-11 15:29:14.568278907 +0200
@@ -1,5 +1,5 @@
/*
- Copyright (C) 2004, 2005 Nikolas Zimmermann <wildfox at kde.org>
+ Copyright (C) 2004, 2005 Nikolas Zimmermann <zimmermann at kde.org>
2004, 2005, 2006 Rob Buis <buis at kde.org>
2009 Google, Inc.
@@ -20,12 +20,12 @@
*/
#include "config.h"
-#if ENABLE(SVG)
+#if ENABLE(SVG)
#include "RenderSVGTransformableContainer.h"
+#include "SVGShadowTreeElements.h"
#include "SVGStyledTransformableElement.h"
-#include "SVGTransformList.h"
namespace WebCore {
@@ -47,6 +47,14 @@
void RenderSVGTransformableContainer::calculateLocalTransform()
{
m_localTransform = static_cast<SVGStyledTransformableElement*>(node())->animatedLocalTransform();
+ if (!node()->hasTagName(SVGNames::gTag) || !static_cast<SVGGElement*>(node())->isShadowTreeContainerElement())
+ return;
+
+ FloatSize translation = static_cast<SVGShadowTreeContainerElement*>(node())->containerTranslation();
+ if (translation.width() == 0 && translation.height() == 0)
+ return;
+
+ m_localTransform.translateRight(translation.width(), translation.height());
}
}
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.cpp 1970-01-01 01:00:00.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.cpp 2010-06-11 15:29:14.567278020 +0200
@@ -0,0 +1,80 @@
+/*
+ Copyright (C) Research In Motion Limited 2010. All rights reserved.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public License
+ aint with this library; see the file COPYING.LIB. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
+*/
+
+#include "config.h"
+
+#if ENABLE(SVG)
+#include "SVGShadowTreeElements.h"
+
+#include "Document.h"
+#include "FloatSize.h"
+#include "RenderObject.h"
+#include "SVGNames.h"
+
+namespace WebCore {
+
+// SVGShadowTreeContainerElement
+SVGShadowTreeContainerElement::SVGShadowTreeContainerElement(Document* document)
+ : SVGGElement(SVGNames::gTag, document)
+{
+}
+
+SVGShadowTreeContainerElement::~SVGShadowTreeContainerElement()
+{
+}
+
+FloatSize SVGShadowTreeContainerElement::containerTranslation() const
+{
+ return FloatSize(m_xOffset.value(this), m_yOffset.value(this));
+}
+
+// SVGShadowTreeRootElement
+SVGShadowTreeRootElement::SVGShadowTreeRootElement(Document* document, Node* shadowParent)
+ : SVGShadowTreeContainerElement(document)
+ , m_shadowParent(shadowParent)
+{
+ setInDocument(true);
+}
+
+SVGShadowTreeRootElement::~SVGShadowTreeRootElement()
+{
+}
+
+void SVGShadowTreeRootElement::attachElement(PassRefPtr<RenderStyle> style, RenderArena* arena)
+{
+ ASSERT(m_shadowParent);
+
+ // Create the renderer with the specified style
+ RenderObject* renderer = createRenderer(arena, style.get());
+ if (renderer) {
+ setRenderer(renderer);
+ renderer->setStyle(style);
+ }
+
+ // Set these explicitly since this normally happens during an attach()
+ setAttached();
+
+ // Add the renderer to the render tree
+ if (renderer)
+ m_shadowParent->renderer()->addChild(renderer);
+}
+
+}
+
+#endif
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.h 1970-01-01 01:00:00.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/rendering/SVGShadowTreeElements.h 2010-06-11 15:29:14.568278907 +0200
@@ -0,0 +1,67 @@
+/*
+ Copyright (C) Research In Motion Limited 2010. All rights reserved.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public License
+ aint with this library; see the file COPYING.LIB. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
+*/
+
+#ifndef SVGShadowTreeElements_h
+#define SVGShadowTreeElements_h
+
+#if ENABLE(SVG)
+#include "SVGGElement.h"
+#include "SVGLength.h"
+
+namespace WebCore {
+
+class FloatSize;
+
+class SVGShadowTreeContainerElement : public SVGGElement {
+public:
+ SVGShadowTreeContainerElement(Document*);
+ virtual ~SVGShadowTreeContainerElement();
+
+ virtual bool isShadowTreeContainerElement() const { return true; }
+
+ FloatSize containerTranslation() const;
+ void setContainerOffset(const SVGLength& x, const SVGLength& y)
+ {
+ m_xOffset = x;
+ m_yOffset = y;
+ }
+
+private:
+ SVGLength m_xOffset;
+ SVGLength m_yOffset;
+};
+
+class SVGShadowTreeRootElement : public SVGShadowTreeContainerElement {
+public:
+ SVGShadowTreeRootElement(Document*, Node* shadowParent);
+ virtual ~SVGShadowTreeRootElement();
+
+ virtual bool isShadowNode() const { return m_shadowParent; }
+ virtual Node* shadowParentNode() { return m_shadowParent; }
+
+ void attachElement(PassRefPtr<RenderStyle>, RenderArena*);
+
+private:
+ Node* m_shadowParent;
+};
+
+}
+
+#endif
+#endif
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp 2010-06-11 15:29:14.559280466 +0200
@@ -54,7 +54,6 @@
SVGElement::SVGElement(const QualifiedName& tagName, Document* document)
: StyledElement(tagName, document, CreateElementZeroRefCount)
- , m_shadowParent(0)
, m_cursorElement(0)
, m_cursorImageValue(0)
{
@@ -285,7 +284,11 @@
ContainerNode* SVGElement::eventParentNode()
{
- return m_shadowParent ? m_shadowParent : StyledElement::eventParentNode();
+ if (Node* shadowParent = shadowParentNode()) {
+ ASSERT(shadowParent->isContainerNode());
+ return static_cast<ContainerNode*>(shadowParent);
+ }
+ return StyledElement::eventParentNode();
}
}
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElement.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElement.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElement.h 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElement.h 2010-06-11 15:29:14.564280678 +0200
@@ -60,8 +60,6 @@
virtual bool isGradientStop() const { return false; }
virtual bool isTextContent() const { return false; }
- void setShadowParentNode(ContainerNode* node) { m_shadowParent = node; }
-
// For SVGTests
virtual bool isValid() const { return true; }
@@ -95,13 +93,9 @@
friend class SVGElementInstance;
virtual bool isSVGElement() const { return true; }
-
virtual bool isSupported(StringImpl* feature, StringImpl* version) const;
-
- virtual bool isShadowNode() const { return m_shadowParent; }
- virtual Node* shadowParentNode() { return m_shadowParent; }
- virtual ContainerNode* eventParentNode();
+ virtual ContainerNode* eventParentNode();
virtual void buildPendingResource() { }
void mapInstanceToElement(SVGElementInstance*);
@@ -109,7 +103,6 @@
virtual bool haveLoadedRequiredResources();
- ContainerNode* m_shadowParent;
mutable SynchronizablePropertyController m_propertyController;
SVGCursorElement* m_cursorElement;
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.cpp 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.cpp 2010-06-11 15:29:14.560280508 +0200
@@ -33,10 +33,6 @@
#include <wtf/RefCountedLeakCounter.h>
-#if USE(JSC)
-#include "GCController.h"
-#endif
-
namespace WebCore {
#ifndef NDEBUG
@@ -51,8 +47,7 @@
}
SVGElementInstance::SVGElementInstance(SVGUseElement* useElement, PassRefPtr<SVGElement> originalElement)
- : m_needsUpdate(false)
- , m_useElement(useElement)
+ : m_useElement(useElement)
, m_element(originalElement)
, m_previousSibling(0)
, m_nextSibling(0)
@@ -93,20 +88,6 @@
m_shadowTreeElement = element;
}
-void SVGElementInstance::forgetWrapper()
-{
-#if USE(JSC)
- // FIXME: This is fragile, as discussed with Sam. Need to find a better solution.
- // Think about the case where JS explicitely holds "var root = useElement.instanceRoot;".
- // We still have to recreate this wrapper somehow. The gc collection below, won't catch it.
-
- // If the use shadow tree has been rebuilt, just the JSSVGElementInstance objects
- // are still holding RefPtrs of SVGElementInstance objects, which prevent us to
- // be deleted (and the shadow tree is not destructed as well). Force JS GC.
- gcController().garbageCollectNow();
-#endif
-}
-
void SVGElementInstance::appendChild(PassRefPtr<SVGElementInstance> child)
{
appendChildToContainer<SVGElementInstance, SVGElementInstance>(child.get(), this);
@@ -114,27 +95,24 @@
void SVGElementInstance::invalidateAllInstancesOfElement(SVGElement* element)
{
- if (!element)
+ if (!element || !element->isStyled())
+ return;
+
+ if (static_cast<SVGStyledElement*>(element)->instanceUpdatesBlocked())
return;
HashSet<SVGElementInstance*> set = element->instancesForElement();
if (set.isEmpty())
return;
- // Find all use elements referencing the instances - ask them _once_ to rebuild.
+ // Mark all use elements referencing 'element' for rebuilding
HashSet<SVGElementInstance*>::const_iterator it = set.begin();
const HashSet<SVGElementInstance*>::const_iterator end = set.end();
- for (; it != end; ++it)
- (*it)->setNeedsUpdate(true);
-}
-
-void SVGElementInstance::setNeedsUpdate(bool value)
-{
- m_needsUpdate = value;
-
- if (m_needsUpdate)
- correspondingUseElement()->setNeedsStyleRecalc();
+ for (; it != end; ++it) {
+ ASSERT((*it)->correspondingElement() == element);
+ (*it)->correspondingUseElement()->invalidateShadowTree();
+ }
}
ScriptExecutionContext* SVGElementInstance::scriptExecutionContext() const
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.h 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGElementInstance.h 2010-06-11 15:29:14.556183347 +0200
@@ -46,9 +46,6 @@
virtual ~SVGElementInstance();
- bool needsUpdate() const { return m_needsUpdate; }
- void setNeedsUpdate(bool);
-
virtual ScriptExecutionContext* scriptExecutionContext() const;
virtual bool addEventListener(const AtomicString& eventType, PassRefPtr<EventListener>, bool useCapture);
@@ -129,7 +126,6 @@
void appendChild(PassRefPtr<SVGElementInstance> child);
void setShadowTreeElement(SVGElement*);
- void forgetWrapper();
template<class GenericNode, class GenericNodeContainer>
friend void appendChildToContainer(GenericNode* child, GenericNodeContainer* container);
@@ -153,8 +149,6 @@
virtual EventTargetData* eventTargetData();
virtual EventTargetData* ensureEventTargetData();
- bool m_needsUpdate : 1;
-
SVGUseElement* m_useElement;
RefPtr<SVGElement> m_element;
RefPtr<SVGElement> m_shadowTreeElement;
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGGElement.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGGElement.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGGElement.h 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGGElement.h 2010-06-11 15:29:14.564280678 +0200
@@ -37,6 +37,7 @@
SVGGElement(const QualifiedName&, Document*);
virtual ~SVGGElement();
+ virtual bool isShadowTreeContainerElement() const { return false; }
virtual bool isValid() const { return SVGTests::isValid(); }
virtual void parseMappedAttribute(MappedAttribute*);
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.cpp 2010-06-11 15:29:14.562280735 +0200
@@ -45,11 +45,11 @@
using namespace SVGNames;
char SVGStyledElementIdentifier[] = "SVGStyledElement";
-static HashSet<const SVGStyledElement*>* gElementsWithInstanceUpdatesBlocked = 0;
SVGStyledElement::SVGStyledElement(const QualifiedName& tagName, Document* doc)
: SVGElement(tagName, doc)
, m_className(this, HTMLNames::classAttr)
+ , m_instanceUpdatesBlocked(false)
{
}
@@ -270,19 +270,6 @@
SVGResource::removeClient(this);
SVGElement::detach();
}
-
-void SVGStyledElement::setInstanceUpdatesBlocked(bool blockUpdates)
-{
- if (blockUpdates) {
- if (!gElementsWithInstanceUpdatesBlocked)
- gElementsWithInstanceUpdatesBlocked = new HashSet<const SVGStyledElement*>;
- gElementsWithInstanceUpdatesBlocked->add(this);
- } else {
- ASSERT(gElementsWithInstanceUpdatesBlocked);
- ASSERT(gElementsWithInstanceUpdatesBlocked->contains(this));
- gElementsWithInstanceUpdatesBlocked->remove(this);
- }
-}
}
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.h 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGStyledElement.h 2010-06-11 15:29:14.554166596 +0200
@@ -49,10 +49,9 @@
virtual bool rendererIsNeeded(RenderStyle*);
virtual SVGResource* canvasResource() { return 0; }
-
+
virtual bool mapToEntry(const QualifiedName&, MappedAttributeEntry&) const;
virtual void parseMappedAttribute(MappedAttribute*);
-
virtual void svgAttributeChanged(const QualifiedName&);
virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0);
@@ -62,8 +61,9 @@
void invalidateResourcesInAncestorChain() const;
virtual void detach();
-
- void setInstanceUpdatesBlocked(bool);
+
+ bool instanceUpdatesBlocked() const { return m_instanceUpdatesBlocked; }
+ void setInstanceUpdatesBlocked(bool value) { m_instanceUpdatesBlocked = value; }
protected:
virtual bool hasRelativeValues() const { return true; }
@@ -72,6 +72,7 @@
private:
ANIMATED_PROPERTY_DECLARATIONS(SVGStyledElement, SVGStyledElementIdentifier, HTMLNames::classAttrString, String, ClassName, className)
+ bool m_instanceUpdatesBlocked;
};
} // namespace WebCore
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp 2010-06-11 15:43:17.347280236 +0200
@@ -1,7 +1,7 @@
/*
Copyright (C) 2004, 2005, 2006, 2007, 2008 Nikolas Zimmermann <zimmermann at kde.org>
2004, 2005, 2006, 2007 Rob Buis <buis at kde.org>
- Copyright (C) Research In Motion Limited 2009. All rights reserved.
+ Copyright (C) Research In Motion Limited 2009-2010. All rights reserved.
This file is part of the KDE project
@@ -35,12 +35,13 @@
#include "MappedAttribute.h"
#include "NodeRenderStyle.h"
#include "RegisteredEventListener.h"
-#include "RenderSVGTransformableContainer.h"
+#include "RenderSVGShadowTreeRootContainer.h"
#include "SVGElementInstance.h"
#include "SVGElementInstanceList.h"
#include "SVGGElement.h"
#include "SVGLength.h"
#include "SVGPreserveAspectRatio.h"
+#include "SVGShadowTreeElements.h"
#include "SVGSMILElement.h"
#include "SVGSVGElement.h"
#include "SVGSymbolElement.h"
@@ -67,6 +68,8 @@
, m_height(this, SVGNames::heightAttr, LengthModeHeight)
, m_href(this, XLinkNames::hrefAttr)
, m_externalResourcesRequired(this, SVGNames::externalResourcesRequiredAttr, false)
+ , m_isPendingResource(false)
+ , m_needsShadowTreeRecreation(false)
{
}
@@ -76,6 +79,16 @@
SVGElementInstance* SVGUseElement::instanceRoot() const
{
+ // If there is no element instance tree, force immediate SVGElementInstance tree
+ // creation, as we can't wait for the lazy creation to happen if ie. JS wants to
+ // access the instanceRoot object right after creating the element on-the-fly
+ if (!m_targetElementInstance) {
+ if (RenderSVGShadowTreeRootContainer* shadowRoot = static_cast<RenderSVGShadowTreeRootContainer*>(renderer())) {
+ shadowRoot->markShadowTreeForRecreation();
+ shadowRoot->updateFromElement();
+ }
+ }
+
return m_targetElementInstance.get();
}
@@ -114,14 +127,15 @@
void SVGUseElement::insertedIntoDocument()
{
+ // This functions exists to assure assumptions made in the code regarding SVGElementInstance creation/destruction are satisfied.
SVGElement::insertedIntoDocument();
- buildPendingResource();
+ ASSERT(!m_targetElementInstance);
+ ASSERT(!m_isPendingResource);
}
void SVGUseElement::removedFromDocument()
{
m_targetElementInstance = 0;
- m_shadowTreeRootElement = 0;
SVGElement::removedFromDocument();
}
@@ -129,87 +143,120 @@
{
SVGStyledTransformableElement::svgAttributeChanged(attrName);
- if (!attached())
+ if (!renderer())
return;
- if (attrName == SVGNames::xAttr || attrName == SVGNames::yAttr ||
- attrName == SVGNames::widthAttr || attrName == SVGNames::heightAttr ||
- SVGTests::isKnownAttribute(attrName) ||
- SVGLangSpace::isKnownAttribute(attrName) ||
- SVGExternalResourcesRequired::isKnownAttribute(attrName) ||
- SVGURIReference::isKnownAttribute(attrName) ||
- SVGStyledTransformableElement::isKnownAttribute(attrName)) {
- buildPendingResource();
+ if (SVGURIReference::isKnownAttribute(attrName)) {
+ if (m_isPendingResource) {
+ document()->accessSVGExtensions()->removePendingResource(m_resourceId);
+ m_resourceId = String();
+ m_isPendingResource = false;
+ }
- if (m_shadowTreeRootElement)
- m_shadowTreeRootElement->setNeedsStyleRecalc();
+ invalidateShadowTree();
+ return;
+ }
+
+ if (attrName == SVGNames::xAttr || attrName == SVGNames::yAttr) {
+ updateContainerOffsets();
+ return;
+ }
+
+ // Be very careful here, if svgAttributeChanged() has been called because a SVG CSS property changed, we do NOT want to reclone the tree!
+ if (SVGStyledElement::isKnownAttribute(attrName)) {
+ setNeedsStyleRecalc();
+ return;
+ }
+
+ // TODO: We should be able to remove the need for width/height to require a reclone, similar to the x/y logic.
+ if (attrName == SVGNames::widthAttr
+ || attrName == SVGNames::heightAttr
+ || SVGTests::isKnownAttribute(attrName)
+ || SVGLangSpace::isKnownAttribute(attrName)
+ || SVGExternalResourcesRequired::isKnownAttribute(attrName)
+ || SVGStyledTransformableElement::isKnownAttribute(attrName)) {
+ invalidateShadowTree();
}
}
-void SVGUseElement::childrenChanged(bool changedByParser, Node* beforeChange, Node* afterChange, int childCountDelta)
+static void updateContainerOffset(SVGElementInstance* targetInstance)
{
- SVGElement::childrenChanged(changedByParser, beforeChange, afterChange, childCountDelta);
+ // Depth-first used to write the method in early exit style, no particular other reason.
+ for (SVGElementInstance* instance = targetInstance->firstChild(); instance; instance = instance->nextSibling())
+ updateContainerOffset(instance);
- if (!attached())
+ SVGElement* correspondingElement = targetInstance->correspondingElement();
+ ASSERT(correspondingElement);
+
+ if (!correspondingElement->hasTagName(SVGNames::useTag))
return;
- buildPendingResource();
+ SVGElement* shadowTreeElement = targetInstance->shadowTreeElement();
+ ASSERT(shadowTreeElement);
+ ASSERT(shadowTreeElement->hasTagName(SVGNames::gTag));
+
+ if (!static_cast<SVGGElement*>(shadowTreeElement)->isShadowTreeContainerElement())
+ return;
- if (m_shadowTreeRootElement)
- m_shadowTreeRootElement->setNeedsStyleRecalc();
+ // Spec: An additional transformation translate(x,y) is appended to the end
+ // (i.e., right-side) of the transform attribute on the generated 'g', where x
+ // and y represent the values of the x and y attributes on the 'use' element.
+ SVGUseElement* useElement = static_cast<SVGUseElement*>(correspondingElement);
+ SVGShadowTreeContainerElement* containerElement = static_cast<SVGShadowTreeContainerElement*>(shadowTreeElement);
+ containerElement->setContainerOffset(useElement->x(), useElement->y());
}
-
-static bool shadowTreeContainsChangedNodes(SVGElementInstance* target)
+
+void SVGUseElement::updateContainerOffsets()
{
- if (!target) // when use is referencing an non-existing element, there will be no Instance tree built
- return false;
+ if (!m_targetElementInstance)
+ return;
- if (target->needsUpdate())
- return true;
+ // Update root container offset (not reachable through instance tree)
+ SVGElement* shadowRoot = m_targetElementInstance->shadowTreeElement();
+ ASSERT(shadowRoot);
- for (SVGElementInstance* instance = target->firstChild(); instance; instance = instance->nextSibling())
- if (shadowTreeContainsChangedNodes(instance))
- return true;
+ Node* parentNode = shadowRoot->parentNode();
+ ASSERT(parentNode);
+ ASSERT(parentNode->isSVGElement());
+ ASSERT(parentNode->hasTagName(SVGNames::gTag));
+ ASSERT(static_cast<SVGGElement*>(parentNode)->isShadowTreeContainerElement());
- return false;
+ SVGShadowTreeContainerElement* containerElement = static_cast<SVGShadowTreeContainerElement*>(parentNode);
+ containerElement->setContainerOffset(x(), y());
+
+ // Update whole subtree, scanning for shadow container elements, marking a cloned use subtree
+ updateContainerOffset(m_targetElementInstance.get());
+
+ if (renderer())
+ renderer()->setNeedsLayout(true);
}
void SVGUseElement::recalcStyle(StyleChange change)
{
- if (attached() && needsStyleRecalc() && shadowTreeContainsChangedNodes(m_targetElementInstance.get())) {
- buildPendingResource();
-
- if (m_shadowTreeRootElement)
- m_shadowTreeRootElement->setNeedsStyleRecalc();
+ // Eventually mark shadow root element needing style recalc
+ if (needsStyleRecalc() && m_targetElementInstance) {
+ if (SVGElement* shadowRoot = m_targetElementInstance->shadowTreeElement())
+ shadowRoot->setNeedsStyleRecalc();
}
- SVGStyledElement::recalcStyle(change);
+ SVGStyledTransformableElement::recalcStyle(change);
- // The shadow tree root element is NOT a direct child element of us.
- // So we have to take care it receives style updates, manually.
- if (!m_shadowTreeRootElement || !m_shadowTreeRootElement->attached())
- return;
-
- // Mimic Element::recalcStyle(). The main difference is that we don't call attach() on the
- // shadow tree root element, but call attachShadowTree() here. Calling attach() will crash
- // as the shadow tree root element has no (direct) parent node. Yes, shadow trees are tricky.
- if (change >= Inherit || m_shadowTreeRootElement->needsStyleRecalc()) {
- RefPtr<RenderStyle> newStyle = document()->styleSelector()->styleForElement(m_shadowTreeRootElement.get());
- StyleChange ch = Node::diff(m_shadowTreeRootElement->renderStyle(), newStyle.get());
- if (ch == Detach) {
- ASSERT(m_shadowTreeRootElement->attached());
- m_shadowTreeRootElement->detach();
- attachShadowTree();
-
- // attach recalulates the style for all children. No need to do it twice.
- m_shadowTreeRootElement->setNeedsStyleRecalc(NoStyleChange);
- m_shadowTreeRootElement->setChildNeedsStyleRecalc(false);
- return;
- }
+ bool needsStyleUpdate = !m_needsShadowTreeRecreation;
+ if (m_needsShadowTreeRecreation) {
+ static_cast<RenderSVGShadowTreeRootContainer*>(renderer())->markShadowTreeForRecreation();
+ m_needsShadowTreeRecreation = false;
}
- // Only change==Detach needs special treatment, for anything else recalcStyle() works.
- m_shadowTreeRootElement->recalcStyle(change);
+ RenderSVGShadowTreeRootContainer* shadowRoot = static_cast<RenderSVGShadowTreeRootContainer*>(renderer());
+ if (!shadowRoot)
+ return;
+
+ shadowRoot->updateFromElement();
+
+ if (!needsStyleUpdate)
+ return;
+
+ shadowRoot->updateStyle(change);
}
#ifdef DUMP_INSTANCE_TREE
@@ -218,17 +265,21 @@
SVGElement* element = targetInstance->correspondingElement();
ASSERT(element);
+ SVGElement* shadowTreeElement = targetInstance->shadowTreeElement();
+ ASSERT(shadowTreeElement);
+
String elementId = element->getIDAttribute();
String elementNodeName = element->nodeName();
+ String shadowTreeElementNodeName = shadowTreeElement->nodeName();
String parentNodeName = element->parentNode() ? element->parentNode()->nodeName() : "null";
String firstChildNodeName = element->firstChild() ? element->firstChild()->nodeName() : "null";
for (unsigned int i = 0; i < depth; ++i)
text += " ";
- text += String::format("SVGElementInstance this=%p, (parentNode=%s, firstChild=%s, correspondingElement=%s (%p), shadowTreeElement=%p, id=%s)\n",
- targetInstance, parentNodeName.latin1().data(), firstChildNodeName.latin1().data(), elementNodeName.latin1().data(),
- element, targetInstance->shadowTreeElement(), elementId.latin1().data());
+ text += String::format("SVGElementInstance this=%p, (parentNode=%s (%p), firstChild=%s (%p), correspondingElement=%s (%p), shadowTreeElement=%s (%p), id=%s)\n",
+ targetInstance, parentNodeName.latin1().data(), element->parentNode(), firstChildNodeName.latin1().data(), element->firstChild(),
+ elementNodeName.latin1().data(), element, shadowTreeElementNodeName.latin1().data(), shadowTreeElement, elementId.latin1().data());
for (unsigned int i = 0; i < depth; ++i)
text += " ";
@@ -284,16 +335,36 @@
void SVGUseElement::buildPendingResource()
{
+ // If we're called the first time (during shadow tree root creation from RenderSVGShadowTreeRootContainer)
+ // we either determine that our target is available or not - then we add ourselves to the pending resource list
+ // Once the pending resource appears, it will call buildPendingResource(), so we're called a second time.
String id = SVGURIReference::getTarget(href());
Element* targetElement = document()->getElementById(id);
+ ASSERT(!m_targetElementInstance);
if (!targetElement) {
- // TODO: We want to deregister as pending resource, if our href() changed!
- // TODO: Move to svgAttributeChanged, once we're fixing use & the new dynamic update concept.
+ if (m_isPendingResource)
+ return;
+
+ m_isPendingResource = true;
+ m_resourceId = id;
document()->accessSVGExtensions()->addPendingResource(id, this);
return;
}
+ if (m_isPendingResource) {
+ ASSERT(!m_targetElementInstance);
+ m_isPendingResource = false;
+ invalidateShadowTree();
+ }
+}
+
+void SVGUseElement::buildShadowAndInstanceTree(SVGShadowTreeRootElement* shadowRoot)
+{
+ String id = SVGURIReference::getTarget(href());
+ Element* targetElement = document()->getElementById(id);
+ ASSERT(targetElement);
+
// Do not build the shadow/instance tree for <use> elements living in a shadow tree.
// The will be expanded soon anyway - see expandUseElementsInShadowTree().
Node* parent = parentNode();
@@ -308,17 +379,13 @@
if (targetElement && targetElement->isSVGElement())
target = static_cast<SVGElement*>(targetElement);
- if (m_targetElementInstance) {
- m_targetElementInstance->forgetWrapper();
+ if (m_targetElementInstance)
m_targetElementInstance = 0;
- }
// Do not allow self-referencing.
// 'target' may be null, if it's a non SVG namespaced element.
- if (!target || target == this) {
- m_shadowTreeRootElement = 0;
+ if (!target || target == this)
return;
- }
// Why a seperated instance/shadow tree? SVG demands it:
// The instance tree is accesable from JavaScript, and has to
@@ -340,45 +407,45 @@
// Non-appearing <use> content is easier to debug, then half-appearing content.
if (foundProblem) {
m_targetElementInstance = 0;
- m_shadowTreeRootElement = 0;
return;
}
// Assure instance tree building was successfull
ASSERT(m_targetElementInstance);
+ ASSERT(!m_targetElementInstance->shadowTreeElement());
ASSERT(m_targetElementInstance->correspondingUseElement() == this);
- // Setup shadow tree root node
- m_shadowTreeRootElement = new SVGGElement(SVGNames::gTag, document());
- m_shadowTreeRootElement->setInDocument();
- m_shadowTreeRootElement->setShadowParentNode(this);
-
- // Spec: An additional transformation translate(x,y) is appended to the end
- // (i.e., right-side) of the transform attribute on the generated 'g', where x
- // and y represent the values of the x and y attributes on the 'use' element.
- if (x().value(this) != 0.0 || y().value(this) != 0.0) {
- String transformString = String::format("translate(%f, %f)", x().value(this), y().value(this));
- m_shadowTreeRootElement->setAttribute(SVGNames::transformAttr, transformString);
- }
+ ASSERT(m_targetElementInstance->correspondingElement() == target);
// Build shadow tree from instance tree
// This also handles the special cases: <use> on <symbol>, <use> on <svg>.
- buildShadowTree(target, m_targetElementInstance.get());
+ buildShadowTree(shadowRoot, target, m_targetElementInstance.get());
#if ENABLE(SVG) && ENABLE(SVG_USE)
// Expand all <use> elements in the shadow tree.
// Expand means: replace the actual <use> element by what it references.
- expandUseElementsInShadowTree(m_shadowTreeRootElement.get());
+ expandUseElementsInShadowTree(shadowRoot, shadowRoot);
// Expand all <symbol> elements in the shadow tree.
// Expand means: replace the actual <symbol> element by the <svg> element.
- expandSymbolElementsInShadowTree(m_shadowTreeRootElement.get());
-
+ expandSymbolElementsInShadowTree(shadowRoot, shadowRoot);
#endif
// Now that the shadow tree is completly expanded, we can associate
// shadow tree elements <-> instances in the instance tree.
- associateInstancesWithShadowTreeElements(m_shadowTreeRootElement->firstChild(), m_targetElementInstance.get());
+ associateInstancesWithShadowTreeElements(shadowRoot->firstChild(), m_targetElementInstance.get());
+
+ // If no shadow tree element is present, this means that the reference root
+ // element was removed, as it is disallowed (ie. <use> on <foreignObject>)
+ // Do NOT leave an inconsistent instance tree around, instead destruct it.
+ if (!m_targetElementInstance->shadowTreeElement()) {
+ shadowRoot->removeAllChildren();
+ m_targetElementInstance = 0;
+ return;
+ }
+
+ // Consistency checks - this is assumed in updateContainerOffset().
+ ASSERT(m_targetElementInstance->shadowTreeElement()->parentNode() == shadowRoot);
// Eventually dump instance tree
#ifdef DUMP_INSTANCE_TREE
@@ -395,8 +462,8 @@
PassRefPtr<XMLSerializer> serializer = XMLSerializer::create();
- String markup = serializer->serializeToString(m_shadowTreeRootElement.get(), ec);
- ASSERT(ec == 0);
+ String markup = serializer->serializeToString(shadowRoot, ec);
+ ASSERT(!ec);
fprintf(stderr, "Dumping <use> shadow tree markup:\n%s\n", markup.latin1().data());
#endif
@@ -404,30 +471,33 @@
// Transfer event listeners assigned to the referenced element to our shadow tree elements.
transferEventListenersToShadowTree(m_targetElementInstance.get());
- // The DOM side is setup properly. Now we have to attach the root shadow
- // tree element manually - using attach() won't work for "shadow nodes".
- attachShadowTree();
+ // Update container translation offsets
+ updateContainerOffsets();
}
RenderObject* SVGUseElement::createRenderer(RenderArena* arena, RenderStyle*)
{
- return new (arena) RenderSVGTransformableContainer(this);
+ return new (arena) RenderSVGShadowTreeRootContainer(this);
+}
+
+static void updateFromElementCallback(Node* node)
+{
+ if (RenderObject* renderer = node->renderer())
+ renderer->updateFromElement();
}
void SVGUseElement::attach()
{
SVGStyledTransformableElement::attach();
- // If we're a pending resource, this doesn't have any effect.
- attachShadowTree();
+ if (renderer())
+ queuePostAttachCallback(updateFromElementCallback, this);
}
void SVGUseElement::detach()
{
SVGStyledTransformableElement::detach();
-
- if (m_shadowTreeRootElement)
- m_shadowTreeRootElement->detach();
+ m_targetElementInstance = 0;
}
static bool isDirectReference(Node* n)
@@ -443,10 +513,10 @@
Path SVGUseElement::toClipPath() const
{
- if (!m_shadowTreeRootElement)
- const_cast<SVGUseElement*>(this)->buildPendingResource();
+ Node* n = m_targetElementInstance ? m_targetElementInstance->shadowTreeElement() : 0;
+ if (!n)
+ return Path();
- Node* n = m_shadowTreeRootElement->firstChild();
if (n->isSVGElement() && static_cast<SVGElement*>(n)->isStyledTransformable()) {
if (!isDirectReference(n))
// Spec: Indirect references are an error (14.3.5)
@@ -480,11 +550,12 @@
continue;
// Create SVGElementInstance object, for both container/non-container nodes.
- RefPtr<SVGElementInstance> instancePtr = SVGElementInstance::create(this, element);
- targetInstance->appendChild(instancePtr.get());
+ RefPtr<SVGElementInstance> instance = SVGElementInstance::create(this, element);
+ SVGElementInstance* instancePtr = instance.get();
+ targetInstance->appendChild(instance.release());
// Enter recursion, appending new instance tree nodes to the "instance" object.
- buildInstanceTree(element, instancePtr.get(), foundProblem);
+ buildInstanceTree(element, instancePtr, foundProblem);
}
// Spec: If the referenced object is itself a 'use', or if there are 'use' subelements within the referenced
@@ -525,10 +596,11 @@
// Create an instance object, even if we're dealing with a cycle
RefPtr<SVGElementInstance> newInstance = SVGElementInstance::create(this, target);
- targetInstance->appendChild(newInstance);
+ SVGElementInstance* newInstancePtr = newInstance.get();
+ targetInstance->appendChild(newInstance.release());
// Eventually enter recursion to build SVGElementInstance objects for the sub-tree children
- buildInstanceTree(target, newInstance.get(), foundProblem);
+ buildInstanceTree(target, newInstancePtr, foundProblem);
}
void SVGUseElement::alterShadowTreeForSVGTag(SVGElement* target)
@@ -559,7 +631,7 @@
}
}
-void SVGUseElement::buildShadowTree(SVGElement* target, SVGElementInstance* targetInstance)
+void SVGUseElement::buildShadowTree(SVGShadowTreeRootElement* shadowRoot, SVGElement* target, SVGElementInstance* targetInstance)
{
// For instance <use> on <foreignObject> (direct case).
if (isDisallowedElement(target))
@@ -581,8 +653,8 @@
ASSERT(newChildPtr);
ExceptionCode ec = 0;
- m_shadowTreeRootElement->appendChild(newChild.release(), ec);
- ASSERT(ec == 0);
+ shadowRoot->appendChild(newChild.release(), ec);
+ ASSERT(!ec);
// Handle use referencing <svg> special case
if (target->hasTagName(SVGNames::svgTag))
@@ -590,7 +662,7 @@
}
#if ENABLE(SVG) && ENABLE(SVG_USE)
-void SVGUseElement::expandUseElementsInShadowTree(Node* element)
+void SVGUseElement::expandUseElementsInShadowTree(SVGShadowTreeRootElement* shadowRoot, Node* element)
{
// Why expand the <use> elements in the shadow tree here, and not just
// do this directly in buildShadowTree, if we encounter a <use> element?
@@ -611,28 +683,14 @@
// Don't ASSERT(target) here, it may be "pending", too.
if (target) {
// Setup sub-shadow tree root node
- RefPtr<SVGElement> cloneParent = new SVGGElement(SVGNames::gTag, document());
+ RefPtr<SVGShadowTreeContainerElement> cloneParent = new SVGShadowTreeContainerElement(document());
// Spec: In the generated content, the 'use' will be replaced by 'g', where all attributes from the
// 'use' element except for x, y, width, height and xlink:href are transferred to the generated 'g' element.
transferUseAttributesToReplacedElement(use, cloneParent.get());
- // Spec: An additional transformation translate(x,y) is appended to the end
- // (i.e., right-side) of the transform attribute on the generated 'g', where x
- // and y represent the values of the x and y attributes on the 'use' element.
- if (use->x().value(this) != 0.0 || use->y().value(this) != 0.0) {
- if (!cloneParent->hasAttribute(SVGNames::transformAttr)) {
- String transformString = String::format("translate(%f, %f)", use->x().value(this), use->y().value(this));
- cloneParent->setAttribute(SVGNames::transformAttr, transformString);
- } else {
- String transformString = String::format(" translate(%f, %f)", use->x().value(this), use->y().value(this));
- const AtomicString& transformAttribute = cloneParent->getAttribute(SVGNames::transformAttr);
- cloneParent->setAttribute(SVGNames::transformAttr, transformAttribute + transformString);
- }
- }
-
ExceptionCode ec = 0;
-
+
// For instance <use> on <foreignObject> (direct case).
if (isDisallowedElement(target)) {
// We still have to setup the <use> replacment (<g>). Otherwhise
@@ -640,7 +698,7 @@
// Replace <use> with referenced content.
ASSERT(use->parentNode());
use->parentNode()->replaceChild(cloneParent.release(), use, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
return;
}
@@ -660,28 +718,28 @@
ASSERT(newChildPtr);
cloneParent->appendChild(newChild.release(), ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
// Replace <use> with referenced content.
ASSERT(use->parentNode());
use->parentNode()->replaceChild(cloneParent.release(), use, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
// Handle use referencing <svg> special case
if (target->hasTagName(SVGNames::svgTag))
alterShadowTreeForSVGTag(newChildPtr);
// Immediately stop here, and restart expanding.
- expandUseElementsInShadowTree(m_shadowTreeRootElement.get());
+ expandUseElementsInShadowTree(shadowRoot, shadowRoot);
return;
}
}
for (RefPtr<Node> child = element->firstChild(); child; child = child->nextSibling())
- expandUseElementsInShadowTree(child.get());
+ expandUseElementsInShadowTree(shadowRoot, child.get());
}
-void SVGUseElement::expandSymbolElementsInShadowTree(Node* element)
+void SVGUseElement::expandSymbolElementsInShadowTree(SVGShadowTreeRootElement* shadowRoot, Node* element)
{
if (element->hasTagName(SVGNames::symbolTag)) {
// Spec: The referenced 'symbol' and its contents are deep-cloned into the generated tree,
@@ -708,7 +766,7 @@
for (Node* child = element->firstChild(); child; child = child->nextSibling()) {
RefPtr<Node> newChild = child->cloneNode(true);
svgElement->appendChild(newChild.release(), ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
}
// We don't walk the target tree element-by-element, and clone each element,
@@ -722,43 +780,19 @@
// Replace <symbol> with <svg>.
ASSERT(element->parentNode());
element->parentNode()->replaceChild(svgElement.release(), element, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
// Immediately stop here, and restart expanding.
- expandSymbolElementsInShadowTree(m_shadowTreeRootElement.get());
+ expandSymbolElementsInShadowTree(shadowRoot, shadowRoot);
return;
}
for (RefPtr<Node> child = element->firstChild(); child; child = child->nextSibling())
- expandSymbolElementsInShadowTree(child.get());
+ expandSymbolElementsInShadowTree(shadowRoot, child.get());
}
#endif
-
-void SVGUseElement::attachShadowTree()
-{
- if (!m_shadowTreeRootElement || m_shadowTreeRootElement->attached() || !document()->shouldCreateRenderers() || !attached() || !renderer())
- return;
- // Inspired by RenderTextControl::createSubtreeIfNeeded().
- if (renderer()->canHaveChildren() && childShouldCreateRenderer(m_shadowTreeRootElement.get())) {
- RefPtr<RenderStyle> style = m_shadowTreeRootElement->styleForRenderer();
-
- if (m_shadowTreeRootElement->rendererIsNeeded(style.get())) {
- m_shadowTreeRootElement->setRenderer(m_shadowTreeRootElement->createRenderer(document()->renderArena(), style.get()));
- if (RenderObject* shadowRenderer = m_shadowTreeRootElement->renderer()) {
- shadowRenderer->setStyle(style.release());
- renderer()->addChild(shadowRenderer, m_shadowTreeRootElement->nextRenderer());
- m_shadowTreeRootElement->setAttached();
- }
- }
-
- // This will take care of attaching all shadow tree child nodes.
- for (Node* child = m_shadowTreeRootElement->firstChild(); child; child = child->nextSibling())
- child->attach();
- }
-}
-
void SVGUseElement::transferEventListenersToShadowTree(SVGElementInstance* target)
{
if (!target)
@@ -846,14 +880,19 @@
return instance;
for (SVGElementInstance* current = instance->firstChild(); current; current = current->nextSibling()) {
- SVGElementInstance* search = instanceForShadowTreeElement(element, current);
- if (search)
+ if (SVGElementInstance* search = instanceForShadowTreeElement(element, current))
return search;
}
return 0;
}
+void SVGUseElement::invalidateShadowTree()
+{
+ m_needsShadowTreeRecreation = true;
+ setNeedsStyleRecalc();
+}
+
void SVGUseElement::transferUseAttributesToReplacedElement(SVGElement* from, SVGElement* to) const
{
ASSERT(from);
@@ -864,19 +903,19 @@
ExceptionCode ec = 0;
to->removeAttribute(SVGNames::xAttr, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
to->removeAttribute(SVGNames::yAttr, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
to->removeAttribute(SVGNames::widthAttr, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
to->removeAttribute(SVGNames::heightAttr, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
to->removeAttribute(XLinkNames::hrefAttr, ec);
- ASSERT(ec == 0);
+ ASSERT(!ec);
}
}
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGUseElement.h qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGUseElement.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/svg/SVGUseElement.h 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/svg/SVGUseElement.h 2010-06-11 15:29:14.557181915 +0200
@@ -32,6 +32,7 @@
class SVGElementInstance;
class SVGLength;
+ class SVGShadowTreeRootElement;
class SVGUseElement : public SVGStyledTransformableElement,
public SVGTests,
@@ -52,11 +53,9 @@
virtual void buildPendingResource();
virtual void parseMappedAttribute(MappedAttribute*);
- virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0);
-
virtual void svgAttributeChanged(const QualifiedName&);
- virtual void recalcStyle(StyleChange = NoChange);
+ virtual void recalcStyle(StyleChange = NoChange);
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
virtual void attach();
virtual void detach();
@@ -65,6 +64,12 @@
static void removeDisallowedElementsFromSubtree(Node* element);
SVGElementInstance* instanceForShadowTreeElement(Node* element) const;
+ void invalidateShadowTree();
+
+ private:
+ friend class RenderSVGShadowTreeRootContainer;
+ bool isPendingResource() const { return m_isPendingResource; }
+ void buildShadowAndInstanceTree(SVGShadowTreeRootElement*);
private:
ANIMATED_PROPERTY_DECLARATIONS(SVGUseElement, SVGNames::useTagString, SVGNames::xAttrString, SVGLength, X, x)
@@ -86,26 +91,25 @@
void handleDeepUseReferencing(SVGUseElement* use, SVGElementInstance* targetInstance, bool& foundCycle);
// Shadow tree handling
- PassRefPtr<SVGSVGElement> buildShadowTreeForSymbolTag(SVGElement* target, SVGElementInstance* targetInstance);
- void alterShadowTreeForSVGTag(SVGElement* target);
-
- void buildShadowTree(SVGElement* target, SVGElementInstance* targetInstance);
+ void alterShadowTreeForSVGTag(SVGElement*);
+ void buildShadowTree(SVGShadowTreeRootElement*, SVGElement* target, SVGElementInstance* targetInstance);
#if ENABLE(SVG) && ENABLE(SVG_USE)
- void expandUseElementsInShadowTree(Node* element);
- void expandSymbolElementsInShadowTree(Node* element);
+ void expandUseElementsInShadowTree(SVGShadowTreeRootElement*, Node* element);
+ void expandSymbolElementsInShadowTree(SVGShadowTreeRootElement*, Node* element);
#endif
- void attachShadowTree();
-
// "Tree connector"
void associateInstancesWithShadowTreeElements(Node* target, SVGElementInstance* targetInstance);
SVGElementInstance* instanceForShadowTreeElement(Node* element, SVGElementInstance* instance) const;
void transferUseAttributesToReplacedElement(SVGElement* from, SVGElement* to) const;
void transferEventListenersToShadowTree(SVGElementInstance* target);
+ void updateContainerOffsets();
- RefPtr<SVGElement> m_shadowTreeRootElement;
+ bool m_isPendingResource;
+ bool m_needsShadowTreeRecreation;
+ String m_resourceId;
RefPtr<SVGElementInstance> m_targetElementInstance;
};
diff -urN qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/WebCore.pro qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/WebCore.pro
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/WebCore.pro 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1303-1304/src/3rdparty/webkit/WebCore/WebCore.pro 2010-06-11 15:29:11.343280486 +0200
@@ -2066,6 +2066,7 @@
rendering/RenderSVGInlineText.h \
rendering/RenderSVGModelObject.h \
rendering/RenderSVGRoot.h \
+ rendering/RenderSVGShadowTreeRootContainer.h \
rendering/RenderSVGText.h \
rendering/RenderSVGTextPath.h \
rendering/RenderSVGTransformableContainer.h \
@@ -2121,6 +2122,7 @@
rendering/SVGRenderSupport.h \
rendering/SVGRenderTreeAsText.h \
rendering/SVGRootInlineBox.h \
+ rendering/SVGShadowTreeElements.h \
rendering/TextControlInnerElements.h \
rendering/TransformState.h \
svg/animation/SMILTimeContainer.h \
@@ -3093,6 +3095,7 @@
rendering/RenderSVGInlineText.cpp \
rendering/RenderSVGModelObject.cpp \
rendering/RenderSVGRoot.cpp \
+ rendering/RenderSVGShadowTreeRootContainer.cpp \
rendering/RenderSVGText.cpp \
rendering/RenderSVGTextPath.cpp \
rendering/RenderSVGTransformableContainer.cpp \
@@ -3102,7 +3105,8 @@
rendering/SVGInlineFlowBox.cpp \
rendering/SVGInlineTextBox.cpp \
rendering/SVGRenderSupport.cpp \
- rendering/SVGRootInlineBox.cpp
+ rendering/SVGRootInlineBox.cpp \
+ rendering/SVGShadowTreeElements.cpp
# GENERATOR 5-C:
qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch:
RenderBlock.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1392/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1392/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp 2010-06-10 20:24:02.864193022 +0200
@@ -4484,7 +4484,7 @@
// Drill into inlines looking for our first text child.
RenderObject* currChild = firstLetterBlock->firstChild();
- while (currChild && currChild->needsLayout() && (!currChild->isReplaced() || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
if (currChild->isFloatingOrPositioned()) {
if (currChild->style()->styleType() == FIRST_LETTER)
break;
qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch:
ContainerNode.cpp | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1396/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1396/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp 2010-06-10 20:34:00.316318866 +0200
@@ -395,33 +395,43 @@
document()->removeFocusedNodeOfSubtree(this, true);
forbidEventDispatch();
- int childCountDelta = 0;
+ Vector<RefPtr<Node> > removedChildren;
while (RefPtr<Node> n = m_firstChild) {
- childCountDelta--;
-
Node* next = n->nextSibling();
- // Remove the node from the tree before calling detach or removedFromDocument (4427024, 4129744)
+ // Remove the node from the tree before calling detach or removedFromDocument (4427024, 4129744).
+ // removeChild() does this after calling detach(). There is no explanation for
+ // this discrepancy between removeChild() and its optimized version removeChildren().
n->setPreviousSibling(0);
n->setNextSibling(0);
n->setParent(0);
-
+
m_firstChild = next;
if (n == m_lastChild)
m_lastChild = 0;
if (n->attached())
n->detach();
-
- if (n->inDocument())
- n->removedFromDocument();
+
+ removedChildren.append(n.release());
}
allowEventDispatch();
+ size_t removedChildrenCount = removedChildren.size();
+
// Dispatch a single post-removal mutation event denoting a modified subtree.
- childrenChanged(false, 0, 0, childCountDelta);
+ childrenChanged(false, 0, 0, -static_cast<int>(removedChildrenCount));
dispatchSubtreeModifiedEvent();
+ for (size_t i = 0; i < removedChildrenCount; ++i) {
+ Node* removedChild = removedChildren[i].get();
+ if (removedChild->inDocument())
+ removedChild->removedFromDocument();
+ // removeChild() calls removedFromTree(true) if the child was not in the
+ // document. There is no explanation for this discrepancy between removeChild()
+ // and its optimized version removeChildren().
+ }
+
return true;
}
qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch:
page/Frame.cpp | 6 ------
page/Frame.h | 2 --
page/FrameView.cpp | 3 ++-
rendering/RenderLayer.cpp | 2 +-
4 files changed, 3 insertions(+), 10 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.cpp 2010-06-10 20:41:45.295318418 +0200
@@ -552,12 +552,6 @@
toRenderTextControl(renderer)->selectionChanged(userTriggered);
}
-void Frame::invalidateSelection()
-{
- selection()->setNeedsLayout();
- selectionLayoutChanged();
-}
-
void Frame::setCaretVisible(bool flag)
{
if (m_caretVisible == flag)
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.h qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/Frame.h 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/Frame.h 2010-06-10 20:41:45.291318453 +0200
@@ -259,8 +259,6 @@
void selectionLayoutChanged();
void notifyRendererOfSelectionChange(bool userTriggered);
- void invalidateSelection();
-
void setCaretVisible(bool = true);
void paintCaret(GraphicsContext*, int tx, int ty, const IntRect& clipRect) const;
void paintDragCaret(GraphicsContext*, int tx, int ty, const IntRect& clipRect) const;
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/FrameView.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/page/FrameView.cpp 2010-06-10 20:41:45.293318191 +0200
@@ -642,7 +642,8 @@
root->view()->popLayoutState();
m_layoutRoot = 0;
- m_frame->invalidateSelection();
+ m_frame->selection()->setNeedsLayout();
+ m_frame->selectionLayoutChanged();
m_layoutSchedulingEnabled = true;
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1397/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-10 20:41:45.297318506 +0200
@@ -1170,7 +1170,7 @@
// The caret rect needs to be invalidated after scrolling
Frame* frame = renderer()->document()->frame();
if (frame)
- frame->invalidateSelection();
+ frame->selection()->setNeedsLayout();
// Just schedule a full repaint of our object.
if (repaint)
qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch:
dom/Element.cpp | 48 +++++++++++++++++++++++++++++++++++++++
dom/Element.h | 2 +
editing/markup.cpp | 6 ----
html/HTMLElement.cpp | 62 +++++++++------------------------------------------
4 files changed, 62 insertions(+), 56 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/dom/Element.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/dom/Element.cpp 2010-06-10 21:10:21.197317643 +0200
@@ -35,6 +35,7 @@
#include "ClientRect.h"
#include "ClientRectList.h"
#include "Document.h"
+#include "DocumentFragment.h"
#include "ElementRareData.h"
#include "ExceptionCode.h"
#include "FocusController.h"
@@ -42,6 +43,7 @@
#include "FrameView.h"
#include "HTMLElement.h"
#include "HTMLNames.h"
+#include "HTMLTokenizer.h"
#include "NamedNodeMap.h"
#include "NodeList.h"
#include "NodeRenderStyle.h"
@@ -49,6 +51,7 @@
#include "RenderView.h"
#include "TextIterator.h"
#include "XMLNames.h"
+#include "XMLTokenizer.h"
#if ENABLE(SVG)
#include "SVGNames.h"
@@ -91,6 +94,51 @@
{
return new ElementRareData;
}
+
+PassRefPtr<DocumentFragment> Element::createContextualFragment(const String& markup)
+{
+ RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
+
+ if (document()->isHTMLDocument())
+ parseHTMLDocumentFragment(markup, fragment.get());
+ else {
+ if (!parseXMLDocumentFragment(markup, fragment.get(), this))
+ // FIXME: We should propagate a syntax error exception out here.
+ return 0;
+ }
+
+ // Exceptions are ignored because none ought to happen here.
+ ExceptionCode ignoredExceptionCode;
+
+ // We need to pop <html> and <body> elements and remove <head> to
+ // accommodate folks passing complete HTML documents to make the
+ // child of an element.
+
+ RefPtr<Node> nextNode;
+ for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
+ nextNode = node->nextSibling();
+ if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
+ Node* firstChild = node->firstChild();
+ if (firstChild)
+ nextNode = firstChild;
+ RefPtr<Node> nextChild;
+ for (RefPtr<Node> child = firstChild; child; child = nextChild) {
+ nextChild = child->nextSibling();
+ node->removeChild(child.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ fragment->insertBefore(child, node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ } else if (node->hasTagName(headTag)) {
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ }
+
+ return fragment.release();
+}
PassRefPtr<Node> Element::cloneNode(bool deep)
{
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/dom/Element.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/dom/Element.h 2010-06-10 21:09:56.802317368 +0200
@@ -89,6 +89,8 @@
DEFINE_ATTRIBUTE_EVENT_LISTENER(search);
DEFINE_ATTRIBUTE_EVENT_LISTENER(selectstart);
+ virtual PassRefPtr<DocumentFragment> createContextualFragment(const String&);
+
const AtomicString& getIDAttribute() const;
bool hasAttribute(const QualifiedName&) const;
const AtomicString& getAttribute(const QualifiedName&) const;
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/editing/markup.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/editing/markup.cpp 2010-06-10 21:05:12.880192498 +0200
@@ -1054,11 +1054,7 @@
PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL)
{
- ASSERT(document->documentElement()->isHTMLElement());
- // FIXME: What if the document element is not an HTML element?
- HTMLElement *element = static_cast<HTMLElement*>(document->documentElement());
-
- RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup);
+ RefPtr<DocumentFragment> fragment = document->documentElement()->createContextualFragment(markup);
if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
completeURLs(fragment.get(), baseURL);
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1398/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp 2010-06-10 21:13:26.701317282 +0200
@@ -235,9 +235,9 @@
return createMarkup(this);
}
-PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html)
+PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &markup)
{
- // the following is in accordance with the definition as used by IE
+ // The following is in accordance with the definition as used by IE.
if (endTagRequirement() == TagStatusForbidden)
return 0;
@@ -245,47 +245,7 @@
hasLocalName(headTag) || hasLocalName(styleTag) || hasLocalName(titleTag))
return 0;
- RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
-
- if (document()->isHTMLDocument())
- parseHTMLDocumentFragment(html, fragment.get());
- else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this))
- // FIXME: We should propagate a syntax error exception out here.
- return 0;
- }
-
- // Exceptions are ignored because none ought to happen here.
- int ignoredExceptionCode;
-
- // we need to pop <html> and <body> elements and remove <head> to
- // accommodate folks passing complete HTML documents to make the
- // child of an element.
-
- RefPtr<Node> nextNode;
- for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
- nextNode = node->nextSibling();
- if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
- Node *firstChild = node->firstChild();
- if (firstChild)
- nextNode = firstChild;
- RefPtr<Node> nextChild;
- for (RefPtr<Node> child = firstChild; child; child = nextChild) {
- nextChild = child->nextSibling();
- node->removeChild(child.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- fragment->insertBefore(child, node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- } else if (node->hasTagName(headTag)) {
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- }
-
- return fragment.release();
+ return Element::createContextualFragment(markup);
}
static inline bool hasOneChild(ContainerNode* node)
@@ -371,7 +331,7 @@
void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -441,7 +401,7 @@
void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -469,7 +429,7 @@
if (ec)
return;
- // is previous node a text node? if so, merge into it
+ // Is previous node a text node? If so, merge into it.
Node* prev = t->previousSibling();
if (prev && prev->isTextNode()) {
Text* textPrev = static_cast<Text*>(prev);
@@ -482,7 +442,7 @@
t = textPrev;
}
- // is next node a text node? if so, merge it in
+ // Is next node a text node? If so, merge it in.
Node* next = t->nextSibling();
if (next && next->isTextNode()) {
Text* textNext = static_cast<Text*>(next);
@@ -522,7 +482,7 @@
return 0;
}
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = NOT_SUPPORTED_ERR;
return 0;
}
@@ -530,7 +490,7 @@
Element* HTMLElement::insertAdjacentElement(const String& where, Element* newChild, ExceptionCode& ec)
{
if (!newChild) {
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = TYPE_MISMATCH_ERR;
return 0;
}
@@ -567,8 +527,8 @@
void HTMLElement::addHTMLAlignmentToStyledElement(StyledElement* element, MappedAttribute* attr)
{
- // vertical alignment with respect to the current baseline of the text
- // right or left means floating images
+ // Vertical alignment with respect to the current baseline of the text
+ // right or left means floating images.
int floatValue = CSSValueInvalid;
int verticalAlignValue = CSSValueInvalid;
qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch:
RenderObject.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch ---
Pouze v qt-everywhere-opensource-src-4.6.3-CVE-2010-1400/src/3rdparty/webkit/WebCore: changeset_r54521.diff
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1400/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1400/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp 2010-06-10 21:43:55.916193363 +0200
@@ -1684,6 +1684,15 @@
if (repaintContainer == this)
return;
+ // If the object already needs layout, then setNeedsLayout won't do
+ // any work. But if the containing block has changed, then we may need
+ // to make the new containing blocks for layout. The change that can
+ // directly affect the containing block of this object is a change to
+ // the position style.
+ if (m_needsLayout && oldStyle->position() != m_style->position())
+ markContainingBlocksForLayout();
+
+
RenderObject* o = parent();
if (!o)
return;
qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch:
RenderLayer.cpp | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp qt-everywhere-opensource-src-4.6.3-2010-1412/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-2010-1412/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 2010-06-11 00:09:43.741191104 +0200
@@ -3039,22 +3039,33 @@
// Locate the common ancestor render object for the two renderers.
RenderObject* ancestor = commonAncestor(oldHoverObj, newHoverObj);
+ Vector<Node*, 32> nodesToRemoveFromChain;
+ Vector<Node*, 32> nodesToAddToChain;
+
if (oldHoverObj != newHoverObj) {
// The old hover path only needs to be cleared up to (and not including) the common ancestor;
for (RenderObject* curr = oldHoverObj; curr && curr != ancestor; curr = curr->hoverAncestor()) {
- if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) {
- curr->node()->setActive(false);
- curr->node()->setHovered(false);
- }
+ if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain()))
+ nodesToRemoveFromChain.append(curr->node());
}
}
// Now set the hover state for our new object up to the root.
for (RenderObject* curr = newHoverObj; curr; curr = curr->hoverAncestor()) {
- if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) {
- curr->node()->setActive(request.active());
- curr->node()->setHovered(true);
- }
+ if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain()))
+ nodesToAddToChain.append(curr->node());
+ }
+
+ size_t removeCount = nodesToRemoveFromChain.size();
+ for (size_t i = 0; i < removeCount; ++i) {
+ nodesToRemoveFromChain[i]->setActive(false);
+ nodesToRemoveFromChain[i]->setHovered(false);
+ }
+
+ size_t addCount = nodesToAddToChain.size();
+ for (size_t i = 0; i < addCount; ++i) {
+ nodesToAddToChain[i]->setActive(request.active());
+ nodesToAddToChain[i]->setHovered(true);
}
}
qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch:
RenderText.cpp | 2 +-
RenderTextFragment.cpp | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-06-11 13:42:31.190174662 +0200
@@ -207,7 +207,7 @@
PassRefPtr<StringImpl> RenderText::originalText() const
{
Node* e = node();
- return e ? static_cast<Text*>(e)->dataImpl() : 0;
+ return (e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : 0;
}
void RenderText::absoluteRects(Vector<IntRect>& rects, int tx, int ty)
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 2010-06-11 13:42:31.197153658 +0200
@@ -47,7 +47,7 @@
PassRefPtr<StringImpl> RenderTextFragment::originalText() const
{
Node* e = node();
- RefPtr<StringImpl> result = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+ RefPtr<StringImpl> result = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
if (result && (start() > 0 || start() < result->length()))
result = result->substring(start(), end());
return result.release();
@@ -76,7 +76,7 @@
{
if (start()) {
Node* e = node();
- StringImpl* original = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+ StringImpl* original = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
if (original)
return (*original)[start() - 1];
}
qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch:
RenderListMarker.cpp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1773/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1773/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp 2010-06-10 17:33:06.092192665 +0200
@@ -88,8 +88,10 @@
--number;
letters[lettersSize - 1] = alphabet[number % alphabetSize];
int length = 1;
- while ((number /= alphabetSize) > 0)
- letters[lettersSize - ++length] = alphabet[number % alphabetSize - 1];
+ while ((number /= alphabetSize) > 0) {
+ --number;
+ letters[lettersSize - ++length] = alphabet[number % alphabetSize];
+ }
ASSERT(length <= lettersSize);
return String(&letters[lettersSize - length], length);
qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch:
FixedTableLayout.cpp | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch ---
diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp qt-everywhere-opensource-src-4.6.3-CVE-1774/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp 2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3-CVE-1774/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp 2010-06-11 14:45:02.625278334 +0200
@@ -168,8 +168,7 @@
int usedSpan = 0;
int i = 0;
- while (usedSpan < span) {
- ASSERT(cCol + i < nEffCols);
+ while (usedSpan < span && cCol + i < nEffCols) {
int eSpan = m_table->spanOfEffCol(cCol + i);
// Only set if no col element has already set it.
if (m_width[cCol + i].isAuto() && w.type() != Auto) {
Index: qt.spec
===================================================================
RCS file: /cvs/pkgs/rpms/qt/F-13/qt.spec,v
retrieving revision 1.395
retrieving revision 1.396
diff -u -p -r1.395 -r1.396
--- qt.spec 9 Jun 2010 12:12:30 -0000 1.395
+++ qt.spec 11 Jun 2010 14:23:51 -0000 1.396
@@ -13,7 +13,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -67,6 +67,16 @@ Patch57: qt-everywhere-opensource-src-4.
Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
Patch106: qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
Patch108: qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
+Patch109: qt-everywhere-opensource-src-4.6.3-CVE-2010-1303_1304.patch
+Patch110: qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch
+Patch111: qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch
+Patch112: qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch
+Patch113: qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch
+Patch114: qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
+Patch115: qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch
+Patch116: qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch
+Patch117: qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch
+Patch118: qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch
# kde-qt git patches
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@@ -428,6 +438,17 @@ Qt libraries used for drawing widgets an
%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
%patch106 -p1 -b .cve-2010-0656
%patch108 -p1 -b .cve-2010-0648
+%patch109 -p1 -b .CVE-2010-1303_1304
+%patch110 -p1 -b .CVE-2010-1392
+%patch111 -p1 -b .CVE-2010-1396
+%patch112 -p1 -b .CVE-2010-1397
+%patch113 -p1 -b .CVE-2010-1398
+%patch114 -p1 -b .CVE-2010-1400
+%patch115 -p1 -b .CVE-2010-1412
+%patch116 -p1 -b .CVE-2010-1770
+%patch117 -p1 -b .CVE-2010-1773
+%patch118 -p1 -b .CVE-2010-1774
+
# kde-qt branch
%patch201 -p1 -b .kde-qt-0001
@@ -1029,6 +1050,12 @@ fi
%changelog
+* Fri Jun 11 2010 Jaroslav Reznik <jreznik at redhat.com> - 4.6.3-2
+- WebKit security update:
+ CVE-2010-1303_1304, CVE-2010-1392, CVE-2010-1396, CVE-2010-1397,
+ CVE-2010-1398, CVE-2010-1400, CVE-2010-1412, CVE-2010-1770,
+ CVE-2010-1773, CVE-2010-1774
+
* Tue Jun 08 2010 Than Ngo <than at redhat.com> - 4.6.3-1
- 4.6.3
More information about the scm-commits
mailing list