Merge lp:~ari-tczew/ubuntu/natty/webkit/lp-691104 into lp:ubuntu/natty/webkit
Proposed by
Artur Rona
Status: | Superseded |
---|---|
Proposed branch: | lp:~ari-tczew/ubuntu/natty/webkit/lp-691104 |
Merge into: | lp:ubuntu/natty/webkit |
Diff against target: |
493 lines (+435/-0) 10 files modified
debian/changelog (+52/-0) debian/patches/05-fix-jit-on-kfreebsd-i386.patch (+51/-0) debian/patches/cve-2010-2646.patch (+110/-0) debian/patches/cve-2010-2651.patch (+38/-0) debian/patches/cve-2010-2900.patch (+29/-0) debian/patches/cve-2010-2901.patch (+98/-0) debian/patches/cve-2010-3120.patch (+27/-0) debian/patches/series (+7/-0) debian/patches/typo_webkitwebsettings.patch (+18/-0) debian/patches/ubuntu-gir-version.patch (+5/-0) |
To merge this branch: | bzr merge lp:~ari-tczew/ubuntu/natty/webkit/lp-691104 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robert Ancell (community) | Needs Resubmitting | ||
Review via email: mp+43943@code.launchpad.net |
Commit message
Description of the change
I prepared a merge with Debian unstable, but there is an FTBFS. More information is in the bug report.
Robert Ancell (robert-ancell) wrote : | # |
review:
Needs Resubmitting
Artur Rona (ari-tczew) wrote : | # |
> Merge is on wrong branch, packaging is here:
> lp:~ubuntu-desktop/webkit/ubuntu
>
> Note that the branch has been updated.
I don't like when someone signs my work as its...
Unmerged revisions
- 22. By Artur Rona
-
[ Artur Rona ]
* Merge from debian unstable. Remaining changes: (LP: #691104)
- debian/control: Drop Build-Depends on gir-repository-dev since
we don't have this package in archive.
- debian/patches/ubuntu-gir-version.patch: Use the 1.2 gobject
introspection abi.
[ David Stansby ]
* debian/patches/typo_webkitwebsettings.patch: Fix typo. (LP: #552718)
Preview Diff
1 | === modified file 'debian/changelog' |
2 | --- debian/changelog 2010-10-21 13:40:42 +0000 |
3 | +++ debian/changelog 2010-12-16 18:14:15 +0000 |
4 | @@ -1,3 +1,55 @@ |
5 | +webkit (1.2.5-2.1ubuntu1) natty; urgency=low |
6 | + |
7 | + [ Artur Rona ] |
8 | + * Merge from debian unstable. Remaining changes: (LP: #691104) |
9 | + - debian/control: Drop Build-Depends on gir-repository-dev since |
10 | + we don't have this package in archive. |
11 | + - debian/patches/ubuntu-gir-version.patch: Use the 1.2 gobject |
12 | + introspection abi. |
13 | + |
14 | + [ David Stansby ] |
15 | + * debian/patches/typo_webkitwebsettings.patch: Fix typo. (LP: #552718) |
16 | + |
17 | + -- Artur Rona <ari-tczew@ubuntu.com> Thu, 16 Dec 2010 15:02:49 +0100 |
18 | + |
19 | +webkit (1.2.5-2.1) unstable; urgency=low |
20 | + |
21 | + * Non-maintainer upload. |
22 | + * Add patch 05-fix-jit-on-kfreebsd-i386.patch by Petr Salinger and |
23 | + Michael Dorrington: Fixes Javascript JIT crashing on kfreebsd-i386 |
24 | + (closes: #598956). |
25 | + |
26 | + -- gregor herrmann <gregoa@debian.org> Wed, 10 Nov 2010 23:28:55 +0100 |
27 | + |
28 | +webkit (1.2.5-2) unstable; urgency=high |
29 | + |
30 | + * Unapply 02-pool-fixup-and-sparc-support.patch and |
31 | + 04-spoof-user-agent-to-google.patch in git. This prevents the |
32 | + creation of an unwanted debian-changes patch. |
33 | + |
34 | + -- Michael Gilbert <michael.s.gilbert@gmail.com> Mon, 18 Oct 2010 22:00:36 -0400 |
35 | + |
36 | +webkit (1.2.5-1) unstable; urgency=high |
37 | + |
38 | + [ Gustavo Noronha Silva ] |
39 | + |
40 | + * New upstream release |
41 | + - fixes the following CVES: |
42 | + |
43 | + CVE-2010-1780 CVE-2010-3113 CVE-2010-1814 CVE-2010-1812 |
44 | + CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114 |
45 | + CVE-2010-3116 CVE-2010-3257 CVE-2010-3259 |
46 | + |
47 | + [ Michael Gilbert ] |
48 | + * fix cve-2010-2646: security origin bypass using IFRAME elements. |
49 | + * fix cve-2010-2651: vulnerability in css style rendering. |
50 | + * fix cve-2010-2900: vulnerability with large canvas elements when using the |
51 | + SKIA library. |
52 | + * fix cve-2010-2901: vulnerability in the rendering implementation. |
53 | + * fix cve-2010-3120: vulnerability in geolocation feature. |
54 | + |
55 | + -- Gustavo Noronha Silva <kov@debian.org> Sat, 16 Oct 2010 17:50:56 -0300 |
56 | + |
57 | webkit (1.2.5-0ubuntu3) natty; urgency=low |
58 | |
59 | * debian/patches/ubuntu-gir-version.patch: |
60 | |
61 | === added file 'debian/patches/05-fix-jit-on-kfreebsd-i386.patch' |
62 | --- debian/patches/05-fix-jit-on-kfreebsd-i386.patch 1970-01-01 00:00:00 +0000 |
63 | +++ debian/patches/05-fix-jit-on-kfreebsd-i386.patch 2010-12-16 18:14:15 +0000 |
64 | @@ -0,0 +1,51 @@ |
65 | +Author: Petr Salinger |
66 | +Tester: Michael Dorrington |
67 | +Description: Fixes Javascript JIT crashing on kfreebsd-i386. |
68 | + Fixes Javascript JIT issue that causes webkit to crash on kfreebsd-i386, |
69 | + see <http://bugs.debian.org/598956>. |
70 | + |
71 | + For reasoning of patch see: |
72 | + "Common practices and problems found when porting to GNU/k*BSD" |
73 | + <http://glibc-bsd.alioth.debian.org/porting/PORTING> |
74 | + |
75 | + On kfreebsd-amd64, this issue does not occur. |
76 | + |
77 | + |
78 | +--- webkit-1.2.4/JavaScriptCore/jit/JITOpcodes.cpp 2010-09-03 20:18:02.000000000 +0100 |
79 | ++++ webkit-1.2.4-fix_jit_kfreebsd_i386/JavaScriptCore/jit/JITOpcodes.cpp 2010-10-07 06:09:55.000000000 +0100 |
80 | +@@ -165,7 +165,7 @@ |
81 | + * stack pointer by the right amount after the call. |
82 | + */ |
83 | + |
84 | +-#if COMPILER(MSVC) || OS(LINUX) |
85 | ++#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) |
86 | + #if COMPILER(MSVC) |
87 | + #pragma pack(push) |
88 | + #pragma pack(4) |
89 | +@@ -228,7 +228,7 @@ |
90 | + storePtr(regT2, Address(stackPointerRegister, OBJECT_OFFSETOF(NativeCallFrameStructure, thisValue) + OBJECT_OFFSETOF(JSValue, u.asBits.payload))); |
91 | + storePtr(regT3, Address(stackPointerRegister, OBJECT_OFFSETOF(NativeCallFrameStructure, thisValue) + OBJECT_OFFSETOF(JSValue, u.asBits.tag))); |
92 | + |
93 | +-#if COMPILER(MSVC) || OS(LINUX) |
94 | ++#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) |
95 | + // ArgList is passed by reference so is stackPointerRegister + 4 * sizeof(Register) |
96 | + addPtr(Imm32(OBJECT_OFFSETOF(NativeCallFrameStructure, result)), stackPointerRegister, X86Registers::ecx); |
97 | + |
98 | +@@ -1689,7 +1689,7 @@ |
99 | + * not the rest of the callframe so we need a nice way to ensure we increment the |
100 | + * stack pointer by the right amount after the call. |
101 | + */ |
102 | +-#if COMPILER(MSVC) || OS(LINUX) |
103 | ++#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) |
104 | + struct NativeCallFrameStructure { |
105 | + // CallFrame* callFrame; // passed in EDX |
106 | + JSObject* callee; |
107 | +@@ -1742,7 +1742,7 @@ |
108 | + loadPtr(Address(regT1, -(int)sizeof(Register)), regT1); |
109 | + storePtr(regT1, Address(stackPointerRegister, OBJECT_OFFSETOF(NativeCallFrameStructure, thisValue))); |
110 | + |
111 | +-#if COMPILER(MSVC) || OS(LINUX) |
112 | ++#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) |
113 | + // ArgList is passed by reference so is stackPointerRegister + 4 * sizeof(Register) |
114 | + addPtr(Imm32(OBJECT_OFFSETOF(NativeCallFrameStructure, result)), stackPointerRegister, X86Registers::ecx); |
115 | + |
116 | |
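Review bot: `defined(__GLIBC__)` in the four `#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__)` conditions is wider than the kfreebsd-i386 case the Description names: it is true on every glibc-based target, so the header should say that the wider match is intended (the Description only notes that kfreebsd-amd64 does not show the issue). The same three-term condition is now repeated at all four sites; a single named macro defined once would keep them from drifting apart on the next change.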
117 | === added file 'debian/patches/cve-2010-2646.patch' |
118 | --- debian/patches/cve-2010-2646.patch 1970-01-01 00:00:00 +0000 |
119 | +++ debian/patches/cve-2010-2646.patch 2010-12-16 18:14:15 +0000 |
120 | @@ -0,0 +1,110 @@ |
121 | +description: fix cve-2010-2646 |
122 | +author: Michael Gilbert <michael.s.gilbert@gmail.com> |
123 | +origin: http://trac.webkit.org/changeset/58873 |
124 | +Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp |
125 | +=================================================================== |
126 | +--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400 |
127 | ++++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400 |
128 | +@@ -54,8 +54,12 @@ |
129 | + frames.append(frame); |
130 | + } |
131 | + |
132 | +- for (unsigned i = 0; i < frames.size(); ++i) |
133 | +- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage())); |
134 | ++ for (unsigned i = 0; i < frames.size(); ++i) { |
135 | ++ ExceptionCode ec = 0; |
136 | ++ Storage* storage = frames[i]->domWindow()->sessionStorage(ec); |
137 | ++ if (!ec) |
138 | ++ frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage)); |
139 | ++ } |
140 | + } else { |
141 | + // Send events to every page. |
142 | + const HashSet<Page*>& pages = page->group().pages(); |
143 | +Index: webkit-1.2.4/WebCore/page/DOMWindow.h |
144 | +=================================================================== |
145 | +--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400 |
146 | ++++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400 |
147 | +@@ -206,7 +206,7 @@ |
148 | + |
149 | + #if ENABLE(DOM_STORAGE) |
150 | + // HTML 5 key/value storage |
151 | +- Storage* sessionStorage() const; |
152 | ++ Storage* sessionStorage(ExceptionCode&) const; |
153 | + Storage* localStorage(ExceptionCode&) const; |
154 | + #endif |
155 | + |
156 | +Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp |
157 | +=================================================================== |
158 | +--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400 |
159 | ++++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400 |
160 | +@@ -567,7 +567,7 @@ |
161 | + } |
162 | + |
163 | + #if ENABLE(DOM_STORAGE) |
164 | +-Storage* DOMWindow::sessionStorage() const |
165 | ++Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const |
166 | + { |
167 | + if (m_sessionStorage) |
168 | + return m_sessionStorage.get(); |
169 | +@@ -576,6 +576,11 @@ |
170 | + if (!document) |
171 | + return 0; |
172 | + |
173 | ++ if (!document->securityOrigin()->canAccessLocalStorage()) { |
174 | ++ ec = SECURITY_ERR; |
175 | ++ return 0; |
176 | ++ } |
177 | ++ |
178 | + Page* page = document->page(); |
179 | + if (!page) |
180 | + return 0; |
181 | +@@ -593,16 +598,16 @@ |
182 | + { |
183 | + if (m_localStorage) |
184 | + return m_localStorage.get(); |
185 | +- |
186 | ++ |
187 | + Document* document = this->document(); |
188 | + if (!document) |
189 | + return 0; |
190 | +- |
191 | ++ |
192 | + if (!document->securityOrigin()->canAccessLocalStorage()) { |
193 | + ec = SECURITY_ERR; |
194 | + return 0; |
195 | + } |
196 | +- |
197 | ++ |
198 | + Page* page = document->page(); |
199 | + if (!page) |
200 | + return 0; |
201 | +Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h |
202 | +=================================================================== |
203 | +--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400 |
204 | ++++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400 |
205 | +@@ -120,6 +120,11 @@ |
206 | + bool canAccessLocalStorage() const { return !isUnique(); } |
207 | + bool canAccessCookies() const { return !isUnique(); } |
208 | + |
209 | ++ // Technically, we should always allow access to sessionStorage, but we |
210 | ++ // currently don't handle creating a sessionStorage area for unique |
211 | ++ // origins. |
212 | ++ bool canAccessSessionStorage() const { return !isUnique(); } |
213 | ++ |
214 | + bool isSecureTransitionTo(const KURL&) const; |
215 | + |
216 | + // The local SecurityOrigin is the most privileged SecurityOrigin. |
217 | +Index: webkit-1.2.4/WebCore/page/DOMWindow.idl |
218 | +=================================================================== |
219 | +--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400 |
220 | ++++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400 |
221 | +@@ -164,7 +164,8 @@ |
222 | + raises(DOMException); |
223 | + #endif |
224 | + #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE |
225 | +- readonly attribute [EnabledAtRuntime] Storage sessionStorage; |
226 | ++ readonly attribute [EnabledAtRuntime] Storage sessionStorage |
227 | ++ getter raises(DOMException); |
228 | + readonly attribute [EnabledAtRuntime] Storage localStorage |
229 | + getter raises(DOMException); |
230 | + #endif |
231 | |
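Review bot: The new check in `DOMWindow::sessionStorage(ExceptionCode& ec)` calls `canAccessLocalStorage()`, while the `canAccessSessionStorage()` predicate that this same patch adds to SecurityOrigin.h is not called anywhere in the visible lines. Both currently return `!isUnique()`, so behaviour is the same today, but the session-storage path should call `canAccessSessionStorage()` so the two policies can diverge later without silently changing this check; otherwise drop the unused predicate. The `@@ -593,16 +598,16 @@` hunk in DOMWindow.cpp changes only whitespace and adds noise to a security backport.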
232 | === added file 'debian/patches/cve-2010-2651.patch' |
233 | --- debian/patches/cve-2010-2651.patch 1970-01-01 00:00:00 +0000 |
234 | +++ debian/patches/cve-2010-2651.patch 2010-12-16 18:14:15 +0000 |
235 | @@ -0,0 +1,38 @@ |
236 | +description: fix cve-2010-2651 |
237 | +author: Michael Gilbert <michael.s.gilbert@gmail.com> |
238 | +origin: http://trac.webkit.org/changeset/59247 |
239 | +Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp |
240 | +=================================================================== |
241 | +--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-03 15:18:07.000000000 -0400 |
242 | ++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 21:50:51.000000000 -0400 |
243 | +@@ -4651,10 +4651,12 @@ |
244 | + |
245 | + // Drill into inlines looking for our first text child. |
246 | + RenderObject* currChild = firstLetterBlock->firstChild(); |
247 | +- while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) { |
248 | ++ while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) { |
249 | + if (currChild->isFloatingOrPositioned()) { |
250 | +- if (currChild->style()->styleType() == FIRST_LETTER) |
251 | ++ if (currChild->style()->styleType() == FIRST_LETTER) { |
252 | ++ currChild = currChild->firstChild(); |
253 | + break; |
254 | ++ } |
255 | + currChild = currChild->nextSibling(); |
256 | + } else |
257 | + currChild = currChild->firstChild(); |
258 | +@@ -4671,11 +4673,11 @@ |
259 | + |
260 | + // If the child already has style, then it has already been created, so we just want |
261 | + // to update it. |
262 | +- if (currChild->style()->styleType() == FIRST_LETTER) { |
263 | ++ if (firstLetterContainer->style()->styleType() == FIRST_LETTER) { |
264 | + RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER, |
265 | +- firstLetterContainer->firstLineStyle()); |
266 | +- currChild->setStyle(pseudo); |
267 | +- for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) { |
268 | ++ firstLetterContainer->parent()->firstLineStyle()); |
269 | ++ firstLetterContainer->setStyle(pseudo); |
270 | ++ for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) { |
271 | + if (genChild->isText()) |
272 | + genChild->setStyle(pseudo); |
273 | + } |
274 | |
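Review bot: In the second hunk, `firstLetterContainer->parent()->firstLineStyle()` dereferences `parent()` with no null check in the visible lines; confirm that `firstLetterContainer` always has a parent at this point or guard the call. In the first hunk the new `currChild = currChild->firstChild(); break;` path can leave `currChild` null, so the code after the loop has to test it before use, and that code is outside the context shown. The loop condition also drops `currChild->needsLayout()`, which changes which children are walked; the patch header gives only the changeset URL and should say why that term was removed.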
275 | === added file 'debian/patches/cve-2010-2900.patch' |
276 | --- debian/patches/cve-2010-2900.patch 1970-01-01 00:00:00 +0000 |
277 | +++ debian/patches/cve-2010-2900.patch 2010-12-16 18:14:15 +0000 |
278 | @@ -0,0 +1,29 @@ |
279 | +description: fix cve-2010-2900 |
280 | +author: Michael Gilbert <michael.s.gilbert@gmail.com> |
281 | +origin: http://trac.webkit.org/changeset/63219 |
282 | +Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp |
283 | +=================================================================== |
284 | +--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:28:56.000000000 -0400 |
285 | ++++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:29:28.000000000 -0400 |
286 | +@@ -64,6 +64,9 @@ |
287 | + // in exchange for a smaller maximum canvas size. |
288 | + const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels |
289 | + |
290 | ++//In Skia, we will also limit width/height to 32767. |
291 | ++static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels. |
292 | ++ |
293 | + HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc) |
294 | + : HTMLElement(tagName, doc) |
295 | + , m_size(defaultWidth, defaultHeight) |
296 | +@@ -293,6 +296,11 @@ |
297 | + if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea)) |
298 | + return IntSize(); |
299 | + |
300 | ++#if PLATFORM(SKIA) |
301 | ++ if (wf > MaxSkiaDim || hf > MaxSkiaDim) |
302 | ++ return IntSize(); |
303 | ++#endif |
304 | ++ |
305 | + return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf)); |
306 | + } |
307 | + |
308 | |
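Review bot: The width/height limit is compiled only under `#if PLATFORM(SKIA)`, but `MaxSkiaDim` is defined unconditionally, so a build that does not define PLATFORM(SKIA) gets an unused static constant and no behavioural change from this patch. Move the constant inside the same `#if`, and state in the patch description whether this package's build is affected. The comment `//In Skia, ...` is also missing the space after `//`.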
309 | === added file 'debian/patches/cve-2010-2901.patch' |
310 | --- debian/patches/cve-2010-2901.patch 1970-01-01 00:00:00 +0000 |
311 | +++ debian/patches/cve-2010-2901.patch 2010-12-16 18:14:15 +0000 |
312 | @@ -0,0 +1,98 @@ |
313 | +description: fix cve-2010-2901 |
314 | +author: Michael Gilbert <michael.s.gilbert@gmail.com> |
315 | +origin: http://trac.webkit.org/changeset/63048 |
316 | +Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp |
317 | +=================================================================== |
318 | +--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400 |
319 | ++++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400 |
320 | +@@ -560,6 +560,19 @@ |
321 | + return 0; |
322 | + } |
323 | + |
324 | ++RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const |
325 | ++{ |
326 | ++ RenderObject* curr = const_cast<RenderObject*>(this); |
327 | ++ while (curr) { |
328 | ++ if (curr->isBoxModelObject()) |
329 | ++ return toRenderBoxModelObject(curr); |
330 | ++ curr = curr->parent(); |
331 | ++ } |
332 | ++ |
333 | ++ ASSERT_NOT_REACHED(); |
334 | ++ return 0; |
335 | ++} |
336 | ++ |
337 | + RenderBlock* RenderObject::firstLineBlock() const |
338 | + { |
339 | + return 0; |
340 | +Index: webkit-1.2.4/WebCore/rendering/RenderObject.h |
341 | +=================================================================== |
342 | +--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400 |
343 | ++++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400 |
344 | +@@ -193,7 +193,8 @@ |
345 | + |
346 | + // Convenience function for getting to the nearest enclosing box of a RenderObject. |
347 | + RenderBox* enclosingBox() const; |
348 | +- |
349 | ++ RenderBoxModelObject* enclosingBoxModelObject() const; |
350 | ++ |
351 | + virtual bool isEmpty() const { return firstChild() == 0; } |
352 | + |
353 | + #ifndef NDEBUG |
354 | +Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp |
355 | +=================================================================== |
356 | +--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400 |
357 | ++++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400 |
358 | +@@ -639,11 +639,24 @@ |
359 | + // outlines. |
360 | + if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) { |
361 | + RenderInline* inlineFlow = toRenderInline(renderer()); |
362 | +- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) { |
363 | ++ |
364 | ++ RenderBlock* cb = 0; |
365 | ++ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation(); |
366 | ++ if (containingBlockPaintsContinuationOutline) { |
367 | ++ cb = renderer()->containingBlock()->containingBlock(); |
368 | ++ |
369 | ++ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) { |
370 | ++ if (box->hasSelfPaintingLayer()) { |
371 | ++ containingBlockPaintsContinuationOutline = false; |
372 | ++ break; |
373 | ++ } |
374 | ++ } |
375 | ++ } |
376 | ++ |
377 | ++ if (containingBlockPaintsContinuationOutline) { |
378 | + // Add ourselves to the containing block of the entire continuation so that it can |
379 | + // paint us atomically. |
380 | +- RenderBlock* block = renderer()->containingBlock()->containingBlock(); |
381 | +- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer())); |
382 | ++ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer())); |
383 | + } else if (!inlineFlow->isInlineContinuation()) |
384 | + paintInfo.outlineObjects->add(inlineFlow); |
385 | + } |
386 | +Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp |
387 | +=================================================================== |
388 | +--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400 |
389 | ++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400 |
390 | +@@ -1766,8 +1766,18 @@ |
391 | + if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) { |
392 | + if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) { |
393 | + RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer()); |
394 | +- if (!inlineRenderer->hasSelfPaintingLayer()) |
395 | +- containingBlock()->addContinuationWithOutline(inlineRenderer); |
396 | ++ RenderBlock* cb = containingBlock(); |
397 | ++ |
398 | ++ bool inlineEnclosedInSelfPaintingLayer = false; |
399 | ++ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) { |
400 | ++ if (box->hasSelfPaintingLayer()) { |
401 | ++ inlineEnclosedInSelfPaintingLayer = true; |
402 | ++ break; |
403 | ++ } |
404 | ++ } |
405 | ++ |
406 | ++ if (!inlineEnclosedInSelfPaintingLayer) |
407 | ++ cb->addContinuationWithOutline(inlineRenderer); |
408 | + else if (!inlineRenderer->firstLineBox()) |
409 | + inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(), |
410 | + ty - y() + inlineRenderer->containingBlock()->y()); |
411 | |
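Review bot: Both new loops of the form `for (RenderBoxModelObject* box = ...; box != cb; box = box->parent()->enclosingBoxModelObject())` stop only when the walk reaches `cb`. `box->parent()` is dereferenced without a null check, and `enclosingBoxModelObject()` returns 0 after `ASSERT_NOT_REACHED()`, so in a build with assertions disabled a walk that never meets `cb` ends with `box->hasSelfPaintingLayer()` called on a null pointer. Guard the step (null `parent()`, null result) or add a comment stating why `cb` is always an ancestor of the starting box in both InlineFlowBox.cpp and RenderBlock.cpp.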
412 | === added file 'debian/patches/cve-2010-3120.patch' |
413 | --- debian/patches/cve-2010-3120.patch 1970-01-01 00:00:00 +0000 |
414 | +++ debian/patches/cve-2010-3120.patch 2010-12-16 18:14:15 +0000 |
415 | @@ -0,0 +1,27 @@ |
416 | +description: fix cve-2010-3120 |
417 | +author: Michael Gilbert <michael.s.gilbert@gmail.com> |
418 | +origin: http://trac.webkit.org/changeset/65329 |
419 | +Index: webkit-1.2.4/WebCore/page/Geolocation.cpp |
420 | +=================================================================== |
421 | +--- webkit-1.2.4.orig/WebCore/page/Geolocation.cpp 2010-09-03 15:18:06.000000000 -0400 |
422 | ++++ webkit-1.2.4/WebCore/page/Geolocation.cpp 2010-09-06 22:14:03.000000000 -0400 |
423 | +@@ -252,6 +252,9 @@ |
424 | + |
425 | + void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options) |
426 | + { |
427 | ++ if (!m_frame) |
428 | ++ return; |
429 | ++ |
430 | + RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options); |
431 | + ASSERT(notifier); |
432 | + |
433 | +@@ -260,6 +263,9 @@ |
434 | + |
435 | + int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options) |
436 | + { |
437 | ++ if (!m_frame) |
438 | ++ return 0; |
439 | ++ |
440 | + RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options); |
441 | + ASSERT(notifier); |
442 | + |
443 | |
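Review bot: With the new `if (!m_frame)` guards, `getCurrentPosition()` returns without calling `errorCallback` and `watchPosition()` returns 0, so a caller on a Geolocation object with no frame gets no signal that the request was dropped. Add a comment at both guards saying that the silent return is intended and what the returned 0 means as a watch id, or report the failure through `errorCallback`.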
444 | === modified file 'debian/patches/series' |
445 | --- debian/patches/series 2010-10-21 13:40:42 +0000 |
446 | +++ debian/patches/series 2010-12-16 18:14:15 +0000 |
447 | @@ -1,3 +1,10 @@ |
448 | 02-pool-fixup-and-sparc-support.patch |
449 | 04-spoof-user-agent-to-google.patch |
450 | +05-fix-jit-on-kfreebsd-i386.patch |
451 | +cve-2010-2646.patch |
452 | +cve-2010-2651.patch |
453 | +cve-2010-2900.patch |
454 | +cve-2010-2901.patch |
455 | +cve-2010-3120.patch |
456 | ubuntu-gir-version.patch |
457 | +typo_webkitwebsettings.patch |
458 | |
459 | === added file 'debian/patches/typo_webkitwebsettings.patch' |
460 | --- debian/patches/typo_webkitwebsettings.patch 1970-01-01 00:00:00 +0000 |
461 | +++ debian/patches/typo_webkitwebsettings.patch 2010-12-16 18:14:15 +0000 |
462 | @@ -0,0 +1,18 @@ |
463 | +From: Artur Rona <ari-tczew@ubuntu.com> |
464 | +Description: Fix typo in WebKit/gtk/webkit/webkitwebsettings.cpp. |
465 | +Bug-Ubuntu: https://launchpad.net/bugs/552718 |
466 | +Origin: upstream, http://trac.webkit.org/changeset/64629/ |
467 | +Author: David Stansby <dstansby@gmail.com> |
468 | + |
469 | +diff -pruN -x '*~' webkit-1.2.5.orig/WebKit/gtk/webkit/webkitwebsettings.cpp webkit-1.2.5/WebKit/gtk/webkit/webkitwebsettings.cpp |
470 | +--- webkit-1.2.5.orig/WebKit/gtk/webkit/webkitwebsettings.cpp 2010-12-16 13:31:40.000000000 +0100 |
471 | ++++ webkit-1.2.5/WebKit/gtk/webkit/webkitwebsettings.cpp 2010-12-16 15:42:22.000000000 +0100 |
472 | +@@ -578,7 +578,7 @@ static void webkit_web_settings_class_in |
473 | + PROP_ENABLE_XSS_AUDITOR, |
474 | + g_param_spec_boolean("enable-xss-auditor", |
475 | + _("Enable XSS Auditor"), |
476 | +- _("Whether to enable teh XSS auditor"), |
477 | ++ _("Whether to enable the XSS auditor"), |
478 | + TRUE, |
479 | + flags)); |
480 | + /** |
481 | |
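Review bot: The header carries both `From: Artur Rona` and `Author: David Stansby`; DEP-3 treats `From` and `Author` as the same field, so the two lines give conflicting authorship. Keep `Author: David Stansby`, which matches the `[ David Stansby ]` changelog credit, and drop the `From:` line. The header added to debian/patches/ubuntu-gir-version.patch in this diff has the same `From:`/`Author:` pair and needs the same fix.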
482 | === modified file 'debian/patches/ubuntu-gir-version.patch' |
483 | --- debian/patches/ubuntu-gir-version.patch 2010-10-21 13:40:42 +0000 |
484 | +++ debian/patches/ubuntu-gir-version.patch 2010-12-16 18:14:15 +0000 |
485 | @@ -1,3 +1,8 @@ |
486 | +From: Artur Rona <ari-tczew@ubuntu.com> |
487 | +Description: Use the 1.2 gobject introspection abi. |
488 | +Forwarded: not-needed |
489 | +Author: Robert Ancell <robert.ancell@canonical.com> |
490 | + |
491 | Index: webkit-1.2.5/WebKit/gtk/JSCore-1.0.gir |
492 | =================================================================== |
493 | --- webkit-1.2.5.orig/WebKit/gtk/JSCore-1.0.gir 2010-09-10 23:20:33.000000000 +1000 |
Merge is on wrong branch, packaging is here:
lp:~ubuntu-desktop/webkit/ubuntu
Note that the branch has been updated.