Merge lp:~ari-tczew/ubuntu/natty/webkit/lp-691104 into lp:ubuntu/natty/webkit
Proposed by
Artur Rona
Status: | Superseded |
---|---|
Proposed branch: | lp:~ari-tczew/ubuntu/natty/webkit/lp-691104 |
Merge into: | lp:ubuntu/natty/webkit |
Diff against target: | 493 lines (+435/-0), 10 files modified: debian/changelog (+52/-0), debian/patches/05-fix-jit-on-kfreebsd-i386.patch (+51/-0), debian/patches/cve-2010-2646.patch (+110/-0), debian/patches/cve-2010-2651.patch (+38/-0), debian/patches/cve-2010-2900.patch (+29/-0), debian/patches/cve-2010-2901.patch (+98/-0), debian/patches/cve-2010-3120.patch (+27/-0), debian/patches/series (+7/-0), debian/patches/typo_webkitwebsettings.patch (+18/-0), debian/patches/ubuntu-gir-version.patch (+5/-0) |
To merge this branch: | bzr merge lp:~ari-tczew/ubuntu/natty/webkit/lp-691104 |
Related bugs: | |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robert Ancell (community) | Needs Resubmitting | ||
Commit message
Description of the change
I prepared a merge with Debian unstable, but there is an FTBFS. More information is in the bug report.
Robert Ancell (robert-ancell) wrote:
review: Needs Resubmitting
Artur Rona (ari-tczew) wrote:
> Merge is on wrong branch, packaging is here:
> lp:~ubuntu-desktop/webkit/ubuntu
>
> Note that the branch has been updated.
I don't like when someone signs my work as its...
Unmerged revisions
- 22. By Artur Rona

[ Artur Rona ]
* Merge from debian unstable. Remaining changes: (LP: #691104)
- debian/control: Drop Build-Depends on gir-repository-dev since
we don't have this package in archive.
- debian/patches/ubuntu-gir-version.patch: Use the 1.2 gobject
introspection abi.

[ David Stansby ]
* debian/patches/typo_webkitwebsettings.patch: Fix typo. (LP: #552718)
Preview Diff
1 | === modified file 'debian/changelog' | |||
2 | --- debian/changelog 2010-10-21 13:40:42 +0000 | |||
3 | +++ debian/changelog 2010-12-16 18:14:15 +0000 | |||
4 | @@ -1,3 +1,55 @@ | |||
5 | 1 | webkit (1.2.5-2.1ubuntu1) natty; urgency=low | ||
6 | 2 | |||
7 | 3 | [ Artur Rona ] | ||
8 | 4 | * Merge from debian unstable. Remaining changes: (LP: #691104) | ||
9 | 5 | - debian/control: Drop Build-Depends on gir-repository-dev since | ||
10 | 6 | we don't have this package in archive. | ||
11 | 7 | - debian/patches/ubuntu-gir-version.patch: Use the 1.2 gobject | ||
12 | 8 | introspection abi. | ||
13 | 9 | |||
14 | 10 | [ David Stansby ] | ||
15 | 11 | * debian/patches/typo_webkitwebsettings.patch: Fix typo. (LP: #552718) | ||
16 | 12 | |||
17 | 13 | -- Artur Rona <ari-tczew@ubuntu.com> Thu, 16 Dec 2010 15:02:49 +0100 | ||
18 | 14 | |||
19 | 15 | webkit (1.2.5-2.1) unstable; urgency=low | ||
20 | 16 | |||
21 | 17 | * Non-maintainer upload. | ||
22 | 18 | * Add patch 05-fix-jit-on-kfreebsd-i386.patch by Petr Salinger and | ||
23 | 19 | Michael Dorrington: Fixes Javascript JIT crashing on kfreebsd-i386 | ||
24 | 20 | (closes: #598956). | ||
25 | 21 | |||
26 | 22 | -- gregor herrmann <gregoa@debian.org> Wed, 10 Nov 2010 23:28:55 +0100 | ||
27 | 23 | |||
28 | 24 | webkit (1.2.5-2) unstable; urgency=high | ||
29 | 25 | |||
30 | 26 | * Unapply 02-pool-fixup-and-sparc-support.patch and | ||
31 | 27 | 04-spoof-user-agent-to-google.patch in git. This prevents the | ||
32 | 28 | creation of an unwanted debian-changes patch. | ||
33 | 29 | |||
34 | 30 | -- Michael Gilbert <michael.s.gilbert@gmail.com> Mon, 18 Oct 2010 22:00:36 -0400 | ||
35 | 31 | |||
36 | 32 | webkit (1.2.5-1) unstable; urgency=high | ||
37 | 33 | |||
38 | 34 | [ Gustavo Noronha Silva ] | ||
39 | 35 | |||
40 | 36 | * New upstream release | ||
41 | 37 | - fixes the following CVES: | ||
42 | 38 | |||
43 | 39 | CVE-2010-1780 CVE-2010-3113 CVE-2010-1814 CVE-2010-1812 | ||
44 | 40 | CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114 | ||
45 | 41 | CVE-2010-3116 CVE-2010-3257 CVE-2010-3259 | ||
46 | 42 | |||
47 | 43 | [ Michael Gilbert ] | ||
48 | 44 | * fix cve-2010-2646: security origin bypass using IFRAME elements. | ||
49 | 45 | * fix cve-2010-2651: vulnerability in css style rendering. | ||
50 | 46 | * fix cve-2010-2900: vulnerability with large canvas elements when using the | ||
51 | 47 | SKIA library. | ||
52 | 48 | * fix cve-2010-2901: vulnerability in the rendering implementation. | ||
53 | 49 | * fix cve-2010-3120: vulnerability in geolocation feature. | ||
54 | 50 | |||
55 | 51 | -- Gustavo Noronha Silva <kov@debian.org> Sat, 16 Oct 2010 17:50:56 -0300 | ||
56 | 52 | |||
57 | 1 | webkit (1.2.5-0ubuntu3) natty; urgency=low | 53 | webkit (1.2.5-0ubuntu3) natty; urgency=low |
58 | 2 | 54 | ||
59 | 3 | * debian/patches/ubuntu-gir-version.patch: | 55 | * debian/patches/ubuntu-gir-version.patch: |
60 | 4 | 56 | ||
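Review bot: The new top entry `webkit (1.2.5-2.1ubuntu1) natty; urgency=low` says nothing about the five cve-2010-* patches this merge brings in, while the Debian entries 1.2.5-1 and 1.2.5-2 merged beneath it are `urgency=high` and list them. Consider adding a line to the Ubuntu entry naming the CVE patches picked up from Debian, so the security content of the upload is visible without reading down to the Debian entries, and reconsider whether low urgency fits an upload that carries them.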
61 | === added file 'debian/patches/05-fix-jit-on-kfreebsd-i386.patch' | |||
62 | --- debian/patches/05-fix-jit-on-kfreebsd-i386.patch 1970-01-01 00:00:00 +0000 | |||
63 | +++ debian/patches/05-fix-jit-on-kfreebsd-i386.patch 2010-12-16 18:14:15 +0000 | |||
64 | @@ -0,0 +1,51 @@ | |||
65 | 1 | Author: Petr Salinger | ||
66 | 2 | Tester: Michael Dorrington | ||
67 | 3 | Description: Fixes Javascript JIT crashing on kfreebsd-i386. | ||
68 | 4 | Fixes Javascript JIT issue that causes webkit to crash on kfreebsd-i386, | ||
69 | 5 | see <http://bugs.debian.org/598956>. | ||
70 | 6 | |||
71 | 7 | For reasoning of patch see: | ||
72 | 8 | "Common practices and problems found when porting to GNU/k*BSD" | ||
73 | 9 | <http://glibc-bsd.alioth.debian.org/porting/PORTING> | ||
74 | 10 | |||
75 | 11 | On kfreebsd-amd64, this issue does not occur. | ||
76 | 12 | |||
77 | 13 | |||
78 | 14 | --- webkit-1.2.4/JavaScriptCore/jit/JITOpcodes.cpp 2010-09-03 20:18:02.000000000 +0100 | ||
79 | 15 | +++ webkit-1.2.4-fix_jit_kfreebsd_i386/JavaScriptCore/jit/JITOpcodes.cpp 2010-10-07 06:09:55.000000000 +0100 | ||
80 | 16 | @@ -165,7 +165,7 @@ | ||
81 | 17 | * stack pointer by the right amount after the call. | ||
82 | 18 | */ | ||
83 | 19 | |||
84 | 20 | -#if COMPILER(MSVC) || OS(LINUX) | ||
85 | 21 | +#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) | ||
86 | 22 | #if COMPILER(MSVC) | ||
87 | 23 | #pragma pack(push) | ||
88 | 24 | #pragma pack(4) | ||
89 | 25 | @@ -228,7 +228,7 @@ | ||
90 | 26 | storePtr(regT2, Address(stackPointerRegister, OBJECT_OFFSETOF(NativeCallFrameStructure, thisValue) + OBJECT_OFFSETOF(JSValue, u.asBits.payload))); | ||
91 | 27 | storePtr(regT3, Address(stackPointerRegister, OBJECT_OFFSETOF(NativeCallFrameStructure, thisValue) + OBJECT_OFFSETOF(JSValue, u.asBits.tag))); | ||
92 | 28 | |||
93 | 29 | -#if COMPILER(MSVC) || OS(LINUX) | ||
94 | 30 | +#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) | ||
95 | 31 | // ArgList is passed by reference so is stackPointerRegister + 4 * sizeof(Register) | ||
96 | 32 | addPtr(Imm32(OBJECT_OFFSETOF(NativeCallFrameStructure, result)), stackPointerRegister, X86Registers::ecx); | ||
97 | 33 | |||
98 | 34 | @@ -1689,7 +1689,7 @@ | ||
99 | 35 | * not the rest of the callframe so we need a nice way to ensure we increment the | ||
100 | 36 | * stack pointer by the right amount after the call. | ||
101 | 37 | */ | ||
102 | 38 | -#if COMPILER(MSVC) || OS(LINUX) | ||
103 | 39 | +#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) | ||
104 | 40 | struct NativeCallFrameStructure { | ||
105 | 41 | // CallFrame* callFrame; // passed in EDX | ||
106 | 42 | JSObject* callee; | ||
107 | 43 | @@ -1742,7 +1742,7 @@ | ||
108 | 44 | loadPtr(Address(regT1, -(int)sizeof(Register)), regT1); | ||
109 | 45 | storePtr(regT1, Address(stackPointerRegister, OBJECT_OFFSETOF(NativeCallFrameStructure, thisValue))); | ||
110 | 46 | |||
111 | 47 | -#if COMPILER(MSVC) || OS(LINUX) | ||
112 | 48 | +#if COMPILER(MSVC) || OS(LINUX) || defined(__GLIBC__) | ||
113 | 49 | // ArgList is passed by reference so is stackPointerRegister + 4 * sizeof(Register) | ||
114 | 50 | addPtr(Imm32(OBJECT_OFFSETOF(NativeCallFrameStructure, result)), stackPointerRegister, X86Registers::ecx); | ||
115 | 51 | |||
116 | 0 | 52 | ||
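Review bot: `defined(__GLIBC__)` at all four `#if COMPILER(MSVC) || OS(LINUX)` sites is wider than the stated fix, because it holds on every glibc target and not only on kfreebsd-i386, and the header itself notes that kfreebsd-amd64 is unaffected. A short comment at the guard explaining why the glibc test is the right discriminator would help (the header only links to the PORTING document), and the header has no Forwarded or Origin field to show whether upstream has seen the change.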
117 | === added file 'debian/patches/cve-2010-2646.patch' | |||
118 | --- debian/patches/cve-2010-2646.patch 1970-01-01 00:00:00 +0000 | |||
119 | +++ debian/patches/cve-2010-2646.patch 2010-12-16 18:14:15 +0000 | |||
120 | @@ -0,0 +1,110 @@ | |||
121 | 1 | description: fix cve-2010-2646 | ||
122 | 2 | author: Michael Gilbert <michael.s.gilbert@gmail.com> | ||
123 | 3 | origin: http://trac.webkit.org/changeset/58873 | ||
124 | 4 | Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp | ||
125 | 5 | =================================================================== | ||
126 | 6 | --- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400 | ||
127 | 7 | +++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400 | ||
128 | 8 | @@ -54,8 +54,12 @@ | ||
129 | 9 | frames.append(frame); | ||
130 | 10 | } | ||
131 | 11 | |||
132 | 12 | - for (unsigned i = 0; i < frames.size(); ++i) | ||
133 | 13 | - frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage())); | ||
134 | 14 | + for (unsigned i = 0; i < frames.size(); ++i) { | ||
135 | 15 | + ExceptionCode ec = 0; | ||
136 | 16 | + Storage* storage = frames[i]->domWindow()->sessionStorage(ec); | ||
137 | 17 | + if (!ec) | ||
138 | 18 | + frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage)); | ||
139 | 19 | + } | ||
140 | 20 | } else { | ||
141 | 21 | // Send events to every page. | ||
142 | 22 | const HashSet<Page*>& pages = page->group().pages(); | ||
143 | 23 | Index: webkit-1.2.4/WebCore/page/DOMWindow.h | ||
144 | 24 | =================================================================== | ||
145 | 25 | --- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400 | ||
146 | 26 | +++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400 | ||
147 | 27 | @@ -206,7 +206,7 @@ | ||
148 | 28 | |||
149 | 29 | #if ENABLE(DOM_STORAGE) | ||
150 | 30 | // HTML 5 key/value storage | ||
151 | 31 | - Storage* sessionStorage() const; | ||
152 | 32 | + Storage* sessionStorage(ExceptionCode&) const; | ||
153 | 33 | Storage* localStorage(ExceptionCode&) const; | ||
154 | 34 | #endif | ||
155 | 35 | |||
156 | 36 | Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp | ||
157 | 37 | =================================================================== | ||
158 | 38 | --- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400 | ||
159 | 39 | +++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400 | ||
160 | 40 | @@ -567,7 +567,7 @@ | ||
161 | 41 | } | ||
162 | 42 | |||
163 | 43 | #if ENABLE(DOM_STORAGE) | ||
164 | 44 | -Storage* DOMWindow::sessionStorage() const | ||
165 | 45 | +Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const | ||
166 | 46 | { | ||
167 | 47 | if (m_sessionStorage) | ||
168 | 48 | return m_sessionStorage.get(); | ||
169 | 49 | @@ -576,6 +576,11 @@ | ||
170 | 50 | if (!document) | ||
171 | 51 | return 0; | ||
172 | 52 | |||
173 | 53 | + if (!document->securityOrigin()->canAccessLocalStorage()) { | ||
174 | 54 | + ec = SECURITY_ERR; | ||
175 | 55 | + return 0; | ||
176 | 56 | + } | ||
177 | 57 | + | ||
178 | 58 | Page* page = document->page(); | ||
179 | 59 | if (!page) | ||
180 | 60 | return 0; | ||
181 | 61 | @@ -593,16 +598,16 @@ | ||
182 | 62 | { | ||
183 | 63 | if (m_localStorage) | ||
184 | 64 | return m_localStorage.get(); | ||
185 | 65 | - | ||
186 | 66 | + | ||
187 | 67 | Document* document = this->document(); | ||
188 | 68 | if (!document) | ||
189 | 69 | return 0; | ||
190 | 70 | - | ||
191 | 71 | + | ||
192 | 72 | if (!document->securityOrigin()->canAccessLocalStorage()) { | ||
193 | 73 | ec = SECURITY_ERR; | ||
194 | 74 | return 0; | ||
195 | 75 | } | ||
196 | 76 | - | ||
197 | 77 | + | ||
198 | 78 | Page* page = document->page(); | ||
199 | 79 | if (!page) | ||
200 | 80 | return 0; | ||
201 | 81 | Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h | ||
202 | 82 | =================================================================== | ||
203 | 83 | --- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400 | ||
204 | 84 | +++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400 | ||
205 | 85 | @@ -120,6 +120,11 @@ | ||
206 | 86 | bool canAccessLocalStorage() const { return !isUnique(); } | ||
207 | 87 | bool canAccessCookies() const { return !isUnique(); } | ||
208 | 88 | |||
209 | 89 | + // Technically, we should always allow access to sessionStorage, but we | ||
210 | 90 | + // currently don't handle creating a sessionStorage area for unique | ||
211 | 91 | + // origins. | ||
212 | 92 | + bool canAccessSessionStorage() const { return !isUnique(); } | ||
213 | 93 | + | ||
214 | 94 | bool isSecureTransitionTo(const KURL&) const; | ||
215 | 95 | |||
216 | 96 | // The local SecurityOrigin is the most privileged SecurityOrigin. | ||
217 | 97 | Index: webkit-1.2.4/WebCore/page/DOMWindow.idl | ||
218 | 98 | =================================================================== | ||
219 | 99 | --- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400 | ||
220 | 100 | +++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400 | ||
221 | 101 | @@ -164,7 +164,8 @@ | ||
222 | 102 | raises(DOMException); | ||
223 | 103 | #endif | ||
224 | 104 | #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE | ||
225 | 105 | - readonly attribute [EnabledAtRuntime] Storage sessionStorage; | ||
226 | 106 | + readonly attribute [EnabledAtRuntime] Storage sessionStorage | ||
227 | 107 | + getter raises(DOMException); | ||
228 | 108 | readonly attribute [EnabledAtRuntime] Storage localStorage | ||
229 | 109 | getter raises(DOMException); | ||
230 | 110 | #endif | ||
231 | 0 | 111 | ||
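Review bot: `DOMWindow::sessionStorage(ExceptionCode& ec)` gates on `canAccessLocalStorage()`, yet the SecurityOrigin.h hunk adds `canAccessSessionStorage()` for exactly this purpose and nothing in the visible lines calls it. Both currently return `!isUnique()`, so behaviour is the same today, but the session path should call the session predicate so the two policies can diverge later without silently reopening this check. Separately, the DOMWindow.cpp hunk at 593 changes only whitespace on three blank lines in `localStorage`; dropping that hunk would keep the security patch minimal.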
232 | === added file 'debian/patches/cve-2010-2651.patch' | |||
233 | --- debian/patches/cve-2010-2651.patch 1970-01-01 00:00:00 +0000 | |||
234 | +++ debian/patches/cve-2010-2651.patch 2010-12-16 18:14:15 +0000 | |||
235 | @@ -0,0 +1,38 @@ | |||
236 | 1 | description: fix cve-2010-2651 | ||
237 | 2 | author: Michael Gilbert <michael.s.gilbert@gmail.com> | ||
238 | 3 | origin: http://trac.webkit.org/changeset/59247 | ||
239 | 4 | Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp | ||
240 | 5 | =================================================================== | ||
241 | 6 | --- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-03 15:18:07.000000000 -0400 | ||
242 | 7 | +++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 21:50:51.000000000 -0400 | ||
243 | 8 | @@ -4651,10 +4651,12 @@ | ||
244 | 9 | |||
245 | 10 | // Drill into inlines looking for our first text child. | ||
246 | 11 | RenderObject* currChild = firstLetterBlock->firstChild(); | ||
247 | 12 | - while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) { | ||
248 | 13 | + while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) { | ||
249 | 14 | if (currChild->isFloatingOrPositioned()) { | ||
250 | 15 | - if (currChild->style()->styleType() == FIRST_LETTER) | ||
251 | 16 | + if (currChild->style()->styleType() == FIRST_LETTER) { | ||
252 | 17 | + currChild = currChild->firstChild(); | ||
253 | 18 | break; | ||
254 | 19 | + } | ||
255 | 20 | currChild = currChild->nextSibling(); | ||
256 | 21 | } else | ||
257 | 22 | currChild = currChild->firstChild(); | ||
258 | 23 | @@ -4671,11 +4673,11 @@ | ||
259 | 24 | |||
260 | 25 | // If the child already has style, then it has already been created, so we just want | ||
261 | 26 | // to update it. | ||
262 | 27 | - if (currChild->style()->styleType() == FIRST_LETTER) { | ||
263 | 28 | + if (firstLetterContainer->style()->styleType() == FIRST_LETTER) { | ||
264 | 29 | RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER, | ||
265 | 30 | - firstLetterContainer->firstLineStyle()); | ||
266 | 31 | - currChild->setStyle(pseudo); | ||
267 | 32 | - for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) { | ||
268 | 33 | + firstLetterContainer->parent()->firstLineStyle()); | ||
269 | 34 | + firstLetterContainer->setStyle(pseudo); | ||
270 | 35 | + for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) { | ||
271 | 36 | if (genChild->isText()) | ||
272 | 37 | genChild->setStyle(pseudo); | ||
273 | 38 | } | ||
274 | 0 | 39 | ||
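Review bot: In the first hunk the new `currChild = currChild->firstChild(); break;` can leave the loop with `currChild` null when the FIRST_LETTER renderer has no children, and the lines between the two hunks are not shown, so it is not visible that a null `currChild` is handled before `firstLetterContainer` is derived from it. The second hunk also dereferences `firstLetterContainer->parent()` without a check in `firstLetterContainer->parent()->firstLineStyle()`. Please confirm both against the upstream changeset and add a one-line description of what the vulnerability was, since the header only says "fix cve-2010-2651".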
275 | === added file 'debian/patches/cve-2010-2900.patch' | |||
276 | --- debian/patches/cve-2010-2900.patch 1970-01-01 00:00:00 +0000 | |||
277 | +++ debian/patches/cve-2010-2900.patch 2010-12-16 18:14:15 +0000 | |||
278 | @@ -0,0 +1,29 @@ | |||
279 | 1 | description: fix cve-2010-2900 | ||
280 | 2 | author: Michael Gilbert <michael.s.gilbert@gmail.com> | ||
281 | 3 | origin: http://trac.webkit.org/changeset/63219 | ||
282 | 4 | Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp | ||
283 | 5 | =================================================================== | ||
284 | 6 | --- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:28:56.000000000 -0400 | ||
285 | 7 | +++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:29:28.000000000 -0400 | ||
286 | 8 | @@ -64,6 +64,9 @@ | ||
287 | 9 | // in exchange for a smaller maximum canvas size. | ||
288 | 10 | const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels | ||
289 | 11 | |||
290 | 12 | +//In Skia, we will also limit width/height to 32767. | ||
291 | 13 | +static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels. | ||
292 | 14 | + | ||
293 | 15 | HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc) | ||
294 | 16 | : HTMLElement(tagName, doc) | ||
295 | 17 | , m_size(defaultWidth, defaultHeight) | ||
296 | 18 | @@ -293,6 +296,11 @@ | ||
297 | 19 | if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea)) | ||
298 | 20 | return IntSize(); | ||
299 | 21 | |||
300 | 22 | +#if PLATFORM(SKIA) | ||
301 | 23 | + if (wf > MaxSkiaDim || hf > MaxSkiaDim) | ||
302 | 24 | + return IntSize(); | ||
303 | 25 | +#endif | ||
304 | 26 | + | ||
305 | 27 | return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf)); | ||
306 | 28 | } | ||
307 | 29 | |||
308 | 0 | 30 | ||
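Review bot: `MaxSkiaDim` is declared unconditionally but only read inside `#if PLATFORM(SKIA)`, so on a build where that macro is false the constant is unused and the new width/height check compiles out entirely. Move the declaration inside the same guard. The changelog describes this as a fix "when using the SKIA library" and the other patches in this branch touch WebKit/gtk, so also confirm whether this package is built with Skia at all; if it is not, the patch changes nothing here and the changelog should say so.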
309 | === added file 'debian/patches/cve-2010-2901.patch' | |||
310 | --- debian/patches/cve-2010-2901.patch 1970-01-01 00:00:00 +0000 | |||
311 | +++ debian/patches/cve-2010-2901.patch 2010-12-16 18:14:15 +0000 | |||
312 | @@ -0,0 +1,98 @@ | |||
313 | 1 | description: fix cve-2010-2901 | ||
314 | 2 | author: Michael Gilbert <michael.s.gilbert@gmail.com> | ||
315 | 3 | origin: http://trac.webkit.org/changeset/63048 | ||
316 | 4 | Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp | ||
317 | 5 | =================================================================== | ||
318 | 6 | --- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400 | ||
319 | 7 | +++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400 | ||
320 | 8 | @@ -560,6 +560,19 @@ | ||
321 | 9 | return 0; | ||
322 | 10 | } | ||
323 | 11 | |||
324 | 12 | +RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const | ||
325 | 13 | +{ | ||
326 | 14 | + RenderObject* curr = const_cast<RenderObject*>(this); | ||
327 | 15 | + while (curr) { | ||
328 | 16 | + if (curr->isBoxModelObject()) | ||
329 | 17 | + return toRenderBoxModelObject(curr); | ||
330 | 18 | + curr = curr->parent(); | ||
331 | 19 | + } | ||
332 | 20 | + | ||
333 | 21 | + ASSERT_NOT_REACHED(); | ||
334 | 22 | + return 0; | ||
335 | 23 | +} | ||
336 | 24 | + | ||
337 | 25 | RenderBlock* RenderObject::firstLineBlock() const | ||
338 | 26 | { | ||
339 | 27 | return 0; | ||
340 | 28 | Index: webkit-1.2.4/WebCore/rendering/RenderObject.h | ||
341 | 29 | =================================================================== | ||
342 | 30 | --- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400 | ||
343 | 31 | +++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400 | ||
344 | 32 | @@ -193,7 +193,8 @@ | ||
345 | 33 | |||
346 | 34 | // Convenience function for getting to the nearest enclosing box of a RenderObject. | ||
347 | 35 | RenderBox* enclosingBox() const; | ||
348 | 36 | - | ||
349 | 37 | + RenderBoxModelObject* enclosingBoxModelObject() const; | ||
350 | 38 | + | ||
351 | 39 | virtual bool isEmpty() const { return firstChild() == 0; } | ||
352 | 40 | |||
353 | 41 | #ifndef NDEBUG | ||
354 | 42 | Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp | ||
355 | 43 | =================================================================== | ||
356 | 44 | --- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400 | ||
357 | 45 | +++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400 | ||
358 | 46 | @@ -639,11 +639,24 @@ | ||
359 | 47 | // outlines. | ||
360 | 48 | if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) { | ||
361 | 49 | RenderInline* inlineFlow = toRenderInline(renderer()); | ||
362 | 50 | - if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) { | ||
363 | 51 | + | ||
364 | 52 | + RenderBlock* cb = 0; | ||
365 | 53 | + bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation(); | ||
366 | 54 | + if (containingBlockPaintsContinuationOutline) { | ||
367 | 55 | + cb = renderer()->containingBlock()->containingBlock(); | ||
368 | 56 | + | ||
369 | 57 | + for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) { | ||
370 | 58 | + if (box->hasSelfPaintingLayer()) { | ||
371 | 59 | + containingBlockPaintsContinuationOutline = false; | ||
372 | 60 | + break; | ||
373 | 61 | + } | ||
374 | 62 | + } | ||
375 | 63 | + } | ||
376 | 64 | + | ||
377 | 65 | + if (containingBlockPaintsContinuationOutline) { | ||
378 | 66 | // Add ourselves to the containing block of the entire continuation so that it can | ||
379 | 67 | // paint us atomically. | ||
380 | 68 | - RenderBlock* block = renderer()->containingBlock()->containingBlock(); | ||
381 | 69 | - block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer())); | ||
382 | 70 | + cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer())); | ||
383 | 71 | } else if (!inlineFlow->isInlineContinuation()) | ||
384 | 72 | paintInfo.outlineObjects->add(inlineFlow); | ||
385 | 73 | } | ||
386 | 74 | Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp | ||
387 | 75 | =================================================================== | ||
388 | 76 | --- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400 | ||
389 | 77 | +++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400 | ||
390 | 78 | @@ -1766,8 +1766,18 @@ | ||
391 | 79 | if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) { | ||
392 | 80 | if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) { | ||
393 | 81 | RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer()); | ||
394 | 82 | - if (!inlineRenderer->hasSelfPaintingLayer()) | ||
395 | 83 | - containingBlock()->addContinuationWithOutline(inlineRenderer); | ||
396 | 84 | + RenderBlock* cb = containingBlock(); | ||
397 | 85 | + | ||
398 | 86 | + bool inlineEnclosedInSelfPaintingLayer = false; | ||
399 | 87 | + for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) { | ||
400 | 88 | + if (box->hasSelfPaintingLayer()) { | ||
401 | 89 | + inlineEnclosedInSelfPaintingLayer = true; | ||
402 | 90 | + break; | ||
403 | 91 | + } | ||
404 | 92 | + } | ||
405 | 93 | + | ||
406 | 94 | + if (!inlineEnclosedInSelfPaintingLayer) | ||
407 | 95 | + cb->addContinuationWithOutline(inlineRenderer); | ||
408 | 96 | else if (!inlineRenderer->firstLineBox()) | ||
409 | 97 | inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(), | ||
410 | 98 | ty - y() + inlineRenderer->containingBlock()->y()); | ||
411 | 0 | 99 | ||
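Review bot: Both new loops of the form `for (RenderBoxModelObject* box = ...; box != cb; box = box->parent()->enclosingBoxModelObject())` terminate only if `cb` is reached; `enclosingBoxModelObject()` ends with `ASSERT_NOT_REACHED(); return 0;`, so where the assertion is compiled out a walk that misses `cb` yields a null `box` and the next `box->hasSelfPaintingLayer()` dereferences it. `box->parent()` is also used unchecked. A loop condition of `box && box != cb` plus a null test on `parent()` would make the walk safe in release builds; in InlineFlowBox.cpp the same applies to `cb = renderer()->containingBlock()->containingBlock()`.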
412 | === added file 'debian/patches/cve-2010-3120.patch' | |||
413 | --- debian/patches/cve-2010-3120.patch 1970-01-01 00:00:00 +0000 | |||
414 | +++ debian/patches/cve-2010-3120.patch 2010-12-16 18:14:15 +0000 | |||
415 | @@ -0,0 +1,27 @@ | |||
416 | 1 | description: fix cve-2010-3120 | ||
417 | 2 | author: Michael Gilbert <michael.s.gilbert@gmail.com> | ||
418 | 3 | origin: http://trac.webkit.org/changeset/65329 | ||
419 | 4 | Index: webkit-1.2.4/WebCore/page/Geolocation.cpp | ||
420 | 5 | =================================================================== | ||
421 | 6 | --- webkit-1.2.4.orig/WebCore/page/Geolocation.cpp 2010-09-03 15:18:06.000000000 -0400 | ||
422 | 7 | +++ webkit-1.2.4/WebCore/page/Geolocation.cpp 2010-09-06 22:14:03.000000000 -0400 | ||
423 | 8 | @@ -252,6 +252,9 @@ | ||
424 | 9 | |||
425 | 10 | void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options) | ||
426 | 11 | { | ||
427 | 12 | + if (!m_frame) | ||
428 | 13 | + return; | ||
429 | 14 | + | ||
430 | 15 | RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options); | ||
431 | 16 | ASSERT(notifier); | ||
432 | 17 | |||
433 | 18 | @@ -260,6 +263,9 @@ | ||
434 | 19 | |||
435 | 20 | int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options) | ||
436 | 21 | { | ||
437 | 22 | + if (!m_frame) | ||
438 | 23 | + return 0; | ||
439 | 24 | + | ||
440 | 25 | RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options); | ||
441 | 26 | ASSERT(notifier); | ||
442 | 27 | |||
443 | 0 | 28 | ||
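Review bot: In `watchPosition` the new `if (!m_frame) return 0;` uses 0 as the failure value with nothing in the hunk stating that 0 is never a valid watch id, and in `getCurrentPosition` the early return drops the request without invoking `errorCallback`. Add a comment saying that 0 is reserved (or return a named constant) and that the silent return is intended, so a caller is not left waiting for a callback that never fires.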
444 | === modified file 'debian/patches/series' | |||
445 | --- debian/patches/series 2010-10-21 13:40:42 +0000 | |||
446 | +++ debian/patches/series 2010-12-16 18:14:15 +0000 | |||
447 | @@ -1,3 +1,10 @@ | |||
448 | 1 | 02-pool-fixup-and-sparc-support.patch | 1 | 02-pool-fixup-and-sparc-support.patch |
449 | 2 | 04-spoof-user-agent-to-google.patch | 2 | 04-spoof-user-agent-to-google.patch |
450 | 3 | 05-fix-jit-on-kfreebsd-i386.patch | ||
451 | 4 | cve-2010-2646.patch | ||
452 | 5 | cve-2010-2651.patch | ||
453 | 6 | cve-2010-2900.patch | ||
454 | 7 | cve-2010-2901.patch | ||
455 | 8 | cve-2010-3120.patch | ||
456 | 3 | ubuntu-gir-version.patch | 9 | ubuntu-gir-version.patch |
457 | 10 | typo_webkitwebsettings.patch | ||
458 | 4 | 11 | ||
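Review bot: The five cve-2010-*.patch entries and 05-fix-jit-on-kfreebsd-i386.patch are all generated against `webkit-1.2.4/` paths, while ubuntu-gir-version.patch and typo_webkitwebsettings.patch that follow them are against `webkit-1.2.5/`. Since the description reports that this branch fails to build, check that each of the 1.2.4-based patches applies to the 1.2.5 tree without fuzz or offsets before resubmitting, and refresh them if not.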
459 | === added file 'debian/patches/typo_webkitwebsettings.patch' | |||
460 | --- debian/patches/typo_webkitwebsettings.patch 1970-01-01 00:00:00 +0000 | |||
461 | +++ debian/patches/typo_webkitwebsettings.patch 2010-12-16 18:14:15 +0000 | |||
462 | @@ -0,0 +1,18 @@ | |||
463 | 1 | From: Artur Rona <ari-tczew@ubuntu.com> | ||
464 | 2 | Description: Fix typo in WebKit/gtk/webkit/webkitwebsettings.cpp. | ||
465 | 3 | Bug-Ubuntu: https://launchpad.net/bugs/552718 | ||
466 | 4 | Origin: upstream, http://trac.webkit.org/changeset/64629/ | ||
467 | 5 | Author: David Stansby <dstansby@gmail.com> | ||
468 | 6 | |||
469 | 7 | diff -pruN -x '*~' webkit-1.2.5.orig/WebKit/gtk/webkit/webkitwebsettings.cpp webkit-1.2.5/WebKit/gtk/webkit/webkitwebsettings.cpp | ||
470 | 8 | --- webkit-1.2.5.orig/WebKit/gtk/webkit/webkitwebsettings.cpp 2010-12-16 13:31:40.000000000 +0100 | ||
471 | 9 | +++ webkit-1.2.5/WebKit/gtk/webkit/webkitwebsettings.cpp 2010-12-16 15:42:22.000000000 +0100 | ||
472 | 10 | @@ -578,7 +578,7 @@ static void webkit_web_settings_class_in | ||
473 | 11 | PROP_ENABLE_XSS_AUDITOR, | ||
474 | 12 | g_param_spec_boolean("enable-xss-auditor", | ||
475 | 13 | _("Enable XSS Auditor"), | ||
476 | 14 | - _("Whether to enable teh XSS auditor"), | ||
477 | 15 | + _("Whether to enable the XSS auditor"), | ||
478 | 16 | TRUE, | ||
479 | 17 | flags)); | ||
480 | 18 | /** | ||
481 | 0 | 19 | ||
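Review bot: The header carries both `From: Artur Rona` and `Author: David Stansby`; in DEP-3 these are alternative names for the same field, so the patch ends up with two conflicting authors. Keep `Author: David Stansby`, which matches the `[ David Stansby ]` changelog credit and the upstream `Origin:` changeset, and drop the `From:` line.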
482 | === modified file 'debian/patches/ubuntu-gir-version.patch' | |||
483 | --- debian/patches/ubuntu-gir-version.patch 2010-10-21 13:40:42 +0000 | |||
484 | +++ debian/patches/ubuntu-gir-version.patch 2010-12-16 18:14:15 +0000 | |||
485 | @@ -1,3 +1,8 @@ | |||
486 | 1 | From: Artur Rona <ari-tczew@ubuntu.com> | ||
487 | 2 | Description: Use the 1.2 gobject introspection abi. | ||
488 | 3 | Forwarded: not-needed | ||
489 | 4 | Author: Robert Ancell <robert.ancell@canonical.com> | ||
490 | 5 | |||
491 | 1 | Index: webkit-1.2.5/WebKit/gtk/JSCore-1.0.gir | 6 | Index: webkit-1.2.5/WebKit/gtk/JSCore-1.0.gir |
492 | 2 | =================================================================== | 7 | =================================================================== |
493 | 3 | --- webkit-1.2.5.orig/WebKit/gtk/JSCore-1.0.gir 2010-09-10 23:20:33.000000000 +1000 | 8 | --- webkit-1.2.5.orig/WebKit/gtk/JSCore-1.0.gir 2010-09-10 23:20:33.000000000 +1000 |
Merge is on wrong branch, packaging is here:
lp:~ubuntu-desktop/webkit/ubuntu
Note that the branch has been updated.