Commit f663ef01 authored by Natanael Copa's avatar Natanael Copa

main/webkit: upgrade to 1.3.5

parent 410300dc
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=webkit
pkgver=1.2.4
pkgrel=1
pkgver=1.3.5
pkgrel=0
pkgdesc="portable web rendering engine WebKit for GTK+"
url="http://webkitgtk.org/"
license="LGPL BSD"
......@@ -17,13 +17,6 @@ makedepends="
install=
subpackages="$pkgname-dev gtklauncher"
source="http://webkitgtk.org/$pkgname-$pkgver.tar.gz
cve-2010-2646.patch
cve-2010-2651.patch
cve-2010-2900.patch
cve-2010-2901.patch
cve-2010-3115.patch
cve-2010-3116.patch
cve-2010-3120.patch
"
depends_dev="gtk+-dev libsoup-dev gstreamer-dev"
......@@ -63,11 +56,4 @@ gtklauncher() {
"$subpkgdir"/usr/bin/GtkLauncher
}
md5sums="dc3a92dd0e8c2e70263fbfdf809b51a5 webkit-1.2.4.tar.gz
3d2c4af2fa46388876de7a5747f50de0 cve-2010-2646.patch
4db553a178f951b857486bcc0955b663 cve-2010-2651.patch
abfec5aeaa5005279993d731dc919680 cve-2010-2900.patch
fa980cb721e6a2b43107633dc3782d62 cve-2010-2901.patch
fc5553d85c14f29128985bddc195782c cve-2010-3115.patch
b4787ffaac3f102e7bb267839a261496 cve-2010-3116.patch
b3e21cb4755c6cbab31dbe5063883c04 cve-2010-3120.patch"
md5sums="421104ef53ed865e0bb7b7f4e465de31 webkit-1.3.5.tar.gz"
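Review bot: The seven cve-2010-* patches are dropped from `source=` and `md5sums=` without the commit message saying why; presumably the 1.3.5 tarball already carries the upstream changesets the patch headers cite (58873, 59247, 63219, 63048, 63925, 64293, 65329), but nothing on this page confirms that. A one-line addition to the message such as `drops cve-2010-2646/2651/2900/2901/3115/3116/3120 patches, fixed upstream in 1.3.5` would let anyone auditing the package later trace which release closed each CVE. The only integrity pin on the new tarball is the md5sum on this line and the fetch is plain http, so that checksum should be checked against the upstream release announcement rather than taken from the first download. The file section's hunks at the `......@@` headers start and end outside the visible lines.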
description: fix cve-2010-2646
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/58873
Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400
@@ -54,8 +54,12 @@
frames.append(frame);
}
- for (unsigned i = 0; i < frames.size(); ++i)
- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
+ for (unsigned i = 0; i < frames.size(); ++i) {
+ ExceptionCode ec = 0;
+ Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
+ if (!ec)
+ frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
+ }
} else {
// Send events to every page.
const HashSet<Page*>& pages = page->group().pages();
Index: webkit-1.2.4/WebCore/page/DOMWindow.h
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400
@@ -206,7 +206,7 @@
#if ENABLE(DOM_STORAGE)
// HTML 5 key/value storage
- Storage* sessionStorage() const;
+ Storage* sessionStorage(ExceptionCode&) const;
Storage* localStorage(ExceptionCode&) const;
#endif
Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400
@@ -567,7 +567,7 @@
}
#if ENABLE(DOM_STORAGE)
-Storage* DOMWindow::sessionStorage() const
+Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
{
if (m_sessionStorage)
return m_sessionStorage.get();
@@ -576,6 +576,11 @@
if (!document)
return 0;
+ if (!document->securityOrigin()->canAccessLocalStorage()) {
+ ec = SECURITY_ERR;
+ return 0;
+ }
+
Page* page = document->page();
if (!page)
return 0;
@@ -593,16 +598,16 @@
{
if (m_localStorage)
return m_localStorage.get();
-
+
Document* document = this->document();
if (!document)
return 0;
-
+
if (!document->securityOrigin()->canAccessLocalStorage()) {
ec = SECURITY_ERR;
return 0;
}
-
+
Page* page = document->page();
if (!page)
return 0;
Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
===================================================================
--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400
@@ -120,6 +120,11 @@
bool canAccessLocalStorage() const { return !isUnique(); }
bool canAccessCookies() const { return !isUnique(); }
+ // Technically, we should always allow access to sessionStorage, but we
+ // currently don't handle creating a sessionStorage area for unique
+ // origins.
+ bool canAccessSessionStorage() const { return !isUnique(); }
+
bool isSecureTransitionTo(const KURL&) const;
// The local SecurityOrigin is the most privileged SecurityOrigin.
Index: webkit-1.2.4/WebCore/page/DOMWindow.idl
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400
@@ -164,7 +164,8 @@
raises(DOMException);
#endif
#if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE
- readonly attribute [EnabledAtRuntime] Storage sessionStorage;
+ readonly attribute [EnabledAtRuntime] Storage sessionStorage
+ getter raises(DOMException);
readonly attribute [EnabledAtRuntime] Storage localStorage
getter raises(DOMException);
#endif
description: fix cve-2010-2651
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/59247
Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-03 15:18:07.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 21:50:51.000000000 -0400
@@ -4651,10 +4651,12 @@
// Drill into inlines looking for our first text child.
RenderObject* currChild = firstLetterBlock->firstChild();
- while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
if (currChild->isFloatingOrPositioned()) {
- if (currChild->style()->styleType() == FIRST_LETTER)
+ if (currChild->style()->styleType() == FIRST_LETTER) {
+ currChild = currChild->firstChild();
break;
+ }
currChild = currChild->nextSibling();
} else
currChild = currChild->firstChild();
@@ -4671,11 +4673,11 @@
// If the child already has style, then it has already been created, so we just want
// to update it.
- if (currChild->style()->styleType() == FIRST_LETTER) {
+ if (firstLetterContainer->style()->styleType() == FIRST_LETTER) {
RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER,
- firstLetterContainer->firstLineStyle());
- currChild->setStyle(pseudo);
- for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) {
+ firstLetterContainer->parent()->firstLineStyle());
+ firstLetterContainer->setStyle(pseudo);
+ for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) {
if (genChild->isText())
genChild->setStyle(pseudo);
}
description: fix cve-2010-2900
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/63219
Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:28:56.000000000 -0400
+++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:29:28.000000000 -0400
@@ -64,6 +64,9 @@
// in exchange for a smaller maximum canvas size.
const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels
+//In Skia, we will also limit width/height to 32767.
+static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.
+
HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc)
: HTMLElement(tagName, doc)
, m_size(defaultWidth, defaultHeight)
@@ -293,6 +296,11 @@
if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea))
return IntSize();
+#if PLATFORM(SKIA)
+ if (wf > MaxSkiaDim || hf > MaxSkiaDim)
+ return IntSize();
+#endif
+
return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf));
}
description: fix cve-2010-2901
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/63048
Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400
@@ -560,6 +560,19 @@
return 0;
}
+RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
+{
+ RenderObject* curr = const_cast<RenderObject*>(this);
+ while (curr) {
+ if (curr->isBoxModelObject())
+ return toRenderBoxModelObject(curr);
+ curr = curr->parent();
+ }
+
+ ASSERT_NOT_REACHED();
+ return 0;
+}
+
RenderBlock* RenderObject::firstLineBlock() const
{
return 0;
Index: webkit-1.2.4/WebCore/rendering/RenderObject.h
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400
@@ -193,7 +193,8 @@
// Convenience function for getting to the nearest enclosing box of a RenderObject.
RenderBox* enclosingBox() const;
-
+ RenderBoxModelObject* enclosingBoxModelObject() const;
+
virtual bool isEmpty() const { return firstChild() == 0; }
#ifndef NDEBUG
Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400
@@ -639,11 +639,24 @@
// outlines.
if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
RenderInline* inlineFlow = toRenderInline(renderer());
- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
+
+ RenderBlock* cb = 0;
+ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation();
+ if (containingBlockPaintsContinuationOutline) {
+ cb = renderer()->containingBlock()->containingBlock();
+
+ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
+ if (box->hasSelfPaintingLayer()) {
+ containingBlockPaintsContinuationOutline = false;
+ break;
+ }
+ }
+ }
+
+ if (containingBlockPaintsContinuationOutline) {
// Add ourselves to the containing block of the entire continuation so that it can
// paint us atomically.
- RenderBlock* block = renderer()->containingBlock()->containingBlock();
- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
} else if (!inlineFlow->isInlineContinuation())
paintInfo.outlineObjects->add(inlineFlow);
}
Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400
@@ -1766,8 +1766,18 @@
if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
- if (!inlineRenderer->hasSelfPaintingLayer())
- containingBlock()->addContinuationWithOutline(inlineRenderer);
+ RenderBlock* cb = containingBlock();
+
+ bool inlineEnclosedInSelfPaintingLayer = false;
+ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
+ if (box->hasSelfPaintingLayer()) {
+ inlineEnclosedInSelfPaintingLayer = true;
+ break;
+ }
+ }
+
+ if (!inlineEnclosedInSelfPaintingLayer)
+ cb->addContinuationWithOutline(inlineRenderer);
else if (!inlineRenderer->firstLineBox())
inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(),
ty - y() + inlineRenderer->containingBlock()->y());
description: fix cve-2010-3115
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/63925
Index: webkit-1.2.4/WebCore/page/History.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/page/History.cpp 2010-09-03 16:12:23.000000000 -0400
+++ webkit-1.2.4/WebCore/page/History.cpp 2010-09-06 22:08:52.000000000 -0400
@@ -82,7 +82,7 @@
KURL History::urlForState(const String& urlString)
{
- KURL baseURL = m_frame->loader()->baseURL();
+ KURL baseURL = m_frame->document()->url();
if (urlString.isEmpty())
return baseURL;
description: fix cve-2010-3116
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/64293
Index: webkit-1.2.4/WebCore/page/Page.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/page/Page.cpp 2010-09-03 15:18:06.000000000 -0400
+++ webkit-1.2.4/WebCore/page/Page.cpp 2010-09-06 22:11:32.000000000 -0400
@@ -192,6 +192,9 @@
frame->pageDestroyed();
m_editorClient->pageDestroyed();
+ if (m_pluginData)
+ m_pluginData->disconnectPage();
+
#if ENABLE(INSPECTOR)
m_inspectorController->inspectedPageDestroyed();
#endif
description: fix cve-2010-3120
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/65329
Index: webkit-1.2.4/WebCore/page/Geolocation.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/page/Geolocation.cpp 2010-09-03 15:18:06.000000000 -0400
+++ webkit-1.2.4/WebCore/page/Geolocation.cpp 2010-09-06 22:14:03.000000000 -0400
@@ -252,6 +252,9 @@
void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
{
+ if (!m_frame)
+ return;
+
RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
ASSERT(notifier);
@@ -260,6 +263,9 @@
int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
{
+ if (!m_frame)
+ return 0;
+
RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
ASSERT(notifier);