[Pkg-chromium-commit] [SCM] Git repository for pkg-chromium branch, squeeze, updated. a4382fe5f958c34a0cb0f288df2e1bdc3df8f2a8

Giuseppe Iuculano iuculano at debian.org
Wed Aug 31 15:48:53 UTC 2011 

The following commit has been merged in the squeeze branch:
commit 29385229cf6131712771d5b53aa253b4e648d85c
Author: Giuseppe Iuculano <iuculano at debian.org>
Date:   Wed Aug 31 17:37:23 2011 +0200

    Added patch file cor CVE-2011-2824

diff --git a/debian/patches/CVE-2011-2824.patch b/debian/patches/CVE-2011-2824.patch
new file mode 100644
index 0000000..45225f5
--- /dev/null
+++ b/debian/patches/CVE-2011-2824.patch
@@ -0,0 +1,52 @@
+--- a/src/third_party/WebKit/WebCore/rendering/CounterNode.cpp
++++ b/src/third_party/WebKit/WebCore/rendering/CounterNode.cpp
+@@ -44,6 +44,49 @@ CounterNode::CounterNode(RenderObject* o
+ CounterNode* CounterNode::nextInPreOrderAfterChildren(const CounterNode* stayWithin) const
+ {
+     if (this == stayWithin)
++    // Ideally this would be an assert and this would never be reached. In reality this happens a lot
++    // so we need to handle these cases. The node is still connected to the tree so we need to detach it.
++    if (m_parent || m_previousSibling || m_nextSibling || m_firstChild || m_lastChild) {
++        CounterNode* oldParent = 0;
++        CounterNode* oldPreviousSibling = 0;
++        // Instead of calling removeChild() we do this safely as the tree is likely broken if we get here.
++        if (m_parent) {
++            if (m_parent->m_firstChild == this)
++                m_parent->m_firstChild = m_nextSibling;
++            if (m_parent->m_lastChild == this)
++                m_parent->m_lastChild = m_previousSibling;
++            oldParent = m_parent;
++            m_parent = 0;
++        }
++        if (m_previousSibling) {
++            if (m_previousSibling->m_nextSibling == this)
++                m_previousSibling->m_nextSibling = m_nextSibling;
++            oldPreviousSibling = m_previousSibling;
++            m_previousSibling = 0;
++        }
++        if (m_nextSibling) {
++            if (m_nextSibling->m_previousSibling == this)
++                m_nextSibling->m_previousSibling = oldPreviousSibling;
++            m_nextSibling = 0;
++        }
++        if (m_firstChild) {
++            // The node's children are reparented to the old parent.
++            for (CounterNode* child = m_firstChild; child; ) {
++                CounterNode* nextChild = child->m_nextSibling;
++                CounterNode* nextSibling = 0;
++                child->m_parent = oldParent;
++                if (oldPreviousSibling) {
++                    nextSibling = oldPreviousSibling->m_nextSibling;
++                    child->m_previousSibling = oldPreviousSibling;
++                    oldPreviousSibling->m_nextSibling = child;
++                    child->m_nextSibling = nextSibling;
++                    nextSibling->m_previousSibling = child;
++                    oldPreviousSibling = child;
++                }
++                child = nextChild;
++            }
++        }
++    }
+         return 0;
+ 
+     const CounterNode* current = this;

-- 
Git repository for pkg-chromium

More information about the Pkg-chromium-commit mailing list