authordrochner <drochner>2011-04-13 16:19:14 +0000
committerdrochner <drochner>2011-04-13 16:19:14 +0000
commitb7f3ef701f9900830461dce37247fefb303ede5a (patch)
tree99f804578ce7e528db53c37f21ad43b1c48fe13e /www/webkit-gtk
parentec77018bbdc219c6219946acd11fa7efd59bacaf (diff)
downloadpkgsrc-b7f3ef701f9900830461dce37247fefb303ede5a.tar.gz
add patch from upstream to fix crash and possible code injection
by run-in styling (CVE-2010-1806), bump PKGREVISION
Diffstat (limited to 'www/webkit-gtk')
-rw-r--r--www/webkit-gtk/Makefile4
-rw-r--r--www/webkit-gtk/distinfo4
-rw-r--r--www/webkit-gtk/patches/patch-bc19
-rw-r--r--www/webkit-gtk/patches/patch-bd15
4 files changed, 39 insertions, 3 deletions
diff --git a/www/webkit-gtk/Makefile b/www/webkit-gtk/Makefile
index f19ff6810e1..c27236c6801 100644
--- a/www/webkit-gtk/Makefile
+++ b/www/webkit-gtk/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.38 2011/03/15 21:58:56 drochner Exp $
+# $NetBSD: Makefile,v 1.39 2011/04/13 16:19:14 drochner Exp $
DISTNAME= webkit-1.2.7
PKGNAME= ${DISTNAME:S/webkit/webkit-gtk/}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= http://www.webkitgtk.org/
diff --git a/www/webkit-gtk/distinfo b/www/webkit-gtk/distinfo
index 7e1f7d8ae75..1139f68e1d4 100644
--- a/www/webkit-gtk/distinfo
+++ b/www/webkit-gtk/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.32 2011/03/15 21:58:56 drochner Exp $
+$NetBSD: distinfo,v 1.33 2011/04/13 16:19:14 drochner Exp $
SHA1 (webkit-1.2.7.tar.gz) = e9afc573d2459794c3749ba404f2187f9dcc9ed3
RMD160 (webkit-1.2.7.tar.gz) = f36b3ae05693e0eeb4d1936ceee52b6fe1517e57
@@ -10,3 +10,5 @@ SHA1 (patch-ag) = 0da0f8e1299ab061118e0338af521a1f07f4722b
SHA1 (patch-ah) = 9e0178a9fe7175e29e16155bd190b852ced7d01f
SHA1 (patch-ba) = 6caffef625e9c04e971fbbd0763b4f9c834491e3
SHA1 (patch-bb) = 5e59576629e9ecfbbe576c3d0afe047bda449291
+SHA1 (patch-bc) = 0d6d3e2e2f5b2d199aaa94084f9d5a96b39c2708
+SHA1 (patch-bd) = 2e105ade29ff04cdcb5385d19aee467090b6765a
diff --git a/www/webkit-gtk/patches/patch-bc b/www/webkit-gtk/patches/patch-bc
new file mode 100644
index 00000000000..7dfc1d0933d
--- /dev/null
+++ b/www/webkit-gtk/patches/patch-bc
@@ -0,0 +1,19 @@
+$NetBSD: patch-bc,v 1.3 2011/04/13 16:19:15 drochner Exp $
+
+CVE-2010-1806
+
+--- WebCore/rendering/RenderObjectChildList.cpp.orig 2010-09-28 21:44:50.000000000 +0000
++++ WebCore/rendering/RenderObjectChildList.cpp
+@@ -52,7 +52,11 @@ void RenderObjectChildList::destroyLefto
+ while (firstChild()) {
+ if (firstChild()->isListMarker() || (firstChild()->style()->styleType() == FIRST_LETTER && !firstChild()->isText()))
+ firstChild()->remove(); // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
+- else {
++ else if (firstChild()->isRunIn() && firstChild()->node()) {
++ firstChild()->node()->setRenderer(0);
++ firstChild()->node()->setNeedsStyleRecalc();
++ firstChild()->destroy();
++ } else {
+ // Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
+ if (firstChild()->node())
+ firstChild()->node()->setRenderer(0);
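Review bot: The new `else if (firstChild()->isRunIn() && firstChild()->node())` arm is the only branch of this loop without a comment, although it carries the CVE-2010-1806 fix. Something like `// Run-in: detach the DOM node from this renderer and request a style recalc before destroying the renderer.` would match the neighbouring branches. That wording only restates the three calls; the reason a run-in needs the extra `setNeedsStyleRecalc()` is not visible here and should be taken from the upstream change. The patch header also names only the CVE, so a line such as `Upstream: <changeset or bug URL>` in patch-bc and patch-bd would let the backport be checked against its origin and dropped at the next update. The loop body and the enclosing function continue outside the hunk.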
diff --git a/www/webkit-gtk/patches/patch-bd b/www/webkit-gtk/patches/patch-bd
new file mode 100644
index 00000000000..c9668249c8c
--- /dev/null
+++ b/www/webkit-gtk/patches/patch-bd
@@ -0,0 +1,15 @@
+$NetBSD: patch-bd,v 1.3 2011/04/13 16:19:15 drochner Exp $
+
+CVE-2010-1806
+
+--- WebCore/rendering/RenderBlock.cpp.orig 2011-02-07 17:29:58.000000000 +0000
++++ WebCore/rendering/RenderBlock.cpp
+@@ -544,6 +544,8 @@ void RenderBlock::removeChild(RenderObje
+ (!oldChild->isRenderBlock() || !toRenderBlock(oldChild)->inlineContinuation()) &&
+ (!prev || (prev->isAnonymousBlock() && prev->childrenInline())) &&
+ (!next || (next->isAnonymousBlock() && next->childrenInline()));
++ if (prev && prev->firstChild() && prev->firstChild()->isInline() && prev->firstChild()->isRunIn())
++ canDeleteAnonymousBlocks = false;
+ if (canDeleteAnonymousBlocks && prev && next) {
+ // Take all the children out of the |next| block and put them in
+ // the |prev| block.
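Review bot: The added guard inspects only `prev->firstChild()`, while the merge it disables moves the children of `next` into `prev`. Whether a run-in at the start of `next` needs the same protection cannot be told from this hunk and is worth confirming against the upstream change. The line should also say why merging is switched off, for example `// Keep the anonymous blocks separate when |prev| starts with a run-in.` placed above the `if`. `prev->firstChild()` is evaluated three times in the condition; a local such as `RenderObject* first = prev ? prev->firstChild() : 0;` would read more easily. `removeChild` begins and ends outside the hunk.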