Diffstat (limited to 'debian/patches/0249-webkit-stale-frame-pointer.diff')
-rw-r--r-- | debian/patches/0249-webkit-stale-frame-pointer.diff | 161 |
1 files changed, 0 insertions, 161 deletions
diff --git a/debian/patches/0249-webkit-stale-frame-pointer.diff b/debian/patches/0249-webkit-stale-frame-pointer.diff
deleted file mode 100644
index c966d9a..0000000
--- a/debian/patches/0249-webkit-stale-frame-pointer.diff
+++ /dev/null
@@ -1,161 +0,0 @@
-qt-bugs@ issue : none yet
-Trolltech task ID : none yet
-bugs.kde.org number : none
-applied: no
-author: Apple
-
-this fixes CVE-2008-3632:
-
-Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2,
-and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code
-or cause a denial of service (application crash) via a web page with crafted
-Cascading Style Sheets (CSS) import statements.
-
-
---- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
-+++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
-@@ -291,9 +291,8 @@ Document::Document(DOMImplementation* im
- m_renderArena = 0;
-
- m_axObjectCache = 0;
--
-- // FIXME: DocLoader probably no longer needs the frame argument
-- m_docLoader = new DocLoader(frame, this);
-+
-+ m_docLoader = new DocLoader(this);
-
- visuallyOrdered = false;
- m_bParsing = false;
-@@ -1169,15 +1168,23 @@ void Document::detach()
- if (render)
- render->destroy();
-
-- // FIXME: is this needed or desirable?
-- m_frame = 0;
--
-+ // This is required, as our Frame might delete itself as soon as it detaches
-+ // us. However, this violates Node::detach() symantics, as it's never
-+ // possible to re-attach. Eventually Document::detach() should be renamed
-+ // or this call made explicit in each of the callers of Document::detach().
-+ clearFramePointer();
-+
- if (m_renderArena) {
- delete m_renderArena;
- m_renderArena = 0;
- }
- }
-
-+void Document::clearFramePointer()
-+{
-+ m_frame = 0;
-+}
-+
- void Document::removeAllEventListenersFromAllNodes()
- {
- m_windowEventListeners.clear();
---- a/src/3rdparty/webkit/WebCore/dom/Document.h
-+++ b/src/3rdparty/webkit/WebCore/dom/Document.h
-@@ -344,6 +344,8 @@ public:
- virtual void attach();
- virtual void detach();
-
-+ void clearFramePointer();
-+
- RenderArena* renderArena() { return m_renderArena; }
-
- AXObjectCache* axObjectCache() const;
---- a/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
-+++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
-@@ -40,10 +40,9 @@
-
- namespace WebCore {
-
--DocLoader::DocLoader(Frame *frame, Document* doc)
-+DocLoader::DocLoader(Document* doc)
- : m_cache(cache())
- , m_cachePolicy(CachePolicyVerify)
-- , m_frame(frame)
- , m_doc(doc)
- , m_requestCount(0)
- , m_autoLoadImages(true)
-@@ -53,6 +52,11 @@ DocLoader::DocLoader(Frame *frame, Docum
- m_cache->addDocLoader(this);
- }
-
-+Frame* DocLoader::frame() const
-+{
-+ return m_doc->frame();
-+}
-+
- DocLoader::~DocLoader()
- {
- HashMap<String, CachedResource*>::iterator end = m_docResources.end();
-@@ -146,7 +150,7 @@ CachedResource* DocLoader::requestResour
- }
- }
-
-- if (m_frame && m_frame->loader()->isReloading())
-+ if (frame() && frame()->loader()->isReloading())
- setCachePolicy(CachePolicyReload);
-
- checkForReload(fullURL);
-@@ -197,8 +201,8 @@ void DocLoader::removeCachedResource(Cac
- void DocLoader::setLoadInProgress(bool load)
- {
- m_loadInProgress = load;
-- if (!load && m_frame)
-- m_frame->loader()->loadDone();
-+ if (!load && frame())
-+ frame()->loader()->loadDone();
- }
-
- void DocLoader::checkCacheObjectStatus(CachedResource* resource)
-@@ -217,7 +221,7 @@ void DocLoader::checkCacheObjectStatus(C
- }
-
- // Notify the caller that we "loaded".
-- if (!m_frame || m_frame->loader()->haveToldBridgeAboutLoad(resource->url()))
-+ if (!frame() || frame()->loader()->haveToldBridgeAboutLoad(resource->url()))
- return;
-
- ResourceRequest request(resource->url());
-@@ -226,9 +230,9 @@ void DocLoader::checkCacheObjectStatus(C
-
- if (resource->sendResourceLoadCallbacks()) {
- // FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
-- m_frame->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
-+ frame()->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
- }
-- m_frame->loader()->didTellBridgeAboutLoad(resource->url());
-+ frame()->loader()->didTellBridgeAboutLoad(resource->url());
- }
-
- void DocLoader::incrementRequestCount()
---- a/src/3rdparty/webkit/WebCore/loader/DocLoader.h
-+++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.h
-@@ -49,7 +49,7 @@ friend class Cache;
- friend class HTMLImageLoader;
-
- public:
-- DocLoader(Frame*, Document*);
-+ DocLoader(Document*);
- ~DocLoader();
-
- CachedImage* requestImage(const String& url);
-@@ -73,7 +73,7 @@ public:
- CachePolicy cachePolicy() const { return m_cachePolicy; }
- void setCachePolicy(CachePolicy);
-
-- Frame* frame() const { return m_frame; }
-+ Frame* frame() const; // Can be NULL
- Document* doc() const { return m_doc; }
-
- void removeCachedResource(CachedResource*) const;
-@@ -100,7 +100,6 @@ private:
- HashSet<String> m_reloadedURLs;
- mutable HashMap<String, CachedResource*> m_docResources;
- CachePolicy m_cachePolicy;
-- Frame* m_frame;
- Document *m_doc;
-
- int m_requestCount;