Diffstat (limited to 'main/webkit/cve-2010-2901.patch')
-rw-r--r-- | main/webkit/cve-2010-2901.patch | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/main/webkit/cve-2010-2901.patch b/main/webkit/cve-2010-2901.patch
new file mode 100644
index 000000000..a130342d4
--- /dev/null
+++ b/main/webkit/cve-2010-2901.patch
@@ -0,0 +1,98 @@
+description: fix cve-2010-2901
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63048
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400
+@@ -560,6 +560,19 @@
+ return 0;
+ }
++RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
++{
++ RenderObject* curr = const_cast<RenderObject*>(this);
++ while (curr) {
++ if (curr->isBoxModelObject())
++ return toRenderBoxModelObject(curr);
++ curr = curr->parent();
++ }
++
++ ASSERT_NOT_REACHED();
++ return 0;
++}
++
+ RenderBlock* RenderObject::firstLineBlock() const
+ {
+ return 0;
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400
+@@ -193,7 +193,8 @@
+
+ // Convenience function for getting to the nearest enclosing box of a RenderObject.
+ RenderBox* enclosingBox() const;
+-
++ RenderBoxModelObject* enclosingBoxModelObject() const;
++
+ virtual bool isEmpty() const { return firstChild() == 0; }
+
+ #ifndef NDEBUG
+Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400
+@@ -639,11 +639,24 @@
+ // outlines.
+ if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
+ RenderInline* inlineFlow = toRenderInline(renderer());
+- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
++
++ RenderBlock* cb = 0;
++ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation();
++ if (containingBlockPaintsContinuationOutline) {
++ cb = renderer()->containingBlock()->containingBlock();
++
++ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
++ if (box->hasSelfPaintingLayer()) {
++ containingBlockPaintsContinuationOutline = false;
++ break;
++ }
++ }
++ }
++
++ if (containingBlockPaintsContinuationOutline) {
+ // Add ourselves to the containing block of the entire continuation so that it can
+ // paint us atomically.
+- RenderBlock* block = renderer()->containingBlock()->containingBlock();
+- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
++ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+ } else if (!inlineFlow->isInlineContinuation())
+ paintInfo.outlineObjects->add(inlineFlow);
+ }
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400
+@@ -1766,8 +1766,18 @@
+ if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
+ if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
+ RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
+- if (!inlineRenderer->hasSelfPaintingLayer())
+- containingBlock()->addContinuationWithOutline(inlineRenderer);
++ RenderBlock* cb = containingBlock();
++
++ bool inlineEnclosedInSelfPaintingLayer = false;
++ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
++ if (box->hasSelfPaintingLayer()) {
++ inlineEnclosedInSelfPaintingLayer = true;
++ break;
++ }
++ }
++
++ if (!inlineEnclosedInSelfPaintingLayer)
++ cb->addContinuationWithOutline(inlineRenderer);
+ else if (!inlineRenderer->firstLineBox())
+ inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(),
+ ty - y() + inlineRenderer->containingBlock()->y()); |
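Review bot: In release builds `ASSERT_NOT_REACHED()` compiles out, so the new `RenderObject::enclosingBoxModelObject()` returns 0 once the parent walk runs off the root, and both new ancestor loops (`for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject())` in InlineFlowBox.cpp and its twin starting at `inlineRenderer` in RenderBlock.cpp) would then call `box->hasSelfPaintingLayer()` on that null, or dereference `box->parent()` when `box` is already the root, whenever `cb` is not on the starting box's ancestor chain. Whether `containingBlock()->containingBlock()` / `containingBlock()` is always such an ancestor is not visible in these hunks, so the loops should terminate defensively in both places: `for (RenderBoxModelObject* box = boxModelObject(); box && box != cb; box = box->parent() ? box->parent()->enclosingBoxModelObject() : 0)`. Since the `origin:` header pins this backport to upstream changeset 63048, any such deviation from upstream deserves a line in the patch header so later rebases do not silently drop it. The enclosing paint functions in InlineFlowBox.cpp and RenderBlock.cpp start and end outside these hunks.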