head	1.4;
access;
symbols
	pkgsrc-2013Q2:1.4.0.8
	pkgsrc-2013Q2-base:1.4
	pkgsrc-2012Q4:1.4.0.6
	pkgsrc-2012Q4-base:1.4
	pkgsrc-2011Q4:1.4.0.4
	pkgsrc-2011Q4-base:1.4
	pkgsrc-2011Q2:1.4.0.2
	pkgsrc-2011Q2-base:1.4;
locks; strict;
comment	@# @;


1.4
date	2011.06.09.11.00.01;	author drochner;	state dead;
branches;
next	1.3;

1.3
date	2011.04.13.16.19.15;	author drochner;	state Exp;
branches;
next	1.2;

1.2
date	2011.02.10.18.26.35;	author drochner;	state dead;
branches;
next	1.1;

1.1
date	2011.01.25.18.38.16;	author drochner;	state Exp;
branches;
next	;


desc
@@


1.4
log
@update to 1.4.1
this switches to the new stable branch
(shlib major changed -> PKGREV bumps needed)
@
text
@$NetBSD: patch-bd,v 1.3 2011/04/13 16:19:15 drochner Exp $

CVE-2010-1806

--- WebCore/rendering/RenderBlock.cpp.orig	2011-02-07 17:29:58.000000000 +0000
+++ WebCore/rendering/RenderBlock.cpp
@@@@ -544,6 +544,8 @@@@ void RenderBlock::removeChild(RenderObje
                                     (!oldChild->isRenderBlock() || !toRenderBlock(oldChild)->inlineContinuation()) && 
                                     (!prev || (prev->isAnonymousBlock() && prev->childrenInline())) &&
                                     (!next || (next->isAnonymousBlock() && next->childrenInline()));
+    if (prev && prev->firstChild() && prev->firstChild()->isInline() && prev->firstChild()->isRunIn())
+	canDeleteAnonymousBlocks = false;
     if (canDeleteAnonymousBlocks && prev && next) {
         // Take all the children out of the |next| block and put them in
         // the |prev| block.
@


1.3
log
@add patch from upstream to fix crash and possible code injection
by run-in styling (CVE-2010-1806), bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD$
@


1.2
log
@update to 1.2.7
changes:
-fix some security problems (CVE-2010-4492, CVE-2010-4493, CVE-2011-0482,
 CVE-2010-4199, CVE-2010-4578)
-fix some crashes (which were partly patched in pkgsrc before)
@
text
@d1 1
a1 1
$NetBSD: patch-bd,v 1.1 2011/01/25 18:38:16 drochner Exp $
d3 13
a15 56
--- WebCore/editing/ReplaceSelectionCommand.cpp.orig	2010-09-10 13:20:33.000000000 +0000
+++ WebCore/editing/ReplaceSelectionCommand.cpp
@@@@ -51,11 +51,14 @@@@
 #include "markup.h"
 #include "visible_units.h"
 #include <wtf/StdLibExtras.h>
+#include <wtf/Vector.h> 
 
 namespace WebCore {
 
 using namespace HTMLNames;
 
+typedef Vector<RefPtr<Node> > NodeVector; 
+
 enum EFragmentType { EmptyFragment, SingleTextNodeFragment, TreeFragment };
 
 // --- ReplacementFragment helper class
@@@@ -707,7 +710,13 @@@@ void ReplaceSelectionCommand::handleStyl
 void ReplaceSelectionCommand::copyStyleToChildren(Node* parentNode, const CSSMutableStyleDeclaration* parentStyle)
 {
     ASSERT(parentNode->hasTagName(spanTag));
-    for (Node* childNode = parentNode->firstChild(); childNode; childNode = childNode->nextSibling()) {
+        NodeVector childNodes; 
+        for (RefPtr<Node> childNode = parentNode->firstChild(); childNode; childNode = childNode->nextSibling()) 
+        childNodes.append(childNode); 
+
+for (NodeVector::const_iterator it = childNodes.begin(); it != childNodes.end(); it++) { 
+        Node* childNode = it->get(); 
+
         if (childNode->isTextNode() || !isBlock(childNode) || childNode->hasTagName(preTag)) {
             // In this case, put a span tag around the child node.
             RefPtr<Node> newSpan = parentNode->cloneNode(false);
@@@@ -867,7 +876,11 @@@@ void ReplaceSelectionCommand::doApply()
     
     // Inserting content could cause whitespace to collapse, e.g. inserting <div>foo</div> into hello^ world.
     prepareWhitespaceAtPositionForSplit(insertionPos);
-    
+   
+    // If the downstream node has been removed there's no point in continuing. 
+    if (!insertionPos.downstream().node()) 
+        return; 
+ 
     // NOTE: This would be an incorrect usage of downstream() if downstream() were changed to mean the last position after 
     // p that maps to the same visible position as p (since in the case where a br is at the end of a block and collapsed 
     // away, there are positions after the br which map to the same visible position as [br, 0]).  
@@@@ -945,8 +958,8 @@@@ void ReplaceSelectionCommand::doApply()
     bool plainTextFragment = isPlainTextMarkup(refNode.get());
 
     while (node) {
-        Node* next = node->nextSibling();
-        fragment.removeNode(node);
+        RefPtr<Node> next = node->nextSibling(); 
+        fragment.removeNode(node.get());  
         insertNodeAfterAndUpdateNodesInserted(node, refNode.get());
 
         // Mutation events (bug 22634) may have already removed the inserted content
@


1.1
log
@-fix the png-1.5 API problem using a new function introduced in beta08
 which is simpler and more runtime efficient
-pull in some stability patches from upstream
bump PKGREV
@
text
@d1 1
a1 1
$NetBSD$
@