chromium-browser (6.0.472.63~r59945-5+squeeze6) CVE-2011-1797.patch

Summary

 src/third_party/WebKit/WebCore/rendering/RenderTable.cpp |   38 ++++++++++++---
 src/third_party/WebKit/WebCore/rendering/RenderTable.h   |    1 
 2 files changed, 33 insertions(+), 6 deletions(-)


Patch contents

--- a/src/third_party/WebKit/WebCore/rendering/RenderTable.cpp
+++ b/src/third_party/WebKit/WebCore/rendering/RenderTable.cpp
@@ -108,11 +108,15 @@ void RenderTable::addChild(RenderObject*
             RenderObject* o = beforeChild->previousSibling();
             while (o && o != m_caption)
                 o = o->previousSibling();
-            if (!o)
+            if (!o) {
                 m_caption = 0;
+                setNeedsSectionRecalc();
+            }
         }
         if (!m_caption)
             m_caption = toRenderBlock(child);
+        else
+            setNeedsSectionRecalc();
         wrapInAnonymousSection = false;
     } else if (child->isTableCol()) {
         m_hasColElements = true;
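Review bot: The new `else setNeedsSectionRecalc();` branch leaves a second caption attached as a child without recording it anywhere, and nothing in the hunk says what happens to it; the reader has to find that recalcSections() later hands it to recalcCaption(), which detaches and destroys it. A comment at the `else` would close that gap: `// Only one caption is kept; a second one is destroyed by the next recalcSections().`. The same deferred-cleanup intent applies to the `setNeedsSectionRecalc()` added in the `if (!o)` branch, where the previously recorded caption is no longer found among the preceding siblings. addChild() starts and ends outside this hunk.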
@@ -188,6 +192,9 @@ void RenderTable::addChild(RenderObject*
 void RenderTable::removeChild(RenderObject* oldChild)
 {
     RenderBox::removeChild(oldChild);
+
+    if (m_caption && oldChild == m_caption && node())
+        node()->setNeedsStyleRecalc();
     setNeedsSectionRecalc();
 }
 
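Review bot: After the caption is removed, `m_caption` keeps pointing at `oldChild` until recalcSections() resets it; the added lines request the recalc but do not clear the pointer. Any code that consults `m_caption` before the recalc runs (addChild's sibling walk compares against it) is then comparing against a renderer that may already have been destroyed, so clearing it in the branch, `m_caption = 0;` after the setNeedsStyleRecalc() call, removes the stale-pointer window instead of relying on the deferred recalc. The `node()->setNeedsStyleRecalc()` call is also undocumented; a one-line comment on why the DOM node needs a style recalc when its caption renderer goes away would help the next reader.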
@@ -638,6 +645,25 @@ RenderTableCol* RenderTable::colElement(
     return 0;
 }
 
+void RenderTable::recalcCaption(RenderBlock* caption) const
+{
+    if (!m_caption) {
+        m_caption = caption;
+        m_caption->setNeedsLayout(true);
+    } else {
+        // Detach the child from the table.
+        const RenderBlock* block = static_cast<const RenderBlock*>(this);
+        const_cast<RenderBlock*>(block)->removeChild(caption);
+
+        // Make sure to null out the child's renderer.
+        if (Node* node = caption->node())
+            node->setRenderer(0);
+
+        // Destroy the child now.
+        caption->destroy();
+    }
+}
+
 void RenderTable::recalcSections() const
 {
     m_caption = 0;
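Review bot: recalcCaption() destroys its argument whenever a caption is already recorded, so `caption` is dangling when the function returns in that branch, yet neither the definition nor the declaration says so; the only hint is the nextSibling caching in recalcSections(). A comment above the definition would make the contract explicit: `// Records the first caption seen; any further caption is detached from the table, unlinked from its DOM node and destroyed, so the caller must not touch |caption| afterwards.`. The `static_cast<const RenderBlock*>(this)` followed by `const_cast` could be a single `const_cast<RenderTable*>(this)->removeChild(caption)` if RenderTable::removeChild's extra work (style recalc request, section recalc) is acceptable here; if the two-step cast is deliberately routing around it, that deserves a comment too, since on a virtual removeChild the casts may not change which override runs.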
@@ -647,13 +673,13 @@ void RenderTable::recalcSections() const
     m_hasColElements = false;
 
     // We need to get valid pointers to caption, head, foot and first body again
-    for (RenderObject* child = firstChild(); child; child = child->nextSibling()) {
+    RenderObject* nextSibling;
+    for (RenderObject* child = firstChild(); child; child = nextSibling) {
+        nextSibling = child->nextSibling();
         switch (child->style()->display()) {
             case TABLE_CAPTION:
-                if (!m_caption && child->isRenderBlock()) {
-                    m_caption = toRenderBlock(child);
-                    m_caption->setNeedsLayout(true);
-                }
+                if (child->isRenderBlock())
+                    recalcCaption(toRenderBlock(child));
                 break;
             case TABLE_COLUMN:
             case TABLE_COLUMN_GROUP:
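Review bot: `nextSibling` is declared uninitialized outside the loop; `RenderObject* nextSibling = 0;` costs nothing and keeps the variable defined if the loop body is ever reordered. The reason for fetching it before the switch is also not stated, and it is the whole point of the change: `// recalcCaption() may destroy |child|, so fetch the next sibling first.`. recalcSections() continues past the hunk; any use of `child` after the switch in the remainder of the body would touch a destroyed renderer for the extra-caption case, which is worth confirming.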
--- a/src/third_party/WebKit/WebCore/rendering/RenderTable.h
+++ b/src/third_party/WebKit/WebCore/rendering/RenderTable.h
@@ -174,6 +174,7 @@ private:
 
     virtual IntRect overflowClipRect(int tx, int ty);
 
+    void recalcCaption(RenderBlock*) const;
     void recalcSections() const;
 
     mutable Vector<int> m_columnPos;