From dd1e63d850682947bcbb4b78efa08f8e9318dcf0 Mon Sep 17 00:00:00 2001
From: Simon Hausmann <simon.hausmann@nokia.com>
Date: Tue, 16 Jun 2009 14:20:08 +0200
Subject: Backported WebKit SVG revisions (r43590, r43795) from the trunk

Reviewed-by: Ariya
---
 dist/changes-4.5.2                        |  1 +
 src/3rdparty/webkit/VERSION               |  2 +-
 src/3rdparty/webkit/WebCore/ChangeLog     | 28 ++++++++++++++++++++++++++++
 src/3rdparty/webkit/WebCore/svg/SVGList.h |  6 +++++-
 4 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/dist/changes-4.5.2 b/dist/changes-4.5.2
index 8363917..91a7bef 100644
--- a/dist/changes-4.5.2
+++ b/dist/changes-4.5.2
@@ -54,6 +54,7 @@ General Improvements
        Network (r41664, r42516, r42747)
        Plugins (r41346, r43550, r43915, r43917, r43923)
        Clipboard (r41360)
+       SVG (r43590, r43795)
 
 - QAbstractItemView
     * [250754] Changing the font of the view did not update the size of the
diff --git a/src/3rdparty/webkit/VERSION b/src/3rdparty/webkit/VERSION
index 7d5d1c5..2be6d53 100644
--- a/src/3rdparty/webkit/VERSION
+++ b/src/3rdparty/webkit/VERSION
@@ -8,4 +8,4 @@ The commit imported was from the
 
 and has the sha1 checksum
 
-        4ee8af9348b3f57d3c0f3575ae0a58336cf07a92
+        44bbcef18007e00c6cfee294640c5cfc9e464aa4
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index 072beee..fb31572 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,31 @@
+2009-05-15  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=25741
+
+        Append instead of throwing when insertItemBefore gets an out-of-bound
+        index.
+
+        Test: svg/dom/svglist-insertItemBefore-appends.html
+
+        * svg/SVGList.h:
+        (WebCore::SVGList::insertItemBefore):
+
+2009-03-19  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Darin Adler.
+
+        <rdar://problem/6702386> Incorrect bound check in SVGList::insertItemBefore
+
+        SVGList::insertItemBefore would not perform a bounds check on the
+        index it was provided, potentially leading to a buffer overflow. 
+
+        Test: svg/dom/svglist-exception-on-out-bounds-error.html
+
+        * svg/SVGList.h:
+        (WebCore::SVGList::insertItemBefore):
+
 2009-05-19  Kenneth Rohde Christiansen  <kenneth.christiansen@openbossa.org>
 
         Reviewed by Simon Hausmann.
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGList.h b/src/3rdparty/webkit/WebCore/svg/SVGList.h
index d4f7641..5381598 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGList.h
+++ b/src/3rdparty/webkit/WebCore/svg/SVGList.h
@@ -96,7 +96,11 @@ namespace WebCore {
 
         Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
         {
-            m_vector.insert(index, newItem);
+            if (index < m_vector.size()) {
+                m_vector.insert(index, newItem);
+            } else {
+                m_vector.append(newItem);
+            }
             return newItem;
         }
 
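Review bot: The new bounds guard in insertItemBefore has no comment recording why it is there, even though the ChangeLog entry in this same commit says the unchecked `m_vector.insert(index, newItem)` could lead to a buffer overflow. Without that, the `else` branch and the unnamed, never-written `ExceptionCode&` look like leftovers that a later cleanup could collapse back into an unconditional insert. I would add above the `if`: `// index is caller-supplied: an out-of-range value appends; it must never reach m_vector.insert(), and no exception is raised.` The other index-taking members of SVGList lie outside this hunk, so it is worth confirming that they check their index in the same way.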
-- 
cgit v0.12