head	1.2;
access;
symbols
	old_RELEASE_8_0_0:1.1
	old_RELEASE_7_2_0:1.1;
locks; strict;
comment	@# @;


1.2
date	2010.02.07.21.48.43;	author beat;	state dead;
branches;
next	1.1;

1.1
date	2009.02.23.20.40.55;	author marcus;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- Update to 3.6

What's new in Firefox 3.6:

  * Support for the HTML5 File API
  * A change to how third-party software integrates with Firefox to
    increase stability.
  * The ability to run scripts asynchronously to speed up page load times.
  * A mechanism to prevent incompatible software from crashing Firefox.
  * Users can now change their browser's appearance with a single click,
    with built in support for Personas.
  * Firefox 3.6 will alert users about out of date plugins to keep them
    safe.
  * Open, native video can now be displayed full screen, and supports
    poster frames.
  * Support for the WOFF font format.
  * Improved JavaScript performance, overall browser responsiveness and
    startup time.
  * Support for new CSS, DOM and HTML5 web technologies.

Thanks to:	Andreas Tobler, Florian Smeets, nox@@, miwi@@ and all testers
@
text
@--- .pc/401042-backport.patch/layout/generic/nsInlineFrame.cpp	2009-01-05 02:55:09.000000000 +0100
+++ layout/generic/nsInlineFrame.cpp	2009-01-05 02:56:08.000000000 +0100
@@@@ -576,27 +576,52 @@@@ nsInlineFrame::ReflowFrames(nsPresContex
         ReparentFloatsForInlineChild(irs.mLineContainer, frame, PR_FALSE);
       }
       frame->SetParent(this);
       // We also need to check if frame has a next-in-flow. It it does, then set
       // its parent frame pointer, too. Otherwise, if we reflow frame and it's
       // complete we'll fail when deleting its next-in-flow which is no longer
       // needed. This scenario doesn't happen often, but it can happen
       nsIFrame* nextInFlow = frame->GetNextInFlow();
-      while (nextInFlow) {
+      for ( ; nextInFlow; nextInFlow = nextInFlow->GetNextInFlow()) {
         // Since we only do lazy setting of parent pointers for the frame's
         // initial reflow, this frame can't have a next-in-flow. That means
         // the continuing child frame must be in our child list as well. If
         // not, then something is wrong
         NS_ASSERTION(mFrames.ContainsFrame(nextInFlow), "unexpected flow");
         if (havePrevBlock) {
           ReparentFloatsForInlineChild(irs.mLineContainer, nextInFlow, PR_FALSE);
         }
         nextInFlow->SetParent(this);
-        nextInFlow = nextInFlow->GetNextInFlow();
+      }
+
+      // Fix the parent pointer for ::first-letter child frame next-in-flows,
+      // so nsFirstLetterFrame::Reflow can destroy them safely (bug 401042).
+      nsIFrame* realFrame = nsPlaceholderFrame::GetRealFrameFor(frame);
+      if (realFrame->GetType() == nsLayoutAtoms::letterFrame) {
+        nsIFrame* child = realFrame->GetFirstChild(nsnull);
+        if (child) {
+          nsIFrame* nextInFlow = child->GetNextInFlow();
+          for ( ; nextInFlow; nextInFlow = nextInFlow->GetNextInFlow()) {
+            if (mFrames.ContainsFrame(nextInFlow)) {
+              nextInFlow->SetParent(this);
+            }
+            else {
+#ifdef DEBUG              
+              // Once we find a next-in-flow that isn't ours none of the
+              // remaining next-in-flows should be either.
+              for ( ; nextInFlow; nextInFlow = nextInFlow->GetNextInFlow()) {
+                NS_ASSERTION(!mFrames.ContainsFrame(nextInFlow),
+                             "unexpected letter frame flow");
+              }
+#endif
+              break;
+            }
+          }
+        }
       }
     }
     rv = ReflowInlineFrame(aPresContext, aReflowState, irs, frame, aStatus);
     if (NS_FAILED(rv)) {
       done = PR_TRUE;
       break;
     }
     if (NS_INLINE_IS_BREAK(aStatus) || 
@


1.1
log
@Back-port some more patches to fix CVE-2009-0352.

Obtained from:	Mozilla Bugzilla
Reported by:	simon
@
text
@@

