diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp

--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption	2009-09-29 13:01:35.000000000 +0200

+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp	2010-02-04 15:00:24.778776273 +0100

@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp

     return false;

 }

+static bool isValidFormatFunction(CSSParserValue* val)

+{

+    CSSParserValueList* args = val->function->args;

+    return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);

+}

+

 bool CSSParser::parseFontFaceSrc()

 {

     RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());

@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()

                     CSSParserValue* a = args->current();

                     uriValue.clear();

                     parsedValue = CSSFontFaceSrcValue::createLocal(a->string);

-                } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {

+                } else if (allowFormat && uriValue && isValidFormatFunction(val)) {

                     expectComma = true;

                     allowFormat = false;

                     uriValue->setFormat(args->current()->string);