diff options
| author | Steve Block <steveblock@google.com> | 2010-09-09 11:18:29 +0100 |
|---|---|---|
| committer | Steve Block <steveblock@google.com> | 2010-09-09 12:20:26 +0100 |
| commit | 3f2f7e2fd4924ef8eaf542740438ede42a81732e (patch) | |
| tree | 80d3d9aa136ace24934b12514781f37e50f09f1c | |
| parent | e1d3e323642600e02d50760bd7dacd11e4ccfa83 (diff) | |
| download | external_webkit-3f2f7e2fd4924ef8eaf542740438ede42a81732e.zip external_webkit-3f2f7e2fd4924ef8eaf542740438ede42a81732e.tar.gz external_webkit-3f2f7e2fd4924ef8eaf542740438ede42a81732e.tar.bz2 | |
Cherry-pick security fix in WebKit change 65090
See http://trac.webkit.org/changeset/65090
Note that this required a manual merge due to our not having
http://trac.webkit.org/changeset/60251
Bug: 2986936
Change-Id: I035ec5d92c4e31cc8f7667dfc46e22d2a02cda97
| -rw-r--r-- | WebCore/rendering/RenderRubyRun.cpp | 32 |
1 files changed, 17 insertions, 15 deletions
diff --git a/WebCore/rendering/RenderRubyRun.cpp b/WebCore/rendering/RenderRubyRun.cpp index 61be455..3267abb 100644 --- a/WebCore/rendering/RenderRubyRun.cpp +++ b/WebCore/rendering/RenderRubyRun.cpp @@ -143,14 +143,15 @@ void RenderRubyRun::addChild(RenderObject* child, RenderObject* beforeChild) RenderBlock::removeChild(beforeChild); newRun->addChild(beforeChild); } else { - ASSERT(hasRubyBase()); // Otherwise beforeChild would be borked. - // Insertion before a ruby base object. - // In this case we need insert a new run before the current one and split the base. - RenderObject* ruby = parent(); - RenderRubyRun* newRun = staticCreateRubyRun(ruby); - ruby->addChild(newRun, this); - newRun->addChild(child); - rubyBaseSafe()->moveChildren(newRun->rubyBaseSafe(), beforeChild); + if (hasRubyBase()) { + // Insertion before a ruby base object. + // In this case we need insert a new run before the current one and split the base. + RenderObject* ruby = parent(); + RenderRubyRun* newRun = staticCreateRubyRun(ruby); + ruby->addChild(newRun, this); + newRun->addChild(child); + rubyBaseSafe()->moveChildren(newRun->rubyBaseSafe(), beforeChild); + } } } else { // child is not a text -> insert it into the base @@ -171,13 +172,14 @@ void RenderRubyRun::removeChild(RenderObject* child) if (base && rightNeighbour && rightNeighbour->isRubyRun()) { // Ruby run without a base can happen only at the first run. RenderRubyRun* rightRun = static_cast<RenderRubyRun*>(rightNeighbour); - ASSERT(rightRun->hasRubyBase()); - RenderRubyBase* rightBase = rightRun->rubyBaseSafe(); - // Collect all children in a single base, then swap the bases. - rightBase->moveChildren(base); - moveChildTo(rightRun, rightRun->children(), base); - rightRun->moveChildTo(this, children(), rightBase); - // The now empty ruby base will be removed below. + if (rightRun->hasRubyBase()) { + RenderRubyBase* rightBase = rightRun->rubyBaseSafe(); + // Collect all children in a single base, then swap the bases. + rightBase->moveChildren(base); + moveChildTo(rightRun, rightRun->children(), base); + rightRun->moveChildTo(this, children(), rightBase); + // The now empty ruby base will be removed below. + } } } |