authorSteve Block <steveblock@google.com>2010-09-09 11:20:02 +0100
committerSteve Block <steveblock@google.com>2010-09-09 12:19:31 +0100
commit440c0366ae0192fb737c7dd87dc2d7156266b3f7 (patch)
tree0e525f410c041b955dc43191604cfa2b24a70956 /WebCore
parentbe2b5a3fe0063db46087ef38f78a1e2aa7b47631 (diff)
Cherry-pick security fix in WebKit change 63772
See http://trac.webkit.org/changeset/63772. Note that this is only a partial cherry-pick. I don't think that the fix to RenderBlock::canMergeContiguousAnonymousBlocks() is required, as we don't have this method in our version of WebKit (the method was added in http://trac.webkit.org/changeset/60201). Attempting to make the fix without this change, or cherry-picking this change too, would be too high risk. Bug: 2986936 Change-Id: I8d9f1924611e693e340dcb2f05a43d5673ef23b1
Diffstat (limited to 'WebCore')
-rw-r--r--WebCore/rendering/RenderObjectChildList.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/WebCore/rendering/RenderObjectChildList.cpp b/WebCore/rendering/RenderObjectChildList.cpp
index d56a015..24e8645 100644
--- a/WebCore/rendering/RenderObjectChildList.cpp
+++ b/WebCore/rendering/RenderObjectChildList.cpp
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2009 Apple Inc. All rights reserved.
+ * Copyright (C) Research In Motion Limited 2010. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -52,7 +53,11 @@ void RenderObjectChildList::destroyLeftoverChildren()
while (firstChild()) {
if (firstChild()->isListMarker() || (firstChild()->style()->styleType() == FIRST_LETTER && !firstChild()->isText()))
firstChild()->remove(); // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
- else {
+ else if (firstChild()->isRunIn() && firstChild()->node()) {
+ firstChild()->node()->setRenderer(0);
+ firstChild()->node()->setNeedsStyleRecalc();
+ firstChild()->destroy();
+ } else {
// Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
if (firstChild()->node())
firstChild()->node()->setRenderer(0);
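Review bot: The new `else if` branch for run-ins is the only branch in this loop without a comment saying why it exists, even though its sole difference from the generic `else` path is the `setNeedsStyleRecalc()` call on the node before `destroy()`, and a reader cannot tell from the hunk why a run-in needs that extra step. Since the commit message states this is a security fix cherry-picked from WebKit r63772, the reason should be recorded next to the code, e.g. `// Run-ins are detached from their node and the node is flagged for style recalc before the renderer is destroyed, so no stale renderer pointer survives (security fix from WebKit r63772).`, with the exact mechanism hedged if the upstream rationale is not confirmed. As a point of style, `firstChild()` is re-evaluated six times across this branch; a local `RenderObject* child = firstChild();` at the top of the loop body would make the three-line sequence easier to audit, though the surrounding code already follows the repeated-call pattern. The `while` loop and destroyLeftoverChildren() continue past the end of the hunk.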