diff options
| author | Steve Block <steveblock@google.com> | 2010-09-10 04:32:59 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2010-09-10 04:32:59 -0700 |
| commit | 574b2420d2e43cab716a4ae8b5c18ff48dd7ee9f (patch) | |
| tree | c3843c13396bc6551294d29f97c1815e906d9eb8 /WebCore | |
| parent | d8a7ee4d40714f2434265e0f76549ef9ce79a036 (diff) | |
| parent | 946ea101a7673e7f566d52b1ba81f85b75666d16 (diff) | |
| download | external_webkit-574b2420d2e43cab716a4ae8b5c18ff48dd7ee9f.zip external_webkit-574b2420d2e43cab716a4ae8b5c18ff48dd7ee9f.tar.gz external_webkit-574b2420d2e43cab716a4ae8b5c18ff48dd7ee9f.tar.bz2 | |
am 946ea101: Cherry-pick security fix in WebKit change 66052
Merge commit '946ea101a7673e7f566d52b1ba81f85b75666d16' into gingerbread-plus-aosp
* commit '946ea101a7673e7f566d52b1ba81f85b75666d16':
Cherry-pick security fix in WebKit change 66052
Diffstat (limited to 'WebCore')
| -rw-r--r-- | WebCore/rendering/RenderCounter.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/WebCore/rendering/RenderCounter.cpp b/WebCore/rendering/RenderCounter.cpp index 3cb9a07..6e678e8 100644 --- a/WebCore/rendering/RenderCounter.cpp +++ b/WebCore/rendering/RenderCounter.cpp @@ -136,6 +136,11 @@ static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString& RenderObject* currentRenderer = counterOwner->previousInPreOrder(); previousSibling = 0; while (currentRenderer) { + // A sibling without a parent means that the counter node tree was not constructed correctly so we stop + // traversing. In the future RenderCounter should handle RenderObjects that are not connected to the + // render tree at counter node creation. See bug 43812. + if (previousSibling && !previousSibling->parent()) + return false; CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false); if (searchEndRenderer == currentRenderer) { // We may be at the end of our search. |