authorSteve Block <steveblock@google.com>2010-09-09 11:55:43 +0100
committerSteve Block <steveblock@google.com>2010-09-09 12:20:26 +0100
commit946ea101a7673e7f566d52b1ba81f85b75666d16 (patch)
tree4e98542b96fc6e699a901ad75422f1672099f970 /WebCore
parent93f07dbc620b468fe98b72a93f0d0e84c40353cd (diff)
Cherry-pick security fix in WebKit change 66052
See http://trac.webkit.org/changeset/66052 Bug: 2986936 Change-Id: I42d1b546b328e28d8dd817c5904fa1d0ee0b759c
Diffstat (limited to 'WebCore')
-rw-r--r--WebCore/rendering/RenderCounter.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/WebCore/rendering/RenderCounter.cpp b/WebCore/rendering/RenderCounter.cpp
index 3cb9a07..6e678e8 100644
--- a/WebCore/rendering/RenderCounter.cpp
+++ b/WebCore/rendering/RenderCounter.cpp
@@ -136,6 +136,11 @@ static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString&
RenderObject* currentRenderer = counterOwner->previousInPreOrder();
previousSibling = 0;
while (currentRenderer) {
+ // A sibling without a parent means that the counter node tree was not constructed correctly so we stop
+ // traversing. In the future RenderCounter should handle RenderObjects that are not connected to the
+ // render tree at counter node creation. See bug 43812.
+ if (previousSibling && !previousSibling->parent())
+ return false;
CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
if (searchEndRenderer == currentRenderer) {
// We may be at the end of our search.
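Review bot: The new early return at the top of the `while (currentRenderer)` loop leaves `previousSibling` pointing at the parentless counter node while the function reports failure. The signature is truncated in the hunk header, but the `previousSibling = 0;` just above the loop suggests it is a reference out-parameter; if so, a caller that reads it after a `false` return would get a node from the malformed tree, so I would clear it first: `if (previousSibling && !previousSibling->parent()) { previousSibling = 0; return false; }`. The added comment should also name the tracker it refers to, since the commit message cites a different bug number (2986936) and "bug 43812" alone is ambiguous. findPlaceForCounter begins and ends outside this hunk, so whether its other exits already reset the outputs cannot be checked from here.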