am 440c0366: Cherry-pick security fix in WebKit change 63772

Merge commit '440c0366ae0192fb737c7dd87dc2d7156266b3f7' into gingerbread-plus-aosp * commit '440c0366ae0192fb737c7dd87dc2d7156266b3f7': Cherry-pick security fix in WebKit change 63772
author: Steve Block <steveblock@google.com> 2010-09-10 04:32:31 -0700
committer: Android Git Automerger <android-git-automerger@android.com> 2010-09-10 04:32:31 -0700
commit: e772cff7e4f4e6838bc95ad69c7b17a12b11ed43 (patch)
tree: 3e8c7de2fe4831ca73706549e17704c6eff2b40a /WebCore
parent: a8a44d01c8c57974c92ba7d924cf600cde71ed27 (diff)
parent: 440c0366ae0192fb737c7dd87dc2d7156266b3f7 (diff)
download: external_webkit-e772cff7e4f4e6838bc95ad69c7b17a12b11ed43.zip
external_webkit-e772cff7e4f4e6838bc95ad69c7b17a12b11ed43.tar.gz
external_webkit-e772cff7e4f4e6838bc95ad69c7b17a12b11ed43.tar.bz2
1 files changed, 6 insertions, 1 deletions
diff --git a/WebCore/rendering/RenderObjectChildList.cpp b/WebCore/rendering/RenderObjectChildList.cpp
index d56a015..24e8645 100644
--- a/WebCore/rendering/RenderObjectChildList.cpp
+++ b/WebCore/rendering/RenderObjectChildList.cpp
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2009 Apple Inc.  All rights reserved.
+ * Copyright (C) Research In Motion Limited 2010. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,7 +53,11 @@ void RenderObjectChildList::destroyLeftoverChildren()
     while (firstChild()) {
         if (firstChild()->isListMarker() || (firstChild()->style()->styleType() == FIRST_LETTER && !firstChild()->isText()))
             firstChild()->remove();  // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
-        else {
+        else if (firstChild()->isRunIn() && firstChild()->node()) {
+            firstChild()->node()->setRenderer(0);
+            firstChild()->node()->setNeedsStyleRecalc();
+            firstChild()->destroy();
+        } else {
             // Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
             if (firstChild()->node())
                 firstChild()->node()->setRenderer(0);
author	Steve Block <steveblock@google.com>	2010-09-10 04:32:31 -0700
committer	Android Git Automerger <android-git-automerger@android.com>	2010-09-10 04:32:31 -0700
commit	e772cff7e4f4e6838bc95ad69c7b17a12b11ed43 (patch)
tree	3e8c7de2fe4831ca73706549e17704c6eff2b40a /WebCore
parent	a8a44d01c8c57974c92ba7d924cf600cde71ed27 (diff)
parent	440c0366ae0192fb737c7dd87dc2d7156266b3f7 (diff)
download	external_webkit-e772cff7e4f4e6838bc95ad69c7b17a12b11ed43.zip external_webkit-e772cff7e4f4e6838bc95ad69c7b17a12b11ed43.tar.gz external_webkit-e772cff7e4f4e6838bc95ad69c7b17a12b11ed43.tar.bz2