description: fix cve-2010-2651
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/59247
Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp	2010-09-03 15:18:07.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp	2010-09-06 21:50:51.000000000 -0400
@@ -4651,10 +4651,12 @@
 
     // Drill into inlines looking for our first text child.
     RenderObject* currChild = firstLetterBlock->firstChild();
-    while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+    while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
         if (currChild->isFloatingOrPositioned()) {
-            if (currChild->style()->styleType() == FIRST_LETTER)
+            if (currChild->style()->styleType() == FIRST_LETTER) {
+                currChild = currChild->firstChild();
                 break;
+            }
             currChild = currChild->nextSibling();
         } else
             currChild = currChild->firstChild();
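Review bot: The new branch at the `styleType() == FIRST_LETTER` check now assigns `currChild = currChild->firstChild()` before breaking, and that value is null whenever the existing first-letter container has no children, so whatever the function does with `currChild` right after the loop (those lines are outside this hunk) must tolerate a null pointer. If the post-loop code does not already begin with `if (!currChild) return;`, that guard is needed, otherwise the crash this patch is meant to close (CVE-2010-2651) is just moved a few lines down. The loop also dropped the `currChild->needsLayout()` condition, which changes when the walk stops; a one-line comment such as `// Descend into an existing first-letter container so its text child is found even when it is floating/positioned.` above the branch would record why the walk no longer stops at the container itself. The enclosing function starts before this hunk and continues after it.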
@@ -4671,11 +4673,11 @@
 
     // If the child already has style, then it has already been created, so we just want
     // to update it.
-    if (currChild->style()->styleType() == FIRST_LETTER) {
+    if (firstLetterContainer->style()->styleType() == FIRST_LETTER) {
         RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER,
-                                                                     firstLetterContainer->firstLineStyle());
-        currChild->setStyle(pseudo);
-        for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) {
+                                                                     firstLetterContainer->parent()->firstLineStyle());
+        firstLetterContainer->setStyle(pseudo);
+        for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) {
             if (genChild->isText()) 
                 genChild->setStyle(pseudo);
         }
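Review bot: The replacement call at the `getCachedPseudoStyle` line dereferences `firstLetterContainer->parent()` without checking it, whereas the old code used `firstLetterContainer->firstLineStyle()` and never touched the parent; `firstLetterContainer` is defined between the two hunks, so it is not visible here, but if it can ever be a detached or root renderer this is a new null dereference on an attacker-reachable DOM/CSS path. A cheap guard such as `ASSERT(firstLetterContainer->parent());` before the call, or an early `if (!firstLetterContainer->parent()) return;`, would make the assumption explicit. It is also worth noting in a comment why the style is now looked up against the parent, e.g. `// The pseudo style must be resolved relative to the container's parent: the container itself is the generated first-letter box.`, since the switch from `currChild` to `firstLetterContainer` in this block is the core of the fix and is otherwise undocumented. The enclosing function continues past this hunk.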