description: fix cve-2010-2651
author: Michael Gilbert
origin: http://trac.webkit.org/changeset/59247
Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-03 15:18:07.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 21:50:51.000000000 -0400
@@ -4651,10 +4651,12 @@
     // Drill into inlines looking for our first text child.
     RenderObject* currChild = firstLetterBlock->firstChild();
-    while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+    while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
         if (currChild->isFloatingOrPositioned()) {
-            if (currChild->style()->styleType() == FIRST_LETTER)
+            if (currChild->style()->styleType() == FIRST_LETTER) {
+                currChild = currChild->firstChild();
                 break;
+            }
             currChild = currChild->nextSibling();
         } else
             currChild = currChild->firstChild();
@@ -4671,11 +4673,11 @@
     // If the child already has style, then it has already been created, so we just want
     // to update it.
-    if (currChild->style()->styleType() == FIRST_LETTER) {
+    if (firstLetterContainer->style()->styleType() == FIRST_LETTER) {
         RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER,
-                                                                      firstLetterContainer->firstLineStyle());
-        currChild->setStyle(pseudo);
-        for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) {
+                                                                      firstLetterContainer->parent()->firstLineStyle());
+        firstLetterContainer->setStyle(pseudo);
+        for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) {
             if (genChild->isText())
                 genChild->setStyle(pseudo);
         }
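Review bot: The new FIRST_LETTER branch leaves the loop with `currChild = currChild->firstChild()`, which is null when the existing first-letter renderer has no children, so the loop can now exit with a null currChild even though the while condition only ever saw a non-null one; the code after the hunk (not shown) must guard that before it dereferences currChild or takes its parent. The intent of descending into the existing renderer is not obvious from the code and deserves a comment on the new assignment: `// An existing first-letter renderer: descend to its text child (may be null) so it is restyled rather than recreated.` The enclosing function starts before and ends after this hunk.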
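Review bot: The comment `// If the child already has style, then it has already been created, so we just want // to update it.` now describes the wrong object, because the condition below it tests `firstLetterContainer->style()->styleType()` rather than the child; it should read `// If the container is already the first-letter renderer, it was created earlier; just refresh its style.` The new `firstLetterContainer->parent()->firstLineStyle()` also dereferences `parent()` without a null check; that is presumably safe if firstLetterContainer is always attached under firstLetterBlock, but the hunk does not show where firstLetterContainer is computed, so an `ASSERT(firstLetterContainer->parent());` next to it would document the invariant. The enclosing function starts before and ends after this hunk.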