path: root/www/webkit-gtk/patches/patch-bc
blob: 7dfc1d0933d0a5bc498c4768538d3760845f94c4 (plain)
$NetBSD: patch-bc,v 1.3 2011/04/13 16:19:15 drochner Exp $

CVE-2010-1806

--- WebCore/rendering/RenderObjectChildList.cpp.orig	2010-09-28 21:44:50.000000000 +0000
+++ WebCore/rendering/RenderObjectChildList.cpp
@@ -52,7 +52,11 @@ void RenderObjectChildList::destroyLefto
     while (firstChild()) {
         if (firstChild()->isListMarker() || (firstChild()->style()->styleType() == FIRST_LETTER && !firstChild()->isText()))
             firstChild()->remove();  // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
-        else {
+        else if (firstChild()->isRunIn() && firstChild()->node()) {
+            firstChild()->node()->setRenderer(0);
+            firstChild()->node()->setNeedsStyleRecalc();
+            firstChild()->destroy();
+        } else {
             // Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
             if (firstChild()->node())
                 firstChild()->node()->setRenderer(0);
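Review bot: The added `else if (firstChild()->isRunIn() && firstChild()->node())` branch carries no comment, although both neighbouring branches explain who owns the child, so a reader cannot tell why a run-in needs `setNeedsStyleRecalc()` on top of the `setRenderer(0)` that the final `else` already performs. I would put a comment above the three calls such as `// Run-in with a DOM node: detach the renderer from the node and schedule a style recalc before destroying it, so the node never keeps a pointer to a freed renderer (CVE-2010-1806).`; that reason is inferred from the CVE tag in the patch header and should be confirmed against the upstream change. The comment should also state that the order is deliberate, since the node's renderer pointer is cleared before `destroy()` runs. As a style point, `firstChild()` and `node()` are re-evaluated on every line of the branch, and a local such as `RenderObject* child = firstChild();` would make the sequence easier to audit. The body of destroyLeftoverChildren continues past the end of this hunk.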