diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp --- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-06-02 04:03:11.000000000 +0200 +++ qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-06-11 13:42:31.190174662 +0200 @@ -207,7 +207,7 @@ PassRefPtr RenderText::originalText() const { Node* e = node(); - return e ? static_cast(e)->dataImpl() : 0; + return (e && e->isTextNode()) ? static_cast(e)->dataImpl() : 0; } void RenderText::absoluteRects(Vector& rects, int tx, int ty) diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp --- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 2010-06-02 04:03:11.000000000 +0200 +++ qt-everywhere-opensource-src-4.6.3-CVE-1770/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 2010-06-11 13:42:31.197153658 +0200 @@ -47,7 +47,7 @@ PassRefPtr RenderTextFragment::originalText() const { Node* e = node(); - RefPtr result = (e ? static_cast(e)->dataImpl() : contentString()); + RefPtr result = ((e && e->isTextNode()) ? static_cast(e)->dataImpl() : contentString()); if (result && (start() > 0 || start() < result->length())) result = result->substring(start(), end()); return result.release(); @@ -76,7 +76,7 @@ { if (start()) { Node* e = node(); - StringImpl* original = (e ? static_cast(e)->dataImpl() : contentString()); + StringImpl* original = ((e && e->isTextNode()) ? static_cast(e)->dataImpl() : contentString()); if (original) return (*original)[start() - 1]; }