30 lines
1.4 KiB
Diff
30 lines
1.4 KiB
Diff
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
|
|
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl 2009-09-29 13:01:36.000000000 +0200
|
|
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-02-04 15:43:15.707711730 +0100
|
|
@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box
|
|
if (!s->m_len) {
|
|
// We want the box to be destroyed.
|
|
s->remove();
|
|
+ if (m_firstTextBox == s)
|
|
+ m_firstTextBox = s->nextTextBox();
|
|
+ else
|
|
+ s->prevTextBox()->setNextLineBox(s->nextTextBox());
|
|
+ if (m_lastTextBox == s)
|
|
+ m_lastTextBox = s->prevTextBox();
|
|
+ else
|
|
+ s->nextTextBox()->setPreviousLineBox(s->prevTextBox());
|
|
s->destroy(renderArena());
|
|
- m_firstTextBox = m_lastTextBox = 0;
|
|
return;
|
|
}
|
|
|
|
@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons
|
|
#ifdef CHECK_CONSISTENCY
|
|
const InlineTextBox* prev = 0;
|
|
for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) {
|
|
- ASSERT(child->object() == this);
|
|
+ ASSERT(child->renderer() == this);
|
|
ASSERT(child->prevTextBox() == prev);
|
|
prev = child;
|
|
}
|