Cherry-pick security fix in WebKit change 62134

author Steve Block <steveblock@google.com>

Thu, 9 Sep 2010 10:53:17 +0000 (11:53 +0100)

committer Steve Block <steveblock@google.com>

Thu, 9 Sep 2010 11:03:51 +0000 (12:03 +0100)
author Steve Block <steveblock@google.com>
Thu, 9 Sep 2010 10:53:17 +0000 (11:53 +0100)
committer Steve Block <steveblock@google.com>
Thu, 9 Sep 2010 11:03:51 +0000 (12:03 +0100)
diff --git a/WebCore/dom/CharacterData.cpp b/WebCore/dom/CharacterData.cpp

index 3c3dc37..cb12184 100644 (file)
--- a/WebCore/dom/CharacterData.cpp
+++ b/WebCore/dom/CharacterData.cpp
@@ -46,15 +46,15 @@ void CharacterData::setData(const String& data, ExceptionCode&)
      int oldLength = length();
      RefPtr<StringImpl> oldStr = m_data;
      m_data = dataImpl;
-    
+
      if ((!renderer() || !rendererIsNeeded(renderer()->style())) && attached()) {
          detach();
          attach();
      } else if (renderer())
-        toRenderText(renderer())->setText(m_data);
-    
+        toRenderText(renderer())->setTextWithOffset(m_data, 0, oldLength);
+
      dispatchModifiedEvent(oldStr.get());
-    
+
      document()->textRemoved(this, 0, oldLength);
  }
  
diff --git a/WebCore/dom/Text.cpp b/WebCore/dom/Text.cpp

index 1ce074a..229fa88 100644 (file)
--- a/WebCore/dom/Text.cpp
+++ b/WebCore/dom/Text.cpp
@@ -77,7 +77,7 @@ PassRefPtr<Text> Text::splitText(unsigned offset, ExceptionCode& ec)
          document()->textNodeSplit(this);
  
      if (renderer())
-        toRenderText(renderer())->setText(dataImpl());
+        toRenderText(renderer())->setTextWithOffset(dataImpl(), 0, oldStr->length());
  
      return newText.release();
  }
author	Steve Block <steveblock@google.com>
	Thu, 9 Sep 2010 10:53:17 +0000 (11:53 +0100)
committer	Steve Block <steveblock@google.com>
	Thu, 9 Sep 2010 11:03:51 +0000 (12:03 +0100)
WebCore/dom/CharacterData.cpp		patch \| blob \| history
WebCore/dom/Text.cpp		patch \| blob \| history