From 440c0366ae0192fb737c7dd87dc2d7156266b3f7 Mon Sep 17 00:00:00 2001
From: Steve Block
Date: Thu, 9 Sep 2010 11:20:02 +0100
Subject: [PATCH] Cherry-pick security fix in WebKit change 63772

See http://trac.webkit.org/changeset/63772

Note that this is only a partial cherry-pick. I don't think that the fix to RenderBlock::canMergeContiguousAnonymousBlocks() is required as we don't have this method in our version of WebKit. The method was added in http://trac.webkit.org/changeset/60201). Attempting to make the fix without this change, or cherry-picking this change too, would be too high risk.

Bug: 2986936
Change-Id: I8d9f1924611e693e340dcb2f05a43d5673ef23b1
---
 WebCore/rendering/RenderObjectChildList.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/WebCore/rendering/RenderObjectChildList.cpp b/WebCore/rendering/RenderObjectChildList.cpp
index d56a015f7..24e864588 100644
--- a/WebCore/rendering/RenderObjectChildList.cpp
+++ b/WebCore/rendering/RenderObjectChildList.cpp
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2009 Apple Inc. All rights reserved.
+ * Copyright (C) Research In Motion Limited 2010. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,7 +53,11 @@ void RenderObjectChildList::destroyLeftoverChildren()
     while (firstChild()) {
         if (firstChild()->isListMarker() || (firstChild()->style()->styleType() == FIRST_LETTER && !firstChild()->isText()))
             firstChild()->remove(); // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
-        else {
+        else if (firstChild()->isRunIn() && firstChild()->node()) {
+            firstChild()->node()->setRenderer(0);
+            firstChild()->node()->setNeedsStyleRecalc();
+            firstChild()->destroy();
+        } else {
             // Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
             if (firstChild()->node())
                 firstChild()->node()->setRenderer(0);
-- 
2.11.0
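Review bot: The new `else if (firstChild()->isRunIn() && firstChild()->node())` branch carries no comment saying why a run-in's node needs `setNeedsStyleRecalc()` when the generic `else` path right below also clears the node's renderer but, as far as the hunk shows, never requests a recalc; without that rationale a later cleanup could fold the two branches back together and silently reintroduce the stale-renderer problem this cherry-pick addresses. A one-line why-comment above the branch would pin it down, e.g. `// A run-in's node outlives this container: clear its renderer pointer and force a style recalc so it re-attaches rather than keeping a dangling renderer.` The branch also calls `firstChild()` five times while `destroy()` mutates the very list it reads from; hoisting `RenderObject* child = firstChild();` at the top of the loop body would make explicit which object is torn down and would read more clearly in the original `else` path too. Loop termination here presumably relies on `destroy()` unlinking the child from this list, which matches how the existing `else` path appears to work, but the remainder of destroyLeftoverChildren is outside the hunk and should be checked against that assumption.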