fix cve-2010-1806 (backported by Michael Gilbert):
author    inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 20 Jul 2010 20:37:15 +0000 (20:37 +0000)
committer Michael Gilbert <michael.s.gilbert@gmail.com>
          Sun, 27 Mar 2011 17:06:25 +0000 (13:06 -0400)
commit    a519084d110b1a7e52be896895ffddf064ddda8b
tree      3cd9696d051e37b0008b9b4ce9446948d9b05b50
parent    04cd0279330ac8913b1166902d255a12a2f33481

2010-07-20  Leo Yang  <leo.yang@torchmobile.com.cn>

        Reviewed by David Hyatt.

        Don't merge Anonymous block whose first child is inline run-in.
        Make run-in recalculate its style after its renderer is destroyed.
        https://bugs.webkit.org/show_bug.cgi?id=41375.

        Test: fast/runin/crash-when-reparent-sibling.html

        * rendering/RenderBlock.cpp:
        (WebCore::canMergeContiguousAnonymousBlocks):
        * rendering/RenderObjectChildList.cpp:
        (WebCore::RenderObjectChildList::destroyLeftoverChildren):
2010-07-20  Leo Yang  <leo.yang@torchmobile.com.cn>

        Reviewed by David Hyatt.

        Test case to verify https://bugs.webkit.org/show_bug.cgi?id=41375.
        Test passes if expected result occurs without crash.
        https://bugs.webkit.org/show_bug.cgi?id=41375.

        * fast/runin/crash-when-reparent-sibling-expected.txt: Added.
        * fast/runin/crash-when-reparent-sibling.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63772 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/fast/runin/crash-when-reparent-sibling-expected.txt [new file with mode: 0644]
LayoutTests/fast/runin/crash-when-reparent-sibling.html [new file with mode: 0644]
WebCore/rendering/RenderObjectChildList.cpp