Cherry-pick security fix in WebKit change 66052 See http://trac.webkit.org/changeset/66052 Bug: 2986936 Change-Id: I42d1b546b328e28d8dd817c5904fa1d0ee0b759c

commit: 946ea101a7673e7f566d52b1ba81f85b75666d16 [log] [tgz]
author: Steve Block <steveblock@google.com> Thu Sep 09 11:55:43 2010 +0100
committer: Steve Block <steveblock@google.com> Thu Sep 09 12:20:26 2010 +0100
tree: 4e98542b96fc6e699a901ad75422f1672099f970
parent: 93f07dbc620b468fe98b72a93f0d0e84c40353cd [diff]
diff --git a/WebCore/rendering/RenderCounter.cpp b/WebCore/rendering/RenderCounter.cpp
index 3cb9a07..6e678e8 100644
--- a/WebCore/rendering/RenderCounter.cpp
+++ b/WebCore/rendering/RenderCounter.cpp

@@ -136,6 +136,11 @@
     RenderObject* currentRenderer = counterOwner->previousInPreOrder();
     previousSibling = 0;
     while (currentRenderer) {
+        // A sibling without a parent means that the counter node tree was not constructed correctly so we stop
+        // traversing. In the future RenderCounter should handle RenderObjects that are not connected to the
+        // render tree at counter node creation. See bug 43812.
+        if (previousSibling && !previousSibling->parent())
+            return false;
         CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
         if (searchEndRenderer == currentRenderer) {
             // We may be at the end of our search.
commit	946ea101a7673e7f566d52b1ba81f85b75666d16	[log] [tgz]
author	Steve Block <steveblock@google.com>	Thu Sep 09 11:55:43 2010 +0100
committer	Steve Block <steveblock@google.com>	Thu Sep 09 12:20:26 2010 +0100
tree	4e98542b96fc6e699a901ad75422f1672099f970
parent	93f07dbc620b468fe98b72a93f0d0e84c40353cd [diff]