Cherry-pick security fix in WebKit change 66052
See http://trac.webkit.org/changeset/66052
Bug: 2986936
Change-Id: I42d1b546b328e28d8dd817c5904fa1d0ee0b759c
diff --git a/WebCore/rendering/RenderCounter.cpp b/WebCore/rendering/RenderCounter.cpp
index 3cb9a07..6e678e8 100644
--- a/WebCore/rendering/RenderCounter.cpp
+++ b/WebCore/rendering/RenderCounter.cpp
@@ -136,6 +136,11 @@
RenderObject* currentRenderer = counterOwner->previousInPreOrder();
previousSibling = 0;
while (currentRenderer) {
+ // A sibling without a parent means that the counter node tree was not constructed correctly so we stop
+ // traversing. In the future RenderCounter should handle RenderObjects that are not connected to the
+ // render tree at counter node creation. See bug 43812.
+ if (previousSibling && !previousSibling->parent())
+ return false;
CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
if (searchEndRenderer == currentRenderer) {
// We may be at the end of our search.
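Review bot: The early `return false;` added at the top of the `while (currentRenderer)` loop leaves `previousSibling` pointing at the parentless counter node that the check has just rejected. If `previousSibling` is a reference out-parameter, as the bare `previousSibling = 0;` above the loop suggests (the signature is outside the hunk), a caller that reads it without testing the return value would be working with a node that is not attached to the counter tree; clearing it on the failure path, `if (previousSibling && !previousSibling->parent()) { previousSibling = 0; return false; }`, avoids handing that pointer out. The new comment's "bug 43812" is also ambiguous next to the commit message's "Bug: 2986936", which appears to refer to a different tracker, so the comment should name the tracker or give the bug's full URL. The enclosing function starts and ends outside the hunk, so whether other out-parameters need the same reset cannot be judged from here.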