Cherry-pick WebKit security fix (webkit.org r69345) Do not merge
See http://trac.webkit.org/changeset/69345
Change-Id: Ie0f421c22fc4ec007417181c834e50033a389230
diff --git a/WebCore/rendering/InlineFlowBox.cpp b/WebCore/rendering/InlineFlowBox.cpp
index abfdf5c..f193a4c 100644
--- a/WebCore/rendering/InlineFlowBox.cpp
+++ b/WebCore/rendering/InlineFlowBox.cpp
@@ -81,8 +81,6 @@
child->setFirstLineStyleBit(m_firstLine);
if (child->isText())
m_hasTextChildren = true;
- if (child->renderer()->selectionState() != RenderObject::SelectionNone)
- root()->setHasSelectedChildren(true);
checkConsistency();
}
diff --git a/WebCore/rendering/RenderBlockLineLayout.cpp b/WebCore/rendering/RenderBlockLineLayout.cpp
index a7f3553..4446666 100644
--- a/WebCore/rendering/RenderBlockLineLayout.cpp
+++ b/WebCore/rendering/RenderBlockLineLayout.cpp
@@ -265,6 +265,7 @@
{
ASSERT(firstRun);
+ bool rootHasSelectedChildren = false;
InlineFlowBox* parentBox = 0;
for (BidiRun* r = firstRun; r; r = r->next()) {
// Create a box for our object.
@@ -279,6 +280,9 @@
if (!box)
continue;
+ if (!rootHasSelectedChildren && box->renderer()->selectionState() != RenderObject::SelectionNone)
+ rootHasSelectedChildren = true;
+
// If we have no parent box yet, or if the run is not simply a sibling,
// then we need to construct inline boxes as necessary to properly enclose the
// run's inline box.
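Review bot: Selection state is now sampled only for the leaf boxes created in this bidi-run loop, while the InlineFlowBox.cpp hunk removes the equivalent test from the child-adding code. If any other call site adds a child with a selection state through that path, the root's flag would no longer be set; those callers are not visible in this diff, so this is worth confirming before the cherry-pick lands. A short comment above the new check would record the dependency, for example `// Selection state is tracked here, not when the child is added; see the flag update after this loop.` The enclosing function starts and ends outside the hunk.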
@@ -304,6 +308,11 @@
// be the last continuation of our line list.
ASSERT(lastLineBox() && !lastLineBox()->isConstructed());
+ // Set the m_selectedChildren flag on the root inline box if one of the leaf inline box
+ // from the bidi runs walk above has a selection state.
+ if (rootHasSelectedChildren)
+ lastLineBox()->root()->setHasSelectedChildren(true);
+
// Set bits on our inline flow boxes that indicate which sides should
// paint borders/margins/padding. This knowledge will ultimately be used when
// we determine the horizontal positions and widths of all the inline boxes on
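Review bot: The new `lastLineBox()->root()->setHasSelectedChildren(true);` relies on the `ASSERT(lastLineBox() && ...)` just above it, which, if ASSERT is a debug-only macro here, leaves the dereference unguarded in release builds. Later code in the function, outside this hunk, may already make the same assumption, but a security fix is a good place to make it explicit, e.g. `if (rootHasSelectedChildren && lastLineBox())`. The added comment also names `m_selectedChildren` although the setter is `setHasSelectedChildren`, and "one of the leaf inline box" should read "boxes". It states what is set but not why the update was moved out of the child-adding path; since the commit message only links to the upstream changeset, that reason should be recorded in one sentence here.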