Cherry-pick security fix in WebKit change 62134

See http://trac.webkit.org/changeset/62134

Bug: 2986936
Change-Id: Ie5c1698e58b9183519aae5dfa8cf5fb8f158feb1
diff --git a/WebCore/dom/CharacterData.cpp b/WebCore/dom/CharacterData.cpp
index 3c3dc37..cb12184 100644
--- a/WebCore/dom/CharacterData.cpp
+++ b/WebCore/dom/CharacterData.cpp
@@ -46,15 +46,15 @@
     int oldLength = length();
     RefPtr<StringImpl> oldStr = m_data;
     m_data = dataImpl;
-    
+
     if ((!renderer() || !rendererIsNeeded(renderer()->style())) && attached()) {
         detach();
         attach();
     } else if (renderer())
-        toRenderText(renderer())->setText(m_data);
-    
+        toRenderText(renderer())->setTextWithOffset(m_data, 0, oldLength);
+
     dispatchModifiedEvent(oldStr.get());
-    
+
     document()->textRemoved(this, 0, oldLength);
 }
 
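Review bot: The new `setTextWithOffset(m_data, 0, oldLength)` call in the `else if (renderer())` branch has no comment explaining why the old length is passed, and the commit message only points at the upstream changeset. Since this is the security-relevant line, add a comment above it such as `// Report the replaced range (0..oldLength of the old data) to the renderer instead of only swapping in the new string.` so a later cleanup does not fold it back into `setText()`. `oldLength` is an `int` captured before `m_data` is reassigned; if the offset and length parameters are unsigned (the declaration is not visible here), an explicit `unsigned` local would avoid the implicit conversion. The three whitespace-only changes in this hunk are unrelated to the fix and make the cherry-pick harder to audit. The enclosing function starts outside the hunk.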
diff --git a/WebCore/dom/Text.cpp b/WebCore/dom/Text.cpp
index 1ce074a..229fa88 100644
--- a/WebCore/dom/Text.cpp
+++ b/WebCore/dom/Text.cpp
@@ -77,7 +77,7 @@
         document()->textNodeSplit(this);
 
     if (renderer())
-        toRenderText(renderer())->setText(dataImpl());
+        toRenderText(renderer())->setTextWithOffset(dataImpl(), 0, oldStr->length());
 
     return newText.release();
 }
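Review bot: `oldStr->length()` is passed as the replaced length, but `oldStr` is declared outside this hunk. The call is only correct if `oldStr` cannot be null here and still holds the data the renderer was last given, presumably the pre-split string; confirm this against the top of the function. A one-line comment would pin that down, e.g. `// oldStr is the node's data before the split; the renderer still holds text of that length.` The CharacterData.cpp hunk caches the length in a local before the data changes, and doing the same here would keep the two call sites parallel.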