Cherry-pick security fix in WebKit change 62134
See http://trac.webkit.org/changeset/62134
Bug: 2986936
Change-Id: Ie5c1698e58b9183519aae5dfa8cf5fb8f158feb1
diff --git a/WebCore/dom/CharacterData.cpp b/WebCore/dom/CharacterData.cpp
index 3c3dc37..cb12184 100644
--- a/WebCore/dom/CharacterData.cpp
+++ b/WebCore/dom/CharacterData.cpp
@@ -46,15 +46,15 @@
int oldLength = length();
RefPtr<StringImpl> oldStr = m_data;
m_data = dataImpl;
-
+
if ((!renderer() || !rendererIsNeeded(renderer()->style())) && attached()) {
detach();
attach();
} else if (renderer())
- toRenderText(renderer())->setText(m_data);
-
+ toRenderText(renderer())->setTextWithOffset(m_data, 0, oldLength);
+
dispatchModifiedEvent(oldStr.get());
-
+
document()->textRemoved(this, 0, oldLength);
}
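Review bot: The replacement of setText with setTextWithOffset(m_data, 0, oldLength) on the `else if (renderer())` branch carries no comment saying why the offset form is required, and since this is a cherry-picked security fix the reason should be recorded next to the call; the same applies to the Text.cpp hunk. I would add above the call `// setTextWithOffset rather than setText: the renderer must invalidate its text runs over the old length [0, oldLength), otherwise stale layout state survives the data change (WebKit r62134).` — the exact invalidation mechanism lives in RenderText, outside this diff, so the wording should be checked against it. Note that oldLength is captured before `m_data = dataImpl;` and is also what `document()->textRemoved(this, 0, oldLength)` reports, so the two calls stay consistent. The enclosing function starts above the hunk; the three `-`/`+` blank-line pairs appear to be trailing-whitespace cleanup only.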
diff --git a/WebCore/dom/Text.cpp b/WebCore/dom/Text.cpp
index 1ce074a..229fa88 100644
--- a/WebCore/dom/Text.cpp
+++ b/WebCore/dom/Text.cpp
@@ -77,7 +77,7 @@
document()->textNodeSplit(this);
if (renderer())
- toRenderText(renderer())->setText(dataImpl());
+ toRenderText(renderer())->setTextWithOffset(dataImpl(), 0, oldStr->length());
return newText.release();
}
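Review bot: The new line `toRenderText(renderer())->setTextWithOffset(dataImpl(), 0, oldStr->length());` dereferences oldStr unconditionally where the removed setText call did not touch it; oldStr is declared above the hunk, so it is worth confirming it can never be null on this path (it presumably holds the pre-split StringImpl). For consistency with CharacterData.cpp, which captures `int oldLength = length();` before swapping the data, consider capturing the old length into a local before the split and passing that, so the removed range reported to the renderer is visibly the same value used elsewhere in the function. The enclosing function begins outside the hunk.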