Source/WebCore/rendering/RenderButton.cpp - Issue 11377109: Merge 133717 - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(296)

My Issues | Starred Open | Closed | All

Unified Diff: Source/WebCore/rendering/RenderButton.cpp

Issue 11377109: Merge 133717 (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1271/

Patch Set: Created 8 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « Source/WebCore/rendering/RenderBlock.cpp ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/WebCore/rendering/RenderButton.cpp

===================================================================

--- Source/WebCore/rendering/RenderButton.cpp (revision 134270)

+++ Source/WebCore/rendering/RenderButton.cpp (working copy)

@@ -60,7 +60,11 @@

void RenderButton::removeChild(RenderObject* oldChild)

{

- if (oldChild == m_inner || !m_inner) {

+ // m_inner should be the only child, but checking for direct children who

+ // are not m_inner prevents security problems when that assumption is

+ // violated.

+ if (oldChild == m_inner || !m_inner || oldChild->parent() == this) {

+ ASSERT(oldChild == m_inner || !m_inner);

RenderDeprecatedFlexibleBox::removeChild(oldChild);

m_inner = 0;

} else

« no previous file with comments | « Source/WebCore/rendering/RenderBlock.cpp ('k') | no next file » | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698