Diffstat (limited to 'Source/WebCore/rendering/RenderButton.cpp')
-rw-r--r-- | Source/WebCore/rendering/RenderButton.cpp | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/Source/WebCore/rendering/RenderButton.cpp b/Source/WebCore/rendering/RenderButton.cpp
index 7103e6e50..69cef2922 100644
--- a/Source/WebCore/rendering/RenderButton.cpp
+++ b/Source/WebCore/rendering/RenderButton.cpp
@@ -60,7 +60,11 @@ void RenderButton::addChild(RenderObject* newChild, RenderObject* beforeChild)
 
 void RenderButton::removeChild(RenderObject* oldChild)
 {
- if (oldChild == m_inner || !m_inner) {
+ // m_inner should be the only child, but checking for direct children who
+ // are not m_inner prevents security problems when that assumption is
+ // violated.
+ if (oldChild == m_inner || !m_inner || oldChild->parent() == this) {
+ ASSERT(oldChild == m_inner || !m_inner);
 RenderDeprecatedFlexibleBox::removeChild(oldChild);
 m_inner = 0;
 } else
|
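Review bot: The unconditional `m_inner = 0;` still runs on the new `oldChild->parent() == this` path, so when ASSERT is compiled out, removing a stray direct child clears the pointer while the anonymous inner block is presumably still attached to this button. A later addChild() would then see `!m_inner` and create a second anonymous block, and removals of the first block's children would be forwarded to the wrong parent, which is the same broken-assumption state the new comment is guarding against. Clearing the pointer only for the tracked child keeps the bookkeeping honest: `if (oldChild == m_inner) m_inner = 0;`. The `else` body lies outside this hunk; it still appears to forward to `m_inner->removeChild(oldChild)` without confirming `oldChild->parent() == m_inner`, which would be worth an ASSERT as well.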