diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl	2009-09-29 13:01:36.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp	2010-02-04 15:43:15.707711730 +0100
@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box
     if (!s->m_len) {
         // We want the box to be destroyed.
         s->remove();
+        if (m_firstTextBox == s)
+            m_firstTextBox = s->nextTextBox();
+        else
+            s->prevTextBox()->setNextLineBox(s->nextTextBox());
+        if (m_lastTextBox == s)
+            m_lastTextBox = s->prevTextBox();
+        else
+            s->nextTextBox()->setPreviousLineBox(s->prevTextBox());
         s->destroy(renderArena());
-        m_firstTextBox = m_lastTextBox = 0;
         return;
     }
 
@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons
 #ifdef CHECK_CONSISTENCY
     const InlineTextBox* prev = 0;
     for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) {
-        ASSERT(child->object() == this);
+        ASSERT(child->renderer() == this);
         ASSERT(child->prevTextBox() == prev);
         prev = child;
     }