Title: [202320] trunk/Source/WebCore
Revision: 202320
Author: [email protected]
Date: 2016-06-21 20:53:47 -0700 (Tue, 21 Jun 2016)
Log Message
DumpRenderTree crashed in com.apple.WebCore: WebCore::HTMLSelectElement::updateSelectedState
https://bugs.webkit.org/show_bug.cgi?id=159009
<rdar://problem/23454623>

Reviewed by Jon Lee.

It seems we can get bogus indices from UIKit's implementation
of UIWebSelectMultiplePicker. Guard against this situation.

Covered by running the existing tests in WebKit1 with Guard Malloc,
such as fast/spatial-navigation/snav-multiple-select-optgroup.html

* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::updateSelectedState): Early return
if we get an index out of range.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (202319 => 202320)
--- trunk/Source/WebCore/ChangeLog 2016-06-22 03:34:05 UTC (rev 202319)
+++ trunk/Source/WebCore/ChangeLog 2016-06-22 03:53:47 UTC (rev 202320)
@@ -1,3 +1,21 @@
+2016-06-21 Dean Jackson <[email protected]>
+
+ DumpRenderTree crashed in com.apple.WebCore: WebCore::HTMLSelectElement::updateSelectedState
+ https://bugs.webkit.org/show_bug.cgi?id=159009
+ <rdar://problem/23454623>
+
+ Reviewed by Jon Lee.
+
+ It seems we can get bogus indices from UIKit's implementation
+ of UIWebSelectMultiplePicker. Guard against this situation.
+
+ Covered by running the existing tests in WebKit1 with Guard Malloc,
+ such as fast/spatial-navigation/snav-multiple-select-optgroup.html
+
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::updateSelectedState): Early return
+ if we get an index out of range.
+
2016-06-21 Chris Dumez <[email protected]>
Pass ScriptExecutionContext::Task as rvalue reference
Modified: trunk/Source/WebCore/html/HTMLSelectElement.cpp (202319 => 202320)
--- trunk/Source/WebCore/html/HTMLSelectElement.cpp 2016-06-22 03:34:05 UTC (rev 202319)
+++ trunk/Source/WebCore/html/HTMLSelectElement.cpp 2016-06-22 03:53:47 UTC (rev 202320)
@@ -1269,7 +1269,10 @@
void HTMLSelectElement::updateSelectedState(int listIndex, bool multi, bool shift)
{
- ASSERT(listIndex >= 0);
+ auto& items = listItems();
+ int listSize = static_cast<int>(items.size());
+ if (listIndex < 0 || listIndex >= listSize)
+ return;
// Save the selection so it can be compared to the new selection when
// dispatching change events during mouseup, or after autoscroll finishes.
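Review bot: the early return that replaces `ASSERT(listIndex >= 0)` turns an out-of-range index from the UIKit picker into a silent no-op in both debug and release builds, so the caller bug the ChangeLog describes is now masked rather than surfaced. Consider keeping a debug-only signal on the return path (a log line or a debug-only assertion on the original `listIndex >= 0` expectation) so test runs still notice when a bogus index arrives. The check itself is sound for the `int` domain: `listSize` comes from `items.size()` through `static_cast<int>`, and both `listIndex < 0` and `listIndex >= listSize` are rejected before anything indexes `items`.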
@@ -1280,7 +1283,7 @@
bool shiftSelect = m_multiple && shift;
bool multiSelect = m_multiple && multi && !shift;
- auto& clickedElement = *listItems()[listIndex];
+ auto& clickedElement = *items[listIndex];
if (is<HTMLOptionElement>(clickedElement)) {
// Keep track of whether an active selection (like during drag
// selection), should select or deselect.
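Review bot: `*items[listIndex]` relies on the `items` reference taken at the top of the function still describing the same list when this line runs; the bounds check only protects this dereference if nothing between the guard and here (the selection-saving code in the elided lines) can trigger a recompute of listItems() that shrinks the vector. Reusing the cached reference rather than calling listItems() again is the right choice for consistency with the check; a one-line comment stating that `items` must not be invalidated between the two points would make that invariant explicit for future edits.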
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes