Title: [130719] branches/chromium/1229
- Revision: 130719
- Author: yo...@chromium.org
- Date: 2012-10-08 22:31:47 -0700 (Mon, 08 Oct 2012)
Log Message
Merge 130717 - HTMLSelectElement::typeAheadFind depends on implementation dependent behavior
https://bugs.webkit.org/show_bug.cgi?id=98710
Reviewed by Kent Tamura.
Source/WebCore:
This patch gets rid of C/C++ implementation dependent behavior from
HTMLSelectElement::typeAheadFind() which does modulo operation with
a negative operand.
HTMLSelectElement::typeAheadFind() contains an expression with a modulo
operator, and the dividend can be -1 when the "select" element has no
"option" element but has an "optgroup" element.
Test: fast/forms/select/select-typeahead-crash.html
* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::typeAheadFind): Changed to do the modulo
operation with both operands non-negative.
LayoutTests:
This patch adds a test for checking HTMLSelectElement::typeAheadFind
doesn't crash.
* fast/forms/select/select-typeahead-crash-expected.txt: Added.
* fast/forms/select/select-typeahead-crash.html: Added.
TBR=yo...@chromium.org
Review URL: https://codereview.chromium.org/11091018
Diff
Copied: branches/chromium/1229/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt (from rev 130717, trunk/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt) (0 => 130719)
--- branches/chromium/1229/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt (rev 0)
+++ branches/chromium/1229/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt 2012-10-09 05:31:47 UTC (rev 130719)
@@ -0,0 +1,12 @@
+Select element without option but optgroup causes crash on key press
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Please run this with DumpRenderTree.
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
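Review bot: The only recorded expectation is the "PASS successfullyParsed is true" line, so this baseline detects a crash and nothing else. Consider adding an assertion on the select's state after the key presses (for example on test.selectedIndex) so that a regression which mis-indexes without crashing also shows up as a diff in this file.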
Copied: branches/chromium/1229/LayoutTests/fast/forms/select/select-typeahead-crash.html (from rev 130717, trunk/LayoutTests/fast/forms/select/select-typeahead-crash.html) (0 => 130719)
--- branches/chromium/1229/LayoutTests/fast/forms/select/select-typeahead-crash.html (rev 0)
+++ branches/chromium/1229/LayoutTests/fast/forms/select/select-typeahead-crash.html 2012-10-09 05:31:47 UTC (rev 130719)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<p>Please run this with DumpRenderTree.</p>
+<select id="test"><optgroup></optgroup><optgroup></optgroup></select>
+<div id="console"></div>
+<script>
+description('Select element without option but optgroup causes crash on key press');
+function keyDown(key, modifiers)
+{
+ if (!window.eventSender)
+ return;
+ eventSender.keyDown(key, modifiers);
+}
+var test = document.getElementById("test");
+test.focus();
+keyDown('a');
+keyDown('b');
+</script>
+<script src=""
+</body>
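Review bot: In keyDown(), the early "if (!window.eventSender) return;" makes the test a silent no-op when eventSender is unavailable, and since the expected output contains no check tied to the key presses, the run still reports success without reaching typeAheadFind. Log a visible message or a failure in that branch so a run that skipped the key events cannot be mistaken for a pass. The page text already says "Please run this with DumpRenderTree", but nothing in the script enforces it.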
Modified: branches/chromium/1229/Source/WebCore/html/HTMLSelectElement.cpp (130718 => 130719)
--- branches/chromium/1229/Source/WebCore/html/HTMLSelectElement.cpp 2012-10-09 05:12:56 UTC (rev 130718)
+++ branches/chromium/1229/Source/WebCore/html/HTMLSelectElement.cpp 2012-10-09 05:31:47 UTC (rev 130719)
@@ -1514,8 +1514,10 @@
return;
int selected = selectedIndex();
- int index = (optionToListIndex(selected >= 0 ? selected : 0) + searchStartOffset) % itemCount;
- ASSERT(index >= 0);
+ int index = optionToListIndex(selected >= 0 ? selected : 0) + searchStartOffset;
+ if (index < 0)
+ return;
+ index %= itemCount;
// Compute a case-folded copy of the prefix string before beginning the search for
// a matching element. This code uses foldCase to work around the fact that
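Review bot: The new "if (index < 0)" guard tests the sum optionToListIndex(...) + searchStartOffset rather than the optionToListIndex() result itself, so if searchStartOffset can be positive, a -1 from optionToListIndex() is masked and the code proceeds with index 0 even though no option was found. Checking the return value of optionToListIndex() before adding the offset would make the "no option" case explicit and independent of the offset. The removed ASSERT(index >= 0) also documented the invariant for the code that follows; a short comment on the early return explaining when the index is negative (a select with optgroup children but no option) would keep that intent visible.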