commit d3515ddf54c2369e8610c69bff35f58b6a6ba33a
author bweinstein@apple.com <bweinstein@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue Jan 26 22:45:38 2010 +0000
committer bweinstein@apple.com <bweinstein@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue Jan 26 22:45:38 2010 +0000
tree ec7cc49c4ff9d683ebf60f6a985f7f3d599976ae
parent 533d0aef0bca19799fe72cdf849d9879e84e5007

Crash in WebKit!WebCore::RenderMenuList::itemStyle
https://bugs.webkit.org/show_bug.cgi?id=34182
<rdar://7087757>
        
Reviewed by Jon Honeycutt.

Added bounds checks in RenderMenuList to make sure we are
not making an out of bounds check in a vector once an option
element has been deleted. If we are out of bounds, we fall back to
a default value and return early, and in the case of itemStyle, we use a 
previous option's style, if it is available.

* manual-tests/select-delete-item.html: Added.
* rendering/RenderMenuList.cpp:
(WebCore::RenderMenuList::itemText): If out of bounds check, return early.
(WebCore::RenderMenuList::itemToolTip): Ditto.
(WebCore::RenderMenuList::itemIsEnabled): Ditto.
(WebCore::RenderMenuList::itemStyle): If out of bounds check, try using the 0th index
    option style, then fall back to the select's style if that option doesn't exist.
(WebCore::RenderMenuList::itemBackgroundColor): If out of bounds check, return early.
(WebCore::RenderMenuList::itemIsSeparator): Ditto.
(WebCore::RenderMenuList::itemIsLabel): Ditto.
(WebCore::RenderMenuList::itemIsSelected): Ditto.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53867 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/manual-tests/select-delete-item.html

diff --git a/WebCore/manual-tests/select-delete-item.html b/WebCore/manual-tests/select-delete-item.html
new file mode 100644
index 0000000..43ca0c3
--- /dev/null
+++ b/WebCore/manual-tests/select-delete-item.html
@@ -0,0 +1,21 @@
+<html>

+<head>

+    <title>RenderMenuList::itemStyle Select Element Crash</title>

+    <script>

+        function removeItem() {

+            var select = document.getElementById("dropDown");

+            select.removeChild(document.getElementsByTagName("option")[2]);

+        }

+    </script>

+</head>

+<body>

+    <select id="dropDown" onfocus="setTimeout('removeItem();', 2000);">

+        <option>Option 1</option>

+        <option>Option 2</option>

+        <option>Option 3</option>

+    </select>

+    <p>This is a test for bug <a href="http://webkit.org/b/34182">34182</a> Crash in WebKit!WebCore::RenderMenuList::itemStyle.

+    Once the select gets focus, in 2 seconds it will delete an item. This test passes

+    if you have the select open when it deletes an item, and doesn't crash.</p>

+</body>

+</html>