[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

Gustavo Noronha Silva gns at gnome.org
Thu Apr 8 02:24:53 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit 0a2fc760e88afe7f178781560b4e7dceefa06374
Author: cfleizach at apple.com <cfleizach at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Apr 1 17:17:11 2010 +0000

    Bug 36968 - 1 crash in Safari at com.apple.WebCore: WebCore::Element::getAttribute const
    https://bugs.webkit.org/show_bug.cgi?id=36968
    
    Reviewed by Beth Dakin.
    
    WebCore:
    
    Test: accessibility/crash-with-noelement-selectbox.html
    
    When a <select> element had no options, the selectedIndex == -1 and that was being
    used to index into an empty array.
    
    * accessibility/AccessibilityRenderObject.cpp:
    (WebCore::AccessibilityRenderObject::stringValue):
    
    LayoutTests:
    
    * accessibility/crash-with-noelement-selectbox-expected.txt: Added.
    * accessibility/crash-with-noelement-selectbox.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56920 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 50c81d9..9f7dbc3 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-04-01  Chris Fleizach  <cfleizach at apple.com>
+
+        Reviewed by Beth Dakin.
+
+        Bug 36968 - 1 crash in Safari at com.apple.WebCore: WebCore::Element::getAttribute const
+        https://bugs.webkit.org/show_bug.cgi?id=36968
+
+        * accessibility/crash-with-noelement-selectbox-expected.txt: Added.
+        * accessibility/crash-with-noelement-selectbox.html: Added.
+
 2010-03-31  MORITA Hajime  <morrita at google.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/accessibility/crash-with-noelement-selectbox-expected.txt b/LayoutTests/accessibility/crash-with-noelement-selectbox-expected.txt
new file mode 100644
index 0000000..9a6bdaa
--- /dev/null
+++ b/LayoutTests/accessibility/crash-with-noelement-selectbox-expected.txt
@@ -0,0 +1,10 @@
+
+This tests that there's no crash when accessising the stringValue of a menu list that has no elements.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/crash-with-noelement-selectbox.html b/LayoutTests/accessibility/crash-with-noelement-selectbox.html
new file mode 100644
index 0000000..5e27db8
--- /dev/null
+++ b/LayoutTests/accessibility/crash-with-noelement-selectbox.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../fast/js/resources/js-test-style.css">
+<script>
+var successfullyParsed = false;
+</script>
+<script src="../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body id="body">
+
+<select id="selectBox">
+</select>
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+    description("This tests that there's no crash when accessising the stringValue of a menu list that has no elements.");
+
+    if (window.accessibilityController) {
+       document.getElementById("selectBox").focus();
+       var selectBox = accessibilityController.focusedElement;
+
+       // this call should not crash. 
+       var stringValue = selectBox.stringValue;
+    }
+
+    successfullyParsed = true;
+</script>
+
+<script src="../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 1751845..c58d667 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-04-01  Chris Fleizach  <cfleizach at apple.com>
+
+        Reviewed by Beth Dakin.
+
+        Bug 36968 - 1 crash in Safari at com.apple.WebCore: WebCore::Element::getAttribute const
+        https://bugs.webkit.org/show_bug.cgi?id=36968
+
+        Test: accessibility/crash-with-noelement-selectbox.html
+
+        When a <select> element had no options, the selectedIndex == -1 and that was being
+        used to index into an empty array.
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::stringValue):
+
 2010-03-31  MORITA Hajime  <morrita at google.com>
         
         Reviewed by Darin Adler.
diff --git a/WebCore/accessibility/AccessibilityRenderObject.cpp b/WebCore/accessibility/AccessibilityRenderObject.cpp
index 8de8e5b..b24211c 100644
--- a/WebCore/accessibility/AccessibilityRenderObject.cpp
+++ b/WebCore/accessibility/AccessibilityRenderObject.cpp
@@ -884,7 +884,12 @@ String AccessibilityRenderObject::stringValue() const
         // RenderMenuList will go straight to the text() of its selected item.
         // This has to be overriden in the case where the selected item has an aria label
         SelectElement* selectNode = toSelectElement(static_cast<Element*>(m_renderer->node()));
-        Element* selectedOption = selectNode->listItems()[selectNode->selectedIndex()];
+        int selectedIndex = selectNode->selectedIndex();
+        const Vector<Element*> listItems = selectNode->listItems();
+        
+        Element* selectedOption = 0;
+        if (selectedIndex >= 0 && selectedIndex < (int)listItems.size()) 
+            selectedOption = listItems[selectedIndex];
         String overridenDescription = AccessibilityObject::getAttribute(selectedOption, aria_labelAttr);
         if (!overridenDescription.isNull())
             return overridenDescription;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list