HTMLSelectElement does not include selected index/indices while saving state

Source/core/html/HTMLSelectElement.cpp

Index: Source/core/html/HTMLSelectElement.cpp
diff --git a/Source/core/html/HTMLSelectElement.cpp b/Source/core/html/HTMLSelectElement.cpp
index 906812120075f2065568cbede9200c54123b4cd9..dc7237dc62c59de34f89a57acd1119d8b4bf5b1f 100644
--- a/Source/core/html/HTMLSelectElement.cpp
+++ b/Source/core/html/HTMLSelectElement.cpp
@@ -1039,6 +1039,7 @@ FormControlState HTMLSelectElement::saveFormControlState() const
         if (!option->selected())
             continue;
         state.append(option->value());
+        state.append(String::number(i));

[tkent, 2014/09/09 02:14:45]

Because you change the format of the state, you need to update
formStateSignature() in FormController.cpp.

[spartha, 2014/09/09 11:09:56]

Done.

         if (!multiple())
             break;
     }
@@ -1073,21 +1074,34 @@ void HTMLSelectElement::restoreFormControlState(const FormControlState& state)
         toHTMLOptionElement(items[i])->setSelectedState(false);
     }
 
+    // The saved state should have atleast one value and an index.

[tkent, 2014/09/09 02:14:45]

atleast -> at least

[spartha, 2014/09/09 11:09:56]

Done.

+    ASSERT(state.valueSize() >= 2);
     if (!multiple()) {
-        size_t foundIndex = searchOptionsForValue(state[0], 0, itemsSize);
-        if (foundIndex != kNotFound)
-            toHTMLOptionElement(items[foundIndex])->setSelectedState(true);
+        size_t index = state[1].toInt();

[tkent, 2014/09/09 02:14:45]

This code parsing a unsigned value as a signed value.

[spartha, 2014/09/09 11:09:56]

Done.

+        if (valueAtIndex(index) == state[0]) {
+            toHTMLOptionElement(items[index])->setSelectedState(true);

[tkent, 2014/09/09 02:14:45]

This has a bad-cast vulnerability if state[0] is an empty string and
items[index] is not an <option>.

[spartha, 2014/09/09 11:09:56]

Done.

+        } else {
+            size_t foundIndex = searchOptionsForValue(state[0], 0, itemsSize);
+            if (foundIndex != kNotFound)
+                toHTMLOptionElement(items[foundIndex])->setSelectedState(true);
+        }
     } else {
         size_t startIndex = 0;
-        for (size_t i = 0; i < state.valueSize(); ++i) {
+        for (size_t i = 0; i < state.valueSize(); i+= 2) {
             const String& value = state[i];
-            size_t foundIndex = searchOptionsForValue(value, startIndex, itemsSize);
-            if (foundIndex == kNotFound)
-                foundIndex = searchOptionsForValue(value, 0, startIndex);
-            if (foundIndex == kNotFound)
-                continue;
-            toHTMLOptionElement(items[foundIndex])->setSelectedState(true);
-            startIndex = foundIndex + 1;
+            const size_t index = state[i + 1].toInt();

[tkent, 2014/09/09 02:14:45]

parsing a unsigned value as a signed value.

[spartha, 2014/09/09 11:09:56]

Done.

+            if (valueAtIndex(index) == value) {
+                toHTMLOptionElement(items[index])->setSelectedState(true);

[tkent, 2014/09/09 02:14:45]

Ditto. bad-cast.

[spartha, 2014/09/09 11:09:56]

Done.

+                startIndex = index + 1;
+            } else {
+                size_t foundIndex = searchOptionsForValue(value, startIndex, itemsSize);
+                if (foundIndex == kNotFound)
+                    foundIndex = searchOptionsForValue(value, 0, startIndex);
+                if (foundIndex == kNotFound)
+                    continue;
+                toHTMLOptionElement(items[foundIndex])->setSelectedState(true);
+                startIndex = foundIndex + 1;
+            }
         }
     }