Index: Source/core/html/HTMLSelectElement.cpp |
diff --git a/Source/core/html/HTMLSelectElement.cpp b/Source/core/html/HTMLSelectElement.cpp |
index 906812120075f2065568cbede9200c54123b4cd9..dc7237dc62c59de34f89a57acd1119d8b4bf5b1f 100644 |
--- a/Source/core/html/HTMLSelectElement.cpp |
+++ b/Source/core/html/HTMLSelectElement.cpp |
@@ -1039,6 +1039,7 @@ FormControlState HTMLSelectElement::saveFormControlState() const |
if (!option->selected()) |
continue; |
state.append(option->value()); |
+ state.append(String::number(i)); |
tkent
2014/09/09 02:14:45
Because you change the format of the state, you ne
spartha
2014/09/09 11:09:56
Done.
|
if (!multiple()) |
break; |
} |
@@ -1073,21 +1074,34 @@ void HTMLSelectElement::restoreFormControlState(const FormControlState& state) |
toHTMLOptionElement(items[i])->setSelectedState(false); |
} |
+ // The saved state should have atleast one value and an index. |
tkent
2014/09/09 02:14:45
atleast -> at least
spartha
2014/09/09 11:09:56
Done.
|
+ ASSERT(state.valueSize() >= 2); |
if (!multiple()) { |
- size_t foundIndex = searchOptionsForValue(state[0], 0, itemsSize); |
- if (foundIndex != kNotFound) |
- toHTMLOptionElement(items[foundIndex])->setSelectedState(true); |
+ size_t index = state[1].toInt(); |
tkent
2014/09/09 02:14:45
This code parsing a unsigned value as a signed val
spartha
2014/09/09 11:09:56
Done.
|
+ if (valueAtIndex(index) == state[0]) { |
+ toHTMLOptionElement(items[index])->setSelectedState(true); |
tkent
2014/09/09 02:14:45
This has a bad-cast vulnerability if state[0] is a
spartha
2014/09/09 11:09:56
Done.
|
+ } else { |
+ size_t foundIndex = searchOptionsForValue(state[0], 0, itemsSize); |
+ if (foundIndex != kNotFound) |
+ toHTMLOptionElement(items[foundIndex])->setSelectedState(true); |
+ } |
} else { |
size_t startIndex = 0; |
- for (size_t i = 0; i < state.valueSize(); ++i) { |
+ for (size_t i = 0; i < state.valueSize(); i+= 2) { |
const String& value = state[i]; |
- size_t foundIndex = searchOptionsForValue(value, startIndex, itemsSize); |
- if (foundIndex == kNotFound) |
- foundIndex = searchOptionsForValue(value, 0, startIndex); |
- if (foundIndex == kNotFound) |
- continue; |
- toHTMLOptionElement(items[foundIndex])->setSelectedState(true); |
- startIndex = foundIndex + 1; |
+ const size_t index = state[i + 1].toInt(); |
tkent
2014/09/09 02:14:45
parsing a unsigned value as a signed value.
spartha
2014/09/09 11:09:56
Done.
|
+ if (valueAtIndex(index) == value) { |
+ toHTMLOptionElement(items[index])->setSelectedState(true); |
tkent
2014/09/09 02:14:45
Ditto. bad-cast.
spartha
2014/09/09 11:09:56
Done.
|
+ startIndex = index + 1; |
+ } else { |
+ size_t foundIndex = searchOptionsForValue(value, startIndex, itemsSize); |
+ if (foundIndex == kNotFound) |
+ foundIndex = searchOptionsForValue(value, 0, startIndex); |
+ if (foundIndex == kNotFound) |
+ continue; |
+ toHTMLOptionElement(items[foundIndex])->setSelectedState(true); |
+ startIndex = foundIndex + 1; |
+ } |
} |
} |
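Review bot: The `ASSERT(state.valueSize() >= 2)` added after the deselect loop is a debug-only check, so in release builds a state with fewer than two entries still reads `state[1]` in the single-select branch, and in the multiple-select branch the new `i += 2` stride with an odd `valueSize()` reads `state[i + 1]` past the end. A FormControlState handed to this function is restored data that cannot be assumed to have been written by this version of saveFormControlState (the previous one-entry-per-selection layout is exactly such an input), so the shape check has to hold in release too: replace the assert with `if (state.valueSize() < 2 || state.valueSize() % 2 != 0) return;`, or, if legacy input should still be honoured, fall back to the value-only search for each entry instead of indexing the pair. Whether `valueAtIndex(index)` rejects an out-of-range `index` before `items[index]` is dereferenced is not visible in this hunk; if it does not, `index < itemsSize` needs to be checked explicitly before both `items[index]` accesses. restoreFormControlState begins before this hunk and its body may continue past it.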