From 0cec68ea996623ee652900986c7232c8d538a209 Mon Sep 17 00:00:00 2001 From: Sam Atkins Date: Sat, 27 Jul 2024 13:33:51 +0100 Subject: [PATCH] LibWeb: Correct logic for removing end nodes from HTMLOptionsCollection This test case would previously crash. Found with domato. --- .../Text/expected/DOM/HTMLSelectElement-length.txt | 3 +++ .../Text/input/DOM/HTMLSelectElement-length.html | 12 ++++++++++++ .../Libraries/LibWeb/HTML/HTMLOptionsCollection.cpp | 4 ++-- 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 Tests/LibWeb/Text/expected/DOM/HTMLSelectElement-length.txt create mode 100644 Tests/LibWeb/Text/input/DOM/HTMLSelectElement-length.html diff --git a/Tests/LibWeb/Text/expected/DOM/HTMLSelectElement-length.txt b/Tests/LibWeb/Text/expected/DOM/HTMLSelectElement-length.txt new file mode 100644 index 00000000000..7938dcdde86 --- /dev/null +++ b/Tests/LibWeb/Text/expected/DOM/HTMLSelectElement-length.txt @@ -0,0 +1,3 @@ +0 +1 +0 diff --git a/Tests/LibWeb/Text/input/DOM/HTMLSelectElement-length.html b/Tests/LibWeb/Text/input/DOM/HTMLSelectElement-length.html new file mode 100644 index 00000000000..78eb617820e --- /dev/null +++ b/Tests/LibWeb/Text/input/DOM/HTMLSelectElement-length.html @@ -0,0 +1,12 @@ + + diff --git a/Userland/Libraries/LibWeb/HTML/HTMLOptionsCollection.cpp b/Userland/Libraries/LibWeb/HTML/HTMLOptionsCollection.cpp index 2009332cbcf..5b54634f546 100644 --- a/Userland/Libraries/LibWeb/HTML/HTMLOptionsCollection.cpp +++ b/Userland/Libraries/LibWeb/HTML/HTMLOptionsCollection.cpp @@ -66,8 +66,8 @@ WebIDL::ExceptionOr HTMLOptionsCollection::set_length(WebIDL::UnsignedLong auto n = current - value; // 3.2. Remove the last n nodes in the collection from their parent nodes. - for (WebIDL::UnsignedLong i = current - 1; i >= current - n; i--) - this->item(i)->remove(); + for (auto i = 0u; i < n; i++) + item(length() - 1)->remove(); } return {};