Merging issue 5302009 to the 8.0 branch.

Fix a browser crasher with negative index set on select popups. BUG=63774 TEST=Visit http://vescam.com/select_crasher.html and try all the selects in that page. Review URL: http://codereview.chromium.org/5766005 git-svn-id: svn://svn.chromium.org/chrome/branches/552/src@69188 0039d316-1c4b-4281-b951-d872f2087c98
author: jcivelli@chromium.org <jcivelli@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-12-14 21:42:00 +0000
committer: jcivelli@chromium.org <jcivelli@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-12-14 21:42:00 +0000
commit: 5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2 (patch)
tree: 43a96325cb0abcd2d8170f8a0dd2f76b9aef1d2a
parent: 671ce5d86bff5b42f4baea67b1ac3dfdff17efa1 (diff)
download: chromium_src-5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2.zip
chromium_src-5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2.tar.gz
chromium_src-5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2.tar.bz2
1 files changed, 11 insertions, 5 deletions
diff --git a/webkit/glue/webmenurunner_mac.mm b/webkit/glue/webmenurunner_mac.mm
index b7e48ba..3e1376a 100644
--- a/webkit/glue/webmenurunner_mac.mm
+++ b/webkit/glue/webmenurunner_mac.mm
@@ -91,8 +91,7 @@ BOOL gNewNSMenuAPI;
                                         attributes:attrs]);
     [menuItem setAttributedTitle:attrTitle];
   }
-  if (gNewNSMenuAPI)
-    [menuItem setTag:[menu_ numberOfItems] - 1];
+  [menuItem setTag:[menu_ numberOfItems] - 1];
 }
 
 // Reflects the result of the user's interaction with the popup menu. If NO, the
@@ -113,8 +112,13 @@ BOOL gNewNSMenuAPI;
            withBounds:(NSRect)bounds
          initialIndex:(int)index {
   if (gNewNSMenuAPI) {
-    NSMenuItem* selectedItem = [menu_ itemAtIndex:index];
-    [selectedItem setState:NSOnState];
+    // index might be out of bounds, in which case we set no selection.
+    NSMenuItem* selectedItem = [menu_ itemWithTag:index];
+    if (selectedItem) {
+      [selectedItem setState:NSOnState];
+    } else {
+      selectedItem = [menu_ itemWithTag:0];
+    }
     NSPoint anchor = NSMakePoint(NSMinX(bounds) + kPopupXOffset,
                                  NSMaxY(bounds));
     [menu_ popUpMenuPositioningItem:selectedItem
@@ -128,7 +132,9 @@ BOOL gNewNSMenuAPI;
                                                               pullsDown:NO];
     [button autorelease];
     [button setMenu:menu_];
-    [button selectItemAtIndex:index];
+    // We use selectItemWithTag below so if the index is out-of-bounds nothing
+    // bad happens.
+    [button selectItemWithTag:index];
     [button setFont:[NSFont menuFontOfSize:fontSize_]];
 
     // Create a dummy view to associate the popup with, since the OS will use
author	jcivelli@chromium.org <jcivelli@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-12-14 21:42:00 +0000
committer	jcivelli@chromium.org <jcivelli@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-12-14 21:42:00 +0000
commit	5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2 (patch)
tree	43a96325cb0abcd2d8170f8a0dd2f76b9aef1d2a
parent	671ce5d86bff5b42f4baea67b1ac3dfdff17efa1 (diff)
download	chromium_src-5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2.zip chromium_src-5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2.tar.gz chromium_src-5f9e6c48efd2d9ed4a18f201fedab4b89d0dc0f2.tar.bz2