Fix crashes in ScrollingStateNode::insertChild()
author: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 23 Jul 2019 19:50:17 +0000 (19:50 +0000)
committer: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 23 Jul 2019 19:50:17 +0000 (19:50 +0000)
commit: 9858e48a24a76607c53304653ffe069243d929ea
tree: 355c3fe5b77095c465903ca7503c3cc7d5a71c36
parent: c8d0ca5803097f953f1f363fc4a9167e7d055ed0
Fix crashes in ScrollingStateNode::insertChild()
https://bugs.webkit.org/show_bug.cgi?id=200023
rdar://problem/53265378

Reviewed by Darin Adler.

Crash data suggest that ScrollingStateNode::insertChild() can be passed an index that
is larger than the size of the vector, causing crashes.

Fix defensively by falling back to append() if the passed index is equal to or larger
than the size of the children vector.

* page/scrolling/ScrollingStateNode.cpp:
(WebCore::ScrollingStateNode::insertChild):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247734 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/page/scrolling/ScrollingStateNode.cpp
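The guard the commit message describes, as an added C++ illustration that is not WebKit's code: it uses std::vector in place of WTF::Vector and an assumed minimal Node type standing in for ScrollingStateNode, so the unguarded insert would be undefined behaviour here rather than the assertion crash seen in WebKit.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Assumed stand-in for a scrolling tree node (not WebCore's ScrollingStateNode).
struct Node {
    int id;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    explicit Node(int nodeID) : id(nodeID) {}

    // Guarded insert: an index at or past the end of the vector falls back to
    // append instead of being handed to vector::insert, which would be
    // out-of-bounds for any index > size().
    void insertChild(std::unique_ptr<Node> child, size_t index) {
        child->parent = this;
        if (index >= children.size()) {
            children.push_back(std::move(child));
            return;
        }
        children.insert(children.begin() + static_cast<std::ptrdiff_t>(index),
                        std::move(child));
    }

    // Child ids in tree order, used to check where the new child landed.
    std::vector<int> childIDs() const {
        std::vector<int> ids;
        for (const auto& child : children)
            ids.push_back(child->id);
        return ids;
    }
};

// Constructed scenario: a parent with children 1, 2, 3; insert id 4 at `index`
// and return the resulting order. Any index >= 3 must behave like append.
std::vector<int> insertAt(size_t index) {
    Node parent(0);
    for (int id : {1, 2, 3})
        parent.insertChild(std::make_unique<Node>(id), parent.children.size());
    parent.insertChild(std::make_unique<Node>(4), index);
    return parent.childIDs();
}
```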