From 4ade207605af2d7d843b38783c15670465f8d9db Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos
Date: Mon, 16 Oct 2017 09:24:51 +0000
Subject: [PATCH] Merge r221779 - [GTK][WPE] UI process crash in WebBackForwardList::restoreFromState
https://bugs.webkit.org/show_bug.cgi?id=176303
Reviewed by Michael Catanzaro.
Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using the last item index instead, so it's not easy to know where the actual problem is. In any case we should still protect the decoder.
* UIProcess/API/glib/WebKitWebViewSessionState.cpp:
(decodeSessionState):
---
 Source/WebKit/ChangeLog | 15 +++++++++++++++
 .../API/glib/WebKitWebViewSessionState.cpp | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 830a59256bf0..2b10c685b792 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,18 @@
+2017-09-07 Carlos Garcia Campos
+
+ [GTK][WPE] UI process crash in WebBackForwardList::restoreFromState
+ https://bugs.webkit.org/show_bug.cgi?id=176303
+
+ Reviewed by Michael Catanzaro.
+
+ Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in
+ the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using
+ the last item index instead, so it's not easy to know where the actual problem is. In any case we should
+ still protect the decoder.
+
+ * UIProcess/API/glib/WebKitWebViewSessionState.cpp:
+ (decodeSessionState):
+
 2017-09-06 Adrian Perez de Castro
 [WPE][CMake] Fix path to the WebKitApplicationInfo.h header.
diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp
index 4bea267dbc2a..9cb5d9335505 100644
--- a/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp
+++ b/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp
@@ -369,7 +369,7 @@ static bool decodeSessionState(GBytes* data, SessionState& sessionState)
 decodeBackForwardListItemState(backForwardListStateIter.get(), sessionState.backForwardListState);
 if (hasCurrentIndex)
- sessionState.backForwardListState.currentIndex = currentIndex;
+ sessionState.backForwardListState.currentIndex = std::min(currentIndex, sessionState.backForwardListState.items.size() - 1);
 return true;
 }
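Review bot: The clamp on the added line still misbehaves when `sessionState.backForwardListState.items` is empty: `items.size() - 1` is unsigned and wraps to the maximum value, so `std::min` returns `currentIndex` unchanged and the out-of-range index the commit means to neutralise is stored anyway. Whether the decoding above this hunk guarantees at least one item whenever `hasCurrentIndex` is set is not visible here; if it does not, guard the assignment with `if (hasCurrentIndex && sessionState.backForwardListState.items.size())`, or reject the state by returning false, since a serialized session whose current index disagrees with its item list is malformed input arriving from outside the process and silently repairing it hides the encoder bug the message says is still unlocated. `std::min` also requires both arguments to have the same type, so the declared type of `currentIndex` must match what `items.size()` returns, which the hunk does not show. decodeSessionState begins outside the hunk.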