[Android] Fix trying to remove out-of-bounds autofill suggestion
If the suggestions known to the popup controller change but a removal
confirmation is still pending, the index held by the confirmation is out
of date and can either:
* delete an incorrect suggestions or
* cause a crash due to an out-of-bounds access.
This CL only fixes the latter case but might need to be merged.
A proper fix would involve wide-spread changes to the identification
of a selected suggestions (see https://crbug.com/1209792).
Bug: 1208721
Change-Id: Ib5d352b1752583faf01aa28ef61c983f0c655921
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2896977
Commit-Queue: Friedrich [CET] <fhorschig@chromium.org>
Reviewed-by: Marc Treib <treib@chromium.org>
Cr-Commit-Position: refs/heads/master@{#883425}
diff --git a/chrome/browser/ui/autofill/autofill_popup_controller_impl.cc b/chrome/browser/ui/autofill/autofill_popup_controller_impl.cc
index 061337f7..ac4dc2e 100644
--- a/chrome/browser/ui/autofill/autofill_popup_controller_impl.cc
+++ b/chrome/browser/ui/autofill/autofill_popup_controller_impl.cc
@@ -350,6 +350,11 @@
}
bool AutofillPopupControllerImpl::RemoveSuggestion(int list_index) {
+ // This function might be called in a callback, so ensure the list index is
+ // still in bounds. If not, terminate the removing and consider it failed.
+ // TODO(crbug.com/1209792): Replace these checks with a stronger identifier.
+ if (list_index < 0 || static_cast<size_t>(list_index) >= suggestions_.size())
+ return false;
if (!delegate_->RemoveSuggestion(suggestions_[list_index].value,
suggestions_[list_index].frontend_id)) {
return false;