From a0b44ff5e7d60e3024e7592197cb1d6120b1130d Mon Sep 17 00:00:00 2001
From: Andreas Kling <andreas@ladybird.org>
Date: Tue, 21 Jan 2025 13:48:16 +0100
Subject: [PATCH] LibWeb: Iterate over a copy of associated form controls in
 form.reset()

DOM structure may change during reset algorithm invocation, which may
lead to form controls being unregistered.
---
 Libraries/LibWeb/HTML/HTMLFormElement.cpp         | 3 ++-
 Tests/LibWeb/Crash/HTML/reset-form-iteration.html | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Crash/HTML/reset-form-iteration.html

diff --git a/Libraries/LibWeb/HTML/HTMLFormElement.cpp b/Libraries/LibWeb/HTML/HTMLFormElement.cpp
index 3849c18e24a..26e0c67d105 100644
--- a/Libraries/LibWeb/HTML/HTMLFormElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLFormElement.cpp
@@ -317,7 +317,8 @@ void HTMLFormElement::reset_form()
 
     // 2. If reset is true, then invoke the reset algorithm of each resettable element whose form owner is form.
     if (reset) {
-        for (auto element : m_associated_elements) {
+        GC::RootVector<GC::Ref<HTMLElement>> associated_elements_copy(heap(), m_associated_elements);
+        for (auto element : associated_elements_copy) {
             VERIFY(is<FormAssociatedElement>(*element));
             auto& form_associated_element = dynamic_cast<FormAssociatedElement&>(*element);
             if (form_associated_element.is_resettable())
diff --git a/Tests/LibWeb/Crash/HTML/reset-form-iteration.html b/Tests/LibWeb/Crash/HTML/reset-form-iteration.html
new file mode 100644
index 00000000000..41ac9b109e5
--- /dev/null
+++ b/Tests/LibWeb/Crash/HTML/reset-form-iteration.html
@@ -0,0 +1,4 @@
+<form id="theForm"><output><input></output></form>
+<script>
+    theForm.reset();
+</script>