Title: [216395] releases/WebKitGTK/webkit-2.16
Revision
216395
Author
carlo...@webkit.org
Date
2017-05-08 05:42:05 -0700 (Mon, 08 May 2017)

Log Message

Merge r215971 - Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
https://bugs.webkit.org/show_bug.cgi?id=171427
Source/WebCore:

rdar://problem/31863417

Reviewed by Brent Fulgham.

The AccessibilityRenderObject object might delete itself in handleAriaExpandedChanged() under the call
to the parentObject() method. This will cause a crash when accessing the object later in this method.
Protect the current object while executing arbitrary event code.

Test: accessibility/accessibility-crash-setattribute.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):

LayoutTests:

Reviewed by Brent Fulgham.

* accessibility/accessibility-crash-setattribute-expected.txt: Added.
* accessibility/accessibility-crash-setattribute.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (216394 => 216395)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog	2017-05-08 12:40:43 UTC (rev 216394)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog	2017-05-08 12:42:05 UTC (rev 216395)
@@ -1,3 +1,13 @@
+2017-04-28  Per Arne Vollan  <pvol...@apple.com>
+
+        Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
+        https://bugs.webkit.org/show_bug.cgi?id=171427
+
+        Reviewed by Brent Fulgham.
+
+        * accessibility/accessibility-crash-setattribute-expected.txt: Added.
+        * accessibility/accessibility-crash-setattribute.html: Added.
+
 2017-04-28  Dean Jackson  <d...@apple.com>
 
         App crashing: Dispatch queue: com.apple.root.user-interactive-qos / vBoxConvolve / WebCore::FEGaussianBlur::platformApplySoftware()

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt (0 => 216395)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt	2017-05-08 12:42:05 UTC (rev 216395)
@@ -0,0 +1,2 @@
+PASS if no crash.  
+
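Review bot: the expected line `PASS if no crash.  ` carries two trailing spaces that the body text `PASS if no crash.` in the test file does not have as typed; the text dump has to match this file byte for byte, so either these spaces are what the dump emits for this page (fine) or they are an editing artifact that will turn a non-crashing run into a text mismatch instead of a pass. Please confirm the expectation was generated from an actual run rather than typed by hand.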

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/accessibility-crash-setattribute.html (0 => 216395)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/accessibility-crash-setattribute.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/accessibility-crash-setattribute.html	2017-05-08 12:42:05 UTC (rev 216395)
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<style>
+    #div { visibility: collapse }
+</style>
+<body>
+PASS if no crash.
+<script>
+    if (window.accessibilityController) {
+        var largeRange = accessibilityController.accessibleElementById("largeRange");
+    }
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+    }
+    function eventhandler() {
+        document.execCommand("bold", false);
+        img.style.removeProperty("-webkit-appearance");
+        img.setAttribute("aria-expanded", "false");
+    }
+</script>
+<input id="largeRange" max="100" min="0" type="range" value="50">
+<div id="div">
+    <dl>
+        <canvas>aaa</canvas>
+        <img id="img" src="" style="-webkit-appearance: relevancy-level-indicator;" _onerror_="eventhandler()"></img>
+    </dl>
+</div>
+</body>
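Review bot: `_onerror_="eventhandler()"` on the `<img>` is not an event-handler attribute, so as shown here `eventhandler()` is never invoked and the test never reaches the `setAttribute("aria-expanded", "false")` path it exists to exercise; if the underscores are an archive rewrite of `onerror`, please confirm the checked-in file reads `onerror="eventhandler()"`. Minor: `<img>` is a void element, so the `</img>` close tag should be dropped, and the document has no closing `</html>`.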

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (216394 => 216395)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog	2017-05-08 12:40:43 UTC (rev 216394)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog	2017-05-08 12:42:05 UTC (rev 216395)
@@ -1,3 +1,20 @@
+2017-04-28  Per Arne Vollan  <pvol...@apple.com>
+
+        Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
+        https://bugs.webkit.org/show_bug.cgi?id=171427
+        rdar://problem/31863417
+
+        Reviewed by Brent Fulgham.
+
+        The AccessibilityRenderObject object might delete itself in handleAriaExpandedChanged() under the call
+        to the parentObject() method. This will cause a crash when accessing the object later in this method.
+        Protect the current object while executing arbitrary event code.
+
+        Test: accessibility/accessibility-crash-setattribute.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
+
 2017-04-28  Dean Jackson  <d...@apple.com>
 
         App crashing: Dispatch queue: com.apple.root.user-interactive-qos / vBoxConvolve / WebCore::FEGaussianBlur::platformApplySoftware()

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (216394 => 216395)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2017-05-08 12:40:43 UTC (rev 216394)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2017-05-08 12:42:05 UTC (rev 216395)
@@ -2442,6 +2442,9 @@
 
 void AccessibilityRenderObject::handleAriaExpandedChanged()
 {
+    // This object might be deleted under the call to the parentObject() method.
+    auto protectedThis = makeRef(*this);
+    
     // Find if a parent of this object should handle aria-expanded changes.
     AccessibilityObject* containerParent = this->parentObject();
     while (containerParent) {
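Review bot: `auto protectedThis = makeRef(*this);` keeps the object alive across `this->parentObject()`, so the later member accesses the ChangeLog describes no longer touch freed memory, but holding a ref does not stop the object from being detached from the accessibility tree during that call; consider also returning early after the parent walk if this object was detached in the meantime, so the rest of the method does not operate on a live-but-detached object. Style: the added blank line `+    ` carries trailing whitespace, which the WebKit style checker will flag.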
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
