Title: [295618] trunk/Source/WebCore/accessibility/AccessibilityObject.cpp
Revision
295618
Author
[email protected]
Date
2022-06-16 17:21:06 -0700 (Thu, 16 Jun 2022)

Log Message

AX: AccessibilityObject::insertChild does not check the validity of the insertionIndex while processing grandchildren
https://bugs.webkit.org/show_bug.cgi?id=241650

Reviewed by Chris Fleizach.

When AccessibilityObject::insertChild is asked to insert a child that's
ignored, we instead add that object's children. However, both
`accessibilityIsIgnored` and `children` can cause layout, and said
layout could cause AccessibilityObject::m_children to be cleared. This
makes the `insertionIndex` invalid, which causes a crash.

In this patch, right before m_children.insert(), we check to make sure
the index is still valid.

I wasn't able to make a test for this bug. It is difficult to reproduce,
and the circumstances to reproduce are complex.

* Source/WebCore/accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::insertChild):

Canonical link: https://commits.webkit.org/251623@main

Modified Paths

Diff

Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (295617 => 295618)


--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2022-06-16 23:52:58 UTC (rev 295617)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2022-06-17 00:21:06 UTC (rev 295618)
@@ -632,6 +632,9 @@
                     // Even though `child` is ignored, we still need to set ancestry flags based on it.
                     grandchild->initializeAncestorFlags(childAncestorFlags);
                     grandchild->addAncestorFlags(thisAncestorFlags);
+                    // Calls to `child->accessibilityIsIgnored()` or `child->children()` can cause layout, which in turn can cause this object to clear its m_children. This can cause `insertionIndex` to no longer be valid. Detect this and break early if necessary.
+                    if (insertionIndex > m_children.size())
+                        break;
                     m_children.insert(insertionIndex, grandchild);
                     ++insertionIndex;
                 }
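Review bot: The new `if (insertionIndex > m_children.size()) break;` silently drops every remaining grandchild once the index is stale, with no diagnostic; consider adding a debug-only assertion (or a comment stating why losing the rest of `child->children()` is acceptable) so the failure mode, an ignored child's descendants vanishing from the tree, is visible in debug builds instead of only as a missing crash. The `>` comparison is right (`insertionIndex == m_children.size()` is a valid append), but note that `break` only leaves the innermost loop shown here; any code after the closing `}` that still uses `insertionIndex` against `m_children` needs the same validity check, since the layout that cleared `m_children` may have happened on the last iteration. The multi-sentence comment on a single line is also hard to read in a diff; wrapping it at sentence boundaries would match the surrounding comment style.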
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
