Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9fec56013cb548777900295a2dddbbe60852db8a
https://github.com/WebKit/WebKit/commit/9fec56013cb548777900295a2dddbbe60852db8a
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-14 (Tue, 14 Apr 2026)
Changed paths:
A LayoutTests/accessibility/svg-use-cycle-no-crash-expected.txt
A LayoutTests/accessibility/svg-use-cycle-no-crash.html
M Source/WebCore/accessibility/AccessibilitySVGObject.cpp
Log Message:
-----------
AX: Accessibility can infinitely recurse with circular SVG use-element
references, causing a crash
https://bugs.webkit.org/show_bug.cgi?id=312276
rdar://174749401
Reviewed by Joshua Hoffman.
AccessibilitySVGObject::description() and helpText() resolve <use> element
hrefs via targetForUseElement() and recurse into the target's description()
or helpText(). Circular references (e.g., <use href="#a"> and <use href="#b">
referencing each other) cause infinite recursion, in turn causing a crash.
Fix this by tracking which elements are currently being resolved using a
static HashSet. If an element is already in the set when we try to resolve
its use-element target's description or help text, we skip the recursive
call, breaking the cycle.
* LayoutTests/accessibility/svg-use-cycle-no-crash-expected.txt: Added.
* LayoutTests/accessibility/svg-use-cycle-no-crash.html: Added.
* Source/WebCore/accessibility/AccessibilitySVGObject.cpp:
(WebCore::AccessibilitySVGObject::descriptionFromTitleChild const):
(WebCore::AccessibilitySVGObject::helpTextFromChildren const):
Canonical link: https://commits.webkit.org/311222@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
