Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 600557bf817fc4df334e4bac941bb4c84c0495c3
https://github.com/WebKit/WebKit/commit/600557bf817fc4df334e4bac941bb4c84c0495c3
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-15 (Wed, 15 Apr 2026)
Changed paths:
A LayoutTests/accessibility/svg-use-cycle-no-crash-expected.txt
A LayoutTests/accessibility/svg-use-cycle-no-crash.html
M Source/WebCore/accessibility/AccessibilitySVGObject.cpp
Log Message:
-----------
Cherry-pick 311222@main (9fec56013cb5).
https://bugs.webkit.org/show_bug.cgi?id=312276
AX: Accessibility can infinitely recurse with circular SVG use-element
references, causing a crash
https://bugs.webkit.org/show_bug.cgi?id=312276
rdar://174749401
Reviewed by Joshua Hoffman.
AccessibilitySVGObject::description() and helpText() resolve <use> element
hrefs via targetForUseElement() and recurse into the target's description()
or helpText(). Circular references (e.g., <use href="#a"> and <use href="#b">
referencing each other) cause infinite recursion, in turn causing a crash.
Fix this by tracking which elements are currently being resolved using a
static HashSet. If an element is already in the set when we try to resolve
its use-element target's description or help text, we skip the recursive
call, breaking the cycle.
* LayoutTests/accessibility/svg-use-cycle-no-crash-expected.txt: Added.
* LayoutTests/accessibility/svg-use-cycle-no-crash.html: Added.
* Source/WebCore/accessibility/AccessibilitySVGObject.cpp:
(WebCore::AccessibilitySVGObject::descriptionFromTitleChild const):
(WebCore::AccessibilitySVGObject::helpTextFromChildren const):
Canonical link: https://commits.webkit.org/311222@main
Canonical link: https://commits.webkit.org/305877.427@webkitglib/2.52
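
The cycle guard described in the log message, as an added, simplified sketch that is not WebKit's code: Node, Document, ResolutionScope, describe and sampleDocument are hypothetical names, and std::unordered_set stands in for the static HashSet. The sample document is constructed for the example.

```cpp
#include <cstdio>
#include <string>
#include <unordered_map>
#include <unordered_set>

// Simplified stand-in for an SVG element (hypothetical, not a WebKit type).
struct Node {
    std::string title;   // text of a <title> child, empty if none
    std::string useHref; // id targeted by <use href="#id">, empty if none
};
using Document = std::unordered_map<std::string, Node>;

// Ids whose description is being resolved somewhere up the call stack.
static std::unordered_set<std::string> s_resolving;

// RAII guard: records the id on entry and removes it on every exit path.
struct ResolutionScope {
    explicit ResolutionScope(const std::string& id)
        : id(id), entered(s_resolving.insert(id).second) { }
    ~ResolutionScope() { if (entered) s_resolving.erase(id); }
    const std::string id;
    const bool entered; // false when id was already in the set
};

std::string describe(const Document& doc, const std::string& id)
{
    auto it = doc.find(id);
    if (it == doc.end())
        return { };
    if (!it->second.title.empty() || it->second.useHref.empty())
        return it->second.title;
    ResolutionScope scope(id);
    if (!scope.entered)
        return { }; // id is already being resolved: cycle, skip the recursion
    return describe(doc, it->second.useHref);
}

// Constructed input: a <-> b and self form cycles, c -> d resolves normally.
Document sampleDocument()
{
    return { { "a", { "", "b" } }, { "b", { "", "a" } }, { "self", { "", "self" } },
             { "c", { "", "d" } }, { "d", { "Circle icon", "" } } };
}

int main()
{
    std::printf("a=[%s] c=[%s]\n", describe(sampleDocument(), "a").c_str(),
                describe(sampleDocument(), "c").c_str());
}
```

The guard only erases an id it inserted itself, so the set is empty again after every top-level call and a later lookup of the same element is not wrongly treated as a cycle.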