Title: [174330] trunk
- Revision: 174330
- Author: cfleiz...@apple.com
- Date: 2014-10-05 16:09:59 -0700 (Sun, 05 Oct 2014)
Log Message
AX: iOS8: Crash at -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]
https://bugs.webkit.org/show_bug.cgi?id=137289
Reviewed by Mario Sanchez Prada.
Source/WebCore:
Casting a NSInteger to an unsigned can bypass the check we were hoping to achieve,
because size_t is not the same as unsigned.
Test: platform/ios-sim/accessibility/out-of-bounds-child-access.html
* accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
(-[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]):
LayoutTests:
* platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt: Added.
* platform/ios-sim/accessibility/out-of-bounds-child-access.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (174329 => 174330)
--- trunk/LayoutTests/ChangeLog 2014-10-05 22:14:47 UTC (rev 174329)
+++ trunk/LayoutTests/ChangeLog 2014-10-05 23:09:59 UTC (rev 174330)
@@ -1,3 +1,13 @@
+2014-10-05 Chris Fleizach <cfleiz...@apple.com>
+
+ AX: iOS8: Crash at -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]
+ https://bugs.webkit.org/show_bug.cgi?id=137289
+
+ Reviewed by Mario Sanchez Prada.
+
+ * platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt: Added.
+ * platform/ios-sim/accessibility/out-of-bounds-child-access.html: Added.
+
2014-10-04 Dhi Aurrahman <diorah...@rockybars.com>
Implement Element.closest() API
Added: trunk/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt (0 => 174330)
--- trunk/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt 2014-10-05 23:09:59 UTC (rev 174330)
@@ -0,0 +1,10 @@
+test
+This makes sure if out of bounds ranges come into accessibilityElementAtIndex: then we don't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access.html (0 => 174330)
--- trunk/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access.html (rev 0)
+++ trunk/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access.html 2014-10-05 23:09:59 UTC (rev 174330)
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<script>
+var successfullyParsed = false;
+</script>
+</head>
+<body id="body">
+
+<div id="group" role="group"><button>test</button></div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+ description("This makes sure if out of bounds ranges come into accessibilityElementAtIndex: then we don't crash.");
+
+ if (window.accessibilityController) {
+
+ var group = accessibilityController.accessibleElementById("group");
+
+ // Don't crash!
+ group.childAtIndex(9223372036854775806);
+ }
+
+ successfullyParsed = true;
+</script>
+
+<script src=""
+</body>
+</html>
+
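Review bot: The single call `group.childAtIndex(9223372036854775806)` covers only one out-of-range value and never checks what comes back. That literal is above 2^53, so a JavaScript number cannot hold it exactly and the value the native side receives is not the one written here. Consider adding a negative index (for example -1) and a value just above the 32-bit range such as 4294967296, whose low 32 bits are 0 and which the old `static_cast<unsigned>(index)` check would therefore have let through, and assert that each call returns no element instead of relying on the "Don't crash!" comment alone.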
Modified: trunk/Source/WebCore/ChangeLog (174329 => 174330)
--- trunk/Source/WebCore/ChangeLog 2014-10-05 22:14:47 UTC (rev 174329)
+++ trunk/Source/WebCore/ChangeLog 2014-10-05 23:09:59 UTC (rev 174330)
@@ -1,3 +1,18 @@
+2014-10-05 Chris Fleizach <cfleiz...@apple.com>
+
+ AX: iOS8: Crash at -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]
+ https://bugs.webkit.org/show_bug.cgi?id=137289
+
+ Reviewed by Mario Sanchez Prada.
+
+ Casting a NSInteger to an unsigned can bypass the check we were hoping to achieve,
+ because size_t is not the same as unsigned.
+
+ Test: platform/ios-sim/accessibility/out-of-bounds-child-access.html
+
+ * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
+ (-[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]):
+
2014-10-05 Christophe Dumez <cdu...@apple.com>
Use is<>() / downcast<>() for ElementData subclasses
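Review bot: The explanation "because size_t is not the same as unsigned" does not say what actually went wrong. From the source hunk, the bounds check compared a value truncated to `unsigned` while the subscript `children[index]` used the untruncated `NSInteger`, so an index whose low 32 bits were in range passed the check and then read out of bounds. Stating that in the entry, and noting how negative indices are handled, would make the fix easier to audit later.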
Modified: trunk/Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm (174329 => 174330)
--- trunk/Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm 2014-10-05 22:14:47 UTC (rev 174329)
+++ trunk/Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm 2014-10-05 23:09:59 UTC (rev 174330)
@@ -375,11 +375,12 @@
return [[self attachmentView] accessibilityElementAtIndex:index];
const auto& children = m_object->children();
- if (static_cast<unsigned>(index) >= children.size())
+ size_t elementIndex = static_cast<size_t>(index);
+ if (elementIndex >= children.size())
return nil;
- AccessibilityObjectWrapper* wrapper = children[index]->wrapper();
- if (children[index]->isAttachment())
+ AccessibilityObjectWrapper* wrapper = children[elementIndex]->wrapper();
+ if (children[elementIndex]->isAttachment())
return [wrapper attachmentView];
return wrapper;
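Review bot: Negative indices are rejected only implicitly in `size_t elementIndex = static_cast<size_t>(index);`, where a negative `NSInteger` wraps to a very large value and then fails `elementIndex >= children.size()`. That is correct, but it is easy to break in a later refactor; an explicit `index < 0` early return, or a one-line comment saying the wraparound is intentional, would document the intent. Using the same `elementIndex` for both the check and the two subscripts is the right shape for this fix.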
Modified: trunk/Tools/DumpRenderTree/ios/AccessibilityUIElementIOS.mm (174329 => 174330)
--- trunk/Tools/DumpRenderTree/ios/AccessibilityUIElementIOS.mm 2014-10-05 22:14:47 UTC (rev 174329)
+++ trunk/Tools/DumpRenderTree/ios/AccessibilityUIElementIOS.mm 2014-10-05 23:09:59 UTC (rev 174330)
@@ -191,8 +191,7 @@
void AccessibilityUIElement::getChildrenWithRange(Vector<AccessibilityUIElement>& elementVector, unsigned location, unsigned length)
{
- NSUInteger childCount = [m_element accessibilityElementCount];
- for (NSUInteger k = location; k < childCount && k < (location+length); ++k)
+ for (NSInteger k = location; k < (location+length); ++k)
elementVector.append(AccessibilityUIElement([m_element accessibilityElementAtIndex:k]));
}
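Review bot: Dropping the `k < childCount` bound in `for (NSInteger k = location; k < (location+length); ++k)` means the loop now runs `length` times regardless of how many children exist and appends an `AccessibilityUIElement` for every index, including those where `accessibilityElementAtIndex:` returns nil. If the goal is to let the new test reach the wrapper with an out-of-range index, consider checking the result for nil before `elementVector.append(...)` and keeping some cap on the iteration count. Note also that `location` and `length` are `unsigned` and `location+length` is computed in `unsigned`, so the sum can wrap and indices above 32 bits cannot arrive through this function. Finally, this file lives under Tools/ but no Tools/ChangeLog entry appears in the diff.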