[webkit-changes] [WebKit/WebKit] 7d93b0: AXObjectCache::characterOffsetFromVisiblePosition ...
Tyler Wilcock
noreply at github.com
Fri Mar 31 11:58:25 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7d93b07962d543ef64c35852350eceef1fd40260
https://github.com/WebKit/WebKit/commit/7d93b07962d543ef64c35852350eceef1fd40260
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
AXObjectCache::characterOffsetFromVisiblePosition can deref a nullptr when underlying renderer is destroyed
https://bugs.webkit.org/show_bug.cgi?id=254798
rdar://103456792
Reviewed by Chris Fleizach.
AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition
at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object
to be destroyed, and afterwards unconditionally dereferences that AX object's node() at the end of the method. This
can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer),
and is generally poor pointer hygiene.
With this patch, we now keep the VisiblePosition's node in a `Ref<Node>` and re-use it at the end of the method to prevent a crash.
I could not reproduce this crash myself in the browser or in a test case, so this is a speculative fix based on crash reports.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::characterOffsetFromVisiblePosition):
Canonical link: https://commits.webkit.org/262432@main
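As an added illustration, not WebKit's code and not part of the original message: a constructed C++ model of the hazard described above, where the AX wrapper reaches its node only through a renderer that the mid-method work destroys, beside the fix of holding a strong reference to the node from the start. std::shared_ptr stands in for Ref<Node>, and all type and function names are hypothetical.

```cpp
#include <memory>
#include <string>
// Constructed model, not WebKit code. std::shared_ptr stands in for WebKit's Ref<Node>.
struct Node {
    std::string name;
};
// The renderer points back at its node and can be destroyed while the node lives on.
struct RenderObject {
    std::shared_ptr<Node> node;
};
// Like AccessibilityRenderObject, the AX wrapper reaches its node only through the renderer,
// so node() becomes null as soon as the renderer is gone.
struct AXRenderObject {
    RenderObject* renderer = nullptr;
    Node* node() const { return renderer ? renderer->node.get() : nullptr; }
};
// Stand-in for the non-trivial mid-method work that can tear down the backing renderer.
static void workThatDestroysRenderer(std::unique_ptr<RenderObject>& renderer, AXRenderObject& ax) {
    renderer.reset();
    ax.renderer = nullptr;
}

// Before the fix: the node is read back through the AX object after the work. Here that is
// null; the real method dereferenced it unconditionally.
static Node* nodeViaAXObjectAfterWork(std::unique_ptr<RenderObject>& renderer) {
    AXRenderObject ax;
    ax.renderer = renderer.get();
    workThatDestroysRenderer(renderer, ax);
    return ax.node();
}

// After the fix: hold a strong reference from the start so the node outlives what the work destroys.
static std::shared_ptr<Node> nodeViaStrongRefAfterWork(std::unique_ptr<RenderObject>& renderer) {
    AXRenderObject ax;
    ax.renderer = renderer.get();
    std::shared_ptr<Node> node = renderer->node;  // the Ref<Node> of the fix
    workThatDestroysRenderer(renderer, ax);
    return node;
}

static std::unique_ptr<RenderObject> makeRenderer() {
    std::unique_ptr<RenderObject> renderer(new RenderObject);
    renderer->node = std::make_shared<Node>();
    renderer->node->name = "p";  // constructed sample node
    return renderer;
}
// Observable results: the unsafe pattern ends with a null node, the fixed one still has it.
bool unsafePatternYieldsNull() { auto r = makeRenderer(); return nodeViaAXObjectAfterWork(r) == nullptr; }
std::string safePatternNodeName() { auto r = makeRenderer(); return nodeViaStrongRefAfterWork(r)->name; }
```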