[Webkit-unassigned] [Bug 236988] New: AX: AccessibilityObject::ariaTreeRows can crash in a deep hierarchy due to recursive descent
bugzilla-daemon at webkit.org
Mon Feb 21 12:01:39 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=236988
Bug ID: 236988
Summary: AX: AccessibilityObject::ariaTreeRows can crash in a deep hierarchy due to recursive descent
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Accessibility
Assignee: webkit-unassigned at lists.webkit.org
Reporter: tyler_w at apple.com
CC: andresg_22 at apple.com, webkit-bug-importer at group.apple.com
AccessibilityObject::ariaTreeRows calls itself recursively on its child objects all the way down to the leaves. Although WebKit tree depth is limited to 512 levels (https://github.com/WebKit/WebKit/blob/2077b50205f4d8f943b88e233302b52c8b4699af/Source/WebCore/page/SettingsBase.h#L72#L73), this can still sometimes cause a stack overflow.
ITM is especially vulnerable to this, as currently we call ariaTreeRows on every single isolated object we create.
--
You are receiving this mail because:
You are the assignee for the bug.
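The failure mode reported above, recursive descent exhausting the call stack on a deep hierarchy, can be avoided by walking the tree with an explicit heap-allocated stack. The following is an added example, not code from the bug report or from WebKit: `Node`, `Role`, `Arena`, `collectTreeRows` and `buildChain` are hypothetical names, and the rule that rows nest only under tree items and groups is an assumption.

```cpp
#include <cstddef>
#include <vector>
// Hypothetical, simplified stand-in for an accessibility object (not WebKit's class).
enum class Role { Tree, Group, TreeItem, Other };
struct Node {
    Role role;
    std::vector<std::size_t> children; // indices into the arena below
};
// Flat ownership, so destroying a deep tree does not recurse either.
using Arena = std::vector<Node>;

// Pre-order walk with an explicit stack: depth consumes heap, not call frames.
// Assumed rule: rows nest only under tree items and groups.
std::vector<std::size_t> collectTreeRows(const Arena& arena, std::size_t root)
{
    std::vector<std::size_t> rows, pending;
    // Push children in reverse so the first child is visited first.
    auto pushChildren = [&](std::size_t index) {
        const auto& children = arena[index].children;
        pending.insert(pending.end(), children.rbegin(), children.rend());
    };
    pushChildren(root);
    while (!pending.empty()) {
        std::size_t current = pending.back();
        pending.pop_back();
        Role role = arena[current].role;
        if (role == Role::TreeItem)
            rows.push_back(current);
        if (role == Role::TreeItem || role == Role::Group)
            pushChildren(current);
    }
    return rows;
}

// Constructed sample: one chain of `depth` nested tree items under a tree root.
Arena buildChain(std::size_t depth)
{
    Arena arena { Node { Role::Tree, {} } };
    for (std::size_t i = 1; i <= depth; ++i) {
        arena.push_back({ Role::TreeItem, {} });
        arena[i - 1].children.push_back(i);
    }
    return arena;
}

int main()
{
    Arena deep = buildChain(200000); // constructed depth, well past 512 levels
    return collectTreeRows(deep, 0).size() == 200000 ? 0 : 1;
}
```

The traversal's memory use grows with the size of the pending list on the heap, so hierarchy depth no longer translates into call-stack depth.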