[Webkit-unassigned] [Bug 254798] New: AXObjectCache::characterOffsetFromVisiblePosition can deref a nullptr when underlying renderer is destroyed
bugzilla-daemon at webkit.org
Thu Mar 30 23:41:56 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=254798
Bug ID: 254798
Summary: AXObjectCache::characterOffsetFromVisiblePosition can
deref a nullptr when underlying renderer is destroyed
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Accessibility
Assignee: webkit-unassigned at lists.webkit.org
Reporter: tyler_w at apple.com
CC: andresg_22 at apple.com,
webkit-bug-importer at group.apple.com
AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object to be destroyed, and afterwards unconditionally dereferences that AX object's node() at the end of the method. This can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer), and is generally poor pointer hygiene.
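The ordering hazard described in the report, reduced to a self-contained model (an added example, not WebKit's code): `Node`, `Renderer`, `AXObject` and `doWorkThatMayDestroyRenderer` are hypothetical stand-ins for the real classes, and `guardedOffset` shows the re-validation the report's method is missing.

```cpp
// Added illustration of the report's pattern, not WebKit code. All names
// here are stand-ins: AXObject::node() mirrors the fact that
// AccessibilityRenderObject::node() is only valid while a renderer exists.
#include <cstddef>
#include <optional>
#include <string>

struct Node { std::string text; };

// The renderer owns the link back to the DOM node.
struct Renderer { Node* node; };

struct AXObject {
    Renderer* renderer = nullptr;
    // Returns nullptr once the backing renderer is gone.
    Node* node() const { return renderer ? renderer->node : nullptr; }
};

// Simulates the "non-trivial work" in the report: it may tear down the
// renderer that `ax` was created from (modelled by the `destroys` flag).
static void doWorkThatMayDestroyRenderer(AXObject& ax, bool destroys) {
    if (destroys)
        ax.renderer = nullptr;
}

// Unsafe ordering from the report: AX object obtained first, work done,
// then node() dereferenced unconditionally. Crashes when the renderer died.
static std::size_t unsafeOffset(AXObject& ax, bool rendererDies) {
    doWorkThatMayDestroyRenderer(ax, rendererDies);
    return ax.node()->text.size(); // null pointer dereference if renderer died
}

// Hardened ordering: re-check node() after the work that may invalidate it
// and surface "no result" instead of crashing.
static std::optional<std::size_t> guardedOffset(AXObject& ax, bool rendererDies) {
    doWorkThatMayDestroyRenderer(ax, rendererDies);
    Node* node = ax.node();
    if (!node)
        return std::nullopt;
    return node->text.size();
}

int main() {
    Node n{"hello"};      // constructed sample node
    Renderer r{&n};
    AXObject ax{&r};
    std::optional<std::size_t> ok = guardedOffset(ax, false);   // 5
    std::optional<std::size_t> gone = guardedOffset(ax, true);  // nullopt
    return (ok.value_or(0) == 5 && !gone.has_value()) ? 0 : 1;
}
```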