[Webkit-unassigned] [Bug 254798] New: AXObjectCache::characterOffsetFromVisiblePosition can deref a nullptr when underlying renderer is destroyed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 30 23:41:56 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=254798

            Bug ID: 254798
           Summary: AXObjectCache::characterOffsetFromVisiblePosition can
                    deref a nullptr when underlying renderer is destroyed
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tyler_w at apple.com
                CC: andresg_22 at apple.com,
                    webkit-bug-importer at group.apple.com

AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object to be destroyed, and afterwards unconditionally dereferences that AX object's node() at the end of the method. This can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer), and is generally poor pointer hygiene.
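The shape of the bug, as an added illustration rather than WebKit's own code: `Node`, `Renderer`, `AXObject` and the `LayoutWork` callback below are simplified stand-ins for the WebKit types named above, and the hardened variant simply re-validates `node()` after the work that can tear down the renderer.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <optional>

// Hypothetical stand-ins for WebKit's Node / RenderObject / AccessibilityRenderObject.
struct Node { int characterOffset; };
struct Renderer { Node* node; };

// As with AccessibilityRenderObject::node(), the node is reached through the
// renderer, so a destroyed renderer makes node() return nullptr.
struct AXObject {
    std::unique_ptr<Renderer> renderer;
    Node* node() const { return renderer ? renderer->node : nullptr; }
};

using LayoutWork = std::function<void(AXObject&)>;

// Mirrors the reported pattern: the AX object is obtained first, arbitrary work
// runs in between, then node() is dereferenced with no check. Not exercised below.
int characterOffsetUnsafe(AXObject& object, const LayoutWork& work)
{
    work(object);                           // may destroy object.renderer
    return object.node()->characterOffset;  // null dereference if it did
}

// Hardened form: re-check node() after the work that can invalidate it and bail out.
std::optional<int> characterOffsetSafe(AXObject& object, const LayoutWork& work)
{
    work(object);
    Node* node = object.node();
    if (!node)
        return std::nullopt;
    return node->characterOffset;
}

// Constructed scenario: the work either leaves the renderer alone or tears it down.
std::optional<int> offsetAfterWork(bool rendererSurvives)
{
    static Node node{7};
    AXObject object;
    object.renderer = std::make_unique<Renderer>(Renderer{&node});
    LayoutWork work = rendererSurvives ? LayoutWork([](AXObject&) {})
                                       : LayoutWork([](AXObject& o) { o.renderer.reset(); });
    return characterOffsetSafe(object, work);
}

int main()
{
    std::cout << "renderer kept: " << offsetAfterWork(true).value_or(-1) << "\n";      // 7
    std::cout << "renderer destroyed: " << offsetAfterWork(false).has_value() << "\n"; // 0
}
```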
