Title: [283127] trunk/Source/WebCore
- Revision
- 283127
- Author
- [email protected]
- Date
- 2021-09-27 10:59:47 -0700 (Mon, 27 Sep 2021)
Log Message
Boundary check of AccessibilityMathMLElement::mathOverObject is incorrect
https://bugs.webkit.org/show_bug.cgi?id=230828
<rdar://problem/83571752>
Reviewed by Chris Fleizach.
* accessibility/AccessibilityMathMLElement.cpp:
(WebCore::AccessibilityMathMLElement::mathOverObject):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (283126 => 283127)
--- trunk/Source/WebCore/ChangeLog 2021-09-27 17:18:12 UTC (rev 283126)
+++ trunk/Source/WebCore/ChangeLog 2021-09-27 17:59:47 UTC (rev 283127)
@@ -1,3 +1,14 @@
+2021-09-27 Andres Gonzalez <[email protected]>
+
+ Boundary check of AccessibilityMathMLElement::mathOverObject is incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=230828
+ <rdar://problem/83571752>
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/AccessibilityMathMLElement.cpp:
+ (WebCore::AccessibilityMathMLElement::mathOverObject):
+
2021-09-27 Antti Koivisto <[email protected]>
[CSS Cascade Layers] Support @layer statement before @import statements
Modified: trunk/Source/WebCore/accessibility/AccessibilityMathMLElement.cpp (283126 => 283127)
--- trunk/Source/WebCore/accessibility/AccessibilityMathMLElement.cpp 2021-09-27 17:18:12 UTC (rev 283126)
+++ trunk/Source/WebCore/accessibility/AccessibilityMathMLElement.cpp 2021-09-27 17:59:47 UTC (rev 283127)
@@ -307,12 +307,11 @@
return nullptr;
const auto& children = this->children();
- if (children.size() < 2)
- return nullptr;
- if (node()->hasTagName(MathMLNames::moverTag))
+ if (children.size() >= 2 && node()->hasTagName(MathMLNames::moverTag))
return children[1].get();
- if (node()->hasTagName(MathMLNames::munderoverTag))
+
+ if (children.size() >= 3 && node()->hasTagName(MathMLNames::munderoverTag))
return children[2].get();
return nullptr;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
