Title: [292276] trunk/Source/WebCore
- Revision: 292276
- Author: tyle...@apple.com
- Date: 2022-04-03 12:51:59 -0700 (Sun, 03 Apr 2022)
Log Message
-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] should fail fast if the given parameter wrapper has no backing object
https://bugs.webkit.org/show_bug.cgi?id=238635
Reviewed by Chris Fleizach.
If this method is called with a parameter wrapper object that has lost
its backing object, we should return early to avoid dereferencing a
null pointer.
This could happen in rare split-second transition states where a wrapper
has lost its backing object but has not yet been cleaned up by a notification.
This could also happen if WebKit is vending detached objects (e.g. via AXChildren)
in a similar transition state.
No test added because I haven't been able to find any scenario reproducing
this issue either in our existing layout tests or on real webpages.
rdar://90925399
* accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
Diff
Modified: trunk/Source/WebCore/ChangeLog (292275 => 292276)
--- trunk/Source/WebCore/ChangeLog 2022-04-03 08:04:07 UTC (rev 292275)
+++ trunk/Source/WebCore/ChangeLog 2022-04-03 19:51:59 UTC (rev 292276)
@@ -1,3 +1,27 @@
+2022-04-03 Tyler Wilcock <tyle...@apple.com>
+
+ -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] should fail fast if the given parameter wrapper has no backing object
+ https://bugs.webkit.org/show_bug.cgi?id=238635
+
+ Reviewed by Chris Fleizach.
+
+ If this method is called with a parameter wrapper object that has lost
+ its backing object, we should return early to avoid dereferencing a
+ null pointer.
+
+ This could happen in rare split-second transition states where a wrapper
+ has lost its backing object but has not yet been cleaned up by a notification.
+ This could also happen if WebKit is vending detached objects (e.g. via AXChildren)
+ in a similar transition state.
+
+ No test added because I haven't been able to find any scenario reproducing
+ this issue either in our existing layout tests or on real webpages.
+
+ rdar://90925399
+
+ * accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
+ (-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
+
2022-04-02 Myles C. Maxfield <mmaxfi...@apple.com>
[Cocoa] Automatically relayout the page when new fonts are installed
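Review bot: the "No test added" paragraph in this entry means the new early return ships without coverage. The entry names two ways a wrapper can reach this method without a backing object (a wrapper not yet cleaned up by a notification, and detached objects vended via AXChildren) but does not say which one was actually observed. Stating that, or stating that neither was confirmed, would tell a later reader whether the guard is purely defensive and what a future regression test should construct.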
Modified: trunk/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm (292275 => 292276)
--- trunk/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm 2022-04-03 08:04:07 UTC (rev 292275)
+++ trunk/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm 2022-04-03 19:51:59 UTC (rev 292276)
@@ -3500,8 +3500,12 @@
textMarker = (AXTextMarkerRef)parameter;
else if (AXObjectIsTextMarkerRange(parameter))
textMarkerRange = (AXTextMarkerRangeRef)parameter;
- else if ([parameter isKindOfClass:[WebAccessibilityObjectWrapper class]])
+ else if ([parameter isKindOfClass:[WebAccessibilityObjectWrapper class]]) {
uiElement = [(WebAccessibilityObjectWrapper*)parameter axBackingObject];
+ // The parameter wrapper object has lost its AX object since being given to the client, so bail early.
+ if (!uiElement)
+ return nil;
+ }
else if ([parameter isKindOfClass:[NSNumber class]])
number = parameter;
else if ([parameter isKindOfClass:[NSArray class]])
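Review bot: the closing `}` added for the wrapper branch leaves the following `else if ([parameter isKindOfClass:[NSNumber class]])` on its own line; WebKit style puts an `else` on the same line as a preceding close brace, so this should read `} else if ([parameter isKindOfClass:[NSNumber class]])`. On the logic, checking `uiElement` immediately after the `axBackingObject` assignment is the right place to stop a null dereference, but the `return nil` applies to every attribute that reaches this method with a wrapper parameter. It is worth confirming that no attribute handled later in the method expects to run with a null `uiElement`, and that callers treat nil here the same way as any other missing value.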