Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7d93b07962d543ef64c35852350eceef1fd40260
https://github.com/WebKit/WebKit/commit/7d93b07962d543ef64c35852350eceef1fd40260
Author: Tyler Wilcock <tyle...@apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
  M Source/WebCore/accessibility/AXObjectCache.cpp

Log Message:
-----------
AXObjectCache::characterOffsetFromVisiblePosition can deref a nullptr when underlying renderer is destroyed
https://bugs.webkit.org/show_bug.cgi?id=254798
rdar://103456792

Reviewed by Chris Fleizach.

AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object to be destroyed, and afterwards unconditionally dereferences that AX object's node() at the end of the method. This can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer), and is generally poor pointer hygiene.

With this patch, we now keep the VisiblePosition's node in a `Ref<Node>` and re-use it at the end of the method to prevent a crash.

I could not reproduce this crash myself in the browser or in a testcase, so this is a speculative fix based on crash reports.

* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::characterOffsetFromVisiblePosition):

Canonical link: https://commits.webkit.org/262432@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
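The lifetime problem the commit message describes, as an added illustration that is not WebKit's code: the types below are minimal stand-ins for the classes it names (a Node, its renderer, an AX object whose node() only works while a renderer exists), with std::shared_ptr playing the role of Ref<Node>, and the intermediate work is simulated by simply tearing the renderer down.

```cpp
#include <memory>

// Stand-ins for the classes named in the commit message; NOT WebKit's real types.
struct Node;
struct Renderer { Node* node; };
struct Node {
    int textLength = 0;
    std::unique_ptr<Renderer> renderer;   // torn down by the intermediate work below
};

// Mirrors the property the bug depends on: node() is only valid while a renderer exists
// (AccessibilityRenderObject::node() in the commit message).
struct AXRenderObject {
    Renderer* renderer;
    Node* node() const { return renderer ? renderer->node : nullptr; }
};

// Models the "non-trivial work that could cause the renderer ... to be destroyed".
static void workThatMayDestroyRenderer(Node& n, AXRenderObject& ax) {
    n.renderer.reset();
    ax.renderer = nullptr;   // the AX object is detached from its now-freed renderer
}

static std::shared_ptr<Node> makeNodeWithRenderer(int textLength) {
    auto n = std::make_shared<Node>();
    n->textLength = textLength;
    n->renderer = std::make_unique<Renderer>(Renderer{ n.get() });
    return n;
}

// Before the fix: the node is re-fetched from the AX object after the work, so it is null
// once the renderer is gone. Returns -1 where the real code dereferenced the null pointer.
static int offsetBeforeFix(const std::shared_ptr<Node>& positionNode) {
    AXRenderObject ax{ positionNode->renderer.get() };
    workThatMayDestroyRenderer(*positionNode, ax);
    Node* node = ax.node();
    return node ? node->textLength : -1;
}

// After the fix: keep a strong reference to the VisiblePosition's node from the start
// (Ref<Node> in WebKit, shared_ptr here) and use it at the end, independent of the renderer.
static int offsetAfterFix(const std::shared_ptr<Node>& positionNode) {
    std::shared_ptr<Node> node = positionNode;   // keeps the node alive across the work
    AXRenderObject ax{ node->renderer.get() };
    workThatMayDestroyRenderer(*node, ax);
    return node->textLength;                      // safe: no trip through ax.node()
}
```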