Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7d93b07962d543ef64c35852350eceef1fd40260
https://github.com/WebKit/WebKit/commit/7d93b07962d543ef64c35852350eceef1fd40260
Author: Tyler Wilcock <[email protected]>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
AXObjectCache::characterOffsetFromVisiblePosition can deref a nullptr when underlying renderer is destroyed
https://bugs.webkit.org/show_bug.cgi?id=254798
rdar://103456792
Reviewed by Chris Fleizach.
AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object to be destroyed, and afterwards unconditionally dereferences that AX object's node() at the end of the method. This can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer), and is generally poor pointer hygiene.
With this patch, we now keep the VisiblePosition's node in a `Ref<Node>` and re-use it at the end of the method to prevent a crash.
I could not reproduce this crash myself in the browser or in a testcase, so this is a speculative fix based on crash reports.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::characterOffsetFromVisiblePosition):
Canonical link: https://commits.webkit.org/262432@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes