Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b952846cd5b13e621a9f87977649d201fd1b3726
https://github.com/WebKit/WebKit/commit/b952846cd5b13e621a9f87977649d201fd1b3726
Author: Tyler Wilcock <[email protected]>
Date: 2025-10-16 (Thu, 16 Oct 2025)
Changed paths:
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
AX: AccessibilityNodeObject::clearChildren() can dereference a nullptr
https://bugs.webkit.org/show_bug.cgi?id=300851
rdar://161093750
Reviewed by Chris Fleizach.
Given this sequence:
1. Element::~Element()
2. AXObjectCache::remove(WebCore::Node&)
3. AXObjectCache::remove(AXID)
4. AccessibilityNodeObject::detachRemoteParts()
5. AccessibilityNodeObject::clearChildren()
6. AccessibilityNodeObject::isNativeLabel()
We dereference a nullptr when trying to check
dynamicDowncast<HTMLLabelElement>(node()), because while the node is non-null
and not yet destroyed, its m_tagName field has already been cleared (and is thus
null), so the is<HTMLLabelElement> check dereferences
the null tag name.
Avoid this by removing the isNativeLabel() branch entirely. This virtual
function call is not necessary; we can just
unconditionally reset the m_containsOnlyStaticText and
m_containsOnlyStaticTextDirty bools. Also remove the unnecessary
virtual function call to isTable() to avoid similar issues.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::clearChildren):
Canonical link: https://commits.webkit.org/301612@main