AX: Crash under WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored()
authorcfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Apr 2019 20:31:34 +0000 (20:31 +0000)
committercfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Apr 2019 20:31:34 +0000 (20:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196600
<rdar://problem/49572996>

Reviewed by Joanmarie Diggs.

Audit AX code so that the renderer is null-checked before it is dereferenced.
Not clear how to reproduce at this time.

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::webAreaIsPresentational):
(WebCore::AccessibilityRenderObject::layoutCount const):
(WebCore::AccessibilityRenderObject::widget const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243894 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityRenderObject.cpp

index b4ac7f1..0fe93bb 100644 (file)
@@ -1,3 +1,19 @@
+2019-04-04  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash under WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored()
+        https://bugs.webkit.org/show_bug.cgi?id=196600
+        <rdar://problem/49572996>
+
+        Reviewed by Joanmarie Diggs.
+
+        Audit AX code to not dereference renderer before checking if it's null.
+        Not clear how to reproduce at this time.
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::webAreaIsPresentational):
+        (WebCore::AccessibilityRenderObject::layoutCount const):
+        (WebCore::AccessibilityRenderObject::widget const):
+
 2019-04-04  Antti Koivisto  <antti@apple.com>
 
         Compute accurate regions for touch-action
index 35949a0..b044703 100644 (file)
@@ -1156,7 +1156,7 @@ AccessibilityObjectInclusion AccessibilityRenderObject::defaultObjectInclusion()
     
 static bool webAreaIsPresentational(RenderObject* renderer)
 {
-    if (!is<RenderView>(*renderer))
+    if (!renderer || !is<RenderView>(*renderer))
         return false;
     
     if (auto ownerElement = renderer->document().ownerElement())
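Review bot: The added `!renderer` test only covers a genuinely null pointer, while the commit record says the crash has no known reproduction yet; if the real cause is a dangling (freed but non-null) renderer, the very next line still walks into `renderer->document()` unchecked and this guard does not close it. I would make that assumption explicit so nobody reads the check as a full fix: `// A null renderer (detached or not yet attached) is never a presentational web area. This does not protect against a dangling pointer; see bug 196600.` The body of webAreaIsPresentational continues past the end of the hunk.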
@@ -1445,7 +1445,7 @@ double AccessibilityRenderObject::estimatedLoadingProgress() const
     
 int AccessibilityRenderObject::layoutCount() const
 {
-    if (!is<RenderView>(*m_renderer))
+    if (!m_renderer || !is<RenderView>(*m_renderer))
         return 0;
     return downcast<RenderView>(*m_renderer).frameView().layoutContext().layoutCount();
 }
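Review bot: The guard `!m_renderer || !is<RenderView>(*m_renderer)` is now written identically in three functions of this file, and nothing in the hunk records why the explicit null test is needed instead of handing the pointer to `is<>`; if the pointer overload of `is<>` in this codebase asserts non-null (as I believe WebKit's TypeCasts does — please confirm), a later cleanup that "simplifies" it to `is<RenderView>(m_renderer)` would silently reintroduce the crash. A one-line comment at this first member site would anchor that: `// m_renderer may be null here; is<>() on a pointer asserts non-null, so test it explicitly.`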
@@ -1816,7 +1816,7 @@ Document* AccessibilityRenderObject::document() const
 
 Widget* AccessibilityRenderObject::widget() const
 {
-    if (!is<RenderWidget>(*m_renderer))
+    if (!m_renderer || !is<RenderWidget>(*m_renderer))
         return nullptr;
     return downcast<RenderWidget>(*m_renderer).widget();
 }
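Review bot: widget() now returns nullptr for two distinct reasons — the object has no renderer at all, or its renderer is not a RenderWidget — and nothing in the hunk documents the new contract for callers such as computeAccessibilityIsIgnored named in the commit title. A short comment above the function would make it explicit: `// Returns nullptr when this object has no renderer or the renderer is not a RenderWidget.` Presumably `downcast<RenderWidget>(*m_renderer).widget()` could already yield nullptr, so callers should already tolerate a null result, but that is worth confirming at the call sites rather than assumed.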