Security: Heap-use-after-free in WebCore::AXObjectCache::getOrCreate
author    dmazzoni@google.com <dmazzoni@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 20 Mar 2013 00:27:16 +0000 (00:27 +0000)
committer dmazzoni@google.com <dmazzoni@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 20 Mar 2013 00:27:16 +0000 (00:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=112044

Reviewed by Chris Fleizach.

Source/WebCore:

Always call recalcSectionsIfNeeded before accessing
table sections.

Test: accessibility/table-remove-cell-crash.html

* accessibility/AccessibilityTable.cpp:
(WebCore::AccessibilityTable::addChildren):

LayoutTests:

Adds test showing a crash / assertion failure if a cell is
deleted from a table and the table's AX object is accessed.

* accessibility/table-remove-cell-crash-expected.txt: Added.
* accessibility/table-remove-cell-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@146282 268f45cc-cd09-0410-ab3c-d52691b4dbfc
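The bug pattern behind this fix, as an added illustration that is not WebKit code: a simplified, hypothetical model of a render table whose list of sections is a lazily rebuilt cache of raw pointers. Removing a section frees it and only marks the cache dirty, so a reader that skips the "recalc if needed" step still sees the freed pointer, which is the heap-use-after-free the test triggers. The class and function names (RenderTable, RenderTableSection, recalcSectionsIfNeeded, walkSectionsBuggy, walkSectionsFixed) are chosen to mirror the ChangeLog, not taken from the real classes, and the model deliberately counts dangling entries by address instead of dereferencing them.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for a heap-allocated section owned by the table (hypothetical model).
struct RenderTableSection {
    int rowSpan;
};

class RenderTable {
public:
    RenderTableSection* addSection(int rowSpan) {
        m_owned.push_back(std::unique_ptr<RenderTableSection>(new RenderTableSection{rowSpan}));
        m_needsSectionRecalc = true;
        return m_owned.back().get();
    }

    // Frees the section. Only the dirty flag is set; the cached list keeps the
    // now-dangling pointer until someone calls recalcSectionsIfNeeded().
    void removeSection(RenderTableSection* section) {
        for (auto it = m_owned.begin(); it != m_owned.end(); ++it) {
            if (it->get() == section) {
                m_owned.erase(it);
                break;
            }
        }
        m_needsSectionRecalc = true;
    }

    void recalcSectionsIfNeeded() {
        if (!m_needsSectionRecalc)
            return;
        m_sections.clear();
        for (const auto& p : m_owned)
            m_sections.push_back(p.get());
        m_needsSectionRecalc = false;
    }

    // Cached view: only valid if recalcSectionsIfNeeded() ran after the last mutation.
    const std::vector<RenderTableSection*>& sections() const { return m_sections; }

    // Address-only liveness check so the model can detect a dangling cache
    // entry without dereferencing it (that would be undefined behaviour).
    bool isLive(const RenderTableSection* s) const {
        for (const auto& p : m_owned)
            if (p.get() == s)
                return true;
        return false;
    }

private:
    std::vector<std::unique_ptr<RenderTableSection>> m_owned;   // real owners
    std::vector<RenderTableSection*> m_sections;                // lazily rebuilt cache
    bool m_needsSectionRecalc = true;
};

// Number of cached section pointers that no longer point at a live object.
std::size_t danglingSections(const RenderTable& table) {
    std::size_t n = 0;
    for (const RenderTableSection* s : table.sections())
        if (!table.isLive(s))
            ++n;
    return n;
}

// Before the fix: walk the cached sections as they are.
std::size_t walkSectionsBuggy(RenderTable& table) {
    return danglingSections(table);
}

// After the fix: recalc first, then walk.
std::size_t walkSectionsFixed(RenderTable& table) {
    table.recalcSectionsIfNeeded();
    return danglingSections(table);
}

struct ScenarioResult {
    std::size_t buggyDangling;
    std::size_t fixedDangling;
};

// Replays the shape of the layout test: the AX side reads the table once
// (populating the cache), script removes the only section, the AX side
// reads the table again.
ScenarioResult runScenario() {
    RenderTable table;
    RenderTableSection* body = table.addSection(141);
    table.recalcSectionsIfNeeded();   // first access fills the cache
    table.removeSection(body);        // section freed, cache left stale
    ScenarioResult r;
    r.buggyDangling = walkSectionsBuggy(table);   // cache still holds the freed pointer
    r.fixedDangling = walkSectionsFixed(table);   // recalc drops it
    return r;
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("dangling before fix: %zu, after fix: %zu\n", r.buggyDangling, r.fixedDangling);
    return 0;
}
```

The model keeps the invariant the commit relies on: any consumer of the cached section list is responsible for calling the recalc step first, because the mutation path only flags the cache as dirty. In the real engine the dangling pointer would be dereferenced during the child walk, which is why the original report surfaced as a heap-use-after-free rather than as a wrong count.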

LayoutTests/ChangeLog
LayoutTests/accessibility/table-remove-cell-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/table-remove-cell-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityTable.cpp

index 07aa1ad..1079c8c 100644 (file)
@@ -1,3 +1,16 @@
+2013-03-19  Dominic Mazzoni  <dmazzoni@google.com>
+
+        Security: Heap-use-after-free in WebCore::AXObjectCache::getOrCreate
+        https://bugs.webkit.org/show_bug.cgi?id=112044
+
+        Reviewed by Chris Fleizach.
+
+        Adds test showing a crash / assertion failure if a cell is
+        deleted from a table and the table's AX object is accessed.
+
+        * accessibility/table-remove-cell-crash-expected.txt: Added.
+        * accessibility/table-remove-cell-crash.html: Added.
+
 2013-03-19  Antti Koivisto  <antti@apple.com>
 
         Don't compute background obscuration on every repaint
diff --git a/LayoutTests/accessibility/table-remove-cell-crash-expected.txt b/LayoutTests/accessibility/table-remove-cell-crash-expected.txt
new file mode 100644 (file)
index 0000000..e7e4e7f
--- /dev/null
@@ -0,0 +1,9 @@
+This test makes sure we do not crash if javascript removes a cell.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/table-remove-cell-crash.html b/LayoutTests/accessibility/table-remove-cell-crash.html
new file mode 100644 (file)
index 0000000..aa7d12b
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body>
+
+<table id=table1 tabindex=0><td rowspan=141></table>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This test makes sure we do not crash if javascript removes a cell.");
+
+    if (window.accessibilityController) {
+        var table = document.getElementById("table1");
+        table.focus();
+        tableAX = accessibilityController.focusedElement;
+
+        table.childNodes[0].removeChild(table.childNodes[0].childNodes[0]);
+
+        string = tableAX.attributesOfChildren();
+    }
+</script>
+
+<script src="../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
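Review bot: the test emits no PASS line for the code path it actually exercises, so a run in which window.accessibilityController is absent (the whole block under the `if` is skipped) produces exactly the same output as a run that walked the table; only a crash would ever distinguish the two. Consider adding a testPassed() (or a shouldBeNonNull-style check on the result) after `string = tableAX.attributesOfChildren();` and carrying it into the expected file so the test also documents that the walk completed. Minor style point: `tableAX` and `string` are assigned without `var`, creating implicit globals; declare them.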
index ce80f08..70409e6 100644 (file)
@@ -1,3 +1,18 @@
+2013-03-19  Dominic Mazzoni  <dmazzoni@google.com>
+
+        Security: Heap-use-after-free in WebCore::AXObjectCache::getOrCreate
+        https://bugs.webkit.org/show_bug.cgi?id=112044
+
+        Reviewed by Chris Fleizach.
+
+        Always call recalcSectionsIfNeeded before accessing
+        table sections.
+
+        Test: accessibility/table-remove-cell-crash.html
+
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::addChildren):
+
 2013-03-19  Arnaud Renevier  <a.renevier@sisa.samsung.com>
 
         [v8] add IDL 'enum' in DOM methods
index 467ea1e..71afab5 100644 (file)
@@ -345,6 +345,7 @@ void AccessibilityTable::addChildren()
     AXObjectCache* axCache = m_renderer->document()->axObjectCache();
 
     // Go through all the available sections to pull out the rows and add them as children.
+    table->recalcSectionsIfNeeded();
     RenderTableSection* tableSection = table->topSection();
     if (!tableSection)
         return;
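Review bot: the ChangeLog says "Always call recalcSectionsIfNeeded before accessing table sections", but this hunk adds the call at a single site, before `table->topSection()` in AccessibilityTable::addChildren(); please confirm that no other section access in AccessibilityTable.cpp reads sections without the recalc, or reword the ChangeLog to describe the one site that changed. Also, the new `table->recalcSectionsIfNeeded();` lands between the comment "Go through all the available sections to pull out the rows and add them as children." and the `topSection()` read that comment introduces; move the call above the comment, or give it its own one-line comment explaining that sections may be stale after a cell removal, so the existing comment stays attached to the loop it describes.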