AX: iOS8: Crash at -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]
author    cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Sun, 5 Oct 2014 23:09:59 +0000 (23:09 +0000)
committer cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Sun, 5 Oct 2014 23:09:59 +0000 (23:09 +0000)
https://bugs.webkit.org/show_bug.cgi?id=137289

Reviewed by Mario Sanchez Prada.

Source/WebCore:

Casting a NSInteger to an unsigned can bypass the check we were hoping to achieve,
because size_t is not the same as unsigned.

Test: platform/ios-sim/accessibility/out-of-bounds-child-access.html

* accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
(-[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]):

LayoutTests:

* platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt: Added.
* platform/ios-sim/accessibility/out-of-bounds-child-access.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@174330 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt [new file with mode: 0644]
LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm
Tools/DumpRenderTree/ios/AccessibilityUIElementIOS.mm
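
The narrowing-cast bypass the commit message describes, as an added example that is not WebKit code: `FakeNSInteger` (an `int64_t`) stands in for NSInteger on a 64-bit Apple platform, `std::vector` stands in for WebCore's `children` Vector (whose `operator[]` takes `size_t`), and the sample child list is constructed here. `lookupBefore` reproduces the removed check, `lookupAfter` the committed one, and `isBypass` flags the case where the check passes but the subscript that follows is out of range.

```cpp
// Added example, not WebKit code: models the narrowing-cast bypass fixed in
// -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:].
// FakeNSInteger stands in for NSInteger on a 64-bit Apple platform (where it
// is `long`); std::vector stands in for WebCore's children Vector, whose
// operator[] takes size_t.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using FakeNSInteger = int64_t;
static_assert(sizeof(size_t) == 8, "example assumes an LP64 host, as in the bug");

// Outcome of a lookup: whether the bounds check passed and, if so, which slot
// operator[] would be asked for (the index after conversion to size_t).
struct Lookup {
    bool checkPassed;
    size_t slotRead;
};

// Before the fix: the comparison sees the index narrowed to 32-bit unsigned,
// but children[index] converts the original 64-bit value to size_t.
Lookup lookupBefore(const std::vector<int>& children, FakeNSInteger index)
{
    if (static_cast<unsigned>(index) >= children.size())
        return {false, 0};
    return {true, static_cast<size_t>(index)}; // the slot children[index] would touch
}

// After the fix: one size_t value is both compared and used as the subscript.
Lookup lookupAfter(const std::vector<int>& children, FakeNSInteger index)
{
    size_t elementIndex = static_cast<size_t>(index);
    if (elementIndex >= children.size())
        return {false, 0};
    return {true, elementIndex};
}

// True when the check passed but the slot lies outside the vector: the
// out-of-bounds read behind the crash.
bool isBypass(const std::vector<int>& children, const Lookup& l)
{
    return l.checkPassed && l.slotRead >= children.size();
}

// Accessor built on the fixed check: returns the child, or -1 when rejected.
int childOrSentinel(const std::vector<int>& children, FakeNSInteger index)
{
    Lookup l = lookupAfter(children, index);
    return l.checkPassed ? children[l.slotRead] : -1;
}

int main()
{
    const std::vector<int> children = {10, 20, 30}; // constructed sample
    const FakeNSInteger probes[] = {
        2,                                          // valid
        3,                                          // one past the end
        -1,                                         // negative
        static_cast<FakeNSInteger>(1) << 32,        // low 32 bits are 0: looks like index 0
        (static_cast<FakeNSInteger>(1) << 32) + 1,  // low 32 bits are 1: looks like index 1
    };
    for (FakeNSInteger p : probes) {
        Lookup before = lookupBefore(children, p);
        Lookup after = lookupAfter(children, p);
        std::printf("index %lld: before %s%s, after %s\n", static_cast<long long>(p),
            before.checkPassed ? "passes" : "rejected",
            isBypass(children, before) ? " (BYPASS: out-of-bounds read)" : "",
            after.checkPassed ? "passes" : "rejected");
    }
    return 0;
}
```

The negative probe shows why the fix needs no separate `index < 0` test: a negative NSInteger converted to `size_t` lands near `SIZE_MAX` and is rejected by the same comparison, whereas the 2^32 + 1 probe passes the old check as index 1 and is then used unnarrowed as the subscript.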

index ec80b55..5863ee7 100644 (file)
@@ -1,3 +1,13 @@
+2014-10-05  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: iOS8: Crash at -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]
+        https://bugs.webkit.org/show_bug.cgi?id=137289
+
+        Reviewed by Mario Sanchez Prada.
+
+        * platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt: Added.
+        * platform/ios-sim/accessibility/out-of-bounds-child-access.html: Added.
+
 2014-10-04  Dhi Aurrahman  <diorahman@rockybars.com>
 
         Implement Element.closest() API
diff --git a/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt b/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access-expected.txt
new file mode 100644 (file)
index 0000000..e743045
--- /dev/null
@@ -0,0 +1,10 @@
+test
+This makes sure if out of bounds ranges come into accessibilityElementAtIndex: then we don't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access.html b/LayoutTests/platform/ios-sim/accessibility/out-of-bounds-child-access.html
new file mode 100644 (file)
index 0000000..97dddb7
--- /dev/null
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../../resources/js-test-pre.js"></script>
+<script>
+var successfullyParsed = false;
+</script>
+</head>
+<body id="body">
+
+<div id="group" role="group"><button>test</button></div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+    description("This makes sure if out of bounds ranges come into accessibilityElementAtIndex: then we don't crash.");
+
+    if (window.accessibilityController) {
+
+        var group = accessibilityController.accessibleElementById("group");
+
+        // Don't crash!
+        group.childAtIndex(9223372036854775806);
+    }
+
+    successfullyParsed = true;
+</script>
+
+<script src="../../../resources/js-test-post.js"></script>
+</body>
+</html>
+
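Review bot: the literal on the `group.childAtIndex(9223372036854775806);` line is above 2^53 (Number.MAX_SAFE_INTEGER), so as a JavaScript Number it is rounded to 9223372036854775808 before the harness converts it to a native integer, and the index that actually reaches accessibilityElementAtIndex: depends on that conversion rather than on the digits written. A comment stating the intended out-of-range value would keep the test meaningful if the harness conversion ever changes. The test also never inspects the result: a shouldBe-style check from js-test-pre.js (already included on the page) on what childAtIndex returns would make the expected output record more than "PASS successfullyParsed is true", so a regression that returns a bogus element without crashing would still be caught.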
index e5d12f8..a9246de 100644 (file)
@@ -1,3 +1,18 @@
+2014-10-05  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: iOS8: Crash at -[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]
+        https://bugs.webkit.org/show_bug.cgi?id=137289
+
+        Reviewed by Mario Sanchez Prada.
+
+        Casting a NSInteger to an unsigned can bypass the check we were hoping to achieve, 
+        because size_t is not the same as unsigned.
+
+        Test: platform/ios-sim/accessibility/out-of-bounds-child-access.html
+
+        * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
+        (-[WebAccessibilityObjectWrapper accessibilityElementAtIndex:]):
+
 2014-10-05  Christophe Dumez  <cdumez@apple.com>
 
         Use is<>() / downcast<>() for ElementData subclasses
index cdf1251..f45b096 100644 (file)
@@ -375,11 +375,12 @@ static AccessibilityObjectWrapper* AccessibilityUnignoredAncestor(AccessibilityO
         return [[self attachmentView] accessibilityElementAtIndex:index];
     
     const auto& children = m_object->children();
-    if (static_cast<unsigned>(index) >= children.size())
+    size_t elementIndex = static_cast<size_t>(index);
+    if (elementIndex >= children.size())
         return nil;
     
-    AccessibilityObjectWrapper* wrapper = children[index]->wrapper();
-    if (children[index]->isAttachment())
+    AccessibilityObjectWrapper* wrapper = children[elementIndex]->wrapper();
+    if (children[elementIndex]->isAttachment())
         return [wrapper attachmentView];
 
     return wrapper;
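Review bot: the cast on the added line `size_t elementIndex = static_cast<size_t>(index);` deserves a one-line comment, because it looks droppable but is what makes the check sound. `unsigned` is 32 bits on 64-bit iOS, so the removed `static_cast<unsigned>(index) >= children.size()` let an index such as 2^32 + 1 compare as 1 while `children[index]` then subscripted with the full value; and a negative NSInteger converts to a value near SIZE_MAX, so the same comparison rejects it without a separate `index < 0` test. Saying that where the next reader will wonder prevents someone "simplifying" it back. Otherwise the hunk is consistent: the same `elementIndex` feeds the comparison and both subscripts.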
index 4b45f68..5250aca 100644 (file)
@@ -191,8 +191,7 @@ void AccessibilityUIElement::getChildren(Vector<AccessibilityUIElement>& element
 
 void AccessibilityUIElement::getChildrenWithRange(Vector<AccessibilityUIElement>& elementVector, unsigned location, unsigned length)
 {
-    NSUInteger childCount = [m_element accessibilityElementCount];
-    for (NSUInteger k = location; k < childCount && k < (location+length); ++k)
+    for (NSInteger k = location; k < (location+length); ++k)
         elementVector.append(AccessibilityUIElement([m_element accessibilityElementAtIndex:k]));    
 }
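Review bot: this Tools change has no ChangeLog entry and is not mentioned in the commit message, yet it changes harness behaviour: dropping `k < childCount` is what lets an out-of-range index reach accessibilityElementAtIndex: at all, so a Tools/ChangeLog entry saying so is needed (the file list shows none). Two smaller points on the new loop line `for (NSInteger k = location; k < (location+length); ++k)`: `location` and `length` are `unsigned`, so `location+length` is 32-bit unsigned arithmetic and wraps (location = 0xFFFFFFFF with length = 1 gives 0 and the loop never runs), and with the count clamp gone a large `length` now issues `length` calls regardless of how many children exist. Computing the bound in NSInteger, or keeping the clamp for everything but the explicit out-of-range probe, would avoid both.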