WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
[patch]
Patch
bug-238635-20220331172340.patch (text/plain), 2.62 KB, created by
Tyler Wilcock
on 2022-03-31 15:23:41 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Tyler Wilcock
Created:
2022-03-31 15:23:41 PDT
Size:
2.62 KB
patch
obsolete
>Subversion Revision: 292105 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index aa206433f6e6448c5138f1cd0481646545e454b9..47464344755c8fca2978202c46374b4b305c6599 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,27 @@ >+2022-03-31 Tyler Wilcock <tyler_w@apple.com> >+ >+ -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] should fail fast if the given parameter wrapper has no backing object >+ https://bugs.webkit.org/show_bug.cgi?id=238635 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ If this method is called with a parameter wrapper object that has lost >+ its backing object, we should return early to avoid dereferencing a >+ null pointer. >+ >+ This could happen in rare split-second transition states where a wrapper >+ has lost its backing object but has not yet been cleaned up by a notification. >+ This could also happen if WebKit is vending detached objects (e.g. via AXChildren) >+ in a similar transition state. >+ >+ No test added because I haven't been able to find any scenario reproducing >+ this issue either in our existing layout tests or on real webpages. >+ >+ rdar://90925399 >+ >+ * accessibility/mac/WebAccessibilityObjectWrapperMac.mm: >+ (-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]): >+ > 2022-03-30 Youenn Fablet <youenn@apple.com> > > Implement ServiceWorker WindowClient.ancestorOrigins >diff --git a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm b/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm >index ee99006291d318d5293acc9448d0578061a4e547..c33252dad335ff3ac6887f2dc19a4a575459926e 100644 >--- a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm >+++ b/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm >@@ -3500,8 +3500,12 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END > textMarker = (AXTextMarkerRef)parameter; > else if (AXObjectIsTextMarkerRange(parameter)) > textMarkerRange = (AXTextMarkerRangeRef)parameter; >- else if ([parameter isKindOfClass:[WebAccessibilityObjectWrapper class]]) >+ else if ([parameter isKindOfClass:[WebAccessibilityObjectWrapper class]]) { > uiElement = [(WebAccessibilityObjectWrapper*)parameter axBackingObject]; >+ // The parameter wrapper object has lost its AX object since being given to the client, so bail early. >+ if (!uiElement) >+ return nil; >+ } > else if ([parameter isKindOfClass:[NSNumber class]]) > number = parameter; > else if ([parameter isKindOfClass:[NSArray class]])
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=456291">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 238635
:
456286
|
456288
| 456291