Bug 120300

Summary: AX: Null pointer may be dereferenced.
Product: WebKit
Reporter: Lukasz Gajowy <l.gajowy>
Component: Accessibility
Assignee: Lukasz Gajowy <l.gajowy>
Status: RESOLVED FIXED
Severity: Normal
CC: aboxhall, apinheiro, cfleizach, commit-queue, dmazzoni, g.czajkowski, jdiggs, k.czech, mario, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments (description, flags):
Patch: cfleizach: review-
Patch #2: cfleizach: review-
Patch #3: none

Lukasz Gajowy
Reported 2013-08-26 05:25:52 PDT
In function getOrCreate(Widget *widget) from AXObjectCache.cpp: the null pointer 'newObj' that comes from line 325 may be dereferenced in the method getAXID() and below this method.
Attachments
Patch (1.75 KB, patch), 2013-08-27 06:18 PDT, Lukasz Gajowy: cfleizach: review-
Patch #2 (1.82 KB, patch), 2013-08-27 23:31 PDT, Lukasz Gajowy: cfleizach: review-
Patch #3 (1.85 KB, patch), 2013-08-27 23:44 PDT, Lukasz Gajowy: no flags
Radar WebKit Bug Importer
Comment 1 2013-08-26 05:26:24 PDT
chris fleizach
Comment 2 2013-08-26 12:22:40 PDT
That would indicate that we're passing in a new Widget type. Certainly that should be protected and ASSERTed, but I don't think that is actually happening anywhere.
Lukasz Gajowy
Comment 3 2013-08-27 06:18:11 PDT
chris fleizach
Comment 4 2013-08-27 08:57:30 PDT
Comment on attachment 209761 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=209761&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:334
> +    // Will crash later when widget type is other than FrameView or ScrollBar.

This comment should read something like: "Catch the case if an (unsupported) widget type is used. Only FrameView and ScrollBar are supported now."

> Source/WebCore/accessibility/AXObjectCache.cpp:335
> +    ASSERT(newObj);

We should also do an if (!newObject) return; here. The ASSERT will catch this problem in DEBUG, but not in release.
Lukasz Gajowy
Comment 5 2013-08-27 23:31:21 PDT
Created attachment 209849 [details] Patch #2
chris fleizach
Comment 6 2013-08-27 23:34:03 PDT
Comment on attachment 209849 [details] Patch #2
View in context: https://bugs.webkit.org/attachment.cgi?id=209849&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:334
> +    // Catch the case if an (unsupported) widget type is used. Only FrameView and ScrollBar are supported now.

But we should still have the ASSERT. We want both the assert and the (!newObj) check. That way if it happens in DEBUG we'll know right away, but if it happens in release, no one will crash.
Thanks
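The pattern the reviewer asks for in comments 4 and 6, as an added illustration that is not WebKit's code: a hypothetical, simplified getOrCreate(Widget*) that reuses the names from the thread (Widget, FrameView, ScrollBar, AXObject, getAXID) and pairs the ASSERT with an early return, so an unsupported widget type is loud in debug builds and does not crash release builds. The ASSERT stand-in, the Button type and the exercise() driver are assumptions made for this example.

```cpp
#include <memory>
#include <unordered_map>
#include <utility>
// Stand-in for WebKit's ASSERT (hypothetical): records the failure instead of aborting,
// so the debug path (assertion fires) and the release path (early return) both run here.
static int g_assertionFailures = 0;
#define ASSERT(cond) do { if (!(cond)) ++g_assertionFailures; } while (0)

struct Widget {
    virtual ~Widget() {}
    virtual bool isFrameView() const { return false; }
    virtual bool isScrollBar() const { return false; }
};
struct FrameView : Widget { bool isFrameView() const override { return true; } };
struct ScrollBar : Widget { bool isScrollBar() const override { return true; } };
struct Button : Widget {}; // constructed: a widget type the cache does not model
struct AXObject { explicit AXObject(Widget* w) : widget(w) {} Widget* widget; unsigned axID = 0; };

class AXObjectCache {
public:
    AXObject* getOrCreate(Widget* widget) {
        if (!widget) return nullptr;
        auto it = m_objects.find(widget);
        if (it != m_objects.end()) return it->second.get();
        std::unique_ptr<AXObject> newObj;
        if (widget->isFrameView() || widget->isScrollBar()) newObj.reset(new AXObject(widget));
        // Catch the case if an (unsupported) widget type is used. Only FrameView and ScrollBar
        // are supported now. ASSERT is loud in debug; the null check protects release builds.
        ASSERT(newObj);
        if (!newObj) return nullptr;
        newObj->axID = getAXID(newObj.get()); // would dereference nullptr without the check above
        AXObject* raw = newObj.get();
        m_objects[widget] = std::move(newObj);
        return raw;
    }
private:
    unsigned getAXID(AXObject* obj) { return obj->axID ? obj->axID : ++m_lastID; }
    std::unordered_map<Widget*, std::unique_ptr<AXObject>> m_objects;
    unsigned m_lastID = 0;
};

// Drives the cache through the supported, repeated and unsupported cases (constructed input).
struct Outcome { bool supportedCreated; bool sameObjectOnRepeat; bool unsupportedIsNull; int assertionFailures; };
Outcome exercise() {
    g_assertionFailures = 0;
    AXObjectCache cache;
    FrameView frameView; ScrollBar scrollBar; Button button;
    AXObject* a = cache.getOrCreate(&frameView);
    AXObject* b = cache.getOrCreate(&scrollBar);
    return {a && b && a->axID != b->axID, cache.getOrCreate(&frameView) == a,
            cache.getOrCreate(&button) == nullptr, g_assertionFailures};
}
```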
Lukasz Gajowy
Comment 7 2013-08-27 23:44:27 PDT
Created attachment 209850 [details] Patch #3
Sorry, I misread your review the last time. Now it is the way you explained it.
chris fleizach
Comment 8 2013-08-27 23:45:34 PDT
Comment on attachment 209850 [details] Patch #3
Thanks. Looks good. Let's make sure the EWS bots are good before committing.
Build Bot
Comment 9 2013-08-28 00:23:46 PDT
chris fleizach
Comment 10 2013-08-28 12:15:13 PDT
Comment on attachment 209850 [details] Patch #3
Windows build bot seems busted, so moving forward with this.
WebKit Commit Bot
Comment 11 2013-08-28 12:40:10 PDT
Comment on attachment 209850 [details] Patch #3
Clearing flags on attachment: 209850
Committed r154767: <http://trac.webkit.org/changeset/154767>
WebKit Commit Bot
Comment 12 2013-08-28 12:40:12 PDT
All reviewed patches have been landed. Closing bug.