RESOLVED FIXED 237373
AX: [WebAccessibilityObjectWrapperMac AXAttributeStringSetFont] crashes when given a font with a nil postscript name, font family, or display name 
https://bugs.webkit.org/show_bug.cgi?id=237373
Summary AX: [WebAccessibilityObjectWrapperMac AXAttributeStringSetFont] crashes when ...
Tyler Wilcock
Reported 2022-03-02 08:47:16 PST
[WebAccessibilityObjectWrapperMac AXAttributeStringSetFont] crashes when given a font with a nil postscript name, font family, or display name. This can be triggered with CSS: @font-face { font-family: 'Litherum'; src: url("resources/Litherum.svg") format(svg); } * { font-family: 'Litherum'; }
Attachments
Patch (8.64 KB, patch)
2022-03-02 08:51 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (10.13 KB, patch)
2022-03-02 09:08 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (22.85 KB, patch)
2022-03-02 14:52 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (22.77 KB, patch)
2022-03-02 17:15 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (21.64 KB, patch)
2022-03-02 17:46 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (22.69 KB, patch)
2022-03-03 10:39 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (22.10 KB, patch)
2022-03-03 15:09 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (22.10 KB, patch)
2022-03-04 07:47 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (22.11 KB, patch)
2022-03-04 07:49 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Show Obsolete (8) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-03-02 08:47:38 PST
<rdar://problem/89690380>
Tyler Wilcock
Comment 2 2022-03-02 08:51:25 PST
Created attachment 453617 [details] Patch
Tyler Wilcock
Comment 3 2022-03-02 09:08:31 PST
Created attachment 453621 [details] Patch
chris fleizach
Comment 4 2022-03-02 09:09:46 PST
Comment on attachment 453621 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=453621&action=review > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:784 > + NSString *fontName = (__bridge NSString *)adoptCF(CTFontCopyPostScriptName(font)).get(); can we take this opportunity to centralize both of these methods which appear to be mostly duplicated
Tyler Wilcock
Comment 5 2022-03-02 14:52:28 PST
Created attachment 453664 [details] Patch
chris fleizach
Comment 6 2022-03-02 15:00:10 PST
Comment on attachment 453664 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=453664&action=review > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm:602 > + RetainPtr<CFStringRef> fullName = adoptCF(CTFontCopyFullName(font)); it looks like on the Mac side we're adding a whole dictionary and on iOS side we're doing addAttribute:value for each item Can we pick one way (like make a dictionary with the right platform keys) and then set it one time? > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:806 > + [WebAccessibilityObjectWrapperBase applyFontToAttributedString:attrString font:style.fontCascade().primaryFont().getCTFont() range:range]; can we make this a C function instead of a class function?
Tyler Wilcock
Comment 7 2022-03-02 17:15:26 PST
Created attachment 453680 [details] Patch
chris fleizach
Comment 8 2022-03-02 17:24:48 PST
Comment on attachment 453680 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=453680&action=review > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h:112 > ++ (void)applyFontToAttributedString:(NSMutableAttributedString*)attributedString font:(CTFontRef)font range:(NSRange)range; NSMutableAttributedString * > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm:585 > + return range.location < [attributedString length] && NSMaxRange(range) <= [attributedString length]; the NSMaxRange check should be sufficient. I don't think you need the range.location check > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm:593 > + if (!font) { we can wrap this whole block in MAC > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm:600 > + NSMutableDictionary *fontAttributes = [[NSMutableDictionary alloc] init]; we should RetainPtr this or release it. pretty sure ARC is not on
Tyler Wilcock
Comment 9 2022-03-02 17:46:50 PST
Created attachment 453685 [details] Patch
Tyler Wilcock
Comment 10 2022-03-02 17:48:22 PST
> > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm:593 > > + if (!font) { > > we can wrap this whole block in MAC Can we? We do still need to return early if the font is null on iOS. Fixed everything else, and made them C functions as you requested (I think it's nicer too).
Andres Gonzalez
Comment 11 2022-03-03 05:00:18 PST
(In reply to Tyler Wilcock from comment #9) > Created attachment 453685 [details] > Patch --- a/Source/WebCore/ChangeLog +++ a/Source/WebCore/ChangeLog + Test: accessibility/svg-font-face-should-not-crash.html Can we rename this test to just svg-font-face.html. Nothing should crash, so it is extra typing and reading with no valuable information. It is like adding accessibility to the name of accessibility tests under the accessibility dir.
Andres Gonzalez
Comment 12 2022-03-03 05:08:10 PST
(In reply to Tyler Wilcock from comment #9) > Created attachment 453685 [details] > Patch --- a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h +++ a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h +#import "FontPlatformData.h" Can we forward declare what we need from this header and #import in the .mm instead. This helps with compile time.
Andres Gonzalez
Comment 13 2022-03-03 05:10:39 PST
(In reply to Andres Gonzalez from comment #12) > (In reply to Tyler Wilcock from comment #9) > > Created attachment 453685 [details] > > Patch > > --- a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h > +++ a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h > > +#import "FontPlatformData.h" > > Can we forward declare what we need from this header and #import in the .mm > instead. This helps with compile time. +void AXAttributeStringSetFont(NSMutableAttributedString*, CTFontRef, NSRange); Shouldn't this be AXAttributedStringSetFont instead of AXAttributeStringSetFont?
Andres Gonzalez
Comment 14 2022-03-03 07:07:45 PST
(In reply to Tyler Wilcock from comment #9) > Created attachment 453685 [details] > Patch --- a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm +++ a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm +bool AXAttributedStringRangeIsValid(NSAttributedString *attributedString, NSRange range) +{ + return NSMaxRange(range) <= [attributedString length]; +} Do we need a function to make this check? I believe it is more readable to have the check inline where it is needed. Otherwise you would be wondering what AXAttributedStringRangeIsValid is doing? +void AXAttributeStringSetFont(NSMutableAttributedString* attributedString, CTFontRef font, NSRange range) Shouldn't the name be AXAttributedStringSetFont? NSMutableAttributedString* attributedString has the * in the wrong side. Shouldn't we pass NSRange by reference? + RetainPtr<NSMutableDictionary> fontAttributes = adoptNS([[NSMutableDictionary alloc] init]); + RetainPtr<CFStringRef> familyName = adoptCF(CTFontCopyFamilyName(font)); Do we need to retain all these local variables? NSNumber* size = [NSNumber numberWithFloat:CTFontGetSize(font)]; * in the wrong side. - [attrString addAttribute:UIAccessibilityTokenFontName value:(NSString*)fullName.get() range:range]; + [fontAttributes setValue:(__bridge NSString*)fullName.get() forKey:UIAccessibilityTokenFontName]; Use bridge_cast instead of (__bridge NSString*). + CTFontSymbolicTraits traits = CTFontGetSymbolicTraits(font); Can we use auto here? + [fontAttributes setValue:(__bridge NSString*)familyName.get() forKey:NSAccessibilityFontFamilyKey]; bridge_cast + [fontAttributes setValue:(__bridge NSString*)postScriptName.get() forKey:NSAccessibilityFontNameKey]; bridge_cast + [fontAttributes setValue:(__bridge NSString*)displayName.get() forKey:NSAccessibilityVisibleNameKey]; bridge_cast
Tyler Wilcock
Comment 15 2022-03-03 10:39:42 PST
Created attachment 453760 [details] Patch
Tyler Wilcock
Comment 16 2022-03-03 15:09:24 PST
Created attachment 453788 [details] Patch
chris fleizach
Comment 17 2022-03-03 20:55:27 PST
Comment on attachment 453788 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=453788&action=review > Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h:61 > +bool AXAttributedStringRangeIsValid(NSAttributedString*, NSRange); * in wrong place
Andres Gonzalez
Comment 18 2022-03-04 07:45:46 PST
(In reply to Tyler Wilcock from comment #16) > Created attachment 453788 [details] > Patch --- a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h +++ a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h +bool AXAttributedStringRangeIsValid(NSAttributedString*, NSRange); if we are keeping this function, if should be: bool AXAttributedStringRangeIsValid(NSAttributedString *, const NSRange&); or we can get rid of it altogether. +void AXAttributedStringSetFont(NSMutableAttributedString*, CTFontRef, const NSRange&); NSMutableAttributedString* -> NSMutableAttributedString * --- a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm +++ a/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm +bool AXAttributedStringRangeIsValid(NSAttributedString *attributedString, NSRange range) Same as above, remove or pass NSRange by reference.
Tyler Wilcock
Comment 19 2022-03-04 07:47:49 PST
Created attachment 453841 [details] Patch
Tyler Wilcock
Comment 20 2022-03-04 07:49:51 PST
Created attachment 453842 [details] Patch
EWS
Comment 21 2022-03-04 18:05:06 PST
Committed r290858 (248089@main): <https://commits.webkit.org/248089@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 453842 [details].
Note You need to log in before you can comment on or make changes to this bug.