From 984e2a6b7a92b8c144f2b4463f5904e449cb3cc1 Mon Sep 17 00:00:00 2001
From: Georges Basile Stavracas Neto
Date: Tue, 15 Oct 2024 11:44:23 -0300
Subject: [PATCH] AX: [GTK]: Fix crash in AccessibilityObjectAtspi::textAttributes

https://bugs.webkit.org/show_bug.cgi?id=281492

Reviewed by NOBODY (OOPS!).

In the AccessibilityObjectAtspi::textAttributes() method, the accessibilityTextAttributes() function is called for various AXObjects. These objects are retrived by querying the AXObjectCache of the document. However, the cache can legitimately return nullptr when the AXObject is not cached.

The AccessibilityObjectAtspi::textAttributes() method did not check for nullptr, and the accessibilityTextAttributes() function is not nullptr safe. This crashes.

Make AccessibilityObjectAtspi::textAttributes() check if the AXObject is a nullptr before passing it down to accessibilityTextAttributes().

* Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:
(WebCore::AccessibilityObjectAtspi::textAttributes const):
---
 .../atspi/AccessibilityObjectTextAtspi.cpp | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
index 50b4f58be2f3..a49bfd939716 100644
--- a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
+++ b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
@@ -38,6 +38,7 @@
 #include "TextIterator.h"
 #include "VisibleUnits.h"
 #include
+#include
 #include
 
 namespace WebCore {
@@ -763,6 +764,9 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
 
     auto accessibilityTextAttributes = [this](AXCoreObject* axObject, const HashMap& defaultAttributes) -> HashMap {
         HashMap attributes;
+
+        RELEASE_ASSERT(axObject);
+
         auto& style = axObject->renderer()->style();
 
         auto addAttributeIfNeeded = [&](const String& name, const String& value) {
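Review bot: The `RELEASE_ASSERT(axObject)` added to the accessibilityTextAttributes lambda only moves the failure one line: `axObject->renderer()->style()` on the next context line still dereferences `renderer()` without a check, so if an AX object can reach this lambda without a renderer (not determinable from the hunk) the crash remains. If a null renderer is reachable, `auto* renderer = axObject->renderer(); RELEASE_ASSERT(renderer);` next to the existing assert would at least make it an explicit, diagnosable failure. Since the description calls a null AX object a legitimate cache result, the assert is a contract on callers rather than a fix, and deserves a comment such as `// Callers must skip uncached (null) objects; reaching here with null is a programmer error.`. The enclosing textAttributes() method starts before and ends after this hunk.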
@@ -838,8 +842,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
         return { WTFMove(defaultAttributes), -1, -1 };
 
     if (!*utf16Offset && m_hasListMarkerAtStart) {
+        auto axObject = m_coreObject->children()[0].get();
+        RELEASE_ASSERT(axObject);
+
         // Always consider list marker an independent run.
-        auto attributes = accessibilityTextAttributes(m_coreObject->children()[0].get(), defaultAttributes);
+        auto attributes = accessibilityTextAttributes(axObject, defaultAttributes);
 
         if (!includeDefault)
             return { WTFMove(attributes), 0, 1 };
@@ -871,7 +878,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
             if (r->firstChildSlow())
                 continue;
 
-            auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
+            auto axObject = r->document().axObjectCache()->get(r);
+            if (!axObject)
+                continue;
+
+            auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
 
             if (childAttributes != attributes)
                 break;
@@ -885,7 +896,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
             if (r->firstChildSlow())
                 continue;
 
-            auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
+            auto axObject = r->document().axObjectCache()->get(r);
+            if (!axObject)
+                continue;
+
+            auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
 
             if (childAttributes != attributes)
                 break;
-- 
2.46.1
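Review bot: `m_coreObject->children()[0].get()` indexes the children vector before the new `RELEASE_ASSERT(axObject)` runs, so the assert checks the element pointer but not that an element exists; if `m_hasListMarkerAtStart` can be set while `children()` is empty (not determinable from this hunk), the out-of-bounds access happens first. Guarding the size as well, `auto& children = m_coreObject->children(); RELEASE_ASSERT(!children.isEmpty()); auto axObject = children[0].get();`, covers both cases. Separately, the description says the cache can legitimately return nullptr, yet this path asserts while the two loops below skip null objects; if a null first child is reachable in practice, falling back to the default attributes here would be the non-crashing counterpart, so it is worth confirming which behaviour is intended. textAttributes() continues outside the hunk on both sides.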
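Review bot: The new `continue` on a null lookup treats a leaf renderer without a cached AX object as belonging to the current attribute run, so the run's extent grows past a renderer whose attributes were never compared; if such a leaf can carry different styling (I cannot tell from here), `break` would end the run conservatively instead. In addition, `r->document().axObjectCache()` is still dereferenced unconditionally on the new line; if the cache pointer can be null here, `auto* cache = r->document().axObjectCache(); auto axObject = cache ? cache->get(r) : nullptr;` keeps the new null handling on one path. The loop this hunk belongs to starts and ends outside it.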
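Review bot: This hunk repeats the cache lookup and null check of the previous hunk verbatim, so the two loops now differ only by direction and any later fix to the lookup (for example, a null `axObjectCache()` guard) has to be made twice. A small lambda declared once before the loops, next to the existing `accessibilityTextAttributes` lambda, would own the lookup, and each loop would reduce to a call followed by the `continue`. The enclosing loop and function extend beyond the hunk.
```cpp
// Resolve the cached AX object for a renderer; null when the document has no
// cache or the renderer is not cached, so callers can skip it.
auto cachedAXObject = [](auto* renderer) -> AXCoreObject* {
    auto* cache = renderer->document().axObjectCache();
    return cache ? cache->get(renderer) : nullptr;
};
// … unchanged: both run-extension loops, each now reading …
auto axObject = cachedAXObject(r);
if (!axObject)
    continue;
```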