webkit2gtk3/bug281492.patch


From 984e2a6b7a92b8c144f2b4463f5904e449cb3cc1 Mon Sep 17 00:00:00 2001
From: Georges Basile Stavracas Neto <feaneron@igalia.com>
Date: Tue, 15 Oct 2024 11:44:23 -0300
Subject: [PATCH] AX: [GTK]: Fix crash in
AccessibilityObjectAtspi::textAttributes
https://bugs.webkit.org/show_bug.cgi?id=281492
Reviewed by NOBODY (OOPS!).
In the AccessibilityObjectAtspi::textAttributes() method, the
accessibilityTextAttributes() function is called for various AXObjects.
These objects are retrieved by querying the AXObjectCache of the
document.
However, the cache can legitimately return nullptr when the AXObject is
not cached. The AccessibilityObjectAtspi::textAttributes() method did
not check for nullptr, and the accessibilityTextAttributes() function
is not nullptr safe.
This crashes.
Make AccessibilityObjectAtspi::textAttributes() check if the AXObject
is a nullptr before passing it down to accessibilityTextAttributes().
* Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:
(WebCore::AccessibilityObjectAtspi::textAttributes const):
---
.../atspi/AccessibilityObjectTextAtspi.cpp | 21 ++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
index 50b4f58be2f3..a49bfd939716 100644
--- a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
+++ b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
@@ -38,6 +38,7 @@
#include "TextIterator.h"
#include "VisibleUnits.h"
#include <gio/gio.h>
+#include <wtf/Assertions.h>
#include <wtf/unicode/CharacterNames.h>
namespace WebCore {
@@ -763,6 +764,9 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
auto accessibilityTextAttributes = [this](AXCoreObject* axObject, const HashMap<String, String>& defaultAttributes) -> HashMap<String, String> {
HashMap<String, String> attributes;
+
+ RELEASE_ASSERT(axObject);
+
auto& style = axObject->renderer()->style();
auto addAttributeIfNeeded = [&](const String& name, const String& value) {
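Review bot: RELEASE_ASSERT(axObject) turns the null case into a deliberate abort, but the very next line, `auto& style = axObject->renderer()->style();`, still dereferences the result of renderer() without any check, so if renderer() can be null for an object that reaches this lambda the crash only moves one line down. Either confirm that every caller only passes objects that are guaranteed to have a renderer, or extend the guard to cover both, e.g. `RELEASE_ASSERT(axObject && axObject->renderer());`. A short comment above the assert, such as `// Callers must filter out uncached (null) AX objects; see the loops below.`, would explain why a hard assert rather than a graceful return is chosen here. The lambda body continues past the end of the hunk.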
@@ -838,8 +842,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
return { WTFMove(defaultAttributes), -1, -1 };
if (!*utf16Offset && m_hasListMarkerAtStart) {
+ auto axObject = m_coreObject->children()[0].get();
+ RELEASE_ASSERT(axObject);
+
// Always consider list marker an independent run.
- auto attributes = accessibilityTextAttributes(m_coreObject->children()[0].get(), defaultAttributes);
+ auto attributes = accessibilityTextAttributes(axObject, defaultAttributes);
if (!includeDefault)
return { WTFMove(attributes), 0, 1 };
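Review bot: The new guard checks the first child for null, but `m_coreObject->children()[0].get()` is indexed before anything verifies that children() is non-empty; if m_hasListMarkerAtStart can be set while the children vector is empty, the failure is an out-of-bounds read that RELEASE_ASSERT never sees. Whether that combination is possible is not visible from the hunk, so it is worth either asserting it (`RELEASE_ASSERT(!m_coreObject->children().isEmpty());`) or documenting the invariant next to the flag. Note also that this hunk aborts on a null child while the two later hunks in the same patch skip the renderer with `continue`; if a missing child AX object is as legitimate a cache state as a missing one for a renderer, a graceful fallback here would be more consistent. The enclosing textAttributes() body starts before and ends after this hunk.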
@@ -871,7 +878,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
if (r->firstChildSlow())
continue;
- auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
+ auto axObject = r->document().axObjectCache()->get(r);
+ if (!axObject)
+ continue;
+
+ auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
if (childAttributes != attributes)
break;
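Review bot: The null check covers the object returned by the cache but not the cache itself: `r->document().axObjectCache()->get(r)` still dereferences the return value of axObjectCache() unconditionally, and if that accessor can return null (e.g. when accessibility is not active for the document; not visible from here) the same class of crash remains one call earlier. Guarding it the same way, `auto* cache = r->document().axObjectCache(); if (!cache) continue;`, closes that gap, or the invariant should be stated in a comment. The identical four-line lookup-and-skip block is repeated in the next hunk (the second renderer loop); a small local helper or lambda returning the cached object or nullptr would keep the two loops from drifting apart. The enclosing loop and function extend beyond the hunk on both sides.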
@@ -885,7 +896,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
if (r->firstChildSlow())
continue;
- auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
+ auto axObject = r->document().axObjectCache()->get(r);
+ if (!axObject)
+ continue;
+
+ auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
if (childAttributes != attributes)
break;
--
2.46.1