AX: AccessibilityObject::insertChild does not check the validity of the insertionIndex while processing grandchildren
https://bugs.webkit.org/show_bug.cgi?id=241650
Reviewed by Chris Fleizach.
When AccessibilityObject::insertChild is asked to insert a child that's
ignored, we instead add that object's children. However, both
`accessibilityIsIgnored` and `children` can cause layout, and said
layout could cause AccessibilityObject::m_children to be cleared. This
makes the `insertionIndex` invalid, which causes a crash.
In this patch, right before m_children.insert(), we check to make sure
the index is still valid.
I wasn't able to make a test for this bug. It is difficult to reproduce,
and the circumstances to reproduce are complex.
* Source/WebCore/accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::insertChild):
Canonical link: https://commits.webkit.org/251623@main
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@295618 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/accessibility/AccessibilityObject.cpp b/Source/WebCore/accessibility/AccessibilityObject.cpp
index 89cbf3e..1e7f090 100644
--- a/Source/WebCore/accessibility/AccessibilityObject.cpp
+++ b/Source/WebCore/accessibility/AccessibilityObject.cpp
@@ -632,6 +632,9 @@
// Even though `child` is ignored, we still need to set ancestry flags based on it.
grandchild->initializeAncestorFlags(childAncestorFlags);
grandchild->addAncestorFlags(thisAncestorFlags);
+ // Calls to `child->accessibilityIsIgnored()` or `child->children()` can cause layout, which in turn can cause this object to clear its m_children. This can cause `insertionIndex` to no longer be valid. Detect this and break early if necessary.
+ if (insertionIndex > m_children.size())
+ break;
m_children.insert(insertionIndex, grandchild);
++insertionIndex;
}
