Google Git
Sign in
webkit / WebKit / b4307dfcb9a2061cb17b972c32a8eeb087cd0342^! / .
commitb4307dfcb9a2061cb17b972c32a8eeb087cd0342[log] [tgz]
authorn_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Sep 28 04:09:21 2016 +0000
committern_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Sep 28 04:09:21 2016 +0000
treed4495960e7e3d0a28cdd8c02a382803c8146d4a4
parentd509fcb7e121d62f6a524de0be1c848d2d2e2086 [diff]
AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
https://bugs.webkit.org/show_bug.cgi?id=162654

Reviewed by Chris Fleizach.

Source/WebCore:

rangeForUnorderedCharacterOffsets() can return a null Range but we failed to
do a null check in localCaretRectForCharacterOffset() before dereferencing it.

Test: accessibility/mac/bounds-for-range-crash.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::localCaretRectForCharacterOffset):

LayoutTests:

* accessibility/mac/bounds-for-range-crash-expected.txt: Added.
* accessibility/mac/bounds-for-range-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@206494 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index caebedc..3180c16 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog

@@ -1,3 +1,13 @@
+2016-09-27  Nan Wang  <n_wang@apple.com>
+
+        AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
+        https://bugs.webkit.org/show_bug.cgi?id=162654
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/mac/bounds-for-range-crash-expected.txt: Added.
+        * accessibility/mac/bounds-for-range-crash.html: Added.
+
 2016-09-27  Ryosuke Niwa  <rniwa@webkit.org>
 
         Toggling display: none on a parent element of a slot which shares style with its parent doesn't update the slot's visibility

diff --git a/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt b/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt
new file mode 100644
index 0000000..ae85db0
--- /dev/null
+++ b/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt

@@ -0,0 +1,10 @@
+Shop
+This tests that boundsForRange with invalid text marker is not causing crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

diff --git a/LayoutTests/accessibility/mac/bounds-for-range-crash.html b/LayoutTests/accessibility/mac/bounds-for-range-crash.html
new file mode 100644
index 0000000..aec3a99
--- /dev/null
+++ b/LayoutTests/accessibility/mac/bounds-for-range-crash.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+
+<a id="link" href="">
+Shop<img alt="">
+</a>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This tests that boundsForRange with invalid text marker is not causing crash.");
+    
+    if (window.accessibilityController) {
+        var textChild = accessibilityController.accessibleElementById("link").childAtIndex(0);
+        
+        // Make sure calling boundsForRange won't cause crash.
+        var bounds = textChild.boundsForRange(0, 5);
+    }
+</script>
+
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 2839345..f8f7ae7 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog

@@ -1,3 +1,18 @@
+2016-09-27  Nan Wang  <n_wang@apple.com>
+
+        AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
+        https://bugs.webkit.org/show_bug.cgi?id=162654
+
+        Reviewed by Chris Fleizach.
+
+        rangeForUnorderedCharacterOffsets() can return a null Range but we failed to
+        do a null check in localCaretRectForCharacterOffset() before dereferencing it.
+
+        Test: accessibility/mac/bounds-for-range-crash.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::localCaretRectForCharacterOffset):
+
 2016-09-27  Alex Christensen  <achristensen@webkit.org>
 
         Inline critical functions in URLParser

diff --git a/Source/WebCore/accessibility/AXObjectCache.cpp b/Source/WebCore/accessibility/AXObjectCache.cpp
index 6516368..9d42cc6 100644
--- a/Source/WebCore/accessibility/AXObjectCache.cpp
+++ b/Source/WebCore/accessibility/AXObjectCache.cpp

@@ -2463,6 +2463,9 @@
     int caretOffset;
     // Use a collapsed range to get the position.
     RefPtr<Range> range = rangeForUnorderedCharacterOffsets(characterOffset, characterOffset);
+    if (!range)
+        return IntRect();
+    
     Position startPosition = range->startPosition();
     startPosition.getInlineBoxAndOffset(DOWNSTREAM, inlineBox, caretOffset);