    Presumed fix for crash in AXFragmentRootWin · 103395c0
    Kevin Babbitt authored
    The Microsoft Edge team has reports of a null dereference crash showing
    up in automated usage testing. The symptom is that, while responding to
    a UIA Navigate call, we check to see whether the navigated-from element
    is the child of a fragment root. We come across an entry in the fragment
    root map from the element's HWND to a null fragment root pointer,
    dereference that null pointer, and crash.
    
    It's not expected that we'll ever have such an entry - the map is
    supposed to map HWNDs to non-null fragment roots. From the crash data
    we have, the exact sequence of calls leading up to this scenario is
    unclear, but I was able to reproduce one way it can occur and captured
    it in a unit test. The fix for the issue is, when looking up an entry
    in the map, use unordered_map::find() rather than operator[], the latter
    of which will create an entry if one doesn't exist.
    
    Bug: 1071185
    Change-Id: I5f04188e849ffc0969762d870b80603d4b7e15b5
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2148850
    Reviewed-by: Ian Prest <iapres@microsoft.com>
    Commit-Queue: Kevin Babbitt <kbabbitt@microsoft.com>
    Cr-Commit-Position: refs/heads/master@{#759435}
ax_fragment_root_win.cc 11.6 KB
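
The lookup difference the commit message describes, as an added example that is not part of the commit or of Chromium's code. `Handle`, `Root`, `RootMap` and the function names are hypothetical stand-ins for the HWND, the fragment root and the fragment root map.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>

// Hypothetical stand-ins for an HWND and a fragment root (not Chromium types).
using Handle = std::uintptr_t;
struct Root { std::string name; };
using RootMap = std::unordered_map<Handle, Root*>;

// Lookup with operator[]: for a missing key it value-initializes the mapped
// pointer (nullptr), inserts that entry, and leaves it in the map.
Root* LookupWithSubscript(RootMap& map, Handle h) { return map[h]; }

// Lookup with find(): read-only, so it also works on a const map and
// never creates an entry.
Root* LookupWithFind(const RootMap& map, Handle h) {
  auto it = map.find(h);
  return it == map.end() ? nullptr : it->second;
}

// Checks the invariant later callers rely on: every key present in the map
// maps to a non-null root. A caller that dereferences it->second without
// this check crashes once a null entry exists.
bool InvariantHolds(const RootMap& map) {
  for (const auto& entry : map)
    if (entry.second == nullptr) return false;
  return true;
}

int main() {
  Root root{"top-level window"};
  RootMap map;
  map.emplace(0x1000, &root);   // constructed sample handle values

  LookupWithFind(map, 0x2000);  // miss: map is unchanged
  std::cout << "after find():     size=" << map.size()
            << " invariant=" << InvariantHolds(map) << "\n";

  LookupWithSubscript(map, 0x2000);  // miss: inserts {0x2000, nullptr}
  std::cout << "after operator[]: size=" << map.size()
            << " invariant=" << InvariantHolds(map) << "\n";
  return 0;
}
```

Passing the map by `const` reference wherever a function only reads it makes an accidental `operator[]` a compile error, since `operator[]` is not available on a const `unordered_map`.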