-
Joanmarie Diggs authored
If AXPosition::AsValidDOMPosition is called with kMoveLeft on an inline text box created from generated content, and that text box immediately follows an input with visibility:hidden, an infinite loop can occur: In the case of generated content, AsValidDOMPosition will attempt to create a previous position based on the previous object (i.e. the hidden input, which lacks accessible children). In order to not skip over intervening text in the case of native text controls, CreatePreviousPosition returns a position immediately after that control (i.e. the generated content). In order to prevent this infinite loop, check the resulting AXPosition before calling AsValidDOMPosition on it. If the position hasn't changed after we've tried to convert a generated-content position into a DOM position, return an empty AXPosition. AX-Relnotes: Prevents a page crash when accessibility is enabled. Bug: 1131019 Change-Id: I4d7899bb598ce03a679b553aafb509ef2028ac05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2426490 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by:
Dominic Mazzoni <dmazzoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#811387}
250248a2
