Prevent infinite loop in AXPosition::AsValidDOMPosition

If AXPosition::AsValidDOMPosition is called with kMoveLeft on an inline text box created from generated content, and that text box immediately follows an input with visibility:hidden, an infinite loop can occur: In the case of generated content, AsValidDOMPosition will attempt to create a previous position based on the previous object (i.e. the hidden input, which lacks accessible children). In order to not skip over intervening text in the case of native text controls, CreatePreviousPosition returns a position immediately after that control (i.e. the generated content). In order to prevent this infinite loop, check the resulting AXPosition before calling AsValidDOMPosition on it. If the position hasn't changed after we've tried to convert a generated-content position into a DOM position, return an empty AXPosition. AX-Relnotes: Prevents a page crash when accessibility is enabled. Bug: 1131019 Change-Id: I4d7899bb598ce03a679b553aafb509ef2028ac05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2426490 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#811387}

Prevent infinite loop in AXPosition::AsValidDOMPosition
If AXPosition::AsValidDOMPosition is called with kMoveLeft on an inline text box created from generated content, and that text box immediately follows an input with visibility:hidden, an infinite loop can occur: In the case of generated content, AsValidDOMPosition will attempt to create a previous position based on the previous object (i.e. the hidden input, which lacks accessible children). In order to not skip over intervening text in the case of native text controls, CreatePreviousPosition returns a position immediately after that control (i.e. the generated content). In order to prevent this infinite loop, check the resulting AXPosition before calling AsValidDOMPosition on it. If the position hasn't changed after we've tried to convert a generated-content position into a DOM position, return an empty AXPosition. AX-Relnotes: Prevents a page crash when accessibility is enabled. Bug: 1131019 Change-Id: I4d7899bb598ce03a679b553aafb509ef2028ac05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2426490 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#811387}
250248a2 · Joanmarie Diggs · Commit Bot · 589b9fbe · 250248a2 · 250248a2
Commit 250248a2 authored Sep 28, 2020 by Joanmarie Diggs Committed by Commit Bot Sep 28, 2020
4 changed files
--- a/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
+++ b/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
@@ -1541,6 +1541,11 @@ IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest,
  RunHtmlTest(FILE_PATH_LITERAL("frameset.html"));
 }

+IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest,
+                       AccessibilityGeneratedContentAfterHiddenInput) {
+  RunHtmlTest(FILE_PATH_LITERAL("generated-content-after-hidden-input.html"));
+}
+
 IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityHead) {
  RunHtmlTest(FILE_PATH_LITERAL("head.html"));
 }

--- a/content/test/data/accessibility/html/generated-content-after-hidden-input-expected-blink.txt
+++ b/content/test/data/accessibility/html/generated-content-after-hidden-input-expected-blink.txt
+rootWebArea
++genericContainer ignored
++++genericContainer ignored
++++++paragraph
++++++++textField ignored invisible
++++++++staticText name='*'
++++++++++inlineTextBox name='*'
--- a/content/test/data/accessibility/html/generated-content-after-hidden-input.html
+++ b/content/test/data/accessibility/html/generated-content-after-hidden-input.html
+<style>p:after { content: '*'; }</style>
+<p><input style="visibility: hidden;"></p>
--- a/third_party/blink/renderer/modules/accessibility/ax_position.cc
+++ b/third_party/blink/renderer/modules/accessibility/ax_position.cc
@@ -757,7 +757,10 @@ const AXPosition AXPosition::AsValidDOMPosition(
      case AXPositionAdjustmentBehavior::kMoveRight:
        return CreateNextPosition().AsValidDOMPosition(adjustment_behavior);
      case AXPositionAdjustmentBehavior::kMoveLeft:
-        return CreatePreviousPosition().AsValidDOMPosition(adjustment_behavior);
+        const AXPosition result = CreatePreviousPosition();
+        if (result != *this)
+          return result.AsValidDOMPosition(adjustment_behavior);
+        return {};
    }
  }