Null-dereference READ in blink::AXPosition::AXPosition
This crash is caused by the following DOM structure (achieved via DOM manipulation):

  blink::HTMLBRElement
    blink::HTMLMapElement
      blink::Text
      blink::Text
      blink::HTMLAreaElement

Note that the <br> tag has children, which is not possible via markup, but can be generated easily with JavaScript.

In AXPosition::CreatePositionBeforeObject, the crash occurs here:

  const AXObject* parent = child.ParentObjectIncludedInTree();
  DCHECK(parent);  // parent is nullptr

While there is technically a parent node in the DOM, there is no layout node, since the tree is corrupted. The AXObject implementation for this depends on either a valid parent node or a layout node (see AXImageMapLink::ComputeParent). Creating an AXPosition in this state results in the nullptr dereference listed above.

An alternative would be to generate a parent specifically for AXImageMapLink in this scenario; however, I dropped that approach when it became clear that the layout and accessibility engines hit lots of DCHECKs when the DOM tree is invalid (as they should). Instead, the approach taken here is to add additional resilience in AXPosition to handle invalid parent/child relationships.

Bug: 996525
Change-Id: I598e4ac930d4caeb10ce74f6328d3a75eb9580fe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1830012
Commit-Queue: Nektarios Paisios <nektar@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#703459}