Fix potential UAF if table role changes.

Bug: 903500
Change-Id: I4e55e0323fe642f8af0a79152a52bccc1cb6ac82
Reviewed-on: https://chromium-review.googlesource.com/c/1334195Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#607770}

ui/accessibility/ax_table_info_unittest.cc

@@ -820,4 +820,32 @@ TEST_F(AXTableInfoTest, AriaIndicesinferred) {
   EXPECT_EQ(5, cell_2_2->GetTableCellAriaColIndex());
 }
 
+TEST_F(AXTableInfoTest, TableChanges) {
+  // Simple 2 col x 1 row table
+  AXTreeUpdate initial_state;
+  initial_state.root_id = 1;
+  initial_state.nodes.resize(4);
+  MakeTable(&initial_state.nodes[0], 1, 0, 0);
+  initial_state.nodes[0].child_ids = {2};
+  MakeRow(&initial_state.nodes[1], 2, 0);
+  initial_state.nodes[1].child_ids = {3, 4};
+  MakeCell(&initial_state.nodes[2], 3, 0, 0);
+  MakeCell(&initial_state.nodes[3], 4, 0, 1);
+  AXTree tree(initial_state);
+
+  AXTableInfo* table_info = GetTableInfo(&tree, tree.root());
+  EXPECT_TRUE(table_info);
+
+  EXPECT_EQ(1, table_info->row_count);
+  EXPECT_EQ(2, table_info->col_count);
+
+  // Update the tree to remove the table role.
+  AXTreeUpdate update = initial_state;
+  update.nodes[0].role = ax::mojom::Role::kGroup;
+  ASSERT_TRUE(tree.Unserialize(update));
+
+  table_info = GetTableInfo(&tree, tree.root());
+  EXPECT_FALSE(table_info);
+}
+
 }  // namespace ui

ui/accessibility/ax_tree.cc

@@ -488,6 +488,7 @@ AXTableInfo* AXTree::GetTableInfo(const AXNode* const_table_node) const {
         // If Update() returned false, this is no longer a valid table.
         // Remove it from the map.
         delete table_info;
+        table_info = nullptr;
         table_info_map_.erase(table_node->id());
       }
       // See note about const_cast, above.