Fix null-dereference READ in AXPosition::AsValidDOMPosition

This is a follow-up to http://crrev.com/c/2426490 which prevents an infinite loop in AXPosition::AsValidDOMPosition by ensuring we have a changed AXPosition after calling CreatePreviousPosition in generated content. That fix failed to check that the previous position created was not null prior to seeing if it had indeed changed. Bugs: 1131019, 1133124 AX-Relnotes: Prevents a page crash when accessibility is enabled. Change-Id: Iaa8a7d79c5750809e6a3d39f7077f6593f95488d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2440630 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#812793}

Fix null-dereference READ in AXPosition::AsValidDOMPosition
This is a follow-up to http://crrev.com/c/2426490 which prevents an infinite loop in AXPosition::AsValidDOMPosition by ensuring we have a changed AXPosition after calling CreatePreviousPosition in generated content. That fix failed to check that the previous position created was not null prior to seeing if it had indeed changed. Bugs: 1131019, 1133124 AX-Relnotes: Prevents a page crash when accessibility is enabled. Change-Id: Iaa8a7d79c5750809e6a3d39f7077f6593f95488d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2440630 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#812793}
b42c9751 · Joanmarie Diggs · Commit Bot · 77442252 · b42c9751 · b42c9751
Commit b42c9751 authored Oct 01, 2020 by Joanmarie Diggs Committed by Commit Bot Oct 01, 2020
4 changed files
--- a/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
+++ b/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
@@ -1550,6 +1550,11 @@ IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest,
  RunHtmlTest(FILE_PATH_LITERAL("generated-content-after-hidden-input.html"));
 }
+IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest,
+                       AccessibilityGeneratedContentInEmptyPage) {
+  RunHtmlTest(FILE_PATH_LITERAL("generated-content-in-empty-page.html"));
+}
 IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityHead) {
  RunHtmlTest(FILE_PATH_LITERAL("head.html"));
 }

--- a/content/test/data/accessibility/html/generated-content-in-empty-page-expected-blink.txt
+++ b/content/test/data/accessibility/html/generated-content-in-empty-page-expected-blink.txt
+rootWebArea
++genericContainer ignored
++++staticText name='"'
++++++inlineTextBox name='"'
++++genericContainer
++++++staticText name='''
++++++++inlineTextBox name='''
--- a/content/test/data/accessibility/html/generated-content-in-empty-page.html
+++ b/content/test/data/accessibility/html/generated-content-in-empty-page.html
+<style type="text/css">*::before{content: open-quote;}</style>
--- a/third_party/blink/renderer/modules/accessibility/ax_position.cc
+++ b/third_party/blink/renderer/modules/accessibility/ax_position.cc
@@ -768,7 +768,7 @@ const AXPosition AXPosition::AsValidDOMPosition(
        return CreateNextPosition().AsValidDOMPosition(adjustment_behavior);
      case AXPositionAdjustmentBehavior::kMoveLeft:
        const AXPosition result = CreatePreviousPosition();
-        if (result != *this)
+        if (result && result != *this)
          return result.AsValidDOMPosition(adjustment_behavior);
        return {};
    }