Fix null-dereference in AXNodeObject::AnchorElement

AXObjectCacheImpl::GetOrCreate(LayoutObject*) can return a nullptr if the node is an area element. This change makes sure that the AXObject is valid before calling |IsAnchor|. Bug: 996460 Change-Id: I63b966615aec010c6df03292addbcd0a71e405ae Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1772283Reviewed-by: Kevin Babbitt <kbabbitt@microsoft.com> Reviewed-by: Aaron Leventhal <aleventhal@chromium.org> Commit-Queue: Adam Ettenberger <adettenb@microsoft.com> Cr-Commit-Position: refs/heads/master@{#691888}

Fix null-dereference in AXNodeObject::AnchorElement
AXObjectCacheImpl::GetOrCreate(LayoutObject*) can return a nullptr if the node is an area element. This change makes sure that the AXObject is valid before calling |IsAnchor|. Bug: 996460 Change-Id: I63b966615aec010c6df03292addbcd0a71e405ae Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1772283Reviewed-by: Kevin Babbitt <kbabbitt@microsoft.com> Reviewed-by: Aaron Leventhal <aleventhal@chromium.org> Commit-Queue: Adam Ettenberger <adettenb@microsoft.com> Cr-Commit-Position: refs/heads/master@{#691888}
c1a95080 · Adam Ettenberger · Commit Bot · 7269950b · c1a95080 · c1a95080
Commit c1a95080 authored Aug 30, 2019 by Adam Ettenberger Committed by Commit Bot Aug 30, 2019
4 changed files
--- a/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
+++ b/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
@@ -315,6 +315,11 @@ IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityAreaCrash) {
  RunHtmlTest(FILE_PATH_LITERAL("area-crash.html"));
 }

+IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest,
+                       AccessibilityAreaSerializationCrash) {
+  RunHtmlTest(FILE_PATH_LITERAL("area-serialization-crash.html"));
+}
+
 IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityAName) {
  RunHtmlTest(FILE_PATH_LITERAL("a-name.html"));
 }

--- a/content/test/data/accessibility/html/area-serialization-crash-expected-blink.txt
+++ b/content/test/data/accessibility/html/area-serialization-crash-expected-blink.txt
+rootWebArea
++genericContainer
++++link
++++++genericContainer invisible
++++staticText name='done'
++++++inlineTextBox name='done'
--- a/content/test/data/accessibility/html/area-serialization-crash.html
+++ b/content/test/data/accessibility/html/area-serialization-crash.html
+<!--
+@WAIT-FOR:done
+
+This is a regression test for a bug that crashes during blink serialization
+when determining if an area element is a descendant of an anchor.
+-->
+<!DOCTYPE html>
+<html>
+<script>
+  window.onload = () => {
+    var canvas = document.createElement('canvas');
+    canvas.id = 'canvas';
+    canvas.hidden = true;
+
+    var area = document.createElement('area');
+    area.appendChild(canvas);
+    document.body.appendChild(area);
+    document.body.appendChild(document.createTextNode('done'));
+  };
+</script>
+<body>
+</body>
+</html>
--- a/third_party/blink/renderer/modules/accessibility/ax_node_object.cc
+++ b/third_party/blink/renderer/modules/accessibility/ax_node_object.cc
@@ -2575,10 +2575,14 @@ Element* AXNodeObject::AnchorElement() const {
  // NOTE: this assumes that any non-image with an anchor is an
  // HTMLAnchorElement
  for (; node; node = node->parentNode()) {
-    if (IsA<HTMLAnchorElement>(*node) ||
-        (node->GetLayoutObject() &&
-         cache.GetOrCreate(node->GetLayoutObject())->IsAnchor()))
+    if (IsA<HTMLAnchorElement>(*node))
      return To<Element>(node);
+
+    if (LayoutObject* layout_object = node->GetLayoutObject()) {
+      AXObject* ax_object = cache.GetOrCreate(layout_object);
+      if (ax_object && ax_object->IsAnchor())
+        return To<Element>(node);
+    }
  }

  return nullptr;