Commit ecef46ad authored by James Teh

Bug 1829167: Construct an invalid TextLeafPoint if null is supplied to the constructor. r=nlapre, a=RyanVM

DocAccessibleChildBase::RecvSetTextSelection and RecvScrollTextLeafRangeIntoView construct TextLeafPoints without null checking the retrieved Accessible.
This can be null if the Accessible was destroyed in the content process but the parent process didn't know about this yet when it sent the request.
TextLeafPoint currently crashes if constructed with a null Accessible.
These DocAccessibleChildBase methods do check the validity of the range, which will be invalid if the TextLeafPoints are invalid.
Therefore, just construct an invalid TextLeafPoint if a null Accessible is given.

Differential Revision: https://phabricator.services.mozilla.com/D176494
parent 9bfa9de2
+7 −0
@@ -570,6 +570,13 @@ std::pair<nsIContent*, int32_t> TextLeafPoint::ToDOMPoint(
/*** TextLeafPoint ***/

TextLeafPoint::TextLeafPoint(Accessible* aAcc, int32_t aOffset) {
  if (!aAcc) {
    // Construct an invalid point.
    mAcc = nullptr;
    mOffset = 0;
    return;
  }

  // Even though an OuterDoc contains a document, we treat it as a leaf because
  // we don't want to move into another document.
  if (aOffset != nsIAccessibleText::TEXT_OFFSET_CARET && !aAcc->IsOuterDoc() &&
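
Review bot: The comment in the new `if (!aAcc)` branch at the top of the constructor should say why a null Accessible is an expected input and what callers must do with the result. "Construct an invalid point." only restates the code. The commit message has the real reason (the Accessible can be destroyed in the content process before the parent process knows), and that the change is safe only because RecvSetTextSelection and RecvScrollTextLeafRangeIntoView check range validity before use. Suggest carrying both facts into the comment so a later caller does not pass null and then use the point without checking it. Also, the change is +7 −0 in this one hunk with no test visible here; a regression test that builds a TextLeafPoint from a null Accessible and asserts that it is invalid would pin down the crash fix.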