From f72671ea854ae274aed216981aad292e40bd07b3 Mon Sep 17 00:00:00 2001 From: Ivan Efremov Date: Fri, 5 Feb 2021 04:00:58 +0700 Subject: [PATCH] 13837: Fix yet another a11y crash by properly checking a string range. Fixes https://github.com/brave/brave-browser/issues/13837 --- .../ui/accessibility/platform/ax_platform_node_mac.mm | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/chromium_src/ui/accessibility/platform/ax_platform_node_mac.mm b/chromium_src/ui/accessibility/platform/ax_platform_node_mac.mm index 239300a54e6c..e4073cedae24 100644 --- a/chromium_src/ui/accessibility/platform/ax_platform_node_mac.mm +++ b/chromium_src/ui/accessibility/platform/ax_platform_node_mac.mm @@ -8,8 +8,10 @@ // Assumed to be a temporary fix for // https://github.com/brave/brave-browser/issues/13778 +// and +// https://github.com/brave/brave-browser/issues/13837 #define BRAVE_ACCESSIBILITY_ATTRIBUTED_STRING_FOR_RANGE \ - id value = [self getAXValueAsString]; \ + id value = [self AXValue]; \ if (![value isKindOfClass:[NSString class]]) { \ ax::mojom::Role role = _node->GetData().role; \ base::debug::Alias(&role); \ @@ -19,6 +21,12 @@ << " Name: " << _node->GetName(); \ base::debug::DumpWithoutCrashing(); \ return nil; \ + } \ + NSString* str = value; \ + if (range.location == NSNotFound || \ + range.location + range.length > str.length) { \ + base::debug::DumpWithoutCrashing(); \ + return nil; \ } #include "../../../../ui/accessibility/platform/ax_platform_node_mac.mm"