authorDavid Tseng <dtseng@google.com>2022-10-06 21:30:34 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-12-16 16:49:09 +0000
commit916b739acdcafd12b98fb4922c38889774200660 (patch)
tree7fc9301afd03c975379e050911138bc8ee71ffac
parent1abe1ada518f72d695087e195f16e6a4b9c38faa (diff)
downloadqtwebengine-chromium-916b739acdcafd12b98fb4922c38889774200660.tar.gz
[Backport] CVE-2022-4194: Use after free in Accessibility
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3938387: Remove unneeded codepath AXWidgetObjWrapper::OnVisibilityChanged This function was once needed[1] because focus changes might not be conveyed when widgets were hidden. Since then, focus is computed by AutomationInternalCustomBindings based on raw tree updates, so this specific path is no longer needed. This also has the benefit of avoiding a potential UAF (see bug) which gets triggered when trying to dispatch a focus change during shutdown. 1. https://codereview.chromium.org/2456673002 R=katie@chromium.org Bug: 1370562 AX-Relnotes: n/a Test: cq. Manually open find dialog and press escape as per crbug.com/659813 and see bug does not occur. Change-Id: I495a17defcdbe4be6e562f61a4d1834efa349543 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938387 Reviewed-by: Katie Dektar <katie@chromium.org> Commit-Queue: David Tseng <dtseng@chromium.org> Cr-Commit-Position: refs/heads/main@{#1056019} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/447108 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/ui/views/accessibility/ax_aura_obj_cache.h6
-rw-r--r--chromium/ui/views/accessibility/ax_widget_obj_wrapper.cc6
-rw-r--r--chromium/ui/views/accessibility/ax_widget_obj_wrapper.h1
3 files changed, 3 insertions, 10 deletions
diff --git a/chromium/ui/views/accessibility/ax_aura_obj_cache.h b/chromium/ui/views/accessibility/ax_aura_obj_cache.h
index 674e1048944..448b9523729 100644
--- a/chromium/ui/views/accessibility/ax_aura_obj_cache.h
+++ b/chromium/ui/views/accessibility/ax_aura_obj_cache.h
@@ -88,9 +88,6 @@ class VIEWS_EXPORT AXAuraObjCache : public aura::client::FocusChangeObserver {
// Get the object that has focus.
AXAuraObjWrapper* GetFocus();
- // Send a notification that the focused view may have changed.
- void OnFocusedViewChanged();
-
// Tell our delegate to fire an event on a given object.
void FireEvent(AXAuraObjWrapper* aura_obj, ax::mojom::Event event_type);
@@ -122,6 +119,9 @@ class VIEWS_EXPORT AXAuraObjCache : public aura::client::FocusChangeObserver {
View* GetFocusedView();
+ // Send a notification that the focused view may have changed.
+ void OnFocusedViewChanged();
+
// aura::client::FocusChangeObserver override.
void OnWindowFocused(aura::Window* gained_focus,
aura::Window* lost_focus) override;
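Review bot: The relocated `OnFocusedViewChanged()` declaration keeps its old one-line comment, which no longer says why the method was moved out of the public section (the access specifier is outside the hunk, so that the new location is private is inferred from the commit message rather than visible). Since the motivation is that dispatching a focus change from a widget observer callback during shutdown can reach a freed object, that constraint belongs on the declaration so the method is not re-exposed by a later change. Suggest replacing the comment with `// Send a notification that the focused view may have changed. Kept off the public interface: dispatching it from widget observer callbacks during teardown can reach freed objects (see Bug 1370562).` The class body continues outside the hunk.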
diff --git a/chromium/ui/views/accessibility/ax_widget_obj_wrapper.cc b/chromium/ui/views/accessibility/ax_widget_obj_wrapper.cc
index 7aba1f32a1d..58340cfbaf7 100644
--- a/chromium/ui/views/accessibility/ax_widget_obj_wrapper.cc
+++ b/chromium/ui/views/accessibility/ax_widget_obj_wrapper.cc
@@ -78,12 +78,6 @@ void AXWidgetObjWrapper::OnWidgetClosing(Widget* widget) {
aura_obj_cache_->Remove(widget);
}
-void AXWidgetObjWrapper::OnWidgetVisibilityChanged(Widget*, bool) {
- // If a widget changes visibility it may affect what's focused, in particular
- // when a widget that contains the focused view gets hidden.
- aura_obj_cache_->OnFocusedViewChanged();
-}
-
void AXWidgetObjWrapper::OnWillRemoveView(Widget* widget, View* view) {
aura_obj_cache_->RemoveViewSubtree(view);
}
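Review bot: Removing `OnWidgetVisibilityChanged` closes the one path that dispatched a focus change during shutdown, but the callbacks that remain in this hunk, `OnWidgetClosing` and `OnWillRemoveView`, still dereference `aura_obj_cache_` from widget observer notifications, and nothing visible here establishes that the cache outlives the wrapper. If that ordering is guaranteed elsewhere (for instance the wrapper being unregistered before the cache is torn down), a short comment on the `aura_obj_cache_` member stating the invariant would make it reviewable; if it is not, a validity check before these calls would close the same class of defect rather than only the reported path. A one-line comment where the visibility handler used to be, along the lines of `// No visibility handler: focus is derived from tree updates, and firing focus changes from this observer during shutdown was unsafe.`, would stop a future reader from reintroducing the override.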
diff --git a/chromium/ui/views/accessibility/ax_widget_obj_wrapper.h b/chromium/ui/views/accessibility/ax_widget_obj_wrapper.h
index 53f3c600a0a..d4b8026101e 100644
--- a/chromium/ui/views/accessibility/ax_widget_obj_wrapper.h
+++ b/chromium/ui/views/accessibility/ax_widget_obj_wrapper.h
@@ -43,7 +43,6 @@ class AXWidgetObjWrapper : public AXAuraObjWrapper,
void OnWidgetDestroying(Widget* widget) override;
void OnWidgetDestroyed(Widget* widget) override;
void OnWidgetClosing(Widget* widget) override;
- void OnWidgetVisibilityChanged(Widget*, bool) override;
// WidgetRemovalsObserver overrides.
void OnWillRemoveView(Widget* widget, View* view) override;