authorAaron Leventhal <aleventhal@google.com>2022-07-18 21:22:33 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-08-09 11:36:21 +0000
commit9a8385241542eaad285501be6dc66d96a76c20aa (patch)
tree591abc71b9c3cebd277185b0d032bfc49c90b178
parent4b6ec8b20c9bcf0ecc0ee9ee174e50282f696011 (diff)
downloadqtwebengine-chromium-9a8385241542eaad285501be6dc66d96a76c20aa.tar.gz
[Backport] Security bug 1333970
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3757922: Speculative fix for IsValidCodePointInIndex() range crash Bug: 1333970 Cq-Include-Trybots: luci.chromium.try:linux-blink-web-tests-force-accessibility-rel Change-Id: I5a4c78e708357074fdec1f7a18fa928e39f9c51a Auto-Submit: Aaron Leventhal <aleventhal@chromium.org> Reviewed-by: Nektarios Paisios <nektar@chromium.org> Commit-Queue: Aaron Leventhal <aleventhal@chromium.org> Cr-Commit-Position: refs/heads/main@{#1025405} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/accessibility/browser_accessibility_manager.cc4
-rw-r--r--chromium/content/browser/accessibility/browser_accessibility_manager.h2
-rw-r--r--chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.cc4
-rw-r--r--chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.h1
-rw-r--r--chromium/ui/accessibility/ax_position.h39
-rw-r--r--chromium/ui/accessibility/ax_tree_manager.h5
-rw-r--r--chromium/ui/views/accessibility/views_ax_tree_manager.cc6
-rw-r--r--chromium/ui/views/accessibility/views_ax_tree_manager.h2
8 files changed, 56 insertions, 7 deletions
diff --git a/chromium/content/browser/accessibility/browser_accessibility_manager.cc b/chromium/content/browser/accessibility/browser_accessibility_manager.cc
index b52d3af532e..8b490c467d0 100644
--- a/chromium/content/browser/accessibility/browser_accessibility_manager.cc
+++ b/chromium/content/browser/accessibility/browser_accessibility_manager.cc
@@ -395,6 +395,10 @@ const ui::AXTreeData& BrowserAccessibilityManager::GetTreeData() const {
return ax_tree()->data();
}
+std::string BrowserAccessibilityManager::ToString() const {
+ return GetTreeData().ToString();
+}
+
void BrowserAccessibilityManager::OnWindowFocused() {
if (IsRootTree())
FireFocusEventsIfNeeded();
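Review bot: ToString() forwards to AXTreeData::ToString(), and elsewhere in this patch that string is emitted verbatim through AXPosition::ToDebugString() into a SANITIZER_NOTREACHED message; AXTreeData is not visible here, but if its ToString() includes the frame's URL or title, page content lands in that crash output. That is acceptable for the sanitizer-only path this change targets, but the override should say so, because nothing stops a later caller from routing it to release logging, e.g. `// Debug-only: serializes this frame's AXTreeData (may include URL/title). Not for release or user-facing logs.` on the definition.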
diff --git a/chromium/content/browser/accessibility/browser_accessibility_manager.h b/chromium/content/browser/accessibility/browser_accessibility_manager.h
index 105729b3150..f0fcd7bedb6 100644
--- a/chromium/content/browser/accessibility/browser_accessibility_manager.h
+++ b/chromium/content/browser/accessibility/browser_accessibility_manager.h
@@ -216,6 +216,8 @@ class CONTENT_EXPORT BrowserAccessibilityManager : public ui::AXTreeObserver,
// Get the AXTreeData for this frame.
const ui::AXTreeData& GetTreeData() const;
+ std::string ToString() const override;
+
// Called to notify the accessibility manager that its associated native
// view got focused.
virtual void OnWindowFocused();
diff --git a/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.cc b/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.cc
index f8725107d78..40ca2d22f32 100644
--- a/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.cc
+++ b/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.cc
@@ -530,4 +530,8 @@ ui::AXNode* AutomationAXTreeWrapper::GetParentNodeFromParentTreeAsAXNode()
return owner_->GetParent(tree_.root(), &wrapper);
}
+std::string AutomationAXTreeWrapper::ToString() const {
+ return "<AutomationAXTreeWrapper>";
+}
+
} // namespace extensions
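Review bot: The fixed string returned here carries no identity of the tree it describes, so when it surfaces through AXPosition::ToDebugString() in a range-error report every AutomationAXTreeWrapper looks alike, which defeats the purpose of the diagnostic this patch adds. The wrapper exposes GetParentTreeID() and owns `tree_`, so presumably its own AXTreeID is reachable too (confirm); if so, include it, along the lines of `return "<AutomationAXTreeWrapper tree_id=" + <own tree id>.ToString() + ">";`. The same remark applies to the ViewsAXTreeManager placeholder later in this patch.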
diff --git a/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.h b/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.h
index d2439216d13..487d3d4d666 100644
--- a/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.h
+++ b/chromium/extensions/renderer/api/automation/automation_ax_tree_wrapper.h
@@ -108,6 +108,7 @@ class AutomationAXTreeWrapper : public ui::AXTreeObserver,
ui::AXTreeID GetParentTreeID() const override;
ui::AXNode* GetRootAsAXNode() const override;
ui::AXNode* GetParentNodeFromParentTreeAsAXNode() const override;
+ std::string ToString() const override;
private:
// AXTreeObserver overrides.
diff --git a/chromium/ui/accessibility/ax_position.h b/chromium/ui/accessibility/ax_position.h
index 3cfc26a861c..0a226126e73 100644
--- a/chromium/ui/accessibility/ax_position.h
+++ b/chromium/ui/accessibility/ax_position.h
@@ -24,6 +24,7 @@
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
+#include "ui/accessibility/ax_common.h"
#include "ui/accessibility/ax_enum_util.h"
#include "ui/accessibility/ax_enums.mojom.h"
#include "ui/accessibility/ax_node.h"
@@ -362,15 +363,31 @@ class AXPosition {
return str + " annotated_text=" + base::UTF16ToUTF8(annotated_text);
}
+ // Helper for logging the position, the AXTreeManager and the anchor node.
+ std::string ToDebugString() const {
+ if (IsNullPosition()) {
+ return "* Position: null";
+ }
+ DCHECK(GetAnchor());
+ DCHECK(GetManager());
+ std::ostringstream str;
+ str << "* Position: " << ToString()
+ << "\n* Manager: " << GetManager()->ToString()
+ << "\n* Anchor node: " << *GetAnchor();
+ return str.str();
+ }
+
AXTreeID tree_id() const { return tree_id_; }
AXNodeID anchor_id() const { return anchor_id_; }
+ AXTreeManager* GetManager() const {
+ return AXTreeManagerMap::GetInstance().GetManager(tree_id());
+ }
+
AXNode* GetAnchor() const {
if (tree_id_ == AXTreeIDUnknown() || anchor_id_ == kInvalidAXNodeID)
return nullptr;
-
- const AXTreeManager* manager =
- AXTreeManagerMap::GetInstance().GetManager(tree_id());
+ const AXTreeManager* manager = GetManager();
if (manager)
return manager->GetNodeFromTree(tree_id(), anchor_id());
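Review bot: ToDebugString() dereferences GetManager() and GetAnchor() guarded only by DCHECKs, which are compiled out in release builds, yet this helper is invoked precisely on the inconsistent-state path the new SANITIZER_NOTREACHED guards cover; unless IsNullPosition() itself guarantees a live anchor and manager (not visible here), a range error can become a null dereference inside the diagnostic. Both lookups should be null-checked and the missing part reported instead of assumed. `std::ostringstream` also requires `<sstream>`, which is not among the includes visible in this file's include hunk — confirm it is pulled in earlier. GetManager() skips the `tree_id_ == AXTreeIDUnknown()` short-circuit that GetAnchor() performs before consulting the map; harmless if the map tolerates the unknown id, but worth matching.
```cpp
  std::string ToDebugString() const {
    if (IsNullPosition()) {
      return "* Position: null";
    }
    std::ostringstream str;
    str << "* Position: " << ToString();
    if (const AXTreeManager* manager = GetManager())
      str << "\n* Manager: " << manager->ToString();
    else
      str << "\n* Manager: <none for tree_id>";
    if (const AXNode* anchor = GetAnchor())
      str << "\n* Anchor node: " << *anchor;
    else
      str << "\n* Anchor node: <not found>";
    return str.str();
  }
```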
@@ -2380,6 +2397,16 @@ class AXPosition {
if (!text_position->IsIgnored() && !text_position->AtEndOfAnchor()) {
std::unique_ptr<base::i18n::BreakIterator> grapheme_iterator =
text_position->GetGraphemeIterator();
+ // The following situation should not be possible but there are existing
+ // crashes in the field.
+ //
+ // TODO(nektar): Remove this workaround as soon as the source of the bug
+ // is identified.
+ if (text_position->text_offset_ < 0 ||
+ text_position->text_offset_ > text_position->MaxTextOffset()) {
+ SANITIZER_NOTREACHED() << "Offset range error:\n" << ToDebugString();
+ return CreateNullPosition();
+ }
DCHECK_GE(text_position->text_offset_, 0);
DCHECK_LE(text_position->text_offset_, text_position->MaxTextOffset());
while (!text_position->AtStartOfAnchor() &&
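Review bot: The new range guard runs after `text_position->GetGraphemeIterator()` has already been constructed two lines above it, so if that call consults text_offset_ (its body is not visible here) the out-of-range offset is used once before the guard rejects it. Moving the check to the top of this branch, ahead of the iterator construction, keeps the speculative fix in front of all offset-dependent work: place the `if (text_position->text_offset_ < 0 || text_position->text_offset_ > text_position->MaxTextOffset()) { ... return CreateNullPosition(); }` block immediately after the `if (!text_position->IsIgnored() && !text_position->AtEndOfAnchor()) {` line. With the guard present, the `DCHECK_GE`/`DCHECK_LE` that follow can no longer fire and are now redundant. The enclosing function starts and ends outside this hunk.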
@@ -2432,9 +2459,11 @@ class AXPosition {
//
// TODO(nektar): Remove this workaround as soon as the source of the bug
// is identified.
- if (text_position->text_offset_ > text_position->MaxTextOffset())
+ if (text_position->text_offset_ < 0 ||
+ text_position->text_offset_ > text_position->MaxTextOffset()) {
+ SANITIZER_NOTREACHED() << "Offset range error:\n" << ToDebugString();
return CreateNullPosition();
-
+ }
DCHECK_GE(text_position->text_offset_, 0);
DCHECK_LE(text_position->text_offset_, text_position->MaxTextOffset());
while (!text_position->AtEndOfAnchor() &&
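Review bot: This guard duplicates the one added at the start-of-anchor counterpart above character for character, log message included; a private predicate keeps both sites in step when the workaround is tightened or removed as the TODO intends, e.g. `bool HasValidTextOffset() const { return text_offset_ >= 0 && text_offset_ <= MaxTextOffset(); }` used as `if (!text_position->HasValidTextOffset()) {`. MaxTextOffset() is also evaluated in the guard and again in the DCHECK_LE on the next line; its cost is not visible here, so if it is not trivial, caching it in a local avoids the repeat. The enclosing function starts and ends outside this hunk.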
diff --git a/chromium/ui/accessibility/ax_tree_manager.h b/chromium/ui/accessibility/ax_tree_manager.h
index ba8b4b654ac..80c636f100c 100644
--- a/chromium/ui/accessibility/ax_tree_manager.h
+++ b/chromium/ui/accessibility/ax_tree_manager.h
@@ -50,6 +50,11 @@ class AX_EXPORT AXTreeManager {
// Called when the tree manager is about to be removed from the tree map,
// `AXTreeManagerMap`.
virtual void WillBeRemovedFromMap() {}
+
+ // For debugging.
+ // TODO(benjamin.beaudry) Instead of this, implement GetTreeData() on all
+ // AXTreeManager subclasses, and have callers use GetTreeData().ToString();
+ virtual std::string ToString() const = 0;
};
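Review bot: Adding `ToString()` as a pure virtual on AXTreeManager breaks every subclass that does not override it, including any out-of-tree subclass a downstream consumer of this backport may carry, and two of the three overrides in this patch only return a fixed class name. Since the method exists for debugging only, a non-pure default such as `virtual std::string ToString() const { return "<AXTreeManager>"; }` would let those placeholder overrides go away and keep the base tolerant of subclasses that have nothing useful to report. `std::string` also requires `<string>` in this header; the include is not visible in the hunk, so confirm it is present.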
} // namespace ui
diff --git a/chromium/ui/views/accessibility/views_ax_tree_manager.cc b/chromium/ui/views/accessibility/views_ax_tree_manager.cc
index 861009afe4f..f2bb1571b86 100644
--- a/chromium/ui/views/accessibility/views_ax_tree_manager.cc
+++ b/chromium/ui/views/accessibility/views_ax_tree_manager.cc
@@ -4,8 +4,6 @@
#include "ui/views/accessibility/views_ax_tree_manager.h"
-#include <string>
-
#include "base/bind.h"
#include "base/callback.h"
#include "base/check.h"
@@ -99,6 +97,10 @@ ui::AXNode* ViewsAXTreeManager::GetParentNodeFromParentTreeAsAXNode() const {
return nullptr;
}
+std::string ViewsAXTreeManager::ToString() const {
+ return "<ViewsAXTreeManager>";
+}
+
void ViewsAXTreeManager::OnViewEvent(View* view, ax::mojom::Event event) {
DCHECK(view);
AXAuraObjWrapper* wrapper = cache_.GetOrCreate(view);
diff --git a/chromium/ui/views/accessibility/views_ax_tree_manager.h b/chromium/ui/views/accessibility/views_ax_tree_manager.h
index ab7313ce3cf..89cdde44155 100644
--- a/chromium/ui/views/accessibility/views_ax_tree_manager.h
+++ b/chromium/ui/views/accessibility/views_ax_tree_manager.h
@@ -7,6 +7,7 @@
#include <memory>
#include <set>
+#include <string>
#include <vector>
#include "base/callback_forward.h"
@@ -88,6 +89,7 @@ class VIEWS_EXPORT ViewsAXTreeManager : public ui::AXTreeManager,
ui::AXTreeID GetParentTreeID() const override;
ui::AXNode* GetRootAsAXNode() const override;
ui::AXNode* GetParentNodeFromParentTreeAsAXNode() const override;
+ std::string ToString() const override;
// AXActionHandlerBase implementation.
void PerformAction(const ui::AXActionData& data) override;