Bug 1319640: Ensure that a11y::ChildrenEnumVariant does not output bad native accessible pointers; r=tbsaunde, a=gchang
MozReview-Commit-ID: l0RDW9zDOo
--- a/accessible/windows/msaa/EnumVariant.cpp
+++ b/accessible/windows/msaa/EnumVariant.cpp
@@ -29,23 +29,34 @@ ChildrenEnumVariant::Next(ULONG aCount,
return E_INVALIDARG;
*aCountFetched = 0;
if (mAnchorAcc->IsDefunct() || mAnchorAcc->GetChildAt(mCurIndex) != mCurAcc)
return CO_E_OBJNOTCONNECTED;
ULONG countFetched = 0;
- for (; mCurAcc && countFetched < aCount; countFetched++) {
+ while (mCurAcc && countFetched < aCount) {
VariantInit(aItems + countFetched);
- aItems[countFetched].pdispVal = AccessibleWrap::NativeAccessible(mCurAcc);
+
+ IDispatch* accNative = AccessibleWrap::NativeAccessible(mCurAcc);
+
+ ++mCurIndex;
+ mCurAcc = mAnchorAcc->GetChildAt(mCurIndex);
+
+ // Don't output the accessible and count it as having been fetched unless
+ // it is non-null
+ MOZ_ASSERT(accNative);
+ if (!accNative) {
+ continue;
+ }
+
+ aItems[countFetched].pdispVal = accNative;
aItems[countFetched].vt = VT_DISPATCH;
-
- mCurIndex++;
- mCurAcc = mAnchorAcc->GetChildAt(mCurIndex);
+ ++countFetched;
}
(*aCountFetched) = countFetched;
return countFetched < aCount ? S_FALSE : S_OK;
A11Y_TRYBLOCK_END
}