Bug 1383501 - Do not crash when TabParent::RecvPDocAccessibleConstructor receives a null COM proxy sent to the parent process. r=jimm
authorAaron Klotz <aklotz@mozilla.com>
Wed, 04 Oct 2017 09:12:25 -0600
changeset 427325 e2a6e2ddfa184b5a1f410408d7232ed0041a360f
parent 427324 fb36ba32359ba3b0f4d45491e0356442812e0178
child 427326 fa55d49d1b7b81cd4d1610b0050bd27020a0bb98
push id97
push userfmarier@mozilla.com
push dateSat, 14 Oct 2017 01:12:59 +0000
reviewersjimm
bugs1383501
milestone58.0a1
Bug 1383501 - Do not crash when TabParent::RecvPDocAccessibleConstructor receives a null COM proxy sent to the parent process. r=jimm MozReview-Commit-ID: 5IOuLXc375T
accessible/ipc/win/ProxyAccessible.cpp
accessible/ipc/win/ProxyAccessible.h
dom/ipc/TabParent.cpp
--- a/accessible/ipc/win/ProxyAccessible.cpp
+++ b/accessible/ipc/win/ProxyAccessible.cpp
@@ -29,17 +29,17 @@ namespace a11y {
 
 bool
 ProxyAccessible::GetCOMInterface(void** aOutAccessible) const
 {
   if (!aOutAccessible) {
     return false;
   }
 
-  if (!mCOMProxy) {
+  if (!mCOMProxy && mSafeToRecurse) {
     // See if we can lazily obtain a COM proxy
     AccessibleWrap* wrap = WrapperFor(this);
     bool isDefunct = false;
     ProxyAccessible* thisPtr = const_cast<ProxyAccessible*>(this);
     // NB: Don't pass CHILDID_SELF here, use the absolute MSAA ID. Otherwise
     // GetIAccessibleFor will recurse into this function and we will just
     // overflow the stack.
     VARIANT realId = {VT_I4};
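Review bot: The new `mSafeToRecurse` test in `if (!mCOMProxy && mSafeToRecurse)` is not explained where it is used, and the existing comment inside the branch still describes only the lazy lookup. A comment above the condition would help, for example `// Skip the lazy lookup once SetCOMInterface() has been handed a null proxy; retrying cannot succeed.` The rest of GetCOMInterface lies outside this hunk, so it is worth confirming that the fall-through path with a null `mCOMProxy` still returns false and leaves `*aOutAccessible` in a defined state.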
--- a/accessible/ipc/win/ProxyAccessible.h
+++ b/accessible/ipc/win/ProxyAccessible.h
@@ -22,36 +22,47 @@ namespace mozilla {
 namespace a11y {
 
 class ProxyAccessible : public ProxyAccessibleBase<ProxyAccessible>
 {
 public:
   ProxyAccessible(uint64_t aID, ProxyAccessible* aParent,
                   DocAccessibleParent* aDoc, role aRole, uint32_t aInterfaces)
     : ProxyAccessibleBase(aID, aParent, aDoc, aRole, aInterfaces)
+    , mSafeToRecurse(true)
   {
     MOZ_COUNT_CTOR(ProxyAccessible);
   }
 
   ~ProxyAccessible()
   {
     MOZ_COUNT_DTOR(ProxyAccessible);
   }
 
 #include "mozilla/a11y/ProxyAccessibleShared.h"
 
   bool GetCOMInterface(void** aOutAccessible) const;
   void SetCOMInterface(const RefPtr<IAccessible>& aIAccessible)
-  { mCOMProxy = aIAccessible; }
+  {
+    if (aIAccessible) {
+      mCOMProxy = aIAccessible;
+    } else {
+      // If we were supposed to be receiving an interface (hence the call to
+      // this function), but the interface turns out to be null, then we're
+      // broken for some reason.
+      mSafeToRecurse = false;
+    }
+  }
 
 protected:
   explicit ProxyAccessible(DocAccessibleParent* aThisAsDoc)
     : ProxyAccessibleBase(aThisAsDoc)
   { MOZ_COUNT_CTOR(ProxyAccessible); }
 
 private:
   RefPtr<IAccessible> mCOMProxy;
+  bool                mSafeToRecurse;
 };
 
 }
 }
 
 #endif
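Review bot: `mSafeToRecurse` is initialised only in the public constructor; the protected `explicit ProxyAccessible(DocAccessibleParent* aThisAsDoc)` constructor, shown as context below `protected:`, leaves it indeterminate. `GetCOMInterface` now reads the flag whenever `mCOMProxy` is null, so an object built through that constructor branches on an uninitialised bool unless `SetCOMInterface` was called with a null interface first. Add `, mSafeToRecurse(true)` to that constructor's initialiser list too. The member would also benefit from a comment such as `// Cleared when SetCOMInterface() receives null; disables the lazy lookup in GetCOMInterface().`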
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -968,19 +968,21 @@ TabParent::RecvPDocAccessibleConstructor
       return IPC_FAIL_NO_REASON(this);
     }
 
     doc->SetTopLevel();
     a11y::DocManager::RemoteDocAdded(doc);
 #ifdef XP_WIN
     a11y::WrapperFor(doc)->SetID(aMsaaID);
     MOZ_ASSERT(!aDocCOMProxy.IsNull());
+#ifdef NIGHTLY_BUILD
     if (aDocCOMProxy.IsNull()) {
       return IPC_FAIL(this, "Constructing a top-level PDocAccessible with null COM proxy");
     }
+#endif
 
     RefPtr<IAccessible> proxy(aDocCOMProxy.Get());
     doc->SetCOMInterface(proxy);
     doc->MaybeInitWindowEmulation();
     doc->SendParentCOMProxy();
 #endif
   }
 #endif
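Review bot: With the `aDocCOMProxy.IsNull()` check compiled only under `NIGHTLY_BUILD`, every other build now carries a null proxy received from the child process through `doc->SetCOMInterface(proxy)`, `doc->MaybeInitWindowEmulation()` and `doc->SendParentCOMProxy()`. Neither of the last two is visible in this hunk, so their behaviour for a document with no COM proxy should be confirmed. If they are not known to tolerate it, wrap those two calls in `if (proxy) { ... }`. The unconditional `MOZ_ASSERT(!aDocCOMProxy.IsNull());` above still fires in debug builds of any channel, and a short comment saying why the hard IPC failure is kept for Nightly only would make the asymmetry deliberate. The enclosing function starts and ends outside the hunk.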