Bug 1319640: Ensure that a11y::ChildrenEnumVariant does not output bad native accessible pointers; r=tbsaunde
authorAaron Klotz <aklotz@mozilla.com>
Sat, 03 Dec 2016 15:42:21 -0700
changeset 325248 522ef8286421b04ade4f963542ac35aa51e72e6a
parent 325247 6520346b0a23bda448e25df6b50ab309e940cdbd
child 325249 96749829f50afb4e1fd86195b8ca2e6b269c1ba6
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewerstbsaunde
bugs1319640
milestone53.0a1
Bug 1319640: Ensure that a11y::ChildrenEnumVariant does not output bad native accessible pointers; r=tbsaunde MozReview-Commit-ID: l0RDW9zDOo
accessible/windows/msaa/EnumVariant.cpp
--- a/accessible/windows/msaa/EnumVariant.cpp
+++ b/accessible/windows/msaa/EnumVariant.cpp
@@ -27,23 +27,34 @@ ChildrenEnumVariant::Next(ULONG aCount, 
     return E_INVALIDARG;
 
   *aCountFetched = 0;
 
   if (mAnchorAcc->IsDefunct() || mAnchorAcc->GetChildAt(mCurIndex) != mCurAcc)
     return CO_E_OBJNOTCONNECTED;
 
   ULONG countFetched = 0;
-  for (; mCurAcc && countFetched < aCount; countFetched++) {
+  while (mCurAcc && countFetched < aCount) {
     VariantInit(aItems + countFetched);
-    aItems[countFetched].pdispVal = AccessibleWrap::NativeAccessible(mCurAcc);
+
+    IDispatch* accNative = AccessibleWrap::NativeAccessible(mCurAcc);
+
+    ++mCurIndex;
+    mCurAcc = mAnchorAcc->GetChildAt(mCurIndex);
+
+    // Don't output the accessible and count it as having been fetched unless
+    // it is non-null
+    MOZ_ASSERT(accNative);
+    if (!accNative) {
+      continue;
+    }
+
+    aItems[countFetched].pdispVal = accNative;
     aItems[countFetched].vt = VT_DISPATCH;
-
-    mCurIndex++;
-    mCurAcc = mAnchorAcc->GetChildAt(mCurIndex);
+    ++countFetched;
   }
 
   (*aCountFetched) = countFetched;
 
   return countFetched < aCount ? S_FALSE : S_OK;
 
   A11Y_TRYBLOCK_END
 }