NVDA with Japanese branch
Revision | 1d464fe9c9ba53d0e84c16df6308e56c89d2f634 (tree) |
---|---|
Zeit | 2018-09-26 12:40:06 |
Autor | Michael Curran <michaelDCurran@user...> |
Commiter | GitHub |
Work around crash in Google Chrome when navigating tweets on twitter.com (#8779)
* Gecko vbufBackend: work around bug in Google Chrome causing a crash on twitter.com due to IAccessible2_2::relationTargetsOfType buffer overrunning.
* Update what's new
* Address review comment.
@@ -30,10 +30,18 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html | ||
30 | 30 | |
31 | 31 | using namespace std; |
32 | 32 | |
33 | -CComPtr<IAccessible2> getLabelElement(IAccessible2_2* element) { | |
33 | +CComPtr<IAccessible2> GeckoVBufBackend_t::getLabelElement(IAccessible2_2* element) { | |
34 | 34 | IUnknown** ppUnk=nullptr; |
35 | 35 | long nTargets=0; |
36 | - constexpr int numRelations=2; | |
36 | + // We only need to request one relation target | |
37 | + int numRelations=1; | |
38 | + // However, a bug in Chrome causes a buffer overrun if numRelations is less than the total number of targets the node has. | |
39 | + // Therefore, If this is Chrome, request all targets (by setting numRelations to 0) as this works around the bug. | |
40 | + // There is no major performance hit to fetch all targets in Chrome as Chrome is already fetching all targets either way. | |
41 | + // In Firefox there would be extra cross-proc calls. | |
42 | + if(this->toolkitName.compare(L"Chrome")==0) { | |
43 | + numRelations=0; | |
44 | + } | |
37 | 45 | // the relation type string *must* be passed correctly as a BSTR otherwise we can see crashes in 32 bit Firefox. |
38 | 46 | HRESULT res=element->get_relationTargetsOfType(CComBSTR(IA2_RELATION_LABELLED_BY),numRelations,&ppUnk,&nTargets); |
39 | 47 | if(res!=S_OK) return nullptr; |
@@ -275,6 +283,9 @@ void GeckoVBufBackend_t::versionSpecificInit(IAccessible2* pacc) { | ||
275 | 283 | iaApp->Release(); |
276 | 284 | return; |
277 | 285 | } |
286 | + if(toolkitName) { | |
287 | + this->toolkitName = std::wstring(toolkitName, SysStringLen(toolkitName)); | |
288 | + } | |
278 | 289 | BSTR toolkitVersion = NULL; |
279 | 290 | if (iaApp->get_toolkitVersion(&toolkitVersion) != S_OK) { |
280 | 291 | iaApp->Release(); |
@@ -306,7 +317,7 @@ void GeckoVBufBackend_t::versionSpecificInit(IAccessible2* pacc) { | ||
306 | 317 | SysFreeString(toolkitVersion); |
307 | 318 | } |
308 | 319 | |
309 | -bool isLabelVisible(IAccessible2* pacc2) { | |
320 | +bool GeckoVBufBackend_t::isLabelVisible(IAccessible2* pacc2) { | |
310 | 321 | CComQIPtr<IAccessible2_2> pacc2_2=pacc2; |
311 | 322 | if(!pacc2_2) return false; |
312 | 323 | auto targetAcc=getLabelElement(pacc2_2); |
@@ -32,6 +32,10 @@ class GeckoVBufBackend_t: public VBufBackend_t { | ||
32 | 32 | |
33 | 33 | bool shouldDisableTableHeaders; |
34 | 34 | bool hasEncodedAccDescription; |
35 | + std::wstring toolkitName; | |
36 | + | |
37 | + bool isLabelVisible(IAccessible2* pacc2); | |
38 | + CComPtr<IAccessible2> getLabelElement(IAccessible2_2* element); | |
35 | 39 | |
36 | 40 | protected: |
37 | 41 |
@@ -3,6 +3,10 @@ What's New in NVDA | ||
3 | 3 | |
4 | 4 | %!includeconf: ../changes.t2tconf |
5 | 5 | |
6 | += 2018.3.2 = | |
7 | +This is a minor release to work around a crash in Google Chrome when navigating tweetts on www.twitter.com/ | |
8 | + | |
9 | + | |
6 | 10 | = 2018.3.1 = |
7 | 11 | This is a minor release to fix a critical bug in NVDA which caused 32 bit versions of Mozilla Firefox to crash. (#8759) |
8 | 12 |