| Revision | 1d464fe9c9ba53d0e84c16df6308e56c89d2f634 (tree) |
|---|---|
| Zeit | 2018-09-26 12:40:06 |
| Autor | Michael Curran <michaelDCurran@user...> |
| Commiter | GitHub |
Work around crash in Google Chrome when navigating tweets on twitter.com (#8779)
* Gecko vbufBackend: work around bug in Google Chrome causing a crash on twitter.com due to IAccessible2_2::relationTargetsOfType buffer overrunning.
* Update what's new
* Address review comment.
nvdaHelper/vbufBackends/gecko_ia2/gecko_ia2.cpp (diff)
nvdaHelper/vbufBackends/gecko_ia2/gecko_ia2.h (diff)
user_docs/en/changes.t2t (diff)| @@ -30,10 +30,18 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html | ||
| 30 | 30 | |
| 31 | 31 | using namespace std; |
| 32 | 32 | |
| 33 | -CComPtr<IAccessible2> getLabelElement(IAccessible2_2* element) { | |
| 33 | +CComPtr<IAccessible2> GeckoVBufBackend_t::getLabelElement(IAccessible2_2* element) { | |
| 34 | 34 | IUnknown** ppUnk=nullptr; |
| 35 | 35 | long nTargets=0; |
| 36 | - constexpr int numRelations=2; | |
| 36 | + // We only need to request one relation target | |
| 37 | + int numRelations=1; | |
| 38 | + // However, a bug in Chrome causes a buffer overrun if numRelations is less than the total number of targets the node has. | |
| 39 | + // Therefore, If this is Chrome, request all targets (by setting numRelations to 0) as this works around the bug. | |
| 40 | + // There is no major performance hit to fetch all targets in Chrome as Chrome is already fetching all targets either way. | |
| 41 | + // In Firefox there would be extra cross-proc calls. | |
| 42 | + if(this->toolkitName.compare(L"Chrome")==0) { | |
| 43 | + numRelations=0; | |
| 44 | + } | |
| 37 | 45 | // the relation type string *must* be passed correctly as a BSTR otherwise we can see crashes in 32 bit Firefox. |
| 38 | 46 | HRESULT res=element->get_relationTargetsOfType(CComBSTR(IA2_RELATION_LABELLED_BY),numRelations,&ppUnk,&nTargets); |
| 39 | 47 | if(res!=S_OK) return nullptr; |
| @@ -275,6 +283,9 @@ void GeckoVBufBackend_t::versionSpecificInit(IAccessible2* pacc) { | ||
| 275 | 283 | iaApp->Release(); |
| 276 | 284 | return; |
| 277 | 285 | } |
| 286 | + if(toolkitName) { | |
| 287 | + this->toolkitName = std::wstring(toolkitName, SysStringLen(toolkitName)); | |
| 288 | + } | |
| 278 | 289 | BSTR toolkitVersion = NULL; |
| 279 | 290 | if (iaApp->get_toolkitVersion(&toolkitVersion) != S_OK) { |
| 280 | 291 | iaApp->Release(); |
| @@ -306,7 +317,7 @@ void GeckoVBufBackend_t::versionSpecificInit(IAccessible2* pacc) { | ||
| 306 | 317 | SysFreeString(toolkitVersion); |
| 307 | 318 | } |
| 308 | 319 | |
| 309 | -bool isLabelVisible(IAccessible2* pacc2) { | |
| 320 | +bool GeckoVBufBackend_t::isLabelVisible(IAccessible2* pacc2) { | |
| 310 | 321 | CComQIPtr<IAccessible2_2> pacc2_2=pacc2; |
| 311 | 322 | if(!pacc2_2) return false; |
| 312 | 323 | auto targetAcc=getLabelElement(pacc2_2); |
| @@ -32,6 +32,10 @@ class GeckoVBufBackend_t: public VBufBackend_t { | ||
| 32 | 32 | |
| 33 | 33 | bool shouldDisableTableHeaders; |
| 34 | 34 | bool hasEncodedAccDescription; |
| 35 | + std::wstring toolkitName; | |
| 36 | + | |
| 37 | + bool isLabelVisible(IAccessible2* pacc2); | |
| 38 | + CComPtr<IAccessible2> getLabelElement(IAccessible2_2* element); | |
| 35 | 39 | |
| 36 | 40 | protected: |
| 37 | 41 |
| @@ -3,6 +3,10 @@ What's New in NVDA | ||
| 3 | 3 | |
| 4 | 4 | %!includeconf: ../changes.t2tconf |
| 5 | 5 | |
| 6 | += 2018.3.2 = | |
| 7 | +This is a minor release to work around a crash in Google Chrome when navigating tweetts on www.twitter.com/ | |
| 8 | + | |
| 9 | + | |
| 6 | 10 | = 2018.3.1 = |
| 7 | 11 | This is a minor release to fix a critical bug in NVDA which caused 32 bit versions of Mozilla Firefox to crash. (#8759) |
| 8 | 12 |
Screen Reader NVDA Japanese
Fork