[CTW] Potential infinite loop in OffsetAtPoint
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox106 | --- | fixed |
People
(Reporter: Jamie, Assigned: Jamie)
References
Details
(Whiteboard: [ctw-m3])
Attachments
(1 file)
Real world STR (JAWS + CTW):
- Open https://www.mozilla.org/
- Press 3 to move to the "Love the Web" heading.
- Down arrow several times to move to the email address text box.
- Expected: This should work without problems.
- Actual: JAWS moves into the field, switches into forms mode, then Firefox hangs.
Distilled STR (slightly different conditions to the real world one, but causes the same loop):
- Open this test case:
data:text/html,a<div style="width: 5px; height: 5px;"><p></p></div> - Get the top left point for the div.
- Call OffsetAtPoint on the div with the point from 2).
- Expected: Return -1.
- Actual: Hang.
When a container isn't empty but contains no usable characters, moving backward a character steps past the start point. That means the loop can never reach the end point. Since FindBoundary will intentionally return the end of the document if you try to move past it, we get into an infinite loop. I was worried about this possibility when I reviewed, but I couldn't come up with a way it could happen.
The fix is fairly simple. We protect the loop so it only runs if (point <= endPoint). Again, the test is probably going to be annoying.
|
Assignee | |
Comment 1•2 years ago
|
||
This can happen in a container containing no actual characters.
Previously, we would end up in an infinite loop in this case.
|
||
Updated•2 years ago
|
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ad4255fd4560 HyperTextAccessibleBase::OffsetAtPoint: Don't try to move forward if the end point moves before the start point. r=morgan
|
||
Comment 3•2 years ago
|
||
| bugherder | ||
Description
•