Don't add invalid webkit accessibility objects to the renderer accessibility tree.

BUG=55740
TEST=For M7, verify renderer_crash.html from bug doesn't crash the renderer.


Review URL: http://codereview.chromium.org/3408008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59620 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 2 deletions

diff --git a/webkit/glue/webaccessibility.cc b/webkit/glue/webaccessibility.cc
index d600d67..38b1cfd 100644
--- a/webkit/glue/webaccessibility.cc
+++ b/webkit/glue/webaccessibility.cc
@@ -331,9 +331,15 @@ void WebAccessibility::Init(const WebKit::WebAccessibilityObject& src,
 
   // Recursively create children.
   int child_count = src.childCount();
-  children.resize(child_count);
   for (int i = 0; i < child_count; i++) {
-    children[i].Init(src.childAt(i), cache);
+    WebAccessibilityObject child = src.childAt(i);
+
+    // The child may be invalid due to issues in webkit accessibility code.
+    // Don't add children are invalid thus preventing a crash.
+    // https://bugs.webkit.org/show_bug.cgi?id=44149
+    // TODO(ctguil): We may want to remove this check as webkit stabilizes.
+    if (child.isValid())
+      children.push_back(WebAccessibility(child, cache));
   }
 }