From 279c891ddf0ad10dd86c8fc836ce385df57593c4 Mon Sep 17 00:00:00 2001
From: Jan Moeller <Jan.Moeller@governikus.de>
Date: Mon, 9 Dec 2024 16:13:08 +0100
Subject: [PATCH] Check for valid QAccessibleInterface before invoking action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

To avoid illegal access, the change ensures that the QAccessibleInterface
is non-null and valid before accessing its QAccessibleActionInterface.

The check for the validity was also added to existing code which
previously only checked for the QAccessibleInterface not being null.

Fixes: QTBUG-132059
Pick-to: 6.8 6.9
Change-Id: I69fc4f9bb052ded8f188032d324666d0c00b9c3c
Reviewed-by: Michael Weghorn <m.weghorn@posteo.de>
Reviewed-by: Lars Schmertmann <lars.schmertmann@governikus.de>
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@qt.io>
---
 .../platforms/ios/quiaccessibilityelement.mm  | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/plugins/platforms/ios/quiaccessibilityelement.mm b/src/plugins/platforms/ios/quiaccessibilityelement.mm
index d13b18a859b..02fa0817e40 100644
--- a/src/plugins/platforms/ios/quiaccessibilityelement.mm
+++ b/src/plugins/platforms/ios/quiaccessibilityelement.mm
@@ -70,7 +70,7 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (NSString*)accessibilityLabel
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
-    if (!iface) {
+    if (!iface || !iface->isValid()) {
         qWarning() << "invalid accessible interface for: " << self.axid;
         return @"";
     }
@@ -82,7 +82,7 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (NSString*)accessibilityIdentifier
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
-    if (!iface) {
+    if (!iface || !iface->isValid()) {
         qWarning() << "invalid accessible interface for: " << self.axid;
         return @"";
     }
@@ -92,7 +92,7 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (NSString*)accessibilityHint
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
-    if (!iface) {
+    if (!iface || !iface->isValid()) {
         qWarning() << "invalid accessible interface for: " << self.axid;
         return @"";
     }
@@ -102,7 +102,7 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (NSString*)accessibilityValue
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
-    if (!iface) {
+    if (!iface || !iface->isValid()) {
         qWarning() << "invalid accessible interface for: " << self.axid;
         return @"";
     }
@@ -127,7 +127,7 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (CGRect)accessibilityFrame
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
-    if (!iface) {
+    if (!iface || !iface->isValid()) {
         qWarning() << "invalid accessible interface for: " << self.axid;
         return CGRect();
     }
@@ -141,7 +141,7 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
     UIAccessibilityTraits traits = UIAccessibilityTraitNone;
 
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
-    if (!iface) {
+    if (!iface || !iface->isValid()) {
         qWarning() << "invalid accessible interface for: " << self.axid;
         return traits;
     }
@@ -183,6 +183,11 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (BOOL)accessibilityActivate
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
+    if (!iface || !iface->isValid()) {
+        qWarning() << "invalid accessible interface for: " << self.axid;
+        return NO;
+    }
+
     if (QAccessibleActionInterface *action = iface->actionInterface()) {
         if (action->actionNames().contains(QAccessibleActionInterface::pressAction())) {
             action->doAction(QAccessibleActionInterface::pressAction());
@@ -198,6 +203,11 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (void)accessibilityIncrement
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
+    if (!iface || !iface->isValid()) {
+        qWarning() << "invalid accessible interface for: " << self.axid;
+        return;
+    }
+
     if (QAccessibleActionInterface *action = iface->actionInterface())
         action->doAction(QAccessibleActionInterface::increaseAction());
 }
@@ -205,6 +215,11 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (void)accessibilityDecrement
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
+    if (!iface || !iface->isValid()) {
+        qWarning() << "invalid accessible interface for: " << self.axid;
+        return;
+    }
+
     if (QAccessibleActionInterface *action = iface->actionInterface())
         action->doAction(QAccessibleActionInterface::decreaseAction());
 }
@@ -212,6 +227,11 @@ QT_NAMESPACE_ALIAS_OBJC_CLASS(QMacAccessibilityElement);
 - (BOOL)accessibilityScroll:(UIAccessibilityScrollDirection)direction
 {
     QAccessibleInterface *iface = QAccessible::accessibleInterface(self.axid);
+    if (!iface || !iface->isValid()) {
+        qWarning() << "invalid accessible interface for: " << self.axid;
+        return NO;
+    }
+
     QAccessibleActionInterface *action = iface->actionInterface();
     if (!action)
         return NO;