From 4364371432cd6196881afe4494f00ba44f854eab Mon Sep 17 00:00:00 2001
From: Eitan Isaacson
Date: Thu, 17 Dec 2020 06:09:49 +0000
Subject: [PATCH] Bug 1681072 - Don't recurse into link if it is in more than one offset. r=MarcoZ

This is a safeguard for endless recursion in HyperTextIterator::NormalizeForward. Will catch similar corruptions found in bug 1682692.

Differential Revision: https://phabricator.services.mozilla.com/D99926
---
 accessible/mac/HyperTextAccessibleWrap.mm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/accessible/mac/HyperTextAccessibleWrap.mm b/accessible/mac/HyperTextAccessibleWrap.mm
index 74739658ab8d..0fff4621eab6 100644
--- a/accessible/mac/HyperTextAccessibleWrap.mm
+++ b/accessible/mac/HyperTextAccessibleWrap.mm
@@ -96,6 +96,13 @@ bool HyperTextIterator::NormalizeForward() {
 
 // If there is a link at this offset, mutate into it.
 if (link && link->IsHyperText()) {
+ if (mCurrentStartOffset > 0 &&
+ mCurrentContainer->LinkIndexAtOffset(mCurrentStartOffset) ==
+ mCurrentContainer->LinkIndexAtOffset(mCurrentStartOffset - 1)) {
+ MOZ_ASSERT_UNREACHABLE("Same link for previous offset");
+ return false;
+ }
+
 mCurrentContainer = link->AsHyperText();
 if (link->IsHTMLListItem()) {
 Accessible* bullet = link->AsHTMLListItem()->Bullet();
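Review bot: The new guard at the top of `if (link && link->IsHyperText())` carries no comment stating the invariant it enforces, so a reader cannot tell why two equal `LinkIndexAtOffset` results mean a corrupt tree rather than a legitimate layout. I would add above it `// A link should occupy exactly one offset in its container; if the previous offset maps to the same link the tree is corrupt, so bail out instead of recursing into it.` `MOZ_ASSERT_UNREACHABLE` is, as far as I know, a no-op outside debug builds, so in release `return false` is the only protection and the corruption goes unreported; it is worth confirming that callers treat `false` as "stop" and do not retry from the same offset. The comparison also only detects a link repeated at the immediately preceding offset, so any other cyclic shape would still recurse; whether a depth bound is a better backstop cannot be judged here because the body of NormalizeForward starts and ends outside this hunk.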