Fix another bug in AXTree caught by libfuzzer

ui/accessibility/ax_tree_unittest.cc

Index: ui/accessibility/ax_tree_unittest.cc
diff --git a/ui/accessibility/ax_tree_unittest.cc b/ui/accessibility/ax_tree_unittest.cc
index 5e8bdcd232106edf5ded355f162dfcda744848ba..8e0bc015b36db23ca112738ccc4533f0f1470142 100644
--- a/ui/accessibility/ax_tree_unittest.cc
+++ b/ui/accessibility/ax_tree_unittest.cc
@@ -508,4 +508,24 @@ TEST(AXTreeTest, BogusAXTree2) {
   tree.Unserialize(initial_state);
 }
 
+// UAF caught by ax_tree_fuzzer
+TEST(AXTreeTest, BogusAXTree3) {
+  AXTreeUpdate initial_state;
+  AXNodeData node3;

[aboxhall, 2016/09/26 20:24:44]

Why node3 and node4 here?

[dmazzoni, 2016/09/27 20:19:26]

Minimized from a larger example, didn't rename.
Changed to node/node2.

+  node3.id = 0;
+  node3.state = 0;
+  node3.child_ids.push_back(1);
+  initial_state.nodes.push_back(node3);
+
+  AXNodeData node4;
+  node4.id = 1;
+  node4.state = 0;
+  node4.child_ids.push_back(1);

[aboxhall, 2016/09/26 20:24:44]

Is this what causes the crash? Does it crash if node3 just points to itself
without node4 present?

[dmazzoni, 2016/09/27 20:19:26]

No, that didn't crash. This was the minimal case
that crashed.

[aboxhall, 2016/09/28 19:23:28]

Ohhh right, because it tries to remove it from node[3] and then again from
node[4/2].

+  node4.child_ids.push_back(1);
+  initial_state.nodes.push_back(node4);
+
+  ui::AXTree tree;
+  tree.Unserialize(initial_state);
+}
+
 }  // namespace ui