authorValerie Young <spectranaut@igalia.com>2023-01-30 19:06:45 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-05-02 08:58:42 +0000
commit4c73b43a3c83c120d6ac4279c06e7f013fafc42d (patch)
tree49a762375c63ed985bffa52c98ffb1a95c2afa89
parenta99df132095a77867b52ce933161380a88eaf245 (diff)
downloadqtwebengine-chromium-4c73b43a3c83c120d6ac4279c06e7f013fafc42d.tar.gz
[Backport] CVE-2023-1819: Out of bounds read in Accessibility
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4201191: Remove use of g_utf8_substring Bug: 1406588 Change-Id: Iae03fce3d8332fdc5144b9b80a9ba146bf359693 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4201191 Reviewed-by: David Tseng <dtseng@chromium.org> Commit-Queue: Valerie Young <spectranaut@igalia.com> Cr-Commit-Position: refs/heads/main@{#1098756} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474367 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc8
1 files changed, 2 insertions, 6 deletions
diff --git a/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc b/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc
index 14078b22739..3e6524f996c 100644
--- a/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc
+++ b/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc
@@ -238,13 +238,9 @@ void AccessibilityTreeFormatterAuraLinux::AddHypertextProperties(
gchar* link_start = g_utf8_offset_to_pointer(character_text, utf8_offset);
int offset = link_start - character_text;
- gchar* character_substring =
- g_utf8_substring(character_text, utf8_offset, utf8_offset + 1);
- DCHECK(std::string(character_substring) == "\uFFFC");
-
- base::ReplaceFirstSubstringAfterOffset(&text, offset, character_substring,
+ std::string replacement_char = "\uFFFC";
+ base::ReplaceFirstSubstringAfterOffset(&text, offset, replacement_char,
link_str);
- g_free(character_substring);
}
}
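Review bot: The context line `g_utf8_offset_to_pointer(character_text, utf8_offset)` still advances through `character_text` without checking `utf8_offset` against the string's character count, and that GLib call does not stop at the terminating NUL, so an offset that is too large would still step past the buffer before `offset` is computed. Where `utf8_offset` comes from is outside the hunk, so it may already be bounded; if it is not, a guard such as `if (utf8_offset < 0 || utf8_offset >= g_utf8_strlen(character_text, -1))` that skips the entry before the pointer lookup would close that path. Removing the DCHECK also means nothing verifies that the character at `offset` is U+FFFC: the call now replaces the first U+FFFC at or after `offset`, so a stale offset would silently rewrite a later placeholder instead of failing in debug builds. The body of AddHypertextProperties starts and ends outside the hunk.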