author | Valerie Young <spectranaut@igalia.com> | 2023-01-30 19:06:45 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-05-02 08:58:42 +0000 |
commit | 4c73b43a3c83c120d6ac4279c06e7f013fafc42d (patch) | |
tree | 49a762375c63ed985bffa52c98ffb1a95c2afa89 /chromium | |
parent | a99df132095a77867b52ce933161380a88eaf245 (diff) | |
download | qtwebengine-chromium-4c73b43a3c83c120d6ac4279c06e7f013fafc42d.tar.gz |
[Backport] CVE-2023-1819: Out of bounds read in Accessibility
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4201191:
Remove use of g_utf8_substring
Bug: 1406588
Change-Id: Iae03fce3d8332fdc5144b9b80a9ba146bf359693
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4201191
Reviewed-by: David Tseng <dtseng@chromium.org>
Commit-Queue: Valerie Young <spectranaut@igalia.com>
Cr-Commit-Position: refs/heads/main@{#1098756}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474367
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc b/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc index 14078b22739..3e6524f996c 100644 --- a/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc +++ b/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc @@ -238,13 +238,9 @@ void AccessibilityTreeFormatterAuraLinux::AddHypertextProperties( gchar* link_start = g_utf8_offset_to_pointer(character_text, utf8_offset); int offset = link_start - character_text; - gchar* character_substring = - g_utf8_substring(character_text, utf8_offset, utf8_offset + 1); - DCHECK(std::string(character_substring) == "\uFFFC"); - - base::ReplaceFirstSubstringAfterOffset(&text, offset, character_substring, + std::string replacement_char = "\uFFFC"; + base::ReplaceFirstSubstringAfterOffset(&text, offset, replacement_char, link_str); - g_free(character_substring); } } |
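Review bot: In AddHypertextProperties, the retained `g_utf8_offset_to_pointer(character_text, utf8_offset)` call still computes `link_start` and the byte `offset` with no check in this hunk that `utf8_offset` lies within `character_text`. Removing `g_utf8_substring` drops one read at that position, but the unchecked pointer arithmetic still feeds `base::ReplaceFirstSubstringAfterOffset`. Consider validating `utf8_offset` against `g_utf8_strlen(character_text, -1)` before computing `link_start`, and skipping the entry when it is out of range. Separately, the deleted `DCHECK(std::string(character_substring) == "\uFFFC")` was the only assertion that the object replacement character actually sits at that offset. Without it, a mismatch passes silently, and the call replaces the first U+FFFC found at or after `offset`, or nothing at all. A one-line comment stating that this fallback is intended would help, and `replacement_char` could be a named constant rather than a `std::string` built on each call.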