From 4c73b43a3c83c120d6ac4279c06e7f013fafc42d Mon Sep 17 00:00:00 2001
From: Valerie Young
Date: Mon, 30 Jan 2023 19:06:45 +0000
Subject: [Backport] CVE-2023-1819: Out of bounds read in Accessibility
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4201191: Remove use of g_utf8_substring
Bug: 1406588
Change-Id: Iae03fce3d8332fdc5144b9b80a9ba146bf359693
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4201191
Reviewed-by: David Tseng
Commit-Queue: Valerie Young
Cr-Commit-Position: refs/heads/main@{#1098756}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474367
Reviewed-by: Allan Sandfeld Jensen
---
 .../accessibility/accessibility_tree_formatter_auralinux.cc | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc b/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc
index 14078b22739..3e6524f996c 100644
--- a/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc
+++ b/chromium/content/browser/accessibility/accessibility_tree_formatter_auralinux.cc
@@ -238,13 +238,9 @@ void AccessibilityTreeFormatterAuraLinux::AddHypertextProperties(
 gchar* link_start = g_utf8_offset_to_pointer(character_text, utf8_offset);
 int offset = link_start - character_text;
- gchar* character_substring =
- g_utf8_substring(character_text, utf8_offset, utf8_offset + 1);
- DCHECK(std::string(character_substring) == "\uFFFC");
-
- base::ReplaceFirstSubstringAfterOffset(&text, offset, character_substring,
+ std::string replacement_char = "\uFFFC";
+ base::ReplaceFirstSubstringAfterOffset(&text, offset, replacement_char,
 link_str);
- g_free(character_substring);
 }
 }
-- cgit v1.2.1
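Review bot: The surviving context line `gchar* link_start = g_utf8_offset_to_pointer(character_text, utf8_offset);` still runs with an unchecked `utf8_offset`, and GLib's documentation notes that this function does not stop at the end of the string, so an offset beyond the text would still walk past the terminator before `offset` is computed. Nothing visible in the hunk validates the offset; unless a check exists outside it, guard the block with something like `if (utf8_offset < 0 || utf8_offset >= g_utf8_strlen(character_text, -1))` and skip that link. With the `DCHECK` removed, a mismatched offset is also silent: `ReplaceFirstSubstringAfterOffset` replaces the next U+FFFC found after `offset`, not necessarily the one at it, which deserves a one-line comment above `replacement_char`. AddHypertextProperties begins before the hunk and its end is not visible here.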