
Crash in Google Chrome when navigating tweets on twitter.com #8777

Closed
michaelDCurran opened this issue Sep 25, 2018 · 0 comments
Labels: p2 (https://github.com/nvaccess/nvda/blob/master/projectDocs/issues/triage.md#priority)

Comments

michaelDCurran (Member) commented Sep 25, 2018

Steps to reproduce:

With NVDA 2018.3 or newer:

  1. Open Google Chrome.
  2. Go to www.twitter.com/ and log in if necessary.
  3. Arrow down to the tweets in your timeline.
  4. Switch off NVDA's single letter navigation with NVDA+shift+space.
  5. Press Twitter's j and k tweet navigation shortcut keys to move between the tweets.

Actual behavior:

Google Chrome crashes.

Expected behavior:

Google Chrome should not crash.

Technical details

Some of the nodes in the tweets contain multiple labelledBy relations. As NVDA must fetch at least the first labelledBy relation on any given node to work out whether the accessible label is visible somewhere else on the page, NVDA calls IAccessible2_2::get_relationTargetsOfType with relationType of IA2_RELATION_LABELLED_BY and maxTargets of 1.
However, there seems to be a bug in Google Chrome's implementation of relationTargetsOfType that causes a buffer overrun. In short, Chrome allocates a buffer suitable to fit maxTargets, but then fills it with the total number of relation targets for the node. If the total number of targets is greater than maxTargets, then Chrome overruns the buffer and eventually causes heap corruption.

This simplified testcase (attachment `dynamic multiple labelled by.html.txt`; the upload link on the original page was left incomplete) when run in Chrome specifically shows the crash. Load the page, and then press the 'show' button. This causes a text input field to appear that has 4 labelled by relations on it.

Chrome version: 69.0.3497.100 (Official Build) (64-bit) (cohort: Stable)
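
The following is an added example, not NVDA's or Chromium's code: a plain C model of the defect described in this issue, showing a relationTargetsOfType-style routine that allocates room for maxTargets but copies every target the node has, beside a hardened version that clamps the copy count to the allocation and reports that count to the caller. The node_t type, the integer target ids and the treatment of maxTargets 0 as "all targets" are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an accessible node: ids of the nodes that label
 * it, i.e. its IA2_RELATION_LABELLED_BY targets. */
typedef struct {
    const int *labelled_by;
    long       n_labelled_by;
} node_t;

/* Shape of the defect described in the issue: the buffer is sized from
 * maxTargets, but the copy loop runs over every target the node has, so
 * 4 targets with maxTargets = 1 write 3 ints past the allocation.
 * Kept for comparison only; nothing in this file calls it. */
long relation_targets_buggy(const node_t *n, long max_targets, int **out) {
    long to_alloc = max_targets > 0 ? max_targets : n->n_labelled_by;
    *out = malloc((size_t)(to_alloc ? to_alloc : 1) * sizeof **out);
    if (!*out) return -1;
    for (long i = 0; i < n->n_labelled_by; i++)  /* bound is the total, not to_alloc */
        (*out)[i] = n->labelled_by[i];
    return n->n_labelled_by;
}

/* Hardened form: clamp the copy count to what was allocated and report that
 * count, so the caller's view of the buffer matches its real size.
 * maxTargets == 0 means "all targets" (assumption modelled on the IA2 docs). */
long relation_targets_fixed(const node_t *n, long max_targets, int **out) {
    long count = n->n_labelled_by;
    if (max_targets > 0 && count > max_targets) count = max_targets;
    *out = malloc((size_t)(count ? count : 1) * sizeof **out);
    if (!*out) return -1;
    for (long i = 0; i < count; i++)
        (*out)[i] = n->labelled_by[i];
    return count;
}

/* Fetch only the first label target, as NVDA does (maxTargets = 1).
 * Returns the target id, or -1 when the node has no label relation. */
int first_label_target(const node_t *n) {
    int *targets = NULL;
    long got = relation_targets_fixed(n, 1, &targets);
    int id = got > 0 ? targets[0] : -1;
    free(targets);
    return id;
}

int main(void) {
    const int labels[] = {11, 12, 13, 14};  /* constructed: field labelled by 4 nodes */
    node_t input = { labels, 4 };
    printf("first labelledBy target: %d\n", first_label_target(&input));
    return 0;
}
```

With the four-label node from the testcase, the fixed routine hands back exactly one element for maxTargets = 1 and reports 1, which is what a caller relying on the returned count needs in order to stay inside the buffer.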

@michaelDCurran michaelDCurran added the p2 https://github.com/nvaccess/nvda/blob/master/projectDocs/issues/triage.md#priority label Sep 25, 2018
@nvaccessAuto nvaccessAuto added this to the 2018.4 milestone Sep 26, 2018
seanbudd added a commit that referenced this issue Jan 9, 2023
A comment refers to an outdated and fixed Chromium bug.
I don't believe there is a public chromium bug tracker issue for this bug, which was fixed in 2018.
However, NVDA tracked the bug in this issue #8777