Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crash in Google Chrome when navigating tweets on #8777

michaelDCurran opened this issue Sep 25, 2018 · 0 comments

Crash in Google Chrome when navigating tweets on #8777

michaelDCurran opened this issue Sep 25, 2018 · 0 comments


Copy link

@michaelDCurran michaelDCurran commented Sep 25, 2018

Steps to reproduce:

With NVDA 2018.3 or newer:

  1. Open Google Chrome.
  2. Go to and log in if necessary.
  3. Arrow down to the tweets in your timeline.
  4. Switch off NVDA's single leter navigation with NVDA+shift+space.
  5. Press Twitter's j and k tweet navigation shortcut keys to move between the tweets.

Actual behavior:

Google Chrome crashes.

Expected behavior:

Google Chrome should not crash.

Technical details

Some of the nodes in the tweets contain multiple labelledBy relations. As NVDA must fetch at least the first labelledBy relation on any given node to work out whether the accessible label is visible somewhere else on the page, NVDA calls IAccessible2_2::get_relationTargetsOfType with relationType of IA2_RELATION_LABELLED_BY and maxTargets of 1.
However, there seems to be a bug in Google Chrome's implementation of relationTargetsOfType that causes a buffer overrun. In short, Chrome allocates a buffer suitable to fit maxTargets, but then fills it with the total number of relation targets for the node. If the total number of targets is greater than maxTargets, then Chrome overruns the buffer and eventually causes heap corruption.

[Uploading dynamic multiple labelled by.html.txt…](simplified testcase) when run in Chrome specifically shows the crash. Load the page, and then press the 'show' button. This causes a text input field to appear that has 4 labelled by relations on it.

Chrome version: 69.0.3497.100 (Official Build) (64-bit) (cohort: Stable)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

3 participants