
Crash in Google Chrome when navigating tweets on twitter.com #8777

@michaelDCurran

Description


Steps to reproduce:

With NVDA 2018.3 or newer:

  1. Open Google Chrome.
  2. Go to www.twitter.com/ and log in if necessary.
  3. Arrow down to the tweets in your timeline.
  4. Switch off NVDA's single letter navigation with NVDA+shift+space.
  5. Press Twitter's j and k tweet navigation shortcut keys to move between the tweets.

Actual behavior:

Google Chrome crashes.

Expected behavior:

Google Chrome should not crash.

Technical details

Some of the nodes in the tweets contain multiple labelledBy relations. As NVDA must fetch at least the first labelledBy relation on any given node to work out whether the accessible label is visible somewhere else on the page, NVDA calls IAccessible2_2::get_relationTargetsOfType with relationType of IA2_RELATION_LABELLED_BY and maxTargets of 1.
However, there seems to be a bug in Google Chrome's implementation of relationTargetsOfType that causes a buffer overrun. In short, Chrome allocates a buffer suitable to fit maxTargets, but then fills it with the total number of relation targets for the node. If the total number of targets is greater than maxTargets, then Chrome overruns the buffer and eventually causes heap corruption.

This simplified testcase (attachment: dynamic multiple labelled by.html.txt), when run in Chrome, specifically shows the crash. Load the page, and then press the 'show' button. This causes a text input field to appear that has 4 labelled by relations on it.

Chrome version: 69.0.3497.100 (Official Build) (64-bit) (cohort: Stable)
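The overrun pattern described in the technical details, shown as an added model in C. This is not Chrome's code and not NVDA's: it is an illustration of the bug shape (a buffer sized for `maxTargets`, a fill loop bounded by the total number of matching relations) beside the corrected shape (a fill loop bounded by `maxTargets`). The relation table, the `REL_*` constants, the 16-slot "heap" arena with canary values that stands in for neighbouring heap objects, and the node with four labelledBy relations are all constructed for the example; real `get_relationTargetsOfType` implementations operate on an actual heap allocation, where the extra writes corrupt whatever object happens to follow.

```c
#include <stddef.h>
#include <stdio.h>

/* Relation types, modelled on the IA2_RELATION_* values named in the issue. */
enum { REL_LABELLED_BY = 1, REL_DESCRIBED_BY = 2 };

typedef struct { int type; int target; } relation_t;
typedef struct { const relation_t *relations; size_t n; } node_t;

/* A tiny model of the heap: the "allocation" made for one call is
 * slots [0, max_targets); every slot after that stands in for a
 * neighbouring heap object and is filled with a canary, so any slot past
 * max_targets that lost its canary was hit by an overrun. */
#define ARENA_SLOTS 16
#define CANARY 0x5A5A5A5A

typedef struct { int slots[ARENA_SLOTS]; } arena_t;

static void arena_init(arena_t *a) {
    for (size_t i = 0; i < ARENA_SLOTS; i++) a->slots[i] = CANARY;
}

/* Number of slots beyond the allocation whose canary was overwritten. */
static size_t arena_clobbered(const arena_t *a, size_t max_targets) {
    size_t bad = 0;
    for (size_t i = max_targets; i < ARENA_SLOTS; i++)
        if (a->slots[i] != CANARY) bad++;
    return bad;
}

/* Buggy shape from the issue: the buffer was sized for max_targets, but
 * the fill loop copies every matching target. The ARENA_SLOTS bound only
 * keeps this model well-defined; a real heap has no such check. */
static size_t buggy_get_targets(const node_t *node, int type,
                                size_t max_targets, arena_t *heap) {
    (void)max_targets;  /* used for the allocation size, ignored by the loop */
    size_t written = 0;
    for (size_t i = 0; i < node->n && written < ARENA_SLOTS; i++)
        if (node->relations[i].type == type)
            heap->slots[written++] = node->relations[i].target;
    return written;
}

/* Fixed shape: the fill loop is bounded by the buffer size as well as by
 * the number of matches, so at most max_targets entries are written. */
static size_t fixed_get_targets(const node_t *node, int type,
                                size_t max_targets, arena_t *heap) {
    size_t written = 0;
    for (size_t i = 0; i < node->n && written < max_targets; i++)
        if (node->relations[i].type == type)
            heap->slots[written++] = node->relations[i].target;
    return written;
}

/* Reproduces the testcase shape from the issue: a node carrying four
 * labelledBy relations (plus one unrelated relation), queried for
 * labelledBy with the given max_targets. Returns how many neighbouring
 * slots the chosen implementation clobbered. */
static size_t overrun_slots(size_t (*impl)(const node_t *, int, size_t, arena_t *),
                            size_t max_targets) {
    static const relation_t rels[] = {          /* constructed sample data */
        {REL_LABELLED_BY, 101}, {REL_DESCRIBED_BY, 300},
        {REL_LABELLED_BY, 102}, {REL_LABELLED_BY, 103}, {REL_LABELLED_BY, 104},
    };
    node_t node = { rels, sizeof rels / sizeof rels[0] };
    arena_t heap;
    arena_init(&heap);
    impl(&node, REL_LABELLED_BY, max_targets, &heap);
    return arena_clobbered(&heap, max_targets);
}

int main(void) {
    /* maxTargets = 1 is exactly what the issue says NVDA asks for. */
    printf("buggy, maxTargets=1: %zu neighbouring slots clobbered\n",
           overrun_slots(buggy_get_targets, 1));
    printf("fixed, maxTargets=1: %zu neighbouring slots clobbered\n",
           overrun_slots(fixed_get_targets, 1));
    return 0;
}
```

With four matching relations and `maxTargets` of 1, the buggy loop writes three entries past the end of the allocation; raising `maxTargets` to 4 or more hides the overrun, which is why a page with only one labelledBy relation per node does not trigger it.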

Labels: p2