The EditingStyle::mergeStyle function in WebKit/Source/core/editing/EditingStyle.cpp in Blink mishandles custom properties, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that leverages "type confusion" in the StylePropertySerializer class.
The EditingStyle::mergeStyle function in WebKit/Source/core/editing/EditingStyle.cpp in Blink mishandles custom properties, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that leverages "type confusion" in the StylePropertySerializer class.
https://bugs.chromium.org/p/chromium/issues/detail?id=622420