RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-09-14 01:57:59 +00:00
Code Issues Activity Actions

LibWeb/CSS: Fix stack use after scope in matches_attribute()

Browse source 
If a short string is used for the attribute value, then the result of:
```cpp
auto const view = element.attribute(attribute_name).value_or({})
    .bytes_as_string_view().split_view(' ');
```
is an array of string views pointing into a temporarily allocated
string.

With this change we keep string on stack until the end of scope.

Page that allows to reproduce the problem.
```html
<!DOCTYPE html><style>
    div[data-info~="a"] {
        background-color: yellow;
    }
</style><div data-info="a">a</div>
```
This commit is contained in:
Aliaksandr Kalenik 2023-12-24 02:51:02 +01:00 committed by Sam Atkins
parent 95e9c89a15
commit 32a6bf908a
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp
View file

@ -151,7 +151,8 @@ static inline bool matches_attribute(CSS::Selector::SimpleSelector::Attribute co
// This selector is always false is match value is empty.
return false;
}
auto const view = element.attribute(attribute_name).value_or({}).bytes_as_string_view().split_view(' ');
auto attribute_value = element.attribute(attribute_name).value_or({});
auto const view = attribute_value.bytes_as_string_view().split_view(' ');
auto const size = view.size();
for (size_t i = 0; i < size; ++i) {
auto const value = view.at(i);