From 459aa44f6bd38225a29d0e46ae5d0fd82dc5d04d Mon Sep 17 00:00:00 2001
From: Alexander
Date: Fri, 16 Jul 2021 21:47:48 +0200
Subject: [PATCH] LibWeb: Avoid UAF in query_selector{,_all}()
This fixes a bug that caused the selector to be dumped. It would relase the RefPtr into a dump function, and then use it.
---
 Userland/Libraries/LibWeb/DOM/ParentNode.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Userland/Libraries/LibWeb/DOM/ParentNode.cpp b/Userland/Libraries/LibWeb/DOM/ParentNode.cpp
index 447954e6b2..9a8ffdde32 100644
--- a/Userland/Libraries/LibWeb/DOM/ParentNode.cpp
+++ b/Userland/Libraries/LibWeb/DOM/ParentNode.cpp
@@ -17,11 +17,11 @@ RefPtr ParentNode::query_selector(const StringView& selector_text)
 if (!selector)
 return {};
- dump_selector(selector.release_nonnull());
+ dump_selector(*selector);
 RefPtr result;
 for_each_in_inclusive_subtree_of_type([&](auto& element) {
- if (SelectorEngine::matches(selector.release_nonnull(), element)) {
+ if (SelectorEngine::matches(*selector, element)) {
 result = element;
 return IterationDecision::Break;
 }
@@ -37,11 +37,11 @@ NonnullRefPtrVector ParentNode::query_selector_all(const StringView& se
 if (!selector)
 return {};
- dump_selector(selector.release_nonnull());
+ dump_selector(*selector);
 NonnullRefPtrVector elements;
 for_each_in_inclusive_subtree_of_type([&](auto& element) {
- if (SelectorEngine::matches(selector.release_nonnull(), element)) {
+ if (SelectorEngine::matches(*selector, element)) {
 elements.append(element);
 }
 return IterationDecision::Continue;
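Review bot: The new `dump_selector(*selector);` line in the `query_selector` hunk is still an unconditional dump executed on every call; it was the call whose `release_nonnull()` argument emptied the pointer before the later `matches()` use, and now that it is harmless it looks like leftover debugging output that should be gated behind the project's debug conditional (`if constexpr (<selector debug flag>) dump_selector(*selector);`, flag name to be taken from the codebase) or removed. Dereferencing `*selector` after the `if (!selector) return {};` guard is sound, and the `[&]` capture only borrows the RefPtr for the traversal, which is fine provided `for_each_in_inclusive_subtree_of_type` does not retain the lambda beyond the call — not verifiable from this hunk. The same unconditional dump appears in the `query_selector_all` hunk below. The end of `query_selector` (and the hunk's trailing context) lies outside what is shown here.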