RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 05:07:34 +00:00
Code Issues Activity Actions

LibWeb: Avoid UAF in query_selector{,_all}()

Browse source 
This fixes a bug that caused the selector to be dumped.
It would relase the RefPtr into a dump function, and then use it.
This commit is contained in:
Alexander 2021-07-16 21:47:48 +02:00 committed by Ali Mohammad Pur
parent 86c6e68431
commit 459aa44f6b
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibWeb/DOM/ParentNode.cpp
View file

@ -17,11 +17,11 @@ RefPtr<Element> ParentNode::query_selector(const StringView& selector_text)
if (!selector)
return {};
dump_selector(selector.release_nonnull());
dump_selector(*selector);
RefPtr<Element> result;
for_each_in_inclusive_subtree_of_type<Element>([&](auto& element) {
if (SelectorEngine::matches(selector.release_nonnull(), element)) {
if (SelectorEngine::matches(*selector, element)) {
result = element;
return IterationDecision::Break;
}
@ -37,11 +37,11 @@ NonnullRefPtrVector<Element> ParentNode::query_selector_all(const StringView& se
if (!selector)
return {};
dump_selector(selector.release_nonnull());
dump_selector(*selector);
NonnullRefPtrVector<Element> elements;
for_each_in_inclusive_subtree_of_type<Element>([&](auto& element) {
if (SelectorEngine::matches(selector.release_nonnull(), element)) {
if (SelectorEngine::matches(*selector, element)) {
elements.append(element);
}
return IterationDecision::Continue;