From 546143e9a62a8cb32fc9941a3dccf9e31373c9f2 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sat, 27 Jan 2024 16:13:47 +0100
Subject: [PATCH] LibWeb: Fix vector OOB access when comparing some calc() values

Before comparing the elements of two vectors, we have to check that they have the same length. :^)

Fixes a crash seen on https://chat.openai.com/
---
 ...-function-with-same-kind-but-fewer-arguments.txt | 1 +
 ...function-with-same-kind-but-fewer-arguments.html | 13 +++++++++++++
 .../LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp | 8 ++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 Tests/LibWeb/Text/expected/css/replace-calc-function-with-same-kind-but-fewer-arguments.txt
 create mode 100644 Tests/LibWeb/Text/input/css/replace-calc-function-with-same-kind-but-fewer-arguments.html

diff --git a/Tests/LibWeb/Text/expected/css/replace-calc-function-with-same-kind-but-fewer-arguments.txt b/Tests/LibWeb/Text/expected/css/replace-calc-function-with-same-kind-but-fewer-arguments.txt
new file mode 100644
index 0000000000..1c2cf4d94a
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/css/replace-calc-function-with-same-kind-but-fewer-arguments.txt
@@ -0,0 +1 @@
+PASS! (didn't crash)
\ No newline at end of file
diff --git a/Tests/LibWeb/Text/input/css/replace-calc-function-with-same-kind-but-fewer-arguments.html b/Tests/LibWeb/Text/input/css/replace-calc-function-with-same-kind-but-fewer-arguments.html
new file mode 100644
index 0000000000..b297b92f8e
--- /dev/null
+++ b/Tests/LibWeb/Text/input/css/replace-calc-function-with-same-kind-but-fewer-arguments.html
@@ -0,0 +1,13 @@
+PASS! (didn't crash)
diff --git a/Userland/Libraries/LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp b/Userland/Libraries/LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp
index cffe10e09b..7733e4e9bf 100644
--- a/Userland/Libraries/LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp
+++ b/Userland/Libraries/LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp
@@ -372,6 +372,8 @@ bool SumCalculationNode::equals(CalculationNode const& other) const
         return true;
     if (type() != other.type())
         return false;
+    if (m_values.size() != static_cast(other).m_values.size())
+        return false;
     for (size_t i = 0; i < m_values.size(); ++i) {
         if (!m_values[i]->equals(*static_cast(other).m_values[i]))
             return false;
@@ -508,6 +510,8 @@ bool ProductCalculationNode::equals(CalculationNode const& other) const
         return true;
     if (type() != other.type())
         return false;
+    if (m_values.size() != static_cast(other).m_values.size())
+        return false;
     for (size_t i = 0; i < m_values.size(); ++i) {
         if (!m_values[i]->equals(*static_cast(other).m_values[i]))
             return false;
@@ -736,6 +740,8 @@ bool MinCalculationNode::equals(CalculationNode const& other) const
         return true;
     if (type() != other.type())
         return false;
+    if (m_values.size() != static_cast(other).m_values.size())
+        return false;
     for (size_t i = 0; i < m_values.size(); ++i) {
         if (!m_values[i]->equals(*static_cast(other).m_values[i]))
             return false;
@@ -831,6 +837,8 @@ bool MaxCalculationNode::equals(CalculationNode const& other) const
         return true;
     if (type() != other.type())
         return false;
+    if (m_values.size() != static_cast(other).m_values.size())
+        return false;
     for (size_t i = 0; i < m_values.size(); ++i) {
         if (!m_values[i]->equals(*static_cast(other).m_values[i]))
             return false;
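Review bot: The added size check in SumCalculationNode::equals spells out the downcast of `other` a second time, and the loop below it repeats the same cast on every iteration; binding the downcast once after the `type()` check keeps the new guard and the loop in step and reads more clearly. The rendering here has dropped the cast's template argument, but given the preceding `type()` comparison it is presumably `SumCalculationNode const&`, so the lines would become `auto const& other_sum = static_cast<SumCalculationNode const&>(other);`, `if (m_values.size() != other_sum.m_values.size()) return false;` and, in the loop, `if (!m_values[i]->equals(*other_sum.m_values[i])) return false;`. The same applies to the ProductCalculationNode, MinCalculationNode and MaxCalculationNode hunks, which add the identical guard. The guard itself is the right fix: without it a shorter `other` made `other.m_values[i]` an out-of-bounds read, which is the crash the commit description reports. equals() opens above the hunk (the first context line `return true;` belongs to a check that starts before it) and its closing lines are below it.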