RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 16:27:35 +00:00
Code Issues Activity Actions

LibWeb: Fix vector OOB access when comparing some calc() values

Browse source 
Before comparing the elements of two vectors, we have to check that
they have the same length. :^)

Fixes a crash seen on https://chat.openai.com/
This commit is contained in:
Andreas Kling 2024-01-27 16:13:47 +01:00
parent 9272d185ad
commit 546143e9a6
3 changed files with 22 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp
View file

@ -372,6 +372,8 @@ bool SumCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<SumCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<SumCalculationNode const&>(other).m_values[i]))
return false;
@ -508,6 +510,8 @@ bool ProductCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<ProductCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<ProductCalculationNode const&>(other).m_values[i]))
return false;
@ -736,6 +740,8 @@ bool MinCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<MinCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<MinCalculationNode const&>(other).m_values[i]))
return false;
@ -831,6 +837,8 @@ bool MaxCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<MaxCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<MaxCalculationNode const&>(other).m_values[i]))
return false;