mirror of https://github.com/RGBCube/serenity synced 2025-05-31 14:38:11 +00:00

LibWeb: Fix use-after-free in CSSNamespaceRule parsing

Holding the `prefix` as a StringView meant it pointed at string data
held by `token`. `token` gets reassigned shortly afterwards, meaning
`prefix` would hold invalid character data.
Sam Atkins 2023-08-07 17:29:38 +01:00 committed by Sam Atkins
parent 5042c903be
commit 6c2ed0f51b
3 changed files with 6 additions and 6 deletions


@ -3331,7 +3331,7 @@ CSSRule* Parser::convert_to_rule(NonnullRefPtr<Rule> rule)
token_stream.skip_whitespace();
auto token = token_stream.next_token();
Optional<StringView> prefix = {};
Optional<DeprecatedString> prefix = {};
if (token.is(Token::Type::Ident)) {
prefix = token.token().ident();
token_stream.skip_whitespace();