LibWeb: Fix use-after-free in CSSNamespaceRule parsing
Holding the `prefix` as a StringView meant it pointed at string data held by `token`. `token` gets reassigned shortly afterwards, meaning `prefix` would hold invalid character data.
This commit is contained in:
parent
5042c903be
commit
6c2ed0f51b
3 changed files with 6 additions and 6 deletions
|
@ -14,14 +14,14 @@
|
||||||
|
|
||||||
namespace Web::CSS {
|
namespace Web::CSS {
|
||||||
|
|
||||||
CSSNamespaceRule::CSSNamespaceRule(JS::Realm& realm, Optional<StringView> prefix, StringView namespace_uri)
|
CSSNamespaceRule::CSSNamespaceRule(JS::Realm& realm, Optional<DeprecatedString> prefix, StringView namespace_uri)
|
||||||
: CSSRule(realm)
|
: CSSRule(realm)
|
||||||
, m_namespace_uri(namespace_uri)
|
, m_namespace_uri(namespace_uri)
|
||||||
, m_prefix(prefix.has_value() ? prefix.value() : ""sv)
|
, m_prefix(prefix.value_or(""sv))
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> CSSNamespaceRule::create(JS::Realm& realm, Optional<AK::StringView> prefix, AK::StringView namespace_uri)
|
WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> CSSNamespaceRule::create(JS::Realm& realm, Optional<DeprecatedString> prefix, AK::StringView namespace_uri)
|
||||||
{
|
{
|
||||||
return MUST_OR_THROW_OOM(realm.heap().allocate<CSSNamespaceRule>(realm, realm, prefix, namespace_uri));
|
return MUST_OR_THROW_OOM(realm.heap().allocate<CSSNamespaceRule>(realm, realm, prefix, namespace_uri));
|
||||||
}
|
}
|
||||||
|
|
|
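Review bot: `m_prefix(prefix.value_or(""sv))` on the new line 44 only compiles because `DeprecatedString` converts implicitly from `StringView`; spelling the fallback as the member's own type, `, m_prefix(prefix.value_or(DeprecatedString {}))`, states the intent directly instead of leaning on that conversion. The declarations of `m_prefix` and `m_namespace_uri` are not in these hunks, so the fix is only complete if `m_prefix` is an owning string rather than a `StringView`, which I assume from the old `Optional<StringView>` signature but cannot confirm here. `namespace_uri` is still accepted as a `StringView`, so the token-lifetime hazard this commit closes for `prefix` remains a caller obligation for the second argument; a one-line comment on the constructor, `// namespace_uri must stay valid for the duration of this call; it is copied into the member here (assuming m_namespace_uri owns its data)`, would document that contract.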
@ -14,7 +14,7 @@ class CSSNamespaceRule final : public CSSRule {
|
||||||
WEB_PLATFORM_OBJECT(CSSNamespaceRule, CSSRule);
|
WEB_PLATFORM_OBJECT(CSSNamespaceRule, CSSRule);
|
||||||
|
|
||||||
public:
|
public:
|
||||||
static WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> create(JS::Realm&, Optional<StringView> prefix, StringView namespace_uri);
|
static WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> create(JS::Realm&, Optional<DeprecatedString> prefix, StringView namespace_uri);
|
||||||
|
|
||||||
virtual ~CSSNamespaceRule() = default;
|
virtual ~CSSNamespaceRule() = default;
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ public:
|
||||||
virtual Type type() const override { return Type::Namespace; }
|
virtual Type type() const override { return Type::Namespace; }
|
||||||
|
|
||||||
private:
|
private:
|
||||||
CSSNamespaceRule(JS::Realm&, Optional<StringView> prefix, StringView namespace_uri);
|
CSSNamespaceRule(JS::Realm&, Optional<DeprecatedString> prefix, StringView namespace_uri);
|
||||||
|
|
||||||
virtual void initialize(JS::Realm&) override;
|
virtual void initialize(JS::Realm&) override;
|
||||||
|
|
||||||
|
|
|
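Review bot: The new `create` declaration on line 101 carries no note about why `prefix` is an owning `Optional<DeprecatedString>` rather than a view, which is exactly the distinction this commit corrects; a short comment keeps a later "avoid the copy" refactor from reintroducing the dangling view: `// prefix is taken by value (owning) on purpose: callers build it from a parser token that is overwritten soon after.` The same comment applies to the private constructor on line 134, and the header hunks stop before the member declarations, so the storage type of `m_prefix` cannot be confirmed from this page.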
@ -3331,7 +3331,7 @@ CSSRule* Parser::convert_to_rule(NonnullRefPtr<Rule> rule)
|
||||||
token_stream.skip_whitespace();
|
token_stream.skip_whitespace();
|
||||||
|
|
||||||
auto token = token_stream.next_token();
|
auto token = token_stream.next_token();
|
||||||
Optional<StringView> prefix = {};
|
Optional<DeprecatedString> prefix = {};
|
||||||
if (token.is(Token::Type::Ident)) {
|
if (token.is(Token::Type::Ident)) {
|
||||||
prefix = token.token().ident();
|
prefix = token.token().ident();
|
||||||
token_stream.skip_whitespace();
|
token_stream.skip_whitespace();
|
||||||
|
|
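Review bot: The copy into `Optional<DeprecatedString>` on line 179 now happens at the assignment, which is what removes the dangling view, but nothing in the code records that `token` is reassigned later in this function (the reassignment is outside the hunk, as the commit message says); a comment on that line guards the fix against a future change back to a view: `// Copy the ident out of token now: token is reassigned below, so a StringView into it would dangle.` The `= {}` on line 169 is redundant for an `Optional` and could be dropped (`Optional<DeprecatedString> prefix;`). The commit adds no regression test; a LibWeb test that parses an `@namespace` rule with a prefix and reads the rule's prefix back would catch this class of use-after-free under the sanitizer builds. `Parser::convert_to_rule` starts and ends outside the hunk.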