RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 15:47:44 +00:00
Code Issues Activity Actions

LibWeb: Unregister IntersectionObserver in finalize, not the destructor

Browse source 
Otherwise it UAFs the intersection root. Not sure how this didn't cause
a lot of crashes!
This commit is contained in:
Luke Wilde 2023-08-09 21:08:52 +01:00 committed by Tim Flynn
parent 5694981352
commit 7550b4175e
2 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.cpp
View file

@ -53,7 +53,9 @@ IntersectionObserver::IntersectionObserver(JS::Realm& realm, JS::GCPtr<WebIDL::C
}); });
} }
IntersectionObserver::~IntersectionObserver() IntersectionObserver::~IntersectionObserver() = default;
void IntersectionObserver::finalize()
{ {
intersection_root().visit([this](auto& node) { intersection_root().visit([this](auto& node) {
node->document().unregister_intersection_observer({}, *this); node->document().unregister_intersection_observer({}, *this);

1
Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.h
View file

@ -66,6 +66,7 @@ private:
virtual void initialize(JS::Realm&) override; virtual void initialize(JS::Realm&) override;
virtual void visit_edges(JS::Cell::Visitor&) override; virtual void visit_edges(JS::Cell::Visitor&) override;
virtual void finalize() override;
// https://www.w3.org/TR/intersection-observer/#dom-intersectionobserver-callback-slot // https://www.w3.org/TR/intersection-observer/#dom-intersectionobserver-callback-slot
JS::GCPtr<WebIDL::CallbackType> m_callback; JS::GCPtr<WebIDL::CallbackType> m_callback;