From b7bcdf7c531f241dc4bfdbae7cfcf80052eb0643 Mon Sep 17 00:00:00 2001
From: Shannon Booth <shannon@serenityos.org>
Date: Fri, 24 Nov 2023 19:14:24 +1300
Subject: [PATCH] LibWeb: Fix UAF in CSSStyleSheet

CSSNamespaceRule returns a copy of a DeprecatedString, meaning that the
view returned by the namespace in CSSStyleSheet is into a temporary
string.
---
 Userland/Libraries/LibWeb/CSS/CSSStyleSheet.cpp | 8 ++++----
 Userland/Libraries/LibWeb/CSS/CSSStyleSheet.h   | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.cpp b/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.cpp
index 4da64b356c..92dff7a129 100644
--- a/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.cpp
+++ b/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.cpp
@@ -146,19 +146,19 @@ void CSSStyleSheet::set_style_sheet_list(Badge<StyleSheetList>, StyleSheetList*
     m_style_sheet_list = list;
 }
 
-Optional<StringView> CSSStyleSheet::default_namespace() const
+Optional<FlyString> CSSStyleSheet::default_namespace() const
 {
     if (m_default_namespace_rule)
-        return m_default_namespace_rule->namespace_uri().view();
+        return MUST(FlyString::from_deprecated_fly_string(m_default_namespace_rule->namespace_uri()));
 
     return {};
 }
 
-Optional<StringView> CSSStyleSheet::namespace_uri(StringView namespace_prefix) const
+Optional<FlyString> CSSStyleSheet::namespace_uri(StringView namespace_prefix) const
 {
     return m_namespace_rules.get(namespace_prefix)
         .map([](JS::GCPtr<CSSNamespaceRule> namespace_) {
-            return namespace_->namespace_uri().view();
+            return MUST(FlyString::from_deprecated_fly_string(namespace_->namespace_uri()));
         });
 }
 
diff --git a/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.h b/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.h
index 9c4cc71eed..e7760d76e5 100644
--- a/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.h
+++ b/Userland/Libraries/LibWeb/CSS/CSSStyleSheet.h
@@ -50,8 +50,8 @@ public:
 
     void set_style_sheet_list(Badge<StyleSheetList>, StyleSheetList*);
 
-    Optional<StringView> default_namespace() const;
-    Optional<StringView> namespace_uri(StringView namespace_prefix) const;
+    Optional<FlyString> default_namespace() const;
+    Optional<FlyString> namespace_uri(StringView namespace_prefix) const;
 
 private:
     CSSStyleSheet(JS::Realm&, CSSRuleList&, MediaList&, Optional<AK::URL> location);