From c8fa0c3cd7600dbdba65423c9c82c2508c211a7f Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Sat, 11 Jun 2022 18:40:06 +0100
Subject: [PATCH] LibWeb: Hold a strong ref to old_rule in CSSRuleList::remove_a_css_rule

Using auto& when indexing an NNRPVector doesn't cause it to hold a strong reference and is instead just a plain old reference. If m_rules was the only storage holding a strong reference to old_rule, we would remove it in step 4 and subsequently UAF it in step 5.
---
 Userland/Libraries/LibWeb/CSS/CSSRuleList.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/Userland/Libraries/LibWeb/CSS/CSSRuleList.cpp b/Userland/Libraries/LibWeb/CSS/CSSRuleList.cpp
index d92f9d72eb..1ea00262e7 100644
--- a/Userland/Libraries/LibWeb/CSS/CSSRuleList.cpp
+++ b/Userland/Libraries/LibWeb/CSS/CSSRuleList.cpp
@@ -72,17 +72,16 @@ DOM::ExceptionOr CSSRuleList::remove_a_css_rule(u32 index)
         return DOM::IndexSizeError::create("CSS rule index out of bounds.");
 
     // 3. Set old rule to the indexth item in list.
-    auto& old_rule = m_rules[index];
+    NonnullRefPtr old_rule = m_rules[index];
 
     // FIXME: 4. If old rule is an @namespace at-rule, and list contains anything other than @import at-rules, and @namespace at-rules, throw an InvalidStateError exception.
-    (void)old_rule;
 
     // 5. Remove rule old rule from list at the zero-indexed position index.
     m_rules.remove(index);
 
     // 6. Set old rule’s parent CSS rule and parent CSS style sheet to null.
-    old_rule.set_parent_rule(nullptr);
-    old_rule.set_parent_style_sheet(nullptr);
+    old_rule->set_parent_rule(nullptr);
+    old_rule->set_parent_style_sheet(nullptr);
 
     return {};
 }
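Review bot: The new `NonnullRefPtr old_rule = m_rules[index];` line carries no explanation of why a strong reference is taken, so the next reader is likely to "simplify" it back to `auto&` and reintroduce the use-after-free the commit message describes. Put the reasoning next to the line as a comment, e.g. `// Keep a strong reference: m_rules.remove(index) below may drop the list's only reference to this rule, and step 6 still dereferences it.` The declaration also relies on class template argument deduction; spelling the element type explicitly (whatever m_rules stores, not visible in this hunk) would make the ownership intent readable without consulting the container's type. The body of remove_a_css_rule begins before this hunk.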