From cc9de38ea4ccf06024913b78b6283d8e4bc26536 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Mon, 20 Nov 2023 20:03:43 +0100
Subject: [PATCH] LibWeb: Fix null pointer dereference in DOM::Node::remove()

Instead of blindly dereferencing m_registered_observer_list, just use the add_registered_observer() helper.

Fixes #22005
---
 .../expected/MutationObserver/removing-a-node.txt | 1 +
 .../input/MutationObserver/removing-a-node.html | 13 +++++++++++++
 Userland/Libraries/LibWeb/DOM/Node.cpp | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/MutationObserver/removing-a-node.txt
 create mode 100644 Tests/LibWeb/Text/input/MutationObserver/removing-a-node.html

diff --git a/Tests/LibWeb/Text/expected/MutationObserver/removing-a-node.txt b/Tests/LibWeb/Text/expected/MutationObserver/removing-a-node.txt
new file mode 100644
index 0000000000..be36d109cd
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/MutationObserver/removing-a-node.txt
@@ -0,0 +1 @@
+ PASS! (Didn't crash)
diff --git a/Tests/LibWeb/Text/input/MutationObserver/removing-a-node.html b/Tests/LibWeb/Text/input/MutationObserver/removing-a-node.html
new file mode 100644
index 0000000000..6a8324c04f
--- /dev/null
+++ b/Tests/LibWeb/Text/input/MutationObserver/removing-a-node.html
@@ -0,0 +1,13 @@
+ + +
diff --git a/Userland/Libraries/LibWeb/DOM/Node.cpp b/Userland/Libraries/LibWeb/DOM/Node.cpp
index c1c901a561..6166a28929 100644
--- a/Userland/Libraries/LibWeb/DOM/Node.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Node.cpp
@@ -693,7 +693,7 @@ void Node::remove(bool suppress_observers)
 for (auto& registered : *inclusive_ancestor->m_registered_observer_list) {
 if (registered->options().subtree) {
 auto transient_observer = TransientRegisteredObserver::create(registered->observer(), registered->options(), registered);
- m_registered_observer_list->append(move(transient_observer));
+ add_registered_observer(move(transient_observer));
 }
 }
 }
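Review bot: The loop header kept as context in the Node.cpp hunk, `for (auto& registered : *inclusive_ancestor->m_registered_observer_list)`, still dereferences the same kind of list pointer that this commit stops dereferencing on the node itself. Node::remove() starts and ends outside the hunk, so it is not visible whether a null check precedes that loop. If none does, an ancestor that never had an observer registered would presumably hit the same crash, and the added regression test suggests this path is reachable from page content, which makes it a content-triggered crash. If the guard is missing, I would add `if (!inclusive_ancestor->m_registered_observer_list) continue;` ahead of the inner loop. The changed line also deserves a short comment such as `// The list may not exist yet; go through add_registered_observer() rather than touching m_registered_observer_list directly.` so the direct access is not reintroduced.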