RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-19 03:55:07 +00:00
Code Issues Activity Actions
serenity/Tests/LibWeb/Text/expected/HTML/custom-elements-throw-in-constructor.txt
Luke Wilde 48e11a1f12 LibWeb: Empty CE reaction queue instead of destroying it on exception 
If an exception occurs in a custom element constructor, we clear the
reaction queue by destroying it, instead of emptying the Vector.
3da6916383/Userland/Libraries/LibWeb/DOM/Element.cpp (L2033)

This causes a UAF here, as async upgrades (i.e. custom elements not
created by document.createElement) are performed in this loop:
3da6916383/Userland/Libraries/LibWeb/Bindings/MainThreadVM.cpp (L657)

Fixes crash when loading https://github.com/SerenityOS/serenity
2024-02-29 21:58:01 -05:00

2 lines
67 B
Text
Raw Permalink Blame History

Entered TestElement constructor, throwing.
PASS! (Didn't crash)
Reference in a new issue View git blame Copy permalink