LibWeb: Fix null pointer dereference in DOM::Node::remove()

Instead of blindly dereferencing m_registered_observer_list, just use the add_registered_observer() helper. Fixes #22005
Author: https://github.com/awesomekling Commit: https://github.com/SerenityOS/serenity/commit/cc9de38ea4 Pull-request: https://github.com/SerenityOS/serenity/pull/22007 Issue: https://github.com/SerenityOS/serenity/issues/22005 Reviewed-by: https://github.com/Lubrsi ✅
2023-11-20 20:03:43 +01:00 · 2023-11-20 20:03:43 +01:00 · cc9de38ea4 · 2024-07-17 08:27:05 +09:00
commit cc9de38ea4
parent 7320fdc1f5
3 changed files with 15 additions and 1 deletions
--- a/Tests/LibWeb/Text/expected/MutationObserver/removing-a-node.txt
+++ b/Tests/LibWeb/Text/expected/MutationObserver/removing-a-node.txt
@ -0,0 +1 @@
+   PASS! (Didn't crash)
--- a/Tests/LibWeb/Text/input/MutationObserver/removing-a-node.html
+++ b/Tests/LibWeb/Text/input/MutationObserver/removing-a-node.html
@ -0,0 +1,13 @@
+<body>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        let observer = new MutationObserver(function() {});
+        observer.observe(document.body, { attributes: true, childList: true, subtree: true });
+
+        let div = document.createElement("div");
+        document.body.appendChild(div);
+        div.remove();
+        println("PASS! (Didn't crash)");
+    });
+</script>
--- a/Userland/Libraries/LibWeb/DOM/Node.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Node.cpp
@ -693,7 +693,7 @@ void Node::remove(bool suppress_observers)
        for (auto& registered : *inclusive_ancestor->m_registered_observer_list) {
            if (registered->options().subtree) {
                auto transient_observer = TransientRegisteredObserver::create(registered->observer(), registered->options(), registered);
-                m_registered_observer_list->append(move(transient_observer));
+                add_registered_observer(move(transient_observer));
            }
        }
    }