LibWeb: Fix vector OOB access when comparing some calc() values

Before comparing the elements of two vectors, we have to check that
they have the same length. :^)

Fixes a crash seen on https://chat.openai.com/
Andreas Kling 2024-01-27 16:13:47 +01:00
parent 9272d185ad
commit 546143e9a6
Notes: sideshowbarker 2024-07-16 21:34:08 +09:00
3 changed files with 22 additions and 0 deletions


@ -0,0 +1 @@
PASS! (didn't crash)


@ -0,0 +1,13 @@
<!doctype html><script src="../include.js"></script><body><script>
test(() => {
let body = document.body;
body.style.width = 'max(10px, 20px, 30px)';
body.style.width = 'max(10px, 20px)';
body.style.width = 'min(10px, 20px, 30px)';
body.style.width = 'min(10px, 20px)';
body.style.width = 'calc(10px + 20px + 30px)';
body.style.width = 'calc(10px + 20px)';
body.style.width = 'calc(10px * 20px * 30px)';
body.style.width = 'calc(10px * 20px)';
});
</script>PASS! (didn't crash)
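Review bot: Every pair in this test only shrinks the operand list (three operands, then two), so it covers the order that crashed but not the reverse one. In the reverse order the old loop in `equals()` would presumably have stopped at the shorter list and reported two different values as equal. Adding the growing case, e.g. `body.style.width = 'max(10px, 20px)';` followed by `body.style.width = 'max(10px, 20px, 30px)';`, and printing `body.style.width` afterwards would pin the comparison result rather than only the absence of a crash. The `calc(10px * 20px * 30px)` lines may also be rejected as an invalid width before `ProductCalculationNode::equals` is reached, since a product of lengths is not a length. Something like `calc(10px * 2 * 3)` then `calc(10px * 2)` looks like a more reliable way to exercise that path, but this needs confirming against the parser.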


@ -372,6 +372,8 @@ bool SumCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<SumCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<SumCalculationNode const&>(other).m_values[i]))
return false;
@ -508,6 +510,8 @@ bool ProductCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<ProductCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<ProductCalculationNode const&>(other).m_values[i]))
return false;
@ -736,6 +740,8 @@ bool MinCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<MinCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<MinCalculationNode const&>(other).m_values[i]))
return false;
@ -831,6 +837,8 @@ bool MaxCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<MaxCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<MaxCalculationNode const&>(other).m_values[i]))
return false;
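Review bot: The length guard is copy-pasted into all four `equals()` overrides (Sum, Product, Min, Max), and each one repeats the `static_cast` of `other` in the guard and again in the loop, so the next n-ary node type has to remember the same check by hand. Binding the cast once, e.g. `auto const& other_sum = static_cast<SumCalculationNode const&>(other);`, and then testing `m_values.size() != other_sum.m_values.size()` keeps the cast next to the `type()` check that justifies it. A shared helper that takes the two child vectors would put the bounds check in one place. A short comment such as `// Lengths must match before indexing other.m_values[i].` would record why the guard must come before the loop. Judging by the loop bound, the guard also fixes a quieter case: a longer `other` would not have indexed out of bounds but would have compared equal on a prefix. Each function body starts and ends outside its hunk.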