beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-26 09:30:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

LibWeb: Fix vector OOB access when comparing some calc() values

Browse source 
Before comparing the elements of two vectors, we have to check that
they have the same length. :^)

Fixes a crash seen on https://chat.openai.com/
This commit is contained in:
Andreas Kling 2024-01-27 16:13:47 +01:00
parent 9272d185ad
commit 546143e9a6
Notes: sideshowbarker 2024-07-16 21:34:08 +09:00 
Author: https://github.com/awesomekling
Commit: https://github.com/SerenityOS/serenity/commit/546143e9a6
Pull-request: https://github.com/SerenityOS/serenity/pull/22964
3 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Tests/LibWeb/Text/expected/css/replace-calc-function-with-same-kind-but-fewer-arguments.txt Normal file
View file

@ -0,0 +1 @@
PASS! (didn't crash)

13
Tests/LibWeb/Text/input/css/replace-calc-function-with-same-kind-but-fewer-arguments.html Normal file
View file

@ -0,0 +1,13 @@
<!doctype html><script src="../include.js"></script><body><script>
test(() => {
let body = document.body;
body.style.width = 'max(10px, 20px, 30px)';
body.style.width = 'max(10px, 20px)';
body.style.width = 'min(10px, 20px, 30px)';
body.style.width = 'min(10px, 20px)';
body.style.width = 'calc(10px + 20px + 30px)';
body.style.width = 'calc(10px + 20px)';
body.style.width = 'calc(10px * 20px * 30px)';
body.style.width = 'calc(10px * 20px)';
});
</script>PASS! (didn't crash)

8
Userland/Libraries/LibWeb/CSS/StyleValues/CalculatedStyleValue.cpp
View file

@ -372,6 +372,8 @@ bool SumCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<SumCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<SumCalculationNode const&>(other).m_values[i]))
return false;
@ -508,6 +510,8 @@ bool ProductCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<ProductCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<ProductCalculationNode const&>(other).m_values[i]))
return false;
@ -736,6 +740,8 @@ bool MinCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<MinCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<MinCalculationNode const&>(other).m_values[i]))
return false;
@ -831,6 +837,8 @@ bool MaxCalculationNode::equals(CalculationNode const& other) const
return true;
if (type() != other.type())
return false;
if (m_values.size() != static_cast<MaxCalculationNode const&>(other).m_values.size())
return false;
for (size_t i = 0; i < m_values.size(); ++i) {
if (!m_values[i]->equals(*static_cast<MaxCalculationNode const&>(other).m_values[i]))
return false;