From de80f544d8698f21c50a48bb291b163613237374 Mon Sep 17 00:00:00 2001
From: Timothy Flynn
Date: Wed, 3 Apr 2024 22:00:23 -0400
Subject: [PATCH] AK: Disallow calling String methods that return a view on rvalues
This prevents, for example:
StringView view = "foo"_string.bytes_as_string_view();
This prevents a class of potential UAF.
---
 AK/String.cpp | 4 ++--
 AK/String.h | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/AK/String.cpp b/AK/String.cpp
index 17eb6313d1b..6bcd168acba 100644
--- a/AK/String.cpp
+++ b/AK/String.cpp
@@ -77,7 +77,7 @@ ErrorOr String::repeated(u32 code_point, size_t count)
 return result;
 }
-StringView String::bytes_as_string_view() const
+StringView String::bytes_as_string_view() const&
 {
 return StringView(bytes());
 }
@@ -197,7 +197,7 @@ u32 String::ascii_case_insensitive_hash() const
 return case_insensitive_string_hash(reinterpret_cast(bytes().data()), bytes().size());
 }
-Utf8View String::code_points() const
+Utf8View String::code_points() const&
 {
 return Utf8View(bytes_as_string_view());
 }
diff --git a/AK/String.h b/AK/String.h
index 99417acb4b8..418426cd441 100644
--- a/AK/String.h
+++ b/AK/String.h
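Review bot: In AK/String.cpp, `bytes_as_string_view()` is now lvalue-only, but its body is just `StringView(bytes())`, and nothing in this patch restricts `bytes()` itself. The declaration of `bytes()` is outside this diff; the `bytes().data()` and `bytes().size()` calls in the context of the second hunk suggest it returns a pointer-and-length view. If so, and if it is still callable on a temporary String, the same dangling range can be obtained by wrapping its result, so the use-after-free class is narrowed rather than closed. I would give `bytes()` the same `const&` / `const&& = delete` pair, or add a comment on its declaration explaining why it is exempt.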
@@ -107,13 +107,15 @@ public:
 ErrorOr substring_from_byte_offset_with_shared_superstring(size_t start) const;
 // Returns an iterable view over the Unicode code points.
- [[nodiscard]] Utf8View code_points() const;
+ [[nodiscard]] Utf8View code_points() const&;
+ [[nodiscard]] Utf8View code_points() const&& = delete;
 // Returns true if the String is zero-length.
 [[nodiscard]] bool is_empty() const;
 // Returns a StringView covering the full length of the string. Note that iterating this will go byte-at-a-time, not code-point-at-a-time.
- [[nodiscard]] StringView bytes_as_string_view() const;
+ [[nodiscard]] StringView bytes_as_string_view() const&;
+ [[nodiscard]] StringView bytes_as_string_view() const&& = delete;
 [[nodiscard]] size_t count(StringView needle) const { return StringUtils::count(bytes_as_string_view(), needle); }
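Review bot: The two `= delete` overloads in AK/String.h carry no comment, so a caller who hits the deleted-function error gets no hint about the reason or the fix. Above each one I would add `// Deleted for temporaries: the returned view would dangle once the String is destroyed. Bind the String to a named variable first.` The deletion also rejects calls where the view is consumed inside the same full-expression as the temporary, which would have been safe, so the comment should say that this is deliberate. If the project's language standard allows it, a compile-time check that the rvalue call is ill-formed would keep the guard from being dropped silently in a later refactor. The class these declarations belong to begins and ends outside the hunk.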