LibWeb: Fix stack-use-after-scope

The refactor in the previous commit was storing a reference to a stack allocated `Infrastructure::Request::BodyType` which was then immediately freed. To fix this, we can store the `Infrastructure::Request::BodyType` in a variable beforehand, so it becomes safe to reference.
Author: https://github.com/yyny Commit: 211dc5659c Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2567 Reviewed-by: https://github.com/alimpfard Reviewed-by: https://github.com/gmta ✅
2025-06-01 16:02:53 +00:00 · 2024-11-26 18:17:44 +01:00 · 2024-11-26 18:17:44 +01:00 · 211dc5659c · 2024-12-04 00:59:15 +00:00
commit 211dc5659c
parent d7596a0a61
2 changed files with 9 additions and 8 deletions
--- a/Libraries/LibWeb/Fetch/Request.cpp
+++ b/Libraries/LibWeb/Fetch/Request.cpp
@ -448,7 +448,7 @@ WebIDL::ExceptionOr<GC::Ref<Request>> Request::construct_impl(JS::Realm& realm,
        return WebIDL::SimpleException { WebIDL::SimpleExceptionType::TypeError, "Method must not be GET or HEAD when body is provided"sv };

    // 36. Let initBody be null.
-    GC::Ptr<Infrastructure::Body> init_body;
+    Optional<Infrastructure::Request::BodyType> init_body;

    // 37. If init["body"] exists and is non-null, then:
    if (init.body.has_value() && (*init.body).has_value()) {
@ -467,15 +467,13 @@ WebIDL::ExceptionOr<GC::Ref<Request>> Request::construct_impl(JS::Realm& realm,
    }

    // 38. Let inputOrInitBody be initBody if it is non-null; otherwise inputBody.
-    Optional<Infrastructure::Request::BodyType const&> input_or_init_body = init_body
-        ? Infrastructure::Request::BodyType { *init_body }
-        : input_body;
+    auto input_or_init_body = init_body.value_or<Optional<Infrastructure::Request::BodyType const&>>(input_body);

    // 39. If inputOrInitBody is non-null and inputOrInitBody’s source is null, then:
    // FIXME: The spec doesn't check if inputOrInitBody is a body before accessing source.
    if (input_or_init_body.has_value() && input_or_init_body->has<GC::Ref<Infrastructure::Body>>() && input_or_init_body->get<GC::Ref<Infrastructure::Body>>()->source().has<Empty>()) {
        // 1. If initBody is non-null and init["duplex"] does not exist, then throw a TypeError.
-        if (init_body && !init.duplex.has_value())
+        if (init_body.has_value() && !init.duplex.has_value())
            return WebIDL::SimpleException { WebIDL::SimpleExceptionType::TypeError, "Body without source requires 'duplex' value to be set"sv };

        // 2. If this’s request’s mode is neither "same-origin" nor "cors", then throw a TypeError.
@ -490,7 +488,7 @@ WebIDL::ExceptionOr<GC::Ref<Request>> Request::construct_impl(JS::Realm& realm,
    auto const& final_body = input_or_init_body;

    // 41. If initBody is null and inputBody is non-null, then:
-    if (!init_body && input_body.has_value()) {
+    if (!init_body.has_value() && input_body.has_value()) {
        // 2. If input is unusable, then throw a TypeError.
        if (input.has<GC::Root<Request>>() && input.get<GC::Root<Request>>()->is_unusable())
            return WebIDL::SimpleException { WebIDL::SimpleExceptionType::TypeError, "Request is unusable"sv };