mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-07-29 12:19:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

LibWeb: Do not capture local lambda by reference in HTMLTrackElement

Browse source 
This is UAF. It will cause a crash in an upcoming commit.
This commit is contained in:
Timothy Flynn 2025-06-12 08:31:30 -04:00 committed by Tim Flynn
commit 8da6731048
Notes: github-actions[bot] 2025-06-12 16:27:04 +00:00
2 changed files with 16 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

28
Libraries/LibWeb/HTML/HTMLTrackElement.cpp
View file

@ -182,13 +182,6 @@ void HTMLTrackElement::start_the_track_processing_model_parallel_steps(JS::Realm
// 9. End the synchronous section, continuing the remaining steps in parallel. // 9. End the synchronous section, continuing the remaining steps in parallel.
auto fire_error_event = [&]() {
queue_an_element_task(Task::Source::DOMManipulation, [this, &realm]() {
m_track->set_readiness_state(TextTrack::ReadinessState::FailedToLoad);
dispatch_event(DOM::Event::create(realm, HTML::EventNames::error));
});
};
// 10. If URL is not the empty string, then: // 10. If URL is not the empty string, then:
if (!url.is_empty()) { if (!url.is_empty()) {
// 1. Let request be the result of creating a potential-CORS request given URL, "track", and corsAttributeState, // 1. Let request be the result of creating a potential-CORS request given URL, "track", and corsAttributeState,
@ -204,14 +197,14 @@ void HTMLTrackElement::start_the_track_processing_model_parallel_steps(JS::Realm
request->set_initiator_type(Fetch::Infrastructure::Request::InitiatorType::Track); request->set_initiator_type(Fetch::Infrastructure::Request::InitiatorType::Track);
Fetch::Infrastructure::FetchAlgorithms::Input fetch_algorithms_input {}; Fetch::Infrastructure::FetchAlgorithms::Input fetch_algorithms_input {};
fetch_algorithms_input.process_response_consume_body = [this, &realm, &fire_error_event](auto response, auto body_bytes) { fetch_algorithms_input.process_response_consume_body = [this, &realm](auto response, auto body_bytes) {
m_loading = false; m_loading = false;
// If fetching fails for any reason (network error, the server returns an error code, CORS fails, etc.), // If fetching fails for any reason (network error, the server returns an error code, CORS fails, etc.),
// or if URL is the empty string, then queue an element task on the DOM manipulation task source given the media element // or if URL is the empty string, then queue an element task on the DOM manipulation task source given the media element
// to first change the text track readiness state to failed to load and then fire an event named error at the track element. // to first change the text track readiness state to failed to load and then fire an event named error at the track element.
if (!response->url().has_value() || body_bytes.template has<Empty>() || body_bytes.template has<Fetch::Infrastructure::FetchAlgorithms::ConsumeBodyFailureTag>() || !Fetch::Infrastructure::is_ok_status(response->status()) || response->is_network_error()) { if (!response->url().has_value() || body_bytes.template has<Empty>() || body_bytes.template has<Fetch::Infrastructure::FetchAlgorithms::ConsumeBodyFailureTag>() || !Fetch::Infrastructure::is_ok_status(response->status()) || response->is_network_error()) {
fire_error_event(); track_failed_to_load();
return; return;
} }
@ -220,10 +213,7 @@ void HTMLTrackElement::start_the_track_processing_model_parallel_steps(JS::Realm
// then the task that is queued on the networking task source in which the aforementioned problem is found must change the text track readiness state to failed to // then the task that is queued on the networking task source in which the aforementioned problem is found must change the text track readiness state to failed to
// load and fire an event named error at the track element. // load and fire an event named error at the track element.
// FIXME: Currently we always fail here, since we don't support loading any track formats. // FIXME: Currently we always fail here, since we don't support loading any track formats.
queue_an_element_task(Task::Source::Networking, [this, &realm]() { track_failed_to_load();
m_track->set_readiness_state(TextTrack::ReadinessState::FailedToLoad);
dispatch_event(DOM::Event::create(realm, HTML::EventNames::error));
});
// If fetching does not fail, and the file was successfully processed, then the final task that is queued by the networking task source, // If fetching does not fail, and the file was successfully processed, then the final task that is queued by the networking task source,
// after it has finished parsing the data, must change the text track readiness state to loaded, and fire an event named load at the track element. // after it has finished parsing the data, must change the text track readiness state to loaded, and fire an event named load at the track element.
@ -240,7 +230,7 @@ void HTMLTrackElement::start_the_track_processing_model_parallel_steps(JS::Realm
m_fetch_algorithms = Fetch::Infrastructure::FetchAlgorithms::create(vm(), move(fetch_algorithms_input)); m_fetch_algorithms = Fetch::Infrastructure::FetchAlgorithms::create(vm(), move(fetch_algorithms_input));
m_fetch_controller = MUST(Fetch::Fetching::fetch(realm, request, *m_fetch_algorithms)); m_fetch_controller = MUST(Fetch::Fetching::fetch(realm, request, *m_fetch_algorithms));
} else { } else {
fire_error_event(); track_failed_to_load();
return; return;
} }
@ -258,4 +248,14 @@ void HTMLTrackElement::start_the_track_processing_model_parallel_steps(JS::Realm
start_the_track_processing_model_parallel_steps(realm); start_the_track_processing_model_parallel_steps(realm);
} }
void HTMLTrackElement::track_failed_to_load()
{
queue_an_element_task(Task::Source::DOMManipulation, [this]() {
auto& realm = this->realm();
m_track->set_readiness_state(TextTrack::ReadinessState::FailedToLoad);
dispatch_event(DOM::Event::create(realm, HTML::EventNames::error));
});
}
} }

2
Libraries/LibWeb/HTML/HTMLTrackElement.h
View file

@ -35,6 +35,8 @@ private:
void start_the_track_processing_model(); void start_the_track_processing_model();
void start_the_track_processing_model_parallel_steps(JS::Realm& realm); void start_the_track_processing_model_parallel_steps(JS::Realm& realm);
void track_failed_to_load();
// ^DOM::Element // ^DOM::Element
virtual void attribute_changed(FlyString const& name, Optional<String> const& old_value, Optional<String> const& value, Optional<FlyString> const& namespace_) override; virtual void attribute_changed(FlyString const& name, Optional<String> const& old_value, Optional<String> const& value, Optional<FlyString> const& namespace_) override;
virtual void inserted() override; virtual void inserted() override;