LibWeb: Copy m_resize_observers before iterating

An inopportune garbage collection may cause collected `ResizeObserver`s to unregister themselves from `m_resize_observers` while we are iterating over it, resulting in a use-after-free.
Author: https://github.com/yyny Commit: https://github.com/LadybirdBrowser/ladybird/commit/f093a8af67f Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2483 Reviewed-by: https://github.com/awesomekling
2025-04-24 21:45:20 +00:00 · 2024-11-21 16:09:31 +01:00 · 2024-11-21 16:09:31 +01:00 · f093a8af67 · 2024-11-21 18:19:22 +00:00
commit f093a8af67
parent 94b97aa365
1 changed files with 9 additions and 1 deletions
--- a/Libraries/LibWeb/DOM/Document.cpp
+++ b/Libraries/LibWeb/DOM/Document.cpp
@ -15,6 +15,7 @@
 #include <AK/StringBuilder.h>
 #include <AK/Utf8View.h>
 #include <LibCore/Timer.h>
+#include <LibGC/MarkedVector.h>
 #include <LibJS/Runtime/Array.h>
 #include <LibJS/Runtime/FunctionObject.h>
 #include <LibJS/Runtime/NativeFunction.h>
@ -5160,7 +5161,14 @@ size_t Document::broadcast_active_resize_observations()
    auto shallowest_target_depth = NumericLimits<size_t>::max();

    // 2. For each observer in document.[[resizeObservers]] run these steps:
-    for (auto const& observer : m_resize_observers) {
+
+    // NOTE: We make a copy of the resize observers list to avoid modifying it while iterating.
+    GC::MarkedVector<GC::Ref<ResizeObserver::ResizeObserver>> resize_observers(heap());
+    resize_observers.ensure_capacity(m_resize_observers.size());
+    for (auto const& observer : m_resize_observers)
+        resize_observers.append(observer);
+
+    for (auto const& observer : resize_observers) {
        // 1. If observer.[[activeTargets]] slot is empty, continue.
        if (observer->active_targets().is_empty()) {
            continue;