LibWeb: Empty CE reaction queue instead of destroying it on exception

If an exception occurs in a custom element constructor, we clear the reaction queue by destroying it, instead of emptying the Vector. 3da6916383/Userland/Libraries/LibWeb/DOM/Element.cpp (L2033) This causes a UAF here, as async upgrades (i.e. custom elements not created by document.createElement) are performed in this loop: 3da6916383/Userland/Libraries/LibWeb/Bindings/MainThreadVM.cpp (L657) Fixes crash when loading https://github.com/SerenityOS/serenity
2026-01-06 16:45:03 +00:00 · 2024-03-01 00:58:51 +00:00
parent 5b4533cab8
commit 48e11a1f12
3 changed files with 24 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/DOM/Element.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Element.cpp
@@ -2030,7 +2030,8 @@ JS::ThrowCompletionOr<void> Element::upgrade_element(JS::NonnullGCPtr<HTML::Cust
        m_custom_element_definition = nullptr;

        // 2. Empty element's custom element reaction queue.
-        m_custom_element_reaction_queue = nullptr;
+        if (m_custom_element_reaction_queue)
+            m_custom_element_reaction_queue->clear();

        // 3. Rethrow the exception (thus terminating this algorithm).
        return maybe_exception.release_error();