LibWeb: Fix use-after-free in CSSNamespaceRule parsing

Holding the `prefix` as a StringView meant it pointed at string data held by `token`. `token` gets reassigned shortly afterwards, meaning `prefix` would hold invalid character data.
2026-01-03 23:25:20 +00:00 · 2023-08-07 17:29:38 +01:00
parent 5042c903be
commit 6c2ed0f51b
3 changed files with 6 additions and 6 deletions
--- a/Userland/Libraries/LibWeb/CSS/CSSNamespaceRule.cpp
+++ b/Userland/Libraries/LibWeb/CSS/CSSNamespaceRule.cpp
@@ -14,14 +14,14 @@

 namespace Web::CSS {

-CSSNamespaceRule::CSSNamespaceRule(JS::Realm& realm, Optional<StringView> prefix, StringView namespace_uri)
+CSSNamespaceRule::CSSNamespaceRule(JS::Realm& realm, Optional<DeprecatedString> prefix, StringView namespace_uri)
    : CSSRule(realm)
    , m_namespace_uri(namespace_uri)
-    , m_prefix(prefix.has_value() ? prefix.value() : ""sv)
+    , m_prefix(prefix.value_or(""sv))
 {
 }

-WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> CSSNamespaceRule::create(JS::Realm& realm, Optional<AK::StringView> prefix, AK::StringView namespace_uri)
+WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> CSSNamespaceRule::create(JS::Realm& realm, Optional<DeprecatedString> prefix, AK::StringView namespace_uri)
 {
    return MUST_OR_THROW_OOM(realm.heap().allocate<CSSNamespaceRule>(realm, realm, prefix, namespace_uri));
 }