mirror of
https://github.com/fergalmoran/ladybird.git
synced 2026-01-08 09:35:15 +00:00
5146bbe296
Previously, we would only keep the cell that must survive alive, but none of it's edges. This cropped up with a GC UAF in must_survive_garbage_collection of WebSocket in .NET's SignalR frontend implementation, where an out-of-scope WebSocket had it's underlying EventTarget properties garbage collected, and must_survive_garbage_collection read from the destroyed EventTarget properties. See: https://github.com/dotnet/aspnetcore/blob/main/src/SignalR/clients/ts/signalr/src/WebSocketTransport.ts#L81 Found on https://www.formula1.com/ during a live session. Co-Authored-By: Tim Flynn <trflynn89@pm.me>
22 lines
459 B
HTML
22 lines
459 B
HTML
<script src="../include.js"></script>
|
|
<script>
|
|
asyncTest((done) => {
|
|
{
|
|
const ws = new WebSocket('wss://echo.websocket.org');
|
|
|
|
ws.onopen = () => {
|
|
};
|
|
ws.onmessage = () => {
|
|
};
|
|
ws.onerror = () => {
|
|
};
|
|
}
|
|
|
|
setTimeout(() => {
|
|
internals.gc();
|
|
println("PASS! (Didn't crash)");
|
|
done();
|
|
}, 0);
|
|
});
|
|
</script>
|