[webkit-changes] [WebKit/WebKit] 04f0e8: AX: Heap-use-after-free in WebCore::AXObjectCache:...

AndresGonzalezApple Thu, 09 Nov 2023 14:08:18 -0800

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 04f0e806cbcad334e1294304efb26d3be8120abd
      
https://github.com/WebKit/WebKit/commit/04f0e806cbcad334e1294304efb26d3be8120abd
  Author: Andres Gonzalez <andresg...@apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)


  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  AX: Heap-use-after-free in WebCore::AXObjectCache::get(WebCore::Node*)+0x41c
rdar://113770369

Reviewed by Ryosuke Niwa.

This UAF is most likely caused by a mutation in the WeakListHashSet while 
iterating over it. This patch avoids the problem by copying the set to a Vector 
and iterating over the Vector.
The same technique is applied to another iteration over a WeakListHashsSet, 
m_deferredNodeAddedOrRemovedList, in the same method.

* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::performDeferredCacheUpdate):

Originally-landed-as: 0f4469003671. rdar://117810598
Canonical link: https://commits.webkit.org/270478@main


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

[webkit-changes] [WebKit/WebKit] 04f0e8: AX: Heap-use-after-free in WebCore::AXObjectCache:...

Reply via email to