[webkit-changes] [WebKit/WebKit] 04f0e8: AX: Heap-use-after-free in WebCore::AXObjectCache:...
AndresGonzalezApple
noreply at github.com
Thu Nov 9 14:08:05 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 04f0e806cbcad334e1294304efb26d3be8120abd
https://github.com/WebKit/WebKit/commit/04f0e806cbcad334e1294304efb26d3be8120abd
Author: Andres Gonzalez <andresg_22 at apple.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
AX: Heap-use-after-free in WebCore::AXObjectCache::get(WebCore::Node*)+0x41c
rdar://113770369
Reviewed by Ryosuke Niwa.
This UAF is most likely caused by a mutation in the WeakListHashSet while iterating over it. This patch avoids the problem by copying the set to a Vector and iterating over the Vector.
The same technique is applied to another iteration over a WeakListHashSet, m_deferredNodeAddedOrRemovedList, in the same method.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::performDeferredCacheUpdate):
Originally-landed-as: 0f4469003671. rdar://117810598
Canonical link: https://commits.webkit.org/270478@main
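
The copy-then-iterate technique described in the log message, as an added C++ example that is not code from the WebKit commit. Standard-library containers stand in for WeakListHashSet and Vector, and Node, Cache, handle, performDeferredUpdate and makeCache are hypothetical names with constructed sample data.

```cpp
#include <algorithm>
#include <list>
#include <memory>
#include <vector>

// Hypothetical stand-ins: Node for a DOM node, DeferredList for a WeakListHashSet.
struct Node { int id; };
using DeferredList = std::list<std::weak_ptr<Node>>;

struct Cache {
    std::vector<std::shared_ptr<Node>> tree; // owns the nodes, like the document
    DeferredList deferred;                   // weak references queued for an update

    // Constructed side effect: handling node 1 destroys node 2, empties the
    // deferred list and re-queues the last node, all while a caller iterates.
    void handle(Node& node, std::vector<int>& processed) {
        processed.push_back(node.id);
        if (node.id != 1)
            return;
        tree.erase(std::remove_if(tree.begin(), tree.end(),
            [](const std::shared_ptr<Node>& n) { return n->id == 2; }), tree.end());
        deferred.clear();
        deferred.push_back(tree.back());
    }

    // Unsafe shape (comment only): handle() clears `deferred`, invalidating the
    // iterator that the range-for below still holds.
    //   for (auto& weak : deferred) if (auto n = weak.lock()) handle(*n, processed);

    // Copy first, then iterate the private copy. lock() re-checks each entry,
    // since a node can be destroyed while an earlier entry is being handled.
    std::vector<int> performDeferredUpdate() {
        std::vector<int> processed;
        std::vector<std::weak_ptr<Node>> snapshot(deferred.begin(), deferred.end());
        for (auto& weak : snapshot) {
            if (auto node = weak.lock()) // strong ref keeps the node alive for the call
                handle(*node, processed);
        }
        return processed;
    }
};

// Builds a cache with three constructed nodes, all queued for an update.
Cache makeCache() {
    Cache cache;
    for (int id = 1; id <= 3; ++id) {
        cache.tree.push_back(std::make_shared<Node>(Node{id}));
        cache.deferred.push_back(cache.tree.back());
    }
    return cache;
}
```

Node 2 is skipped because its weak reference no longer locks, and node 3 is still processed even though the live list was cleared and refilled mid-pass.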