AX: Heap-use-after-free in WebCore::AXObjectCache::get(WebCore::Node*…

…)+0x41c rdar://113770369 Reviewed by Ryosuke Niwa. This UAF is most likely caused by a mutation in the WeakListHashSet while iterating over it. This patch avoids the problem by copying the set to a Vector and iterating over the Vector. The same technique is applied to another iteration over a WeakListHashsSet, m_deferredNodeAddedOrRemovedList, in the same method. * Source/WebCore/accessibility/AXObjectCache.cpp: (WebCore::AXObjectCache::performDeferredCacheUpdate): Originally-landed-as: 0f44690. rdar://117810598 Canonical link: https://commits.webkit.org/270478@main
WebKit · Nov 9, 2023 · 04f0e80 · 04f0e80
1 parent a4a79e4
commit 04f0e80
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/Source/WebCore/accessibility/AXObjectCache.cpp b/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -3945,10 +3945,13 @@ void AXObjectCache::performDeferredCacheUpdate()
     m_deferredRecomputeTableIsExposedList.clear();
 
     AXLOGDeferredCollection("NodeAddedOrRemovedList"_s, m_deferredNodeAddedOrRemovedList);
-    for (auto& nodeChild : m_deferredNodeAddedOrRemovedList) {
-        handleMenuOpened(&nodeChild);
-        handleLiveRegionCreated(&nodeChild);
-        handleLabelCreated(dynamicDowncast<HTMLLabelElement>(&nodeChild));
+    auto nodeAddedOrRemovedList = copyToVector(m_deferredNodeAddedOrRemovedList);
+    for (auto& weakNode : nodeAddedOrRemovedList) {
+        if (RefPtr node = weakNode.get()) {
+            handleMenuOpened(node.get());
+            handleLiveRegionCreated(node.get());
+            handleLabelCreated(dynamicDowncast<HTMLLabelElement>(node.get()));
+        }
     }
     m_deferredNodeAddedOrRemovedList.clear();
 
@@ -3970,8 +3973,11 @@ void AXObjectCache::performDeferredCacheUpdate()
 #endif
 
     AXLOGDeferredCollection("TextChangedList"_s, m_deferredTextChangedList);
-    for (auto& node : m_deferredTextChangedList)
-        handleTextChanged(getOrCreate(&node));
+    auto textChangedList = copyToVector(m_deferredTextChangedList);
+    for (auto& weakNode : textChangedList) {
+        if (RefPtr node = weakNode.get())
+            handleTextChanged(getOrCreate(node.get()));
+    }
     m_deferredTextChangedList.clear();
 
     AXLOGDeferredCollection("RecomputeIsIgnoredList"_s, m_deferredRecomputeIsIgnoredList);