AK: Avoid UAF for consecutive SinglyLinkedList removals

The iterator returned by SinglyLinkedList::remove() left `m_prev`
default-initialized to `nullptr`. If the caller removed another element
without first advancing, the previous node's next pointer was left
dangling to the freed node.

This caused a UAF in FinalizationRegistry's `remove_by_token()` when
two consecutive records shared an unregister token.
Tim Ledbetter
2026-04-21 16:11:52 +01:00
committed by Jelle Raaijmakers
parent 75ae9abe7a
commit df34c626d8
Notes: github-actions[bot] 2026-04-21 16:10:38 +00:00
2 changed files with 24 additions and 0 deletions


@@ -281,6 +281,7 @@ public:
auto* next = node->next;
new_iterator.m_node = next;
new_iterator.m_next = next ? next->next : nullptr;
new_iterator.m_prev = iterator.m_prev;
delete node;
return new_iterator;
}
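Review bot: `new_iterator.m_prev = iterator.m_prev;` (the single addition this hunk's header announces) is what lets a second remove() without an intervening advance find the right predecessor, but the visible context does not show `m_prev->next` being repointed to `next` before `delete node;`; confirm that unlink happens earlier in remove(), above this hunk, otherwise the carried-over `m_prev` still points at a node whose `next` is the freed one. A short comment on the iterator stating that `m_prev` must stay valid across consecutive removals would make the invariant this fix relies on visible to the next editor, and since the commit lists a second changed file, that file should carry a regression test for the two-consecutive-removals case the message describes.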