Bug 1918629 [wpt PR 48150] - Fix UAF in GetAttrSubstitutionValue, a=t…

…estonly Automatic update from web-platform-tests Fix UAF in GetAttrSubstitutionValue CSSParserTokenStream needs to stay alive until the CSSParserToken is appended to out TokenSequence, since CSSParserToken is holding a reference to CSSParserTokenStream. Bug: 365802556 Change-Id: Ic3f5a5277d5ab754630eb26fad120f217dab2ea2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5853990 Reviewed-by: Anders Hartvoll Ruud <andruudchromium.org> Commit-Queue: Munira Tursunova <mooniragoogle.com> Cr-Commit-Position: refs/heads/main{#1355099} -- wpt-commits: e6f01757f6fb3ecd4312dac6cb7e2b18c1ac6c88 wpt-pr: 48150 UltraBlame original commit: c10ef0fbdb67ea0639f2f5f8d74e4c92d6475c59
marco-c · Sep 20, 2024 · 5ce22a1 · 5ce22a1
1 parent 1b8eb2e
commit 5ce22a1
Showing 1 changed file with 150 additions and 0 deletions.
diff --git a/testing/web-platform/tests/css/css-values/attr-crash.html b/testing/web-platform/tests/css/css-values/attr-crash.html
@@ -0,0 +1,150 @@
+<
+!
+DOCTYPE
+html
+>
+<
+title
+>
+CSS
+Values
+and
+Units
+Test
+:
+attr
+<
+/
+title
+>
+<
+meta
+name
+=
+"
+assert
+"
+content
+=
+"
+Test
+attr
+use
+after
+free
+crash
+"
+>
+<
+link
+rel
+=
+"
+help
+"
+href
+=
+"
+https
+:
+/
+/
+crbug
+.
+com
+/
+365802556
+"
+>
+<
+head
+>
+<
+style
+>
+#
+div
+{
+-
+-
+prop
+:
+attr
+(
+data
+-
+foo
+ident
+)
+;
+}
+<
+/
+style
+>
+<
+/
+head
+>
+<
+body
+>
+<
+div
+id
+=
+"
+div
+"
+data
+-
+foo
+=
+"
+aaa123
+\
+aaa123aaa
+"
+>
+Content
+<
+/
+div
+>
+<
+/
+body
+>
+<
+script
+>
+var
+elem
+=
+document
+.
+getElementById
+(
+"
+div
+"
+)
+;
+getComputedStyle
+(
+elem
+)
+.
+getPropertyValue
+(
+"
+-
+-
+prop
+"
+)
+;
+<
+/
+script
+>