[wpt-sync] Sync PR 36779 - [css-nesting] Fix a use-after-free on inserted parent selectors.
Categories
(Core :: CSS Parsing and Computation, task, P4)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox108 | --- | fixed |
People
(Reporter: wpt-sync, Unassigned)
References
()
Details
(Whiteboard: [wptsync downstream])
Sync web-platform-tests PR 36779 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/36779
Details from upstream follow.
Steinar H. Gunderson <sesse@chromium.org> wrote:
[css-nesting] Fix a use-after-free on inserted parent selectors.
When checking whether a selector list is nest containing,
we temporarily set last_in_selector_list_ on the selector
right before the (possibly) inserted &. However, when clearing
it afterwards, we'd clear it on the wrong element (we didn't
take into account that back() pointed to something else),
leaving the flag there. This meant that Oilpan tracing
would stop at the element, missing later complex selectors
in the same list, eventually causing use-after-free.Only relevant when CSS Nesting is activated (which it isn't
by default).Fixed: 1380313
Change-Id: Ia912ee2d5538d7067c0d14786158372a544d5cd3Reviewed-on: https://chromium-review.googlesource.com/3999320
WPT-Export-Revision: 2ec4c27311d5db8f6f0c5d0231a522c795a0c455
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 1•3 years ago
|
||
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
|
Assignee | |
Comment 3•3 years ago
|
||
CI Results
Ran 9 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 1 tests
Status Summary
Firefox
PASS: 1
Chrome
PASS: 1
Safari
PASS: 1
Links
|
||
Comment 5•3 years ago
|
||
| bugherder | ||
Description
•