[WebKit] UAF in removeFromFacesLookupTable [CVE-2021-30858]
Original Post:
We discussed this vulnerability during Episode 92 on 19 October 2021
Amazingly simple issue as far as browser bugs go. The removeFromFacesLookupTable method in the CSSFontFaceSet class failed to properly check whether the lookup had reached the end of the table when looking up a font. The iterator was compared against m_facesLookupTable.end() only in an assert rather than a proper check, and in release builds an assert is a no-op. This led to a situation where the method would try to remove a font that doesn't exist in the table (for example, after adding an invalid font), accessing stale memory.
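The assert-versus-check pattern described above, as an added illustrative C++ model that is not WebKit's code: a table mapping family name to registered face ids, the buggy removal guarded only by an assert that is compiled out of release builds, and the fixed removal with a real end() check. The macro, function names and sample entries are all constructed for this example.

```cpp
#include <algorithm>
#include <cstdlib>
#include <string>
#include <unordered_map>
#include <vector>

// Mimics an ASSERT that is compiled out of release builds (hypothetical macro):
// with NDEBUG defined the condition is never even evaluated.
#ifdef NDEBUG
#define RELEASE_NOOP_ASSERT(cond) ((void)0)
#else
#define RELEASE_NOOP_ASSERT(cond) do { if (!(cond)) std::abort(); } while (0)
#endif

// Constructed stand-in for the faces lookup table: family name -> face ids.
using FacesLookupTable = std::unordered_map<std::string, std::vector<int>>;

// Buggy shape: the only guard against an unknown family is the assert, so a
// release build dereferences table.end() and touches memory it does not own.
void removeFromFacesLookupTableBuggy(FacesLookupTable& table,
                                     const std::string& family, int faceId) {
    auto it = table.find(family);
    RELEASE_NOOP_ASSERT(it != table.end());   // vanishes in release builds
    auto& faces = it->second;                 // invalid when family is absent
    faces.erase(std::remove(faces.begin(), faces.end(), faceId), faces.end());
    if (faces.empty())
        table.erase(it);
}

// Fixed shape: a real check that survives every build configuration. Returns
// whether a face was actually removed so the outcome is observable.
bool removeFromFacesLookupTableChecked(FacesLookupTable& table,
                                       const std::string& family, int faceId) {
    auto it = table.find(family);
    if (it == table.end())
        return false;                         // family never registered
    auto& faces = it->second;
    auto tail = std::remove(faces.begin(), faces.end(), faceId);
    if (tail == faces.end())
        return false;                         // face not under this family
    faces.erase(tail, faces.end());
    if (faces.empty())
        table.erase(it);                      // drop the now-empty family entry
    return true;
}

// Constructed sample data: two families, three face ids.
FacesLookupTable makeSampleTable() {
    return {{"Sample Sans", {1, 2}}, {"Sample Serif", {3}}};
}
```

Build once with and once without -DNDEBUG to see the assert-only guard disappear in the release configuration while the checked version behaves identically in both.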