[WebKit] UAF in removeFromFacesLookupTable [CVE-2021-30858]

We discussed this vulnerability during Episode 92 on 19 October 2021

Amazingly simple issue as far as browser bugs go. The removeFromFacesLookupTable method in the CSSFontFaceSet class failed to properly check if they reached the end of the table when looking up a font. This was because they checked the iterator against m_facesLookupTable.end() in an assert instead of a proper check. In release builds, assert is a no-op. This lead to a situation where the method would try to remove a font that doesn’t exist (such as by adding an invalid font) from the table, accessing stale memory.