From b8a097f74ba32a4a77c990b3d4530beac64db1e3 Mon Sep 17 00:00:00 2001
From: Andi Gallo <andigallo@proton.me>
Date: Sun, 28 May 2023 12:21:28 +0000
Subject: [PATCH] LibWeb: Add missing check in CrossOriginGetOwnPropertyHelper

We have to check that the entry in CrossOriginProperties is the one
actually requested from the caller before executing the body of the
loop. This fixes a crash triggered by YouTube iframe embedding.
---
 .../LibWeb/HTML/CrossOrigin/AbstractOperations.cpp       | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Userland/Libraries/LibWeb/HTML/CrossOrigin/AbstractOperations.cpp b/Userland/Libraries/LibWeb/HTML/CrossOrigin/AbstractOperations.cpp
index 75f12b32c02..8d1f9f43636 100644
--- a/Userland/Libraries/LibWeb/HTML/CrossOrigin/AbstractOperations.cpp
+++ b/Userland/Libraries/LibWeb/HTML/CrossOrigin/AbstractOperations.cpp
@@ -102,8 +102,17 @@ Optional<JS::PropertyDescriptor> cross_origin_get_own_property_helper(Variant<HT
         .property_key = property_key,
     };
 
+    // SameValue(e.[[Property]], P) can never be true at step 2.1 if P is not a string due to the different type, so we can return early.
+    if (!property_key.is_string()) {
+        return {};
+    }
+    auto const& property_key_string = property_key.as_string();
+
     // 2. For each e of CrossOriginProperties(O):
     for (auto const& entry : cross_origin_properties(object_const_variant)) {
+        if (entry.property != property_key_string)
+            continue;
+        // 1. If SameValue(e.[[Property]], P) is true, then:
         auto& cross_origin_property_descriptor_map = object.visit([](auto* o) -> CrossOriginPropertyDescriptorMap& { return o->cross_origin_property_descriptor_map(); });
 
         // 1. If the value of the [[CrossOriginPropertyDescriptorMap]] internal slot of O contains an entry whose key is crossOriginKey, then return that entry's value.