beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-22 23:50:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

LibWeb: Reject nullptr StyleValues as invalid ColorStops

Browse source 
This would cause a nullptr-deref during painting of invalid
linear-gradients, such as `linear-gradient(top, #f8f9fa, #ececec)`
found in googles sign-in button
This commit is contained in:
Hendiadyoin1 2023-08-16 18:13:34 +02:00 committed by Andreas Kling
parent d5f54956ba
commit 30cb4cb69b
Notes: sideshowbarker 2024-07-17 18:08:55 +09:00 
Author: https://github.com/Hendiadyoin1
Commit: https://github.com/SerenityOS/serenity/commit/30cb4cb69b
Pull-request: https://github.com/SerenityOS/serenity/pull/20601
Issue: https://github.com/SerenityOS/serenity/issues/20599
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
View file

@ -2454,13 +2454,13 @@ static Optional<Vector<TElement>> parse_color_stop_list(auto& tokens, auto is_po
}
// <T-percentage> <color>
auto maybe_color = parse_color(tokens.next_token());
if (maybe_color.is_error())
if (maybe_color.is_error() || maybe_color.value() == nullptr)
return ElementType::Garbage;
color = maybe_color.release_value();
} else {
// [<color> <T-percentage>?]
auto maybe_color = parse_color(token);
if (maybe_color.is_error())
if (maybe_color.is_error() || maybe_color.value() == nullptr)
return ElementType::Garbage;
color = maybe_color.release_value();
tokens.skip_whitespace();