authorSteinar H. Gunderson <sesse@chromium.org>2023-03-03 13:19:22 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-04-04 11:21:54 +0000
commitaec0b21eb330283b4c3edd71c3d0b7f8e26e4b61 (patch)
tree71bbca8f0474e3b2b9e8e0af3133d14ca7eac7b7
parente48df7803c7c98b0b2471c94057d32e44a301ad5 (diff)
[Backport] CVE-2023-1215: Type Confusion in CSS
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4307470: In Typed CSSOM, reject adding to something that is not a list. M102 merge issues: third_party/blink/renderer/core/css/cssom/style_property_map.cc: The check before the added IsValueList check isn't present in 102 Fixed: 1417176 Change-Id: Idef1a81af46d334c181979778c28f19ce6369718 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4293477 Commit-Queue: Steinar H Gunderson <sesse@chromium.org> Cr-Commit-Position: refs/heads/main@{#1110281} (cherry picked from commit 7301cf1e40fdd97594ea491676b867cf4e577edc) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469818 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc11
1 files changed, 11 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc b/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc
index c76f2b79ed8..15b794b6669 100644
--- a/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc
+++ b/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc
@@ -354,6 +354,17 @@ void StylePropertyMap::append(const ExecutionContext* execution_context,
CSSValueList* current_value = nullptr;
if (const CSSValue* css_value = GetProperty(property_id)) {
+ if (!css_value->IsValueList()) {
+ // The standard doesn't seem to cover this explicitly
+ // (https://github.com/w3c/css-houdini-drafts/issues/823),
+ // but the only really reasonable solution seems to be
+ // to throw a TypeError.
+ //
+ // This covers e.g. system-wide CSS keywords, like inherit.
+ exception_state.ThrowTypeError(
+ "Cannot append to something that is not a list");
+ return;
+ }
current_value = To<CSSValueList>(css_value)->Copy();
} else {
current_value = CssValueListForPropertyID(property_id);
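Review bot: The new `IsValueList()` guard and the `To<CSSValueList>(css_value)` cast after it are separate statements, and `To<>` only DCHECKs the type, so in release builds this guard alone prevents the bad downcast the CVE describes. Folding them into `const auto* list = DynamicTo<CSSValueList>(css_value);` with `if (!list) { /* ThrowTypeError + return */ }` and `current_value = list->Copy();` would keep the check and the cast from drifting apart in later merges. If the two-step form stays, the comment should say why the check matters, for example `// To<> is unchecked in release builds; this test is what prevents a bad cast.` The diffstat shows only this file changed, so no regression test for `append()` on a property holding a CSS-wide keyword such as `inherit` arrives with the backport; it is worth confirming that one exists on this branch. The body of `StylePropertyMap::append` starts and ends outside the hunk.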