From 48d580fabbe8658bab6ad6136b95e46a7463386d Mon Sep 17 00:00:00 2001
From: "Steinar H. Gunderson"
Date: Fri, 3 Mar 2023 13:19:22 +0000
Subject: [Backport] CVE-2023-1215: Type Confusion in CSS
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4307470:
In Typed CSSOM, reject adding to something that is not a list.
M102 merge issues: third_party/blink/renderer/core/css/cssom/style_property_map.cc: The check before the added IsValueList check isn't present in 102
Fixed: 1417176
Change-Id: Idef1a81af46d334c181979778c28f19ce6369718
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4293477
Commit-Queue: Steinar H Gunderson
Cr-Commit-Position: refs/heads/main@{#1110281}
(cherry picked from commit 7301cf1e40fdd97594ea491676b867cf4e577edc)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468217
Reviewed-by: Michal Klocek
---
 .../blink/renderer/core/css/cssom/style_property_map.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc b/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc
index 7e255a23711..7b0823095fb 100644
--- a/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc
+++ b/chromium/third_party/blink/renderer/core/css/cssom/style_property_map.cc
@@ -377,6 +377,17 @@ void StylePropertyMap::append(
 CSSValueList* current_value = nullptr;
 if (const CSSValue* css_value = GetProperty(property_id)) {
+ if (!css_value->IsValueList()) {
+ // The standard doesn't seem to cover this explicitly
+ // (https://github.com/w3c/css-houdini-drafts/issues/823),
+ // but the only really reasonable solution seems to be
+ // to throw a TypeError.
+ //
+ // This covers e.g. system-wide CSS keywords, like inherit.
+ exception_state.ThrowTypeError(
+ "Cannot append to something that is not a list");
+ return;
+ }
 current_value = To(css_value)->Copy();
 } else {
 current_value = CssValueListForPropertyID(property_id);
--
cgit v1.2.1
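Review bot: The new `IsValueList()` guard and the unchecked downcast two lines below it (`To(css_value)->Copy()`, whose template argument appears stripped in this rendering, presumably `To<CSSValueList>`) are separate statements, so the type check this fix relies on can drift away from the cast it protects; Blink's `DynamicTo` ties them together: `const auto* list = DynamicTo<CSSValueList>(css_value);`, `if (!list) { … same ThrowTypeError/return … }`, `current_value = list->Copy();`. The `else` branch's `CssValueListForPropertyID(property_id)` result is not checked inside the hunk; if it can be null for properties that are not list-valued, the same TypeError is needed before it is dereferenced, which may already happen further down the function. The diffstat shows only this file changed, so the backport carries no regression test; a web test that appends to a property currently set to a CSS-wide keyword such as `inherit` and expects a TypeError would pin the fix. `StylePropertyMap::append` begins before and continues after this hunk.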