From 30cb4cb69bb4b79b1d9862eb84546b8c60406687 Mon Sep 17 00:00:00 2001
From: Hendiadyoin1 <leon.a@serenityos.org>
Date: Wed, 16 Aug 2023 18:13:34 +0200
Subject: [PATCH] LibWeb: Reject `nullptr` StyleValues as invalid ColorStops

This would cause a nullptr-deref during painting of invalid
linear-gradients, such as `linear-gradient(top, #f8f9fa, #ececec)`
found in googles sign-in button
---
 Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
index 255109bbdb..7e17e9ad12 100644
--- a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
+++ b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
@@ -2454,13 +2454,13 @@ static Optional<Vector<TElement>> parse_color_stop_list(auto& tokens, auto is_po
             }
             // <T-percentage> <color>
             auto maybe_color = parse_color(tokens.next_token());
-            if (maybe_color.is_error())
+            if (maybe_color.is_error() || maybe_color.value() == nullptr)
                 return ElementType::Garbage;
             color = maybe_color.release_value();
         } else {
             // [<color> <T-percentage>?]
             auto maybe_color = parse_color(token);
-            if (maybe_color.is_error())
+            if (maybe_color.is_error() || maybe_color.value() == nullptr)
                 return ElementType::Garbage;
             color = maybe_color.release_value();
             tokens.skip_whitespace();