From 3df0bf2c8d58da73ddd9f37f02ad42f80b48e4b5 Mon Sep 17 00:00:00 2001
From: Sam Atkins <atkinssj@serenityos.org>
Date: Fri, 3 Dec 2021 13:10:21 +0000
Subject: [PATCH] LibWeb: Mitigate the billion-laughs attack on CSS variables

We now stop processing variables once a length of 16384 tokens is
reached. This is an arbitrary number, but should be far beyond what
anyone will reasonably use, and small enough to not crash.
---
 Userland/Libraries/LibWeb/CSS/StyleComputer.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibWeb/CSS/StyleComputer.cpp b/Userland/Libraries/LibWeb/CSS/StyleComputer.cpp
index c8ab27f583..e8436c87bd 100644
--- a/Userland/Libraries/LibWeb/CSS/StyleComputer.cpp
+++ b/Userland/Libraries/LibWeb/CSS/StyleComputer.cpp
@@ -459,7 +459,14 @@ bool StyleComputer::expand_unresolved_values(DOM::Element& element, Vector<Style
     // This is a very naive solution, and we could do better if the CSS Parser could accept tokens one at a time.
 
     // FIXME: Handle dependency cycles. https://www.w3.org/TR/css-variables-1/#cycles
-    // FIXME: Handle overly-long variables. https://www.w3.org/TR/css-variables-1/#long-variables
+
+    // Arbitrary large value chosen to avoid the billion-laughs attack.
+    // https://www.w3.org/TR/css-variables-1/#long-variables
+    const size_t MAX_VALUE_COUNT = 16384;
+    if (source.size() + dest.size() > MAX_VALUE_COUNT) {
+        dbgln("Stopped expanding CSS variables: maximum length reached.");
+        return false;
+    }
 
     auto get_custom_property = [this, &element](auto& name) -> RefPtr<StyleValue> {
         auto custom_property = resolve_custom_property(element, name);