From 576f8e8fa876aeca15609e69e27c7550abf67e12 Mon Sep 17 00:00:00 2001
From: Shannon Booth <shannon@serenityos.org>
Date: Mon, 14 Aug 2023 20:42:18 +1200
Subject: [PATCH] LibWeb: Fix crash parsing an invalid pseudo compound selector

Reduced from a crash on: https://github.com/SerenityOS/serenity/pulls

Fixes #20568
---
 .../expected/css-invalid-psuedo-compound-selector.txt | 11 +++++++++++
 .../input/css-invalid-psuedo-compound-selector.html   |  5 +++++
 Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp       |  6 +++---
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 Tests/LibWeb/Layout/expected/css-invalid-psuedo-compound-selector.txt
 create mode 100644 Tests/LibWeb/Layout/input/css-invalid-psuedo-compound-selector.html

diff --git a/Tests/LibWeb/Layout/expected/css-invalid-psuedo-compound-selector.txt b/Tests/LibWeb/Layout/expected/css-invalid-psuedo-compound-selector.txt
new file mode 100644
index 0000000000..f0e638a291
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/css-invalid-psuedo-compound-selector.txt
@@ -0,0 +1,11 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x0 children: not-inline
+      BlockContainer <div> at (8,8) content-size 784x0 children: inline
+        TextNode <#text>
+        TextNode <#text>
+
+PaintableWithLines (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x0]
+      PaintableWithLines (BlockContainer<DIV>) [8,8 784x0]
diff --git a/Tests/LibWeb/Layout/input/css-invalid-psuedo-compound-selector.html b/Tests/LibWeb/Layout/input/css-invalid-psuedo-compound-selector.html
new file mode 100644
index 0000000000..f9490094da
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/css-invalid-psuedo-compound-selector.html
@@ -0,0 +1,5 @@
+<div>
+<style>
+:host(:thing) {}
+</style>
+</div>
\ No newline at end of file
diff --git a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
index 0f9c4a6d60..4be5ec262f 100644
--- a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
+++ b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
@@ -635,13 +635,13 @@ Parser::ParseErrorOr<Selector::SimpleSelector> Parser::parse_pseudo_simple_selec
             return parse_nth_child_selector(pseudo_class, pseudo_function.values(), true);
         case PseudoClassMetadata::ParameterType::CompoundSelector: {
             auto function_token_stream = TokenStream(pseudo_function.values());
-            auto compound_selector = MUST(parse_compound_selector(function_token_stream));
-            if (!compound_selector.has_value()) {
+            auto compound_selector_or_error = parse_compound_selector(function_token_stream);
+            if (compound_selector_or_error.is_error() || !compound_selector_or_error.value().has_value()) {
                 dbgln_if(CSS_PARSER_DEBUG, "Failed to parse :{}() parameter as a compound selector", pseudo_function.name());
                 return ParseError::SyntaxError;
             }
 
-            Vector compound_selectors { compound_selector.release_value() };
+            Vector compound_selectors { compound_selector_or_error.release_value().release_value() };
             auto selector = Selector::create(move(compound_selectors));
 
             return Selector::SimpleSelector {