From 5e54ff18584cdb369bbe6382622614b01d87d01c Mon Sep 17 00:00:00 2001
From: Sam Atkins <atkinssj@serenityos.org>
Date: Tue, 21 Nov 2023 11:39:06 +0000
Subject: [PATCH] LibWeb: Don't assume rect() contents are Tokens

This stops `clip: rect({});` from crashing.
---
 .../css-values/rect-non-token-contents-crash.txt     | 12 ++++++++++++
 .../css-values/rect-non-token-contents-crash.html    |  1 +
 Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp      |  4 ++--
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 Tests/LibWeb/Layout/expected/css-values/rect-non-token-contents-crash.txt
 create mode 100644 Tests/LibWeb/Layout/input/css-values/rect-non-token-contents-crash.html

diff --git a/Tests/LibWeb/Layout/expected/css-values/rect-non-token-contents-crash.txt b/Tests/LibWeb/Layout/expected/css-values/rect-non-token-contents-crash.txt
new file mode 100644
index 0000000000..9c6f931a1f
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/css-values/rect-non-token-contents-crash.txt
@@ -0,0 +1,12 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x0 children: not-inline
+      BlockContainer <div> at (8,8) content-size 784x0 children: not-inline
+      BlockContainer <(anonymous)> at (8,16) content-size 784x0 children: inline
+        TextNode <#text>
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x0] overflow: [8,16 784x0]
+      PaintableWithLines (BlockContainer<DIV>) [8,8 784x0]
+      PaintableWithLines (BlockContainer(anonymous)) [8,16 784x0]
diff --git a/Tests/LibWeb/Layout/input/css-values/rect-non-token-contents-crash.html b/Tests/LibWeb/Layout/input/css-values/rect-non-token-contents-crash.html
new file mode 100644
index 0000000000..4fae7b5cb8
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/css-values/rect-non-token-contents-crash.html
@@ -0,0 +1 @@
+<div style="clip: rect({})"></div>
diff --git a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
index d3020d9027..4afcbc5b3e 100644
--- a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
+++ b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
@@ -2122,8 +2122,8 @@ RefPtr<StyleValue> Parser::parse_rect_value(ComponentValue const& component_valu
 
         // <top>, <right>, <bottom>, and <left> may either have a <length> value or 'auto'.
         // Negative lengths are permitted.
-        auto current_token = tokens.next_token().token();
-        if (current_token.is(Token::Type::Ident) && current_token.ident().equals_ignoring_ascii_case("auto"sv)) {
+        auto& current_token = tokens.next_token();
+        if (current_token.is_ident("auto"sv)) {
             params.append(Length::make_auto());
         } else {
             auto maybe_length = parse_length(current_token);