From 31c074ce15f63628f61f63127e80ed416ec6ca4d Mon Sep 17 00:00:00 2001
From: FranklinDM <mrmineshafter17@gmail.com>
Date: Mon, 20 Feb 2023 22:28:50 +0800
Subject: Issue #2078 - Part 6: Replace empty list head with the next non-empty
 list for forgiving selector lists

What happens here if aListHead is an empty selector list:
(1) next selector group is parsed and continues to the next iteration if it's empty or invalid
(2) if we're a forgiving selector list and aListHead is empty, replace it with the selector group that we've just parsed
(3) step 1 ignores invalid/empty, so we assert that step 2 should never have an empty selector list
---
 layout/style/nsCSSParser.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'layout')

diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index 7775df29cd..c81de2d9f6 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -5492,8 +5492,15 @@ CSSParserImpl::ParseSelectorList(nsCSSSelectorList*& aListHead,
           }
           break;
         }
-        // add new list to the end of the selector list
-        list->mNext = newList;
+        // Replace the list head if: it's empty and we're a forgiving selector
+        // list. Otherwise, add the new list to the end of the selector list.
+        if (aIsForgiving && !aListHead->mSelectors) {
+          MOZ_ASSERT(newList->mSelectors,
+                     "replacing empty list head with an empty selector list?");
+          aListHead = newList;
+        } else {
+          list->mNext = newList;
+        }
         list = newList;
         continue;
       } else if (aStopChar == tk->mSymbol && aStopChar != char16_t(0)) {
-- 
cgit v1.2.3