From 17f14a277bfb8add7a0d237db18f757a1ebdc480 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <tim.ledbetter@ladybird.org>
Date: Sun, 1 Jun 2025 16:20:45 +0100
Subject: [PATCH] LibWeb: Don't crash when interpolating single-value
 repeatable lists

Previously, when interpolating a repeatable list from a list with
multiple values to a single value, we would crash.
---
 Libraries/LibWeb/CSS/Interpolation.cpp        |  2 +-
 .../css/background-size-animation-crash.txt   |  1 +
 .../css/background-size-animation-crash.html  | 24 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/css/background-size-animation-crash.txt
 create mode 100644 Tests/LibWeb/Text/input/css/background-size-animation-crash.html

diff --git a/Libraries/LibWeb/CSS/Interpolation.cpp b/Libraries/LibWeb/CSS/Interpolation.cpp
index 961819a6af0..382db54c5a5 100644
--- a/Libraries/LibWeb/CSS/Interpolation.cpp
+++ b/Libraries/LibWeb/CSS/Interpolation.cpp
@@ -932,7 +932,7 @@ RefPtr<CSSStyleValue const> interpolate_repeatable_list(DOM::Element& element, C
     if (!from.is_value_list() && to.is_value_list())
         from_list = make_single_value_list(from, to.as_value_list().size(), to.as_value_list().separator());
     else if (!to.is_value_list() && from.is_value_list())
-        to_list = make_single_value_list(to, from.as_value_list().size(), to.as_value_list().separator());
+        to_list = make_single_value_list(to, from.as_value_list().size(), from.as_value_list().separator());
     else if (!from.is_value_list() && !to.is_value_list())
         return interpolate_value(element, calculation_context, from, to, delta, allow_discrete);
 
diff --git a/Tests/LibWeb/Text/expected/css/background-size-animation-crash.txt b/Tests/LibWeb/Text/expected/css/background-size-animation-crash.txt
new file mode 100644
index 00000000000..da17eba72e1
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/css/background-size-animation-crash.txt
@@ -0,0 +1 @@
+PASS (didn't crash!)
diff --git a/Tests/LibWeb/Text/input/css/background-size-animation-crash.html b/Tests/LibWeb/Text/input/css/background-size-animation-crash.html
new file mode 100644
index 00000000000..78347ea9c21
--- /dev/null
+++ b/Tests/LibWeb/Text/input/css/background-size-animation-crash.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- FIXME: Ideally this would be a crash test, but the test harness doesn't wait long enough for the crash to occur -->
+<script src="../include.js"></script>
+<div></div>
+<script>
+    asyncTest(done => {
+        const element = document.querySelector('div');
+        const animation = element.animate([
+            { backgroundSize: '10% 10%, 20% 20%' },
+            { backgroundSize: 'auto auto' }
+        ], {
+            duration: 1000,
+        });
+        animation.finished.then(() => {
+            println("PASS (didn't crash!)");
+            done();
+        });
+        requestAnimationFrame(() => {
+            requestAnimationFrame(() => {
+                animation.finish();
+            });
+        });
+    });
+</script>