From 39dae6fb2db58156dda7c58cb5293ca52ff35d4e Mon Sep 17 00:00:00 2001
From: Lyra <teromene@teromene.fr>
Date: Tue, 6 May 2025 15:41:23 +0200
Subject: [PATCH] LibWeb: Fix SRI handling of badly-formatted strings

---
 Libraries/LibWeb/SRI/SRI.cpp                     |  2 +-
 .../Crash/HTML/invalid-integrity-attribute.css   |  1 +
 .../Crash/HTML/invalid-integrity-attribute.html  | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.css
 create mode 100644 Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.html

diff --git a/Libraries/LibWeb/SRI/SRI.cpp b/Libraries/LibWeb/SRI/SRI.cpp
index ebec7c89821..43c4b72390c 100644
--- a/Libraries/LibWeb/SRI/SRI.cpp
+++ b/Libraries/LibWeb/SRI/SRI.cpp
@@ -90,7 +90,7 @@ ErrorOr<Vector<Metadata>> parse_metadata(StringView metadata)
         auto algorithm = hash_expr_token_list[0];
 
         // 6. If hash-expr-token-list[1] exists, set base64-value to hash-expr-token-list[1].
-        if (hash_expr_token_list.size() >= 1)
+        if (hash_expr_token_list.size() > 1)
             base64_value = hash_expr_token_list[1];
 
         // 7. If algorithm is not a hash function recognized by the user agent, continue.
diff --git a/Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.css b/Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.css
new file mode 100644
index 00000000000..ef6f29e90d2
--- /dev/null
+++ b/Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.css
@@ -0,0 +1 @@
+.body {}
diff --git a/Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.html b/Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.html
new file mode 100644
index 00000000000..79b7962d92e
--- /dev/null
+++ b/Tests/LibWeb/Crash/HTML/invalid-integrity-attribute.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+  <link
+    href="invalid-integrity-attribute.css"
+    type="text/css"
+    rel="stylesheet"
+    crossorigin="anonymous"
+    integrity="051df3b15e50dd8711b1fa2f4e11f69060b4d77e0a3950a5ae2dc9f5c6bf8a37"
+    nonce=""
+  >
+  <title>Test</title>
+</head>
+<body>