SVGLength: Avoid reading out-of-bounds when parsing incorrect 'rem' unit

SVGLength: Avoid reading out-of-bounds when parsing incorrect 'rem' unit

The read/check of the third char ('m') could end up reading outside the
buffer if unlucky.

BUG=368598, 470449
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=193523

[fs, 2015-04-09 12:58:44]

fs@opera.com changed reviewers:
+ ed@opera.com

[fs, 2015-04-09 12:58:45]

Stumbled upon by inspection, but will be triggered by ASAN with the "right"
input.

[pdr., 2015-04-10 05:15:37]

pdr@chromium.org changed reviewers:
+ inferno@chromium.org

[pdr., 2015-04-10 05:16:01]

pdr@chromium.org changed reviewers:
+ pdr@chromium.org
- inferno@chromium.org

[pdr., 2015-04-10 05:16:01]

LGTM

@inferno, why didn't clusterfuzz catch this?

[fs, 2015-04-10 07:55:19]

The CQ bit was checked by fs@opera.com

[commit-bot: I haz the power, 2015-04-10 07:55:49]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1069213003/1

[commit-bot: I haz the power, 2015-04-10 08:00:35]

Committed patchset #1 (id:1) as
https://src.chromium.org/viewvc/blink?view=rev&revision=193523