Prevent integer overflows in ANPlusB handling

third_party/WebKit/Source/core/css/CSSSelector.cpp

Index: third_party/WebKit/Source/core/css/CSSSelector.cpp
diff --git a/third_party/WebKit/Source/core/css/CSSSelector.cpp b/third_party/WebKit/Source/core/css/CSSSelector.cpp
index 3a40cb6d6e723789f75dbb111b07a776a24d645e..10fc2bc3cd1182ff986c72acda5fca7c37819628 100644
--- a/third_party/WebKit/Source/core/css/CSSSelector.cpp
+++ b/third_party/WebKit/Source/core/css/CSSSelector.cpp
@@ -933,10 +933,22 @@ bool CSSSelector::RareData::matchNth(int count)
     if (nthAValue() > 0) {
         if (count < nthBValue())
             return false;
+        // Avoid overflow and underflow.
+        if (UNLIKELY((nthBValue() > 0 && count < std::numeric_limits<int>::min() + nthBValue())
+            || (nthBValue() < 0 && count > std::numeric_limits<int>::max() + nthBValue())))
+            return false;
         return (count - nthBValue()) % nthAValue() == 0;
     }
     if (count > nthBValue())
         return false;
+    int minInt = std::numeric_limits<int>::min();
+    // Avoid negating minimum int as it negates to itself.
+    if (UNLIKELY(nthAValue() == minInt || count == minInt))

[esprehn, 2016/08/15 16:19:23]

how can count be minInt? count is the index of the element, I think it has to be
a positive value. I'm actually not sure why we use int instead of unsigned?

+        return false;
+    // Avoid overflow and underflow.
+    if ((UNLIKELY(count > 0 && nthBValue() < std::numeric_limits<int>::min() + count)
+        || (count < 0 && nthBValue() > std::numeric_limits<int>::max() + count)))
+        return false;
     return (nthBValue() - count) % (-nthAValue()) == 0;
 }