Fix integer overflow in FEGaussianBlur::mapRect.

third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp

Index: third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp
diff --git a/third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp b/third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp
index c7f5e5f89722d7f12b41f67e19272a85d3d4420a..c0f1e8a98fc0b852709beff061535a2f7e71a610 100644
--- a/third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp
+++ b/third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp
@@ -82,8 +82,8 @@ FloatRect FEGaussianBlur::mapRect(const FloatRect& rect, bool) const
     IntSize kernelSize = calculateKernelSize(getFilter(), FloatPoint(m_stdX, m_stdY));
 
     // We take the half kernel size and multiply it with three, because we run box blur three times.
-    result.inflateX(3 * kernelSize.width() * 0.5f);
-    result.inflateY(3 * kernelSize.height() * 0.5f);
+    result.inflateX(3.0f * kernelSize.width() * 0.5f);
+    result.inflateY(3.0f * kernelSize.height() * 0.5f);
     return result;
 }