Prevent floating point overflow when using calc() with large values

third_party/WebKit/Source/core/css/CSSCalculationValue.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 167 matching lines @@
   bool isZero() const override { return !m_value->getDoubleValue(); }
 
   String customCSSText() const override { return m_value->cssText(); }
 
   void accumulatePixelsAndPercent(
       const CSSToLengthConversionData& conversionData,
       PixelsAndPercent& value,
       float multiplier) const override {
     switch (m_category) {
       case CalcLength:
-        value.pixels +=
-            m_value->computeLength<float>(conversionData) * multiplier;
+        value.pixels = clampTo<float>(
+            value.pixels +
+            m_value->computeLength<double>(conversionData) * multiplier);
         break;
       case CalcPercent:
         ASSERT(m_value->isPercentage());
-        value.percent += m_value->getDoubleValue() * multiplier;
+        value.percent = clampTo<float>(value.percent +
+                                       m_value->getDoubleValue() * multiplier);
         break;
       case CalcNumber:
         // TODO(alancutter): Stop treating numbers like pixels unconditionally
         // in calcs to be able to accomodate border-image-width
         // https://drafts.csswg.org/css-backgrounds-3/#the-border-image-width
-        value.pixels +=
-            m_value->getDoubleValue() * conversionData.zoom() * multiplier;
+        value.pixels = clampTo<float>(value.pixels +
+                                      m_value->getDoubleValue() *
+                                          conversionData.zoom() * multiplier);
         break;
       default:
         ASSERT_NOT_REACHED();
     }
   }
 
   double doubleValue() const override {
     if (hasDoubleValue(typeWithCalcResolved()))
       return m_value->getDoubleValue();
     ASSERT_NOT_REACHED();
@@ skipping 178 matching lines @@
                 leftType, isInteger);
           CSSPrimitiveValue::UnitCategory leftUnitCategory =
               CSSPrimitiveValue::unitTypeToUnitCategory(leftType);
           if (leftUnitCategory != CSSPrimitiveValue::UOther &&
               leftUnitCategory ==
                   CSSPrimitiveValue::unitTypeToUnitCategory(rightType)) {
             CSSPrimitiveValue::UnitType canonicalType =
                 CSSPrimitiveValue::canonicalUnitTypeForCategory(
                     leftUnitCategory);
             if (canonicalType != CSSPrimitiveValue::UnitType::Unknown) {
-              double leftValue =
+              double leftValue = clampTo<double>(
                   leftSide->doubleValue() *
                   CSSPrimitiveValue::conversionToCanonicalUnitsScaleFactor(
-                      leftType);
-              double rightValue =
+                      leftType));
+              double rightValue = clampTo<double>(
                   rightSide->doubleValue() *
                   CSSPrimitiveValue::conversionToCanonicalUnitsScaleFactor(
-                      rightType);
+                      rightType));
               return CSSCalcPrimitiveValue::create(
                   evaluateOperator(leftValue, rightValue, op), canonicalType,
                   isInteger);
             }
           }
         }
       }
     } else {
       // Simplify multiplying or dividing by a number for simplifiable types.
       ASSERT(op == CalcMultiply || op == CalcDivide);
@@ skipping 199 matching lines @@
 
   double evaluate(double leftSide, double rightSide) const {
     return evaluateOperator(leftSide, rightSide, m_operator);
   }
 
   static double evaluateOperator(double leftValue,
                                  double rightValue,
                                  CalcOperator op) {
     switch (op) {
       case CalcAdd:
-        return leftValue + rightValue;
+        return clampTo<double>(leftValue + rightValue);
       case CalcSubtract:
-        return leftValue - rightValue;
+        return clampTo<double>(leftValue - rightValue);
       case CalcMultiply:
-        return leftValue * rightValue;
+        return clampTo<double>(leftValue * rightValue);
       case CalcDivide:
         if (rightValue)
-          return leftValue / rightValue;
+          return clampTo<double>(leftValue / rightValue);
         return std::numeric_limits<double>::quiet_NaN();
     }
     return 0;
   }
 
   const Member<CSSCalcExpressionNode> m_leftSide;
   const Member<CSSCalcExpressionNode> m_rightSide;
   const CalcOperator m_operator;
 };
 
@@ skipping 168 matching lines @@
 
   return expression ? new CSSCalcValue(expression, range) : nullptr;
 }
 
 CSSCalcValue* CSSCalcValue::create(CSSCalcExpressionNode* expression,
                                    ValueRange range) {
   return new CSSCalcValue(expression, range);
 }
 
 }  // namespace blink