Prevent floating point overflow when using calc() with large values

third_party/WebKit/Source/core/css/CSSCalculationValue.cpp

Index: third_party/WebKit/Source/core/css/CSSCalculationValue.cpp
diff --git a/third_party/WebKit/Source/core/css/CSSCalculationValue.cpp b/third_party/WebKit/Source/core/css/CSSCalculationValue.cpp
index 71464e4f49692b8986bcb2efe01cf2fa13c546e5..fc1115d290b7b75ae992881544438374426eb800 100644
--- a/third_party/WebKit/Source/core/css/CSSCalculationValue.cpp
+++ b/third_party/WebKit/Source/core/css/CSSCalculationValue.cpp
@@ -185,19 +185,22 @@ class CSSCalcPrimitiveValue final : public CSSCalcExpressionNode {
       float multiplier) const override {
     switch (m_category) {
       case CalcLength:
-        value.pixels +=
-            m_value->computeLength<float>(conversionData) * multiplier;
+        value.pixels = clampTo<float>(
+            value.pixels +
+            m_value->computeLength<double>(conversionData) * multiplier);
         break;
       case CalcPercent:
         ASSERT(m_value->isPercentage());
-        value.percent += m_value->getDoubleValue() * multiplier;
+        value.percent = clampTo<float>(value.percent +
+                                       m_value->getDoubleValue() * multiplier);
         break;
       case CalcNumber:
         // TODO(alancutter): Stop treating numbers like pixels unconditionally
         // in calcs to be able to accomodate border-image-width
         // https://drafts.csswg.org/css-backgrounds-3/#the-border-image-width
-        value.pixels +=
-            m_value->getDoubleValue() * conversionData.zoom() * multiplier;
+        value.pixels = clampTo<float>(value.pixels +
+                                      m_value->getDoubleValue() *
+                                          conversionData.zoom() * multiplier);
         break;
       default:
         ASSERT_NOT_REACHED();
@@ -396,14 +399,14 @@ class CSSCalcBinaryOperation final : public CSSCalcExpressionNode {
                 CSSPrimitiveValue::canonicalUnitTypeForCategory(
                     leftUnitCategory);
             if (canonicalType != CSSPrimitiveValue::UnitType::Unknown) {
-              double leftValue =
+              double leftValue = clampTo<double>(
                   leftSide->doubleValue() *
                   CSSPrimitiveValue::conversionToCanonicalUnitsScaleFactor(
-                      leftType);
-              double rightValue =
+                      leftType));
+              double rightValue = clampTo<double>(
                   rightSide->doubleValue() *
                   CSSPrimitiveValue::conversionToCanonicalUnitsScaleFactor(
-                      rightType);
+                      rightType));
               return CSSCalcPrimitiveValue::create(
                   evaluateOperator(leftValue, rightValue, op), canonicalType,
                   isInteger);
@@ -623,14 +626,14 @@ class CSSCalcBinaryOperation final : public CSSCalcExpressionNode {
                                  CalcOperator op) {
     switch (op) {
       case CalcAdd:
-        return leftValue + rightValue;
+        return clampTo<double>(leftValue + rightValue);
       case CalcSubtract:
-        return leftValue - rightValue;
+        return clampTo<double>(leftValue - rightValue);
       case CalcMultiply:
-        return leftValue * rightValue;
+        return clampTo<double>(leftValue * rightValue);
       case CalcDivide:
         if (rightValue)
-          return leftValue / rightValue;
+          return clampTo<double>(leftValue / rightValue);
         return std::numeric_limits<double>::quiet_NaN();
     }
     return 0;