| Index: third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
|
| diff --git a/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp b/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
|
| index 92e75170fa0a97bd7b82ae5fc521192534c75cba..df48a8857ffeb417af21c52c59f72f23d4df8a2d 100644
|
| --- a/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
|
| +++ b/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
|
| @@ -630,7 +630,7 @@ bool CSSSelectorParser::ConsumeANPlusB(CSSParserTokenRange& range,
|
| const CSSParserToken& token = range.Consume();
|
| if (token.GetType() == kNumberToken &&
|
| token.GetNumericValueType() == kIntegerValueType) {
|
| - result = std::make_pair(0, static_cast<int>(token.NumericValue()));
|
| + result = std::make_pair(0, clampTo<int>(token.NumericValue()));
|
| return true;
|
| }
|
| if (token.GetType() == kIdentToken) {
|
| @@ -654,7 +654,7 @@ bool CSSSelectorParser::ConsumeANPlusB(CSSParserTokenRange& range,
|
| n_string = range.Consume().Value().ToString();
|
| } else if (token.GetType() == kDimensionToken &&
|
| token.GetNumericValueType() == kIntegerValueType) {
|
| - result.first = token.NumericValue();
|
| + result.first = clampTo<int>(token.NumericValue());
|
| n_string = token.Value().ToString();
|
| } else if (token.GetType() == kIdentToken) {
|
| if (token.Value()[0] == '-') {
|
| @@ -701,9 +701,14 @@ bool CSSSelectorParser::ConsumeANPlusB(CSSParserTokenRange& range,
|
| return false;
|
| if ((b.GetNumericSign() == kNoSign) == (sign == kNoSign))
|
| return false;
|
| - result.second = b.NumericValue();
|
| - if (sign == kMinusSign)
|
| - result.second = -result.second;
|
| + result.second = clampTo<int>(b.NumericValue());
|
| + if (sign == kMinusSign) {
|
| + // Negating minimum integer returns itself, instead return max integer.
|
| + if (UNLIKELY(result.second == std::numeric_limits<int>::min()))
|
| + result.second = std::numeric_limits<int>::max();
|
| + else
|
| + result.second = -result.second;
|
| + }
|
| return true;
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 2825993002:
Prevent integer overflows in ANPlusB handling (Closed)
