Fix another FastMalloc call site with potential integer overflow.

third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp

Index: third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp
diff --git a/third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp b/third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp
index 7a5741905557d3a96df9c4959cb7b34147a61e48..925346675e57a5f8061ed4c3443750f1b30eed63 100644
--- a/third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp
+++ b/third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp
@@ -231,9 +231,13 @@ static const char** XsltParamArrayFromParameterMap(
   if (parameters.IsEmpty())
     return nullptr;
 
-  const char** parameter_array = static_cast<const char**>(
-      WTF::Partitions::FastMalloc(((parameters.size() * 2) + 1) * sizeof(char*),
-                                  WTF_HEAP_PROFILER_TYPE_NAME(XSLTProcessor)));
+  WTF::CheckedSizeT size = parameters.size();

[Tom Sepez, 2017/06/26 22:33:36]

Blink is pretty slap-happy about using "unsigned" for counts, lengths, etc, so
if the caclulation overflows a uint32 we probably want to bail, even if we have
64-bit size_ts.

+  size *= 2;
+  ++size;
+  size *= sizeof(char*);
+  const char** parameter_array =
+      static_cast<const char**>(WTF::Partitions::FastMalloc(
+          size.ValueOrDie(), WTF_HEAP_PROFILER_TYPE_NAME(XSLTProcessor)));
 
   unsigned index = 0;
   for (auto& parameter : parameters) {