[css-grid] Fix crash clamping grid lines

Avoid issues with very big values for the grid lines clamping them during parsing time. BUG=670241 TEST=CSSPropertyParserTest.GridPositionLimit* Review-Url: https://codereview.chromium.org/2546993002 Cr-Commit-Position: refs/heads/master@{#439094}

[css-grid] Fix crash clamping grid lines
Avoid issues with very big values for the grid lines clamping them during parsing time. BUG=670241 TEST=CSSPropertyParserTest.GridPositionLimit* Review-Url: https://codereview.chromium.org/2546993002 Cr-Commit-Position: refs/heads/master@{#439094}
784fc71c · rego · Commit bot · bf9901fe · 784fc71c · 784fc71c
Commit 784fc71c authored Dec 16, 2016 by rego Committed by Commit bot Dec 16, 2016
2 changed files
--- a/third_party/WebKit/Source/core/css/parser/CSSPropertyParser.cpp
+++ b/third_party/WebKit/Source/core/css/parser/CSSPropertyParser.cpp
@@ -3062,6 +3062,12 @@ static CSSValue* consumeGridLine(CSSParserTokenRange& range) {
    return nullptr;  // An <integer> value of zero makes the declaration
                     // invalid.
+  if (numericValue) {
+    numericValue = CSSPrimitiveValue::create(
+        clampTo(numericValue->getIntValue(), -kGridMaxTracks, kGridMaxTracks),
+        CSSPrimitiveValue::UnitType::Integer);
+  }
  CSSValueList* values = CSSValueList::createSpaceSeparated();
  if (spanValue)
    values->append(*spanValue);

--- a/third_party/WebKit/Source/core/css/parser/CSSPropertyParserTest.cpp
+++ b/third_party/WebKit/Source/core/css/parser/CSSPropertyParserTest.cpp
@@ -156,4 +156,69 @@ TEST(CSSPropertyParserTest, GridTrackLimit16) {
  EXPECT_EQ(computeNumberOfTracks(toCSSValueList(value)), 999999);
 }
+static int getGridPositionInteger(const CSSValue& value) {
+  DCHECK(value.isValueList());
+  const auto& list = toCSSValueList(value);
+  DCHECK_EQ(list.length(), static_cast<size_t>(1));
+  const auto& primitiveValue = toCSSPrimitiveValue(list.item(0));
+  DCHECK(primitiveValue.isNumber());
+  return primitiveValue.getIntValue();
+}
+TEST(CSSPropertyParserTest, GridPositionLimit1) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridColumnStart, "999999");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), 999999);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit2) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridColumnEnd, "1000000");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), 1000000);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit3) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridRowStart, "1000001");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), 1000000);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit4) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridRowEnd, "5000000000");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), 1000000);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit5) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridColumnStart, "-999999");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), -999999);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit6) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridColumnEnd, "-1000000");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), -1000000);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit7) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridRowStart, "-1000001");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), -1000000);
+}
+TEST(CSSPropertyParserTest, GridPositionLimit8) {
+  const CSSValue* value =
+      CSSParser::parseSingleValue(CSSPropertyGridRowEnd, "-5000000000");
+  DCHECK(value);
+  EXPECT_EQ(getGridPositionInteger(*value), -1000000);
+}
 }  // namespace blink