From 21a32e4b6dc594c2fe8dd3ee11c829c250a103ad Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <tim.ledbetter@ladybird.org>
Date: Wed, 30 Oct 2024 19:56:43 +0000
Subject: [PATCH] LibWeb: Don't crash when parsing large floating point number
 values

Previously, attempting to parse a floating point number with an integer
part larger than `(2 ^ 31) - 1` would cause the browser to crash. We now
avoid this by converting the integer part of the number to a `double`
rather than an `i32`.
---
 .../HTML/HTMLProgressElement-large-max-value.txt         | 1 +
 .../input/HTML/HTMLProgressElement-large-max-value.html  | 9 +++++++++
 Userland/Libraries/LibWeb/HTML/Numbers.cpp               | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/HTML/HTMLProgressElement-large-max-value.txt
 create mode 100644 Tests/LibWeb/Text/input/HTML/HTMLProgressElement-large-max-value.html

diff --git a/Tests/LibWeb/Text/expected/HTML/HTMLProgressElement-large-max-value.txt b/Tests/LibWeb/Text/expected/HTML/HTMLProgressElement-large-max-value.txt
new file mode 100644
index 00000000000..542d4b7e8d8
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/HTML/HTMLProgressElement-large-max-value.txt
@@ -0,0 +1 @@
+progressElement.max: 1e+21
diff --git a/Tests/LibWeb/Text/input/HTML/HTMLProgressElement-large-max-value.html b/Tests/LibWeb/Text/input/HTML/HTMLProgressElement-large-max-value.html
new file mode 100644
index 00000000000..de37852f9ae
--- /dev/null
+++ b/Tests/LibWeb/Text/input/HTML/HTMLProgressElement-large-max-value.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<progress max="1000000000000000000000"></progress>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        const progressElement = document.querySelector("progress");
+        println(`progressElement.max: ${progressElement.max}`);
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/HTML/Numbers.cpp b/Userland/Libraries/LibWeb/HTML/Numbers.cpp
index 5fcf69cb6ee..1b22418d449 100644
--- a/Userland/Libraries/LibWeb/HTML/Numbers.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Numbers.cpp
@@ -150,7 +150,7 @@ Optional<double> parse_floating_point_number(StringView string)
         lexer.consume_while(is_ascii_digit);
         size_t end_index = lexer.tell();
         auto digits = lexer.input().substring_view(start_index, end_index - start_index);
-        auto optional_value = AK::StringUtils::convert_to_int<i32>(digits);
+        auto optional_value = AK::StringUtils::convert_to_floating_point<double>(digits, TrimWhitespace::No);
         value *= optional_value.value();
     }