From 4e0edd42b95abf8ad707c64414dbe618313ce89e Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Fri, 19 Jul 2024 16:15:07 +0200
Subject: [PATCH] LibWeb: Cap HTML dimension values at 17895700 (same as Firefox)

Instead of allowing arbitrarily large values (which could eventually overflow an i32), let's just cap them at the same limit as Firefox does. Found by Domato.
---
 .../Text/expected/HTML/maxed-out-dimension-value.txt | 1 +
 .../Text/input/HTML/maxed-out-dimension-value.html | 9 +++++++++
 Userland/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp | 11 +++++++----
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 Tests/LibWeb/Text/expected/HTML/maxed-out-dimension-value.txt
 create mode 100644 Tests/LibWeb/Text/input/HTML/maxed-out-dimension-value.html
diff --git a/Tests/LibWeb/Text/expected/HTML/maxed-out-dimension-value.txt b/Tests/LibWeb/Text/expected/HTML/maxed-out-dimension-value.txt
new file mode 100644
index 00000000000..c5da913f2cf
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/HTML/maxed-out-dimension-value.txt
@@ -0,0 +1 @@
+ Image height: 17895700
diff --git a/Tests/LibWeb/Text/input/HTML/maxed-out-dimension-value.html b/Tests/LibWeb/Text/input/HTML/maxed-out-dimension-value.html
new file mode 100644
index 00000000000..9a5709f3277
--- /dev/null
+++ b/Tests/LibWeb/Text/input/HTML/maxed-out-dimension-value.html
@@ -0,0 +1,9 @@
+
+
+
diff --git a/Userland/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp b/Userland/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp
index 6de3d078f6d..b52088e3edb
--- a/Userland/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp
@@ -4691,13 +4691,16 @@ RefPtr parse_dimension_value(StringView string)
 number_string.append(*position);
 ++position;
 }
- auto integer_value = number_string.string_view().to_number();
+ auto integer_value = number_string.string_view().to_number();
+
+ // NOTE: This is apparently the largest value allowed by Firefox.
+ static float max_dimension_value = 17895700;
+
+ float value = min(*integer_value, max_dimension_value);
 // 6. If position is past the end of input, then return value as a length.
 if (position == input.end())
- return CSS::LengthStyleValue::create(CSS::Length::make_px(*integer_value));
-
- float value = *integer_value;
+ return CSS::LengthStyleValue::create(CSS::Length::make_px(CSSPixels(value)));
 // 7. If the code point at position within input is U+002E (.), then:
 if (*position == '.') {
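Review bot: The new `float value = min(*integer_value, max_dimension_value);` still dereferences the Optional returned by `to_number()` unconditionally, so the cap only protects digit strings that parsed successfully; if `to_number()` reports out-of-range input with an empty Optional (its template argument appears to have been lost in this rendering, so I cannot tell which overload is in use), a sufficiently long run of digits — exactly the input this change targets — fails before the clamp is ever reached. The minimal guard is `if (!integer_value.has_value()) return {};` (or whatever the function's existing parse-error path returns), but accumulating the digits of `number_string` with saturation removes the question entirely, because every intermediate value is already bounded by the cap and no whole-string parse is needed. Separately, `static float max_dimension_value` is a mutable function-local static holding a constant; `static constexpr float max_dimension_value = 17895700;` states the intent and cannot be modified by later code. parse_dimension_value starts before this hunk and continues after it (the fraction and percentage steps that consume `value`), so only the integer part is covered by the cap, which is fine as long as the fractional step adds less than one.
```cpp
    // NOTE: This is apparently the largest value allowed by Firefox.
    static constexpr float max_dimension_value = 17895700;

    // Accumulate the digits with saturation instead of parsing the whole
    // string first: an arbitrarily long digit run can then neither overflow
    // nor fail to parse, since every intermediate value is already clamped.
    float value = 0;
    for (auto digit : number_string.string_view())
        value = min(value * 10 + (digit - '0'), max_dimension_value);
    // … unchanged: step 6 (end of input → return value as a length) …
```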