From 57d684b5aa39f6cb5fa33df229cff7096052ce81 Mon Sep 17 00:00:00 2001
From: violet <violet.bugreport@gmail.com>
Date: Sun, 17 Mar 2019 23:34:02 +0000
Subject: [PATCH] Bug 1413319 - Correctly check a double is within long's limit
 r=birtles

When close to int64_t's limit, the int64 can't be precisely converted to
double because of rounding error, rounding-up is also allowed. To ensure
a double `d` is within int64's limit, we should check
`d < std::numeric_limits<int64_t>::max()`, instead of `<=`.

Because `std::numeric_limits<int64_t>::max()` might be converted to a larger
double, when they are equal, we can't be sure if `d` is indeed within the actual
int64 limit.

Differential Revision: https://phabricator.services.mozilla.com/D23680

--HG--
extra : moz-landing-system : lando
---
 dom/smil/SMILTimedElement.cpp       | 2 +-
 dom/smil/crashtests/1413319-1.html  | 2 ++
 dom/smil/crashtests/crashtests.list | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 dom/smil/crashtests/1413319-1.html

diff --git a/dom/smil/SMILTimedElement.cpp b/dom/smil/SMILTimedElement.cpp
index 59770bd367bf..e752f239c0ee 100644
--- a/dom/smil/SMILTimedElement.cpp
+++ b/dom/smil/SMILTimedElement.cpp
@@ -1713,7 +1713,7 @@ SMILTimeValue SMILTimedElement::CalcActiveEnd(const SMILTimeValue& aBegin,
 SMILTimeValue SMILTimedElement::GetRepeatDuration() const {
   SMILTimeValue multipliedDuration;
   if (mRepeatCount.IsDefinite() && mSimpleDur.IsDefinite()) {
-    if (mRepeatCount * double(mSimpleDur.GetMillis()) <=
+    if (mRepeatCount * double(mSimpleDur.GetMillis()) <
         std::numeric_limits<SMILTime>::max()) {
       multipliedDuration.SetMillis(
           SMILTime(mRepeatCount * mSimpleDur.GetMillis()));
diff --git a/dom/smil/crashtests/1413319-1.html b/dom/smil/crashtests/1413319-1.html
new file mode 100644
index 000000000000..9bfeef3bddb7
--- /dev/null
+++ b/dom/smil/crashtests/1413319-1.html
@@ -0,0 +1,2 @@
+<svg width=''>
+<animate dur='2ms' repeatCount='4611686018427387903' fill='freeze'/>
diff --git a/dom/smil/crashtests/crashtests.list b/dom/smil/crashtests/crashtests.list
index 4fb4c1b698f4..dc20a438406c 100644
--- a/dom/smil/crashtests/crashtests.list
+++ b/dom/smil/crashtests/crashtests.list
@@ -59,3 +59,4 @@ load 1343357-1.html
 load 1375596-1.svg
 load 1402547-1.html
 load 1411963-1.html
+load 1413319-1.html