box_construct: clamp rowspan and colspan

In order to not blow up on massive rowspan/colspan values (which
could be an issue according to #2873) we clamp them according to
the HTML spec section 4.9.11

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>

content/handlers/html/box_construct.c

@@ -35,6 +35,7 @@
 #include "utils/string.h"
 #include "utils/ascii.h"
 #include "utils/nsurl.h"
+#include "utils/utils.h"
 #include "netsurf/misc.h"
 #include "css/select.h"
 #include "desktop/gui_internal.h"
@@ -552,8 +553,9 @@ box_construct_element(struct box_construct_ctx *ctx, bool *convert_children)
 	if (s != NULL) {
 		const char *val = dom_string_data(s);
 
+		/* Convert to a number, clamping to [1,1000] according to 4.9.11 */
 		if ('0' <= val[0] && val[0] <= '9')
-			box->columns = strtol(val, NULL, 10);
+			box->columns = clamp(strtol(val, NULL, 10), 1, 1000);
 
 		dom_string_unref(s);
 	}
@@ -565,8 +567,9 @@ box_construct_element(struct box_construct_ctx *ctx, bool *convert_children)
 	if (s != NULL) {
 		const char *val = dom_string_data(s);
 
+		/* Convert to a number, clamping to [0,65534] according to 4.9.11 */
 		if ('0' <= val[0] && val[0] <= '9')
-			box->rows = strtol(val, NULL, 10);
+			box->rows = clamp(strtol(val, NULL, 10), 0, 65534);
 
 		dom_string_unref(s);
 	}