From 8f36058e21da36c63015a4685834d8aae7eac635 Mon Sep 17 00:00:00 2001
From: Manish Goregaokar <manishsmail@gmail.com>
Date: Thu, 8 Jan 2026 08:44:21 -0800
Subject: [PATCH] Fix Duration out of bounds crash

---
 src/builtins/core/duration.rs       | 7 ++++---
 src/builtins/core/duration/tests.rs | 9 +++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/builtins/core/duration.rs b/src/builtins/core/duration.rs
index 9062e29dc..e613f4976 100644
--- a/src/builtins/core/duration.rs
+++ b/src/builtins/core/duration.rs
@@ -1549,9 +1549,10 @@ pub(crate) fn is_valid_duration(
         + minutes as i128 * 60_000_000_000
         + seconds as i128 * 1_000_000_000;
     // Subseconds part
-    let normalized_subseconds_parts = (milliseconds as i128).saturating_mul(1_000_000)
-        + microseconds.saturating_mul(1_000)
-        + nanoseconds;
+    let normalized_subseconds_parts = (milliseconds as i128)
+        .saturating_mul(1_000_000)
+        .saturating_add(microseconds.saturating_mul(1_000))
+        .saturating_add(nanoseconds);
 
     let total_normalized_seconds =
         normalized_nanoseconds.saturating_add(normalized_subseconds_parts);
diff --git a/src/builtins/core/duration/tests.rs b/src/builtins/core/duration/tests.rs
index 0777933ce..113d56802 100644
--- a/src/builtins/core/duration/tests.rs
+++ b/src/builtins/core/duration/tests.rs
@@ -596,3 +596,12 @@ fn zero_duration() {
 
     assert_eq!(result, Duration::default(), "Duration's must be zero");
 }
+
+// https://issues.chromium.org/issues/474201847
+#[test]
+fn out_of_bounds_duration_no_crash() {
+    let large = 9223372036854775807 * 9223372036854775807;
+    let duration = Duration::new(0, 0, 0, 0, 0, 0, 0, 0, large, large);
+
+    assert!(duration.is_err());
+}