Sanitize lengthValue in CSS parser

Limit the LengthData to the integer range before rounding it, taking
into account that qRound() substracts 1 from negative values.

Fixes: oss-fuzz-23220
Change-Id: I1b4383f3c33aac22746831002b2c74fc134faf77
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
(cherry picked from commit 188501fe27899cdc6a1aacf0d8c1a11144bd564a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

src/gui/text/qcssparser.cpp

@@ -416,11 +416,10 @@ LengthData ValueExtractor::lengthValue(const Value& v)
 
 static int lengthValueFromData(const LengthData& data, const QFont& f)
 {
-    if (data.unit == LengthData::Ex)
+    const int scale = (data.unit == LengthData::Ex ? QFontMetrics(f).xHeight()
-        return qRound(QFontMetrics(f).xHeight() * data.number);
+                      : data.unit == LengthData::Em ? QFontMetrics(f).height() : 1);
-    else if (data.unit == LengthData::Em)
+    // raised lower limit due to the implementation of qRound()
-        return qRound(QFontMetrics(f).height() * data.number);
+    return qRound(qBound(double(INT_MIN) + 0.1, scale * data.number, double(INT_MAX)));
-    return qRound(data.number);
 }
 
 int ValueExtractor::lengthValue(const Declaration &decl)