Fix overflow/underflow in gfx geometry once and for all

ui/gfx/geometry/rect.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Defines a simple integer rectangle class.  The containment semantics
 // are array-like; that is, the coordinate (x, y) is considered to be
 // contained by the rectangle, but the coordinate (x + width, y) is not.
 // The class will happily let you create malformed rectangles (that is,
 // rectangles with negative width and/or height), but there will be assertions
 // in the operations (such as Contains()) to complain in this case.
 
 #ifndef UI_GFX_GEOMETRY_RECT_H_
 #define UI_GFX_GEOMETRY_RECT_H_
 
 #include <cmath>
 #include <iosfwd>
 #include <string>
 
-#include "base/numerics/safe_conversions.h"
 #include "build/build_config.h"
 #include "ui/gfx/geometry/point.h"
+#include "ui/gfx/geometry/safe_integer_conversions.h"
 #include "ui/gfx/geometry/size.h"
 #include "ui/gfx/geometry/vector2d.h"
 
 #if defined(OS_WIN)
 typedef struct tagRECT RECT;
 #elif defined(OS_MACOSX)
 typedef struct CGRect CGRect;
 #endif
 
 namespace gfx {
@@ skipping 168 matching lines @@
 
   std::string ToString() const;
 
   bool ApproximatelyEqual(const Rect& rect, int tolerance) const;
 
  private:
   gfx::Point origin_;
   gfx::Size size_;
 
   // Clamp the size to avoid integer overflow in bottom() and right().
-  // There are three conditions to determine whether there is a potential
-  // overflow:
-  // 1) Origin > 0: if the origin is a negative value, origin + size will
-  //    definitely be less than int_max.
-  // 2) size > 0: if size <= 0, it will be clamped to 0 making x + 0 valid for
-  //    all x.
-  // 3) We cast the values to unsigned int because the compiler can optimize
-  //    this check away entirely but it is not smart enough to know that it
-  //    won't overflow. It can't overflow since origin is positive ensured by
-  //    part 1). If size > int_max - origin it will overflow when added to
-  //    origin.
+  // This returns the width given an origin and a width.
   static constexpr int GetClampedValue(int origin, int size) {
-    return origin > 0 && size > 0 &&
-                   static_cast<unsigned>(std::numeric_limits<int>::max() -
-                                         origin) < static_cast<unsigned>(size)
+    return AddWouldOverflow(origin, size)
                ? std::numeric_limits<int>::max() - origin
                : size;
   }
+
+  // Returns a clamped width given a right and a left, assuming right > left.
+  static constexpr int GetClampedWidthFromExtents(int left, int right) {
+    return SubtractWouldOverflow(right, left) ? std::numeric_limits<int>::max()
+                                              : right - left;
+  }
 };
 
 inline bool operator==(const Rect& lhs, const Rect& rhs) {
   return lhs.origin() == rhs.origin() && lhs.size() == rhs.size();
 }
 
 inline bool operator!=(const Rect& lhs, const Rect& rhs) {
   return !(lhs == rhs);
 }
 
@@ skipping 94 matching lines @@
 }
 
 // This is declared here for use in gtest-based unit tests but is defined in
 // the //ui/gfx:test_support target. Depend on that to use this in your unit
 // test. This should not be used in production code - call ToString() instead.
 void PrintTo(const Rect& rect, ::std::ostream* os);
 
 }  // namespace gfx
 
 #endif  // UI_GFX_GEOMETRY_RECT_H_