Fix integer-overflow in blink::IntRect::uniteEvenIfEmpty

third_party/WebKit/Source/platform/geometry/IntRect.cpp

Index: third_party/WebKit/Source/platform/geometry/IntRect.cpp
diff --git a/third_party/WebKit/Source/platform/geometry/IntRect.cpp b/third_party/WebKit/Source/platform/geometry/IntRect.cpp
index 5cd63b58f16a83c0023641a22b879440e84a6cdc..07ae36c46e5eb57fd41a4870de9b8f60da89d9a5 100644
--- a/third_party/WebKit/Source/platform/geometry/IntRect.cpp
+++ b/third_party/WebKit/Source/platform/geometry/IntRect.cpp
@@ -43,6 +43,13 @@ IntRect::IntRect(const LayoutRect& r)
     : m_location(r.x().toInt(), r.y().toInt()),
       m_size(r.width().toInt(), r.height().toInt()) {}
 
+// Use long instead of int to avoid undefined behavior of storing -2147483648
+static inline int GetClampedDiff(const long& a, const long& b) {
+  return a - b <= std::numeric_limits<int>::max()
+             ? a - b
+             : std::numeric_limits<int>::max();
+}
+
 bool IntRect::intersects(const IntRect& other) const {
   // Checking emptiness handles negative widths as well as zero.
   return !isEmpty() && !other.isEmpty() && x() < other.maxX() &&
@@ -70,8 +77,8 @@ void IntRect::intersect(const IntRect& other) {
 
   m_location.setX(left);
   m_location.setY(top);
-  m_size.setWidth(right - left);
-  m_size.setHeight(bottom - top);
+  m_size.setWidth(GetClampedDiff(right, left));
+  m_size.setHeight(GetClampedDiff(bottom, top));
 }
 
 void IntRect::unite(const IntRect& other) {
@@ -106,8 +113,8 @@ void IntRect::uniteEvenIfEmpty(const IntRect& other) {
 
   m_location.setX(left);
   m_location.setY(top);
-  m_size.setWidth(right - left);
-  m_size.setHeight(bottom - top);
+  m_size.setWidth(GetClampedDiff(right, left));
+  m_size.setHeight(GetClampedDiff(bottom, top));
 }
 
 void IntRect::scale(float s) {