Fix the integer overflow in ChromeClientImpl::ViewportToScreen

This CL uses CheckedNumeric to avoid UBSAN issue of the integer
overflow when calculating rect coordinates in
ChromeClientImpl::ViewportToScreen.

Fuzzer report: https://clusterfuzz.com/testcase-detail/4895093060861952

Bug: 1067114
Change-Id: Ibe0b4f353d06885024b915afedf22c125ee595d5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2134178Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Miyoung Shin <myid.shin@igalia.com>
Cr-Commit-Position: refs/heads/master@{#756188}

third_party/blink/renderer/core/page/chrome_client_impl.cc

@@ -436,8 +436,17 @@ IntRect ChromeClientImpl::ViewportToScreen(
   if (client) {
     client->ConvertViewportToWindow(&screen_rect);
     WebRect view_rect = client->ViewRect();
-    screen_rect.x += view_rect.x;
-    screen_rect.y += view_rect.y;
+
+    base::CheckedNumeric<int> screen_rect_x = screen_rect.x;
+    base::CheckedNumeric<int> screen_rect_y = screen_rect.y;
+
+    screen_rect_x += view_rect.x;
+    screen_rect_y += view_rect.y;
+
+    screen_rect.x =
+        screen_rect_x.ValueOrDefault(std::numeric_limits<int>::max());
+    screen_rect.y =
+        screen_rect_y.ValueOrDefault(std::numeric_limits<int>::max());
   }
 
   return screen_rect;