Clamp size+location of LocalFrameView::frame_rect_.

It makes no sense to allow a frame_rect with overflowing max
coordinates. This doesn't come up in actual pages, but it is a source
of annoying fuzzer bugs.

R=skobes@chromium.org,bokan@chromium.org
BUG=842417

Change-Id: I5b1435f5972b160fbf5f1daaf4bae7ef00748608
Reviewed-on: https://chromium-review.googlesource.com/1060027Reviewed-by: Steve Kobes <skobes@chromium.org>
Reviewed-by: David Bokan <bokan@chromium.org>
Commit-Queue: Stefan Zager <szager@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558854}

third_party/blink/renderer/core/frame/local_frame_view.cc

@@ -601,7 +601,8 @@ void LocalFrameView::InvalidateRect(const IntRect& rect) {
   layout_object->InvalidatePaintRectangle(LayoutRect(paint_invalidation_rect));
 }
 
-void LocalFrameView::SetFrameRect(const IntRect& frame_rect) {
+void LocalFrameView::SetFrameRect(const IntRect& unclamped_frame_rect) {
+  IntRect frame_rect(SaturatedRect(unclamped_frame_rect));
   if (frame_rect == frame_rect_)
     return;
   const bool width_changed = frame_rect_.Width() != frame_rect.Width();

third_party/blink/renderer/platform/geometry/int_rect.h

@@ -32,6 +32,7 @@
 #include "third_party/blink/renderer/platform/geometry/int_rect_outsets.h"
 #include "third_party/blink/renderer/platform/wtf/allocator.h"
 #include "third_party/blink/renderer/platform/wtf/forward.h"
+#include "third_party/blink/renderer/platform/wtf/saturated_arithmetic.h"
 
 #if defined(OS_MACOSX)
 typedef struct CGRect CGRect;
@@ -217,6 +218,11 @@ inline IntRect UnionRectEvenIfEmpty(const IntRect& a, const IntRect& b) {
 
 PLATFORM_EXPORT IntRect UnionRectEvenIfEmpty(const Vector<IntRect>&);
 
+inline IntRect SaturatedRect(const IntRect& r) {
+  return IntRect(r.X(), r.Y(), ClampAdd(r.X(), r.Width()) - r.X(),
+                 ClampAdd(r.Y(), r.Height()) - r.Y());
+}
+
 inline bool operator==(const IntRect& a, const IntRect& b) {
   return a.Location() == b.Location() && a.Size() == b.Size();
 }