Fix integer overflow in hit_test_query_fuzzer.

HitTestQuery sometimes uses the negation of the position in rect,
making fuzzer min to be (min + 1) to avoid integer overflow after
negation.

Bug: 910592
Test: hit_test_query_fuzzer
Change-Id: I78d1d15467d13d8cb65278dff85408fd22e73c3c
Reviewed-on: https://chromium-review.googlesource.com/c/1372920Reviewed-by: Abhishek Arya <inferno@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Commit-Queue: Ria Jiang <riajiang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#615907}

components/viz/host/hit_test/hit_test_query_fuzzer.cc

@@ -29,8 +29,12 @@ void AddHitTestRegion(base::FuzzedDataProvider* fuzz,
                          ? fuzz->ConsumeIntegralInRange<uint32_t>(
                                1, std::numeric_limits<uint32_t>::max())
                          : viz::AsyncHitTestReasons::kNotAsyncHitTest;
-  gfx::Rect rect(fuzz->ConsumeIntegral<int>(), fuzz->ConsumeIntegral<int>(),
-                 fuzz->ConsumeIntegral<int>(), fuzz->ConsumeIntegral<int>());
+  gfx::Rect rect(
+      fuzz->ConsumeIntegralInRange<int>(std::numeric_limits<int>::min() + 1,
+                                        std::numeric_limits<int>::max()),
+      fuzz->ConsumeIntegralInRange<int>(std::numeric_limits<int>::min() + 1,
+                                        std::numeric_limits<int>::max()),
+      fuzz->ConsumeIntegral<int>(), fuzz->ConsumeIntegral<int>());
   int32_t child_count =
       depth < kMaxDepthAllowed ? fuzz->ConsumeIntegralInRange(0, 10) : 0;
   gfx::Transform transform;