APNG: Check for overflow in ParseFrameInfo

Bug: 993266

When checking to ensure that the frame rect fits inside the canvas,
check for overflow.

Change-Id: I70c7c6a2b0f2700c0446c23ba6c9fb44a22577d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1752126
Commit-Queue: Noel Gordon <noel@chromium.org>
Reviewed-by: Noel Gordon <noel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#686582}

third_party/blink/renderer/platform/image-decoders/png/png_image_reader.cc

@@ -688,8 +688,18 @@ bool PNGImageReader::ParseFrameInfo(const png_byte* data) {
     return false;
   if (!frame_width || !frame_height)
     return false;
-  if (x_offset + frame_width > width_ || y_offset + frame_height > height_)
-    return false;
+  {
+    png_uint_32 frame_right;
+    if (!base::CheckAdd(x_offset, frame_width).AssignIfValid(&frame_right) ||
+        frame_right > width_)
+      return false;
+  }
+  {
+    png_uint_32 frame_bottom;
+    if (!base::CheckAdd(y_offset, frame_height).AssignIfValid(&frame_bottom) ||
+        frame_bottom > height_)
+      return false;
+  }
 
   new_frame_.frame_rect =
       IntRect(x_offset, y_offset, frame_width, frame_height);