safe_timer_diff is unsafe under wrapping

safe_timer_diff is meant to avoid overflow (or perhaps negative return values) but doesn't. (It was introduced to tor 0.2.8.0-alpha-dev in #3199 (moved).)

For example:

  • safe_timer_diff(INT_MIN, INT_MAX) returns -1 on a system where TIME_T_IS_SIGNED. It should return a (clipped) value representing the largest integer difference possible, such as INT_MAX.

I'm sure there are equivalent issues where TIME_T_IS_UNSIGNED, but I can't think of any right now.
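The wrap described in this report, reproduced with plain `int` as an added example (not tor's code). The names `wrapping_diff` and `clipped_diff` are hypothetical, and the result is assumed to be the second argument minus the first, as the report's example implies.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for an unchecked signed subtraction (b - a).
 * Signed overflow is undefined behaviour in C, so the two's-complement
 * wrap is modelled with unsigned arithmetic; converting the result back
 * to int is implementation-defined and wraps on gcc and clang. */
static int wrapping_diff(int a, int b)
{
    return (int)((unsigned int)b - (unsigned int)a);
}

/* Hypothetical clipped variant: returns b - a, saturated to
 * [INT_MIN, INT_MAX]. Every comparison is arranged so that no
 * intermediate expression can overflow. */
static int clipped_diff(int a, int b)
{
    if (b >= a) {
        /* b - a > INT_MAX is only possible when a is negative */
        if (a < 0 && b > INT_MAX + a)
            return INT_MAX;
    } else {
        /* b - a < INT_MIN is only possible when a is positive */
        if (a > 0 && b < INT_MIN + a)
            return INT_MIN;
    }
    return b - a;
}

int main(void)
{
    /* The case from the report: the largest possible gap wraps to -1. */
    printf("wrapping_diff(INT_MIN, INT_MAX) = %d\n",
           wrapping_diff(INT_MIN, INT_MAX));
    printf("clipped_diff(INT_MIN, INT_MAX)  = %d\n",
           clipped_diff(INT_MIN, INT_MAX));
    /* Ordinary inputs are unchanged by clipping. */
    printf("clipped_diff(10, 25)            = %d\n", clipped_diff(10, 25));
    return 0;
}
```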