LibWeb: Clamp paintable box maximum scroll offset to 0

Previously calling `PaintableBox::set_scroll_offset()` with a
PaintableBox whose content size was larger than its scrollble overflow
rect would cause a crash.

Found by Domato.

Tests/LibWeb/Text/expected/Element-scrollby-negative-scroll-offset-crash.txt

@@ -0,0 +1 @@
+  PASS (didn't crash)

Tests/LibWeb/Text/input/Element-scrollby-negative-scroll-offset-crash.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<style>
+    #test {
+        height: 0;
+    }
+</style>
+<script src="include.js"></script>
+<div id="test">test</div>
+<script>
+    test(() => {
+        const divElement = document.getElementById("test");
+        divElement.scrollBy(1, 1);
+        divElement.remove();
+        println("PASS (didn't crash)");
+    });
+</script>

Userland/Libraries/LibWeb/Painting/PaintableBox.cpp

@@ -82,8 +82,9 @@ void PaintableBox::set_scroll_offset(CSSPixelPoint offset)
     document().set_needs_to_refresh_clip_state(true);
     document().set_needs_to_refresh_scroll_state(true);
 
-    auto max_x_offset = scrollable_overflow_rect->width() - content_size().width();
-    auto max_y_offset = scrollable_overflow_rect->height() - content_size().height();
+    auto max_x_offset = max(scrollable_overflow_rect->width() - content_size().width(), 0);
+    auto max_y_offset = max(scrollable_overflow_rect->height() - content_size().height(), 0);
+
     offset.set_x(clamp(offset.x(), 0, max_x_offset));
     offset.set_y(clamp(offset.y(), 0, max_y_offset));