LibWeb: Clamp paintable box maximum scroll offset to 0

Previously calling `PaintableBox::set_scroll_offset()` with a
PaintableBox whose content size was larger than its scrollble overflow
rect would cause a crash.

Found by Domato.

Tests/LibWeb/Text/input/Element-scrollby-negative-scroll-offset-crash.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<style>
+    #test {
+        height: 0;
+    }
+</style>
+<script src="include.js"></script>
+<div id="test">test</div>
+<script>
+    test(() => {
+        const divElement = document.getElementById("test");
+        divElement.scrollBy(1, 1);
+        divElement.remove();
+        println("PASS (didn't crash)");
+    });
+</script>