macOS: Yet another speculative fix for crashes on IME input

We still saw crashes at a base::checked_cast<> in a gfx::Range
constructor.  This CL adds a base::saturated_cast<> to a parameter
of the constructor to avoid the crashes.

Bug: 40226470, 40060200, 40945573
Change-Id: Icc72cfbc5f9dc0efbbdfe50dd6a795cd463e2db5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6040040
Auto-Submit: Kent Tamura <tkent@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1386844}

content/app_shim_remote_cocoa/render_widget_host_view_cocoa.mm

@@ -2273,8 +2273,9 @@ extern NSString* NSTextInputReplacementRangeAttributeName;
       // the maximum uint32_t. See crbug.com/40060200.
       uint32_t new_end = base::saturated_cast<uint32_t>(
           _markedRange.location + NSMaxRange(newSelRange));
-      _textSelectionRange =
-          gfx::Range(_markedRange.location + newSelRange.location, new_end);
+      uint32_t new_start = base::saturated_cast<uint32_t>(
+          _markedRange.location + newSelRange.location);
+      _textSelectionRange = gfx::Range(new_start, new_end);
     }
   } else {
     // An empty text means the composition is about to be cancelled,