Add CHECK to `LazyLineBreakIterator::NextBreakablePosition`

This patch adds CHECKs to `LazyLineBreakIterator::
NextBreakablePosition` before reading from a raw pointer.

This is a speculative fix. It is likely that there's a case
where `NGLineBreaker` over runs `NGInlineItem::EndOffset()`,
but we have not be able to find a locally reproducing case
yet. The case in issue 967167 has a broken surrogate pair at
the end, but it's still not enough to reproduce.

Bug: 967167, 967439
Change-Id: I64973e8e7e41b5089147b0383178af6217b4db47
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1630141
Commit-Queue: Emil A Eklund <eae@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#663759}

third_party/blink/renderer/platform/text/text_break_iterator.cc

@@ -301,9 +301,9 @@ inline int LazyLineBreakIterator::NextBreakablePosition(
     int pos,
     const CharacterType* str,
     int len) const {
-  DCHECK_GE(pos, 0);
+  CHECK_GE(pos, 0);
   DCHECK_GE(static_cast<unsigned>(pos), start_offset_);
-  DCHECK_LE(pos, len);
+  CHECK_LE(pos, len);
   int next_break = -1;
   UChar last_last_ch = pos > 1 ? str[pos - 2] : SecondToLastCharacter();
   UChar last_ch = pos > 0 ? str[pos - 1] : LastCharacter();