onnxruntime
ffbc5e8d - Handle int overflow in rnn (#28003)

Commit
8 days ago
Handle int overflow in rnn (#28003)

### Description

Fixes two overflow/underflow bugs in the CPU RNN kernel (`rnn.cc`):

- **`SafeInt` for GEMM M-dimension**: `seq_length * batch_size` was computed as a raw `int64_t` multiply before `narrow<int>()`, meaning an overflow would be UB before the check could fire. Replaced with `SafeInt<int64_t>(seq_length) * batch_size` for a checked multiply.
- **`seq_length == 0` guard in `Assign_Y_h`**: For the forward direction, `last_time_step = seq_length - 1` underflows to `-1` when `seq_length == 0`, producing a negative `y_offset` and out-of-bounds read. Added an early-exit that zero-fills Y_h for the direction and returns. Also handles `sequence_lens[batch] == 0` (same underflow path), zeroing the affected batch slot and skipping via `continue`.

### Motivation and Context

Silent UB from integer overflow/underflow in shape-derived index arithmetic can corrupt memory or produce incorrect results without any diagnostic signal. These cases are legal per the ONNX spec (empty sequences, per-batch zero-length sequences) and must be handled explicitly.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
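The two fixes described in the commit message, as an added example that is not code from onnxruntime. `__builtin_mul_overflow` (GCC/Clang) stands in for `SafeInt`, and the names `checked_gemm_m` and `assign_y_h`, their signatures, and the single-direction `[seq_length, batch_size, hidden_size]` layout are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Checked multiply, then range check before narrowing to int.
// Returns nullopt instead of overflowing int64_t or truncating.
std::optional<int> checked_gemm_m(int64_t seq_length, int64_t batch_size) {
  if (seq_length < 0 || batch_size < 0) return std::nullopt;
  int64_t m = 0;
  if (__builtin_mul_overflow(seq_length, batch_size, &m)) return std::nullopt;
  if (m > std::numeric_limits<int>::max()) return std::nullopt;
  return static_cast<int>(m);
}

// Forward direction: copy each batch's last valid time step from Y into Y_h.
// Assumed layout: Y is [seq_length, batch_size, hidden_size], one direction.
std::vector<float> assign_y_h(const std::vector<float>& Y,
                              const std::vector<int>& sequence_lens,
                              int64_t seq_length, int64_t batch_size,
                              int64_t hidden_size) {
  std::vector<float> Y_h(static_cast<size_t>(batch_size * hidden_size), 0.0f);
  if (seq_length == 0) return Y_h;  // seq_length - 1 would be -1: zero-fill
  for (int64_t b = 0; b < batch_size; ++b) {
    const int64_t len = sequence_lens[static_cast<size_t>(b)];
    // len == 0 is the same underflow path; the slot stays zero. The upper
    // bound check is an extra of this example, not described in the commit.
    if (len <= 0 || len > seq_length) continue;
    const int64_t y_offset = ((len - 1) * batch_size + b) * hidden_size;
    for (int64_t h = 0; h < hidden_size; ++h)
      Y_h[static_cast<size_t>(b * hidden_size + h)] =
          Y[static_cast<size_t>(y_offset + h)];
  }
  return Y_h;
}

int main() {
  // Constructed input: seq_length=2, batch_size=2, hidden_size=2.
  const std::vector<float> Y = {1, 2, 3, 4, 5, 6, 7, 8};
  const auto y_h = assign_y_h(Y, {2, 0}, 2, 2, 2);  // batch 1 is empty
  const bool ok = y_h == std::vector<float>{5, 6, 0, 0} &&
                  !checked_gemm_m(int64_t{1} << 20, int64_t{1} << 12);
  return ok ? 0 : 1;
}
```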