Fix a buffer overflow in `png_image_finish_read`

Reject bit-depth mismatches between IHDR and the requested output
format. When a 16-bit PNG is processed with an 8-bit output format
request, `png_combine_row` writes using the IHDR depth before
transformation, causing writes beyond the buffer allocated via
`PNG_IMAGE_SIZE(image)`.

The validation establishes a safe API contract where
`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
transformation pipeline.

Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
- Input format: 16 bits/channel × 3 channels = 6144 bytes
- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
- Overflow: 6144 bytes - 4096 bytes = 2048 bytes

Larger images produce proportionally larger overflows. For example,
for 256×256 pixels, the overflow is 131072 bytes.

Reported-by: yosiimich <yosiimich@users.noreply.github.com>

Bug: 463998243
Test: TreeHugger
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:941175abd35156755bba7074c801691dccc45770
Merged-In: I02fa8b13c17e1c5a0f441687c11463bf874c9010
Change-Id: I02fa8b13c17e1c5a0f441687c11463bf874c9010
1 file changed