use size_t for dds and ktx surface size to avoid overflow

[sahvx655-wq]

Fuzzing the image loaders with crafted KTX and DDS headers turned this up. The surface size in load_ktx_uncompressed_image and load_dds_uncompressed_image is computed in uint32_t, so large width/height/depth truncate the byte count and the buffer is allocated too small while the scanline copy still walks the full dimensions, reading off the end of the heap. The KTX size check is bypassed by setting the stored surface size to the truncated value. Same shape as the recent .astc fix, so compute in size_t and reject on overflow here too.

[solidpixel]

Thanks for the PR - will review in the next few days.

[solidpixel]

I've refactored the overflow checks into common library functions in #628, which should simplify the added code here. Will rebase this after the other PR has merged.

[Copilot]

Pull request overview

This PR hardens the CLI’s uncompressed KTX and DDS loaders against crafted headers that previously triggered uint32_t truncation during surface-size computation, leading to undersized allocations and out-of-bounds heap reads during scanline copies.

Changes:

• Switch KTX and DDS surface size/stride computation to size_t with astc::mul_safe() overflow detection and reject inconsistent or overflowing sizes.
• Update related local fields (components, bitness, bytes_per_component, and DDS DXGI table fields) to unsigned types.
• Improve DDS robustness by handling allocation failure for the input surface buffer and updating stride-based source addressing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[solidpixel]

Existing issues spotted while reviewing, I'll pick up in follow-on PRs for these:

• Error messages for KTX and DDS image loading do not use print_error(), and should be cleaned up to follow the standard message formatting too. Raised issue Error messages for KTX and DDS image loading do not use print_error() and need cleaning up #629.
• Not all uses of new[] for file inputs are wrapped in "bad_alloc" catches - we should probably hoist a single check for those somewhere in common code higher up the call stack. Raised issue Not all uses of new[] for file inputs are wrapped in "bad_alloc" catches #630.
• It would be good to use scoped memory/resource management in the frontend to avoid all of the manual cleanup in the error paths. This has been a long-time TODO, but we've never done it. We should because the current code makes ASAN throw leak errors currently if the wrapper catches an error and exits without releasing the resources, which means we can miss real leaks we care about. Raised issue Use scoped memory/resource management #631.