
Validate source map source indices #496

Open
VoltVoks wants to merge 1 commit into google:main from VoltVoks:fix-sourcemap-source-index-bounds

Conversation

@VoltVoks

Fixes #489.

ForEachVLQSegment() accumulates source-file deltas from attacker-controlled source-map mappings and then uses the result to index the sources vector without validating the index. A malformed source map can therefore drive an out-of-range vector read while Bloaty processes compile-unit or inline source-map data.

This change validates the accumulated source-file index before looking up the source name and rejects negative or out-of-range values. The source-file accumulator is also widened to avoid wrapping before the bounds check.

I added a wasm source-map regression test using the malformed mapping from the issue:

AACA,AgxTAA,AAAA

Instead of indexing outside sources, Bloaty now reports:

source map source file index out of range

Local verification:

cmake --build build-asan --target bloaty -j2
python3 /usr/bin/lit -sv build-asan/tests \
  --param bloaty=build-asan/bloaty \
  --filter sourcemap_invalid_source_index
python3 /usr/bin/lit -sv build-asan/tests \
  --param bloaty=build-asan/bloaty \
  --filter 'wasm/sourcemap'
python3 /usr/bin/lit -sv build-asan/tests \
  --param bloaty=build-asan/bloaty
git diff --check HEAD~1..HEAD

Results:

Targeted regression lit test passed.
Source-map lit subset passed 4/4.
Full lit suite passed 54/54.
git diff --check HEAD~1..HEAD passed.

Before/after repro:

  • Baseline parent commit aborts on the malformed source map with a vector bounds assertion.
  • This patch returns the controlled error "source map source file index out of range".

@google-cla

google-cla Bot commented May 22, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.


Development

Successfully merging this pull request may close these issues.

Out-of-Bounds Vector Read at bloaty::sourcemap::ForEachVLQSegment
