Two memory-safety/robustness fixes for input whose size is attacker- or
peer-controlled:
- ReadTIFF: a large IMAGELENGTH could overflow scanline_bytes * lines,
undersizing the buffer that TIFFReadScanline then writes past. Guard the
product against overflow before resize and reuse scanline_bytes in the loop.
- Raw-TCP image path: an uncapped header payload_size drove a huge resize()
that took down the receive thread (wedging the writer-facing acceptor).
Add JFJOCH_TCP_MAX_PAYLOAD_SIZE and reject oversized frames at the single
receive-loop choke point on both the pusher and puller sides.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>