clang-tidy: disable clang-analyzer-security.ArrayBound#18422

Closed
vszakats wants to merge 4 commits into curl:master from vszakats:tidy

@vszakats
Member

@vszakats vszakats commented Aug 28, 2025

It's causing false-positives with clang-tidy v21, in cases in system
headers (seen in FD_ISSET() with macOS SDK). In some cases in
tests/server, there was no distinct source line that was triggering it.

Example:

```
/Applications/Xcode_16.4.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX15.5.sdk/usr/include/sys/_types/_fd_def.h:83:10: error: Potential out of bound access to 'fds_read.fds_bits' with tainted index [clang-analyzer-security.ArrayBound,-warnings-as-errors]
   83 |                 return _p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] & ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS)));
      |                        ^
[...]
/Users/runner/work/curl/curl/tests/server/socksd.c:679:5: note: Taking false branch
  679 |     if(rc < 0) {
      |     ^
```

Appeared after a CI image bumped llvm from v20 to v21:

false positive:

```
lib/cf-https-connect.c:78:13: error: Out of bound access to memory after the end
of the field 'ballers' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
   78 |   return b->cf && !b->result;
      |             ^
```

Ref: https://github.com/curl/curl/actions/runs/17289458226/job/49073168175#step:11:35

false positive:

```
lib/content_encoding.c:657:5: error: Out of bound access to memory preceding
'all' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  657 |     p[-2] = '\0';
      |     ^
```

Ref: https://github.com/curl/curl/actions/runs/17295803554/job/49093573741?pr=18422#step:11:40

false positive:

```
lib/mime.c:1756:12: error: Out of bound access to memory after the end
of the string literal [clang-analyzer-security.ArrayBound,-warnings-as-errors]
 1756 |     switch(contenttype[len]) {
      |            ^
```

Ref: https://github.com/curl/curl/actions/runs/17295955998/job/49094149140?pr=18422#step:11:127

```
lib/vauth/ntlm.c:414:5: error: Out of bound access to memory after the end
of 'ntlmbuf' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  414 |     dest[2 * i] = (unsigned char)src[i];
      |     ^
```

Ref: https://github.com/curl/curl/actions/runs/17296813157/job/49097003881?pr=18422#step:11:157

```
lib/vauth/ntlm.c:836:17: error: Out of bound access to memory after the end
of 'ntlmbuf' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  836 |     unicodecpy(&ntlmbuf[size], host, hostlen / 2);
      |                 ^~~~~~~~~~~~~
```

Ref: https://github.com/curl/curl/actions/runs/17296961941/job/49097574789?pr=18422#step:11:157

@vszakats
Member Author

clang-tidy 21 became really picky with "out of bounds" warnings.

@vszakats vszakats changed the title cf-https-connect: silence clang-tidy v21 false positive lib: silence clang-tidy v21 warnings Aug 28, 2025
@vszakats
Member Author

Can't decide if the ntlm.c ones are valid issues or false positives.
The rest seems to be the latter.

@vszakats
Member Author

vszakats commented Aug 28, 2025

Oh, it also trips on FD_[IS]SET(), within Apple headers:
https://github.com/curl/curl/actions/runs/17297304862/job/49098795447?pr=18422

FD_[IS]SET() were never without problems, but this fallout is a new one.
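For context on the `fds_bits` diagnostic quoted in this thread, an added example (not part of the pull request and not curl's code): the access the checker models is in bounds only when `0 <= fd < FD_SETSIZE`, and the wrappers below make that precondition explicit. The helper names `fd_fits_fdset`, `checked_fd_set` and `checked_fd_isset` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/select.h>

/* Added illustration; helper names are hypothetical, not curl functions. */

/* fds_bits[] holds FD_SETSIZE bits, so only 0 <= fd < FD_SETSIZE maps to
   an element inside the array. */
static bool fd_fits_fdset(int fd)
{
  return fd >= 0 && fd < FD_SETSIZE;
}

/* Add fd to the set. Returns false and leaves the set untouched when fd
   would index outside fds_bits[]. */
static bool checked_fd_set(int fd, fd_set *set)
{
  if(!fd_fits_fdset(fd))
    return false;
  FD_SET(fd, set);
  return true;
}

/* Test fd in the set. An out-of-range fd is reported as "not set" without
   reading memory outside the fd_set. */
static bool checked_fd_isset(int fd, fd_set *set)
{
  if(!fd_fits_fdset(fd))
    return false;
  return FD_ISSET(fd, set) != 0;
}

int main(void)
{
  /* Constructed sample values: one valid descriptor number, two invalid. */
  const int samples[] = { 3, -1, FD_SETSIZE };
  fd_set readfds;
  size_t i;

  FD_ZERO(&readfds);
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    bool added = checked_fd_set(samples[i], &readfds);
    printf("fd %d: added=%d isset=%d\n", samples[i], (int)added,
           (int)checked_fd_isset(samples[i], &readfds));
  }
  return 0;
}
```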

@github-actions github-actions bot added the tests label Aug 28, 2025
@bagder
Member

bagder commented Aug 28, 2025

It's almost getting out of hand...

@vszakats
Member Author

One of the less lucky toolchain updates.

Hopefully it's going to be fixed in a .1 revision, perhaps something to re-verify
in future llvm bumps.

Meanwhile trying to fix the remaining ones locally, but hitting a snag where
it's unclear which line is triggering a warning. It's showing up in an Apple
header. Should be FD_ISSET() but those are all silenced. (tests/server)

content_encoding: another one

```
/Users/runner/work/curl/curl/lib/content_encoding.c:657:5: error: Out of bound access to memory preceding 'all' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  657 |     p[-2] = '\0';
      |     ^
```
Ref: https://github.com/curl/curl/actions/runs/17295803554/job/49093573741?pr=18422#step:11:40

mime.c

```
/Users/runner/work/curl/curl/lib/mime.c:1756:12: error: Out of bound access to memory after the end of the string literal [clang-analyzer-security.ArrayBound,-warnings-as-errors]
 1756 |     switch(contenttype[len]) {
      |            ^
```
https://github.com/curl/curl/actions/runs/17295955998/job/49094149140?pr=18422#step:11:127

ntlm.c

```
/Users/runner/work/curl/curl/lib/vauth/ntlm.c:414:5: error: Out of bound access to memory after the end of 'ntlmbuf' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  414 |     dest[2 * i] = (unsigned char)src[i];
      |     ^
```
https://github.com/curl/curl/actions/runs/17296813157/job/49097003881?pr=18422#step:11:157

ntlm.c more

```
/Users/runner/work/curl/curl/lib/vauth/ntlm.c:836:17: error: Out of bound access to memory after the end of 'ntlmbuf' [clang-analyzer-security.ArrayBound,-warnings-as-errors]
  836 |     unicodecpy(&ntlmbuf[size], host, hostlen / 2);
      |                 ^~~~~~~~~~~~~
```
https://github.com/curl/curl/actions/runs/17296961941/job/49097574789?pr=18422#step:11:157

silence bunch more

https://github.com/curl/curl/actions/runs/17297304862/job/49098795447?pr=18422

silence bunch more 2

more odd cases in vtls.c

@vszakats
Member Author

I think the -clang-analyzer-security.ArrayBound option is broken in clang-tidy 21.

In tests/server, it's coming up in nonsense places, and couldn't find the single line
where it could be suppressed.

@vszakats vszakats changed the title lib: silence clang-tidy v21 warnings clang-tidy: disable clang-analyzer-security.ArrayBound Aug 28, 2025