* fix: OOB reads in UGM tokenizer (precompiled_charsmap handling)
- Validate minimum size (4 bytes) before reading xcda_blob_size
- Use strnlen with bounds check instead of unsafe strlen
Both issues allow heap-buffer-overflow from malicious T5/UGM GGUF files.
* Replace unsafe strnlen() with a bounds-checked loop that scans for \0 within the remaining array size.
* move bounds checks to load
* typo merge fix
---------
Co-authored-by: hourhl <hourhl8200@gmail.com>
Co-authored-by: Sigbjørn Skjæret <1629204+CISC@users.noreply.github.com>