4.40.1: Robustness fixes for malformed and truncated input

@mattiasw mattiasw released this 30 May 18:47

Fixed

  • Truncated or malformed metadata no longer throws an uncaught error out of
    load and loadView. This fixes several crashes on crafted input, including
    a short WebP VP8X chunk, a truncated PNG iCCP chunk in async mode, a
    HEIC/AVIF Exif item whose TIFF header offset points outside the file, a
    truncated JPEG MPF segment, and a Unicode string whose region ends on an odd
    byte.
  • HEIC and AVIF files that store Exif or XMP via iloc construction_method 1
    (the idat box) are now read at the correct offset. The box was previously
    parsed as a full box, which shifted its content offset by 4 bytes.
  • The buffer assembled for multi-extent HEIC and AVIF items is now capped to the
    source file size. This prevents a memory-amplification path from overlapping
    extents.
  • length: 'auto' over a URL no longer corrupts the buffer when a
    Range-ignoring server returns a full 200 response during the fallback read.
    The Node (non-fetch) path now falls back correctly on a 416 response
    instead of rejecting.
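The second and third items above describe two parsing rules that are easy to get wrong: the idat box is a plain ISO-BMFF box (8-byte header), not a full box (12-byte header), and the bytes gathered for a multi-extent item must never exceed what the file actually contains. The following is an added illustration, not ExifReader's own code; the function names and the 24-byte sample file are constructed for this example.

```javascript
// Added example (not ExifReader's code): safe box header handling and
// extent assembly for a HEIC/AVIF-style item. All names are hypothetical.
const BOX_HEADER = 8;       // 32-bit size + 4-char type (plain ISO-BMFF box)
const FULL_BOX_HEADER = 12; // plain header + 1 byte version + 3 bytes flags

// Content offset of the box at `offset`. idat is a plain box: treating it as a
// full box skips 4 bytes of real payload, which is the offset bug fixed above.
function boxContentOffset(view, offset, isFullBox) {
    if (offset + BOX_HEADER > view.byteLength) throw new RangeError('truncated box header');
    const size = view.getUint32(offset);
    if (size < BOX_HEADER || offset + size > view.byteLength) throw new RangeError('bad box size');
    return offset + (isFullBox ? FULL_BOX_HEADER : BOX_HEADER);
}

// Concatenate the extents of a multi-extent item. Every extent must lie inside
// the file, and the assembled total is capped to the file size so overlapping
// extents cannot amplify a small file into a large allocation.
function assembleExtents(fileBytes, extents) {
    const fileSize = fileBytes.byteLength;
    let total = 0;
    for (const {offset, length} of extents) {
        if (offset < 0 || length < 0 || offset + length > fileSize) {
            throw new RangeError('extent outside file');
        }
        total += length;
        if (total > fileSize) throw new RangeError('extents exceed file size');
    }
    const out = new Uint8Array(total);
    let pos = 0;
    for (const {offset, length} of extents) {
        out.set(fileBytes.subarray(offset, offset + length), pos);
        pos += length;
    }
    return out;
}

// Constructed 24-byte sample "file": one idat box whose payload bytes 8..23
// each hold their own offset, so misreads are visible in the returned values.
function buildSample() {
    const bytes = new Uint8Array(24);
    const view = new DataView(bytes.buffer);
    view.setUint32(0, 24);                    // box size
    bytes.set([0x69, 0x64, 0x61, 0x74], 4);   // 'idat'
    for (let i = 8; i < 24; i++) bytes[i] = i; // payload
    return bytes;
}
```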

Security

  • Fix denial-of-service from an uncaught exception when parsing crafted
    HEIC/AVIF files with malformed ISO-BMFF boxes
    (GHSA-g77h-45rf-hcx4).
    Reported by @YHalo-wyh.