fix: bounds checks for MaterialChunk shaderSize=0 and Ktx1Bundle constructor overflow

MaterialChunk::getTextShader: Add early return when shaderSize is 0 to
prevent out-of-bounds write of null terminator at line 284. The bounds
checks added in commit 92dc063 protect the loop body but not the
unconditional null-terminator write after the loop.

Ktx1Bundle 3-argument constructor: Add the same 64-bit overflow check
that the deserialization constructor received in commit 16a7047. The
multiplication numMipLevels * arrayLength * mNumCubeFaces can overflow
uint32_t, causing sizes vector to be undersized.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mohammadmseet-hue

libs/filaflat/src/MaterialChunk.cpp

@@ -186,6 +186,9 @@ bool MaterialChunk::getTextShader(Unflattener unflattener,
     if (!unflattener.read(&shaderSize)){
         return false;
     }
+    if (shaderSize == 0) {
+        return false;
+    }
 
     // Read how many lines there are.
     uint32_t lineCount = 0;

libs/image/src/Ktx1Bundle.cpp

@@ -106,7 +106,10 @@ Ktx1Bundle::Ktx1Bundle(uint32_t numMipLevels, uint32_t arrayLength, bool isCubem
     mNumMipLevels = numMipLevels;
     mArrayLength = arrayLength;
     mNumCubeFaces = isCubemap ? 6 : 1;
-    mBlobs->sizes.resize(numMipLevels * arrayLength * mNumCubeFaces);
+    uint64_t const totalBlobs = (uint64_t)numMipLevels * arrayLength * mNumCubeFaces;
+    FILAMENT_CHECK_POSTCONDITION(totalBlobs <= (uint64_t)std::numeric_limits<uint32_t>::max())
+            << "KTX dimensions overflow";
+    mBlobs->sizes.resize((uint32_t)totalBlobs);
 }
 
 Ktx1Bundle::Ktx1Bundle(uint8_t const* bytes, uint32_t nbytes) :