sixel: clamp max width/height in 'CSI ? 2 ; 3 ; W ; H S'

This ensures the user cannot raise the maximum sixel size, where
width*height cannot be represented as an integer.

Note, we should consider moving all sixel width/height variables from
int to size_t. But, since it doesn't make any sense with overly large
sixel images, clamping the max width/height is enough. Add a
static_assert() that checks SIXEL_MAX_WIDTH * SIXEL_MAX_HEIGHT doesn't
overflow.

Closes #2343

CHANGELOG.md

@@ -82,10 +82,13 @@
 * DECCRA not clamping or verifying the destination rectangle
   ([#2352][2352]).
 * Empty selection clearing the clipboard ([#2327][2327]).
+* Sixel image max size not clamped, causing foot to crash on very
+  large sixel images ([#2343][2343]).
 
 [2353]: https://codeberg.org/dnkl/foot/issues/2353
 [2352]: https://codeberg.org/dnkl/foot/issues/2352
 [2327]: https://codeberg.org/dnkl/foot/issues/2327
+[2343]: https://codeberg.org/dnkl/foot/issues/2343
 
 
 ### Security

sixel.c

@@ -2207,9 +2207,11 @@ sixel_geometry_reset(struct terminal *term)
 void
 sixel_geometry_set(struct terminal *term, unsigned width, unsigned height)
 {
-    LOG_DBG("sixel geometry set to %ux%u", width, height);
+    const unsigned new_width = min(width, SIXEL_MAX_WIDTH);
-    term->sixel.max_width = width;
+    const unsigned new_height = min(height, SIXEL_MAX_HEIGHT);
-    term->sixel.max_height = height;
+    LOG_DBG("sixel geometry set to %ux%u", new_width, new_height);
+    term->sixel.max_width = new_width;
+    term->sixel.max_height = new_height;
     sixel_geometry_report_current(term);
 }
 

sixel.h

@@ -6,6 +6,10 @@
 #define SIXEL_MAX_WIDTH  10000u
 #define SIXEL_MAX_HEIGHT 10000u
 
+static_assert(SIXEL_MAX_WIDTH * SIXEL_MAX_HEIGHT ==
+              (size_t)SIXEL_MAX_WIDTH * SIXEL_MAX_HEIGHT,
+              "sixel max size triggers integer overflow");
+
 typedef void (*sixel_put)(struct terminal *term, uint8_t c);
 
 void sixel_fini(struct terminal *term);