Address code review feedback on security fixes

- Fix buffer size for strncpy to match actual buffer (32 bytes)
- Use strtoul instead of strtol for unsigned color values
- Improve strncat bounds checking with accurate length tracking
- Free wordexp results immediately after use instead of batching
- Add strdup for wordexp strings to avoid use-after-free

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>

_codeql_detected_source_root

@@ -0,0 +1 @@
+.