security: fix unchecked alloca in pulse-server property list handling

Memory Safety: Medium

Two alloca() calls in the PulseAudio protocol server were missed by the
previous alloca bounds-checking fix (commit 0d2877c0d):

1. fill_node_info_proplist() adds n_items counts from node properties
   and client properties without checking the total before alloca().
   A client with a very large number of properties can exhaust the stack.

2. fill_card_info() uses pi->n_props from port info for an alloca()
   without bounds checking. A card object with many port properties can
   similarly exhaust the stack.

Add MAX_ALLOCA_SIZE checks consistent with the existing pattern to
prevent stack overflow from large property counts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/modules/module-protocol-pulse/pulse-server.c

@@ -3646,7 +3646,8 @@ static int fill_card_info(struct client *client, struct message *m,
 
 			pi = &port_info[n];
 
-			if (pi->info && pi->n_props > 0) {
+			if (pi->info && pi->n_props > 0 &&
+			    pi->n_props <= MAX_ALLOCA_SIZE / sizeof(*items)) {
 				items = alloca(pi->n_props * sizeof(*items));
 				dict.items = items;
 				pdict = collect_props(pi->info, &dict);
@@ -4100,6 +4101,9 @@ static int fill_node_info_proplist(struct message *m, const struct spa_dict *nod
 		n_items += client_props->n_items;
 	}
 
+	if (n_items > MAX_ALLOCA_SIZE / sizeof(struct spa_dict_item))
+		return -ENOMEM;
+
 	dict.n_items = n = 0;
 	dict.items = items = alloca(n_items * sizeof(struct spa_dict_item));