inject_VP8X checks width > 0 twice instead of checking height > 0 #9279
Open
Description
Describe the bug
In src/webpimage.cpp, the function inject_VP8X checks width > 0 on both line 766 and line 773. Line 773 was intended to check height > 0 instead. This is a copy-paste error introduced in commit bf151a1.
When height is 0, the enforce on line 773 does not catch it because it checks width. Then height - 1 wraps to 0xFFFFFFFF as an unsigned integer, and the VP8X chunk is written with a wrong height value.
```cpp
// src/webpimage.cpp:766-774
/* set width - stored in 24bits*/
Internal::enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata); // line 766: correct
uint32_t w = width - 1;
data[4] = w & 0xFF;
data[5] = (w >> 8) & 0xFF;
data[6] = (w >> 16) & 0xFF;
/* set height - stored in 24bits */
Internal::enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata); // line 773: should be "height > 0"
uint32_t h = height - 1;
```
To Reproduce
- Use a WebP file where inject_VP8X is called with height == 0. This can happen when writing metadata to a WebP file that has no valid VP8/VP8L frame header.
- Run exiv2 -de file.webp to trigger a metadata write.
- Observed on main branch, current HEAD.
In practice this only triggers on already-malformed WebP files where no frame dimensions are available.
Expected behavior
Line 773 should enforce height > 0 so that the height check matches the width check on line 766.
Desktop (please complete the following information):
- OS and version: macOS (Darwin 25.3.0, arm64)
- Exiv2 version and source: main branch, built from source
- Compiler and version: Clang 22.1.1 (homebrew llvm)
- Compilation mode and/or compiler flags: Debug, -fsanitize=address
Additional context
The fix is a one-character change on line 773: replace width with height.
```cpp
Internal::enforce(height > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
```
I can submit a PR if helpful.
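The wraparound described in this report, as an added, self-contained example (not Exiv2's code). `enforce`, `put24`, `encode_dims` and the `fixed` switch are hypothetical stand-ins; the height field at bytes 7..9 follows the VP8X chunk layout, which stores each dimension minus one in 24 bits.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

using Vp8x = std::array<std::uint8_t, 10>;

// Stand-in for Internal::enforce(cond, kerCorruptedMetadata).
static void enforce(bool cond) {
  if (!cond) throw std::runtime_error("corrupted metadata");
}

// Write the low 24 bits of v, little-endian.
static void put24(std::uint8_t* p, std::uint32_t v) {
  p[0] = v & 0xFF;
  p[1] = (v >> 8) & 0xFF;
  p[2] = (v >> 16) & 0xFF;
}

// fixed == false repeats the width test before the height write (the reported bug).
Vp8x encode_dims(std::uint32_t width, std::uint32_t height, bool fixed) {
  Vp8x data{};
  enforce(width > 0);
  put24(&data[4], width - 1);
  enforce(fixed ? height > 0 : width > 0);
  put24(&data[7], height - 1);  // height == 0 wraps to 0xFFFFFFFF, truncated to 0xFFFFFF
  return data;
}

// Height a reader of the chunk recovers: stored 24-bit value plus one.
std::uint32_t decoded_height(const Vp8x& d) {
  return (d[7] | (d[8] << 8) | (std::uint32_t(d[9]) << 16)) + 1;
}

// True when the encoder refuses the dimensions.
bool rejects(std::uint32_t w, std::uint32_t h, bool fixed) {
  try { encode_dims(w, h, fixed); return false; }
  catch (const std::runtime_error&) { return true; }
}

int main() {
  // Constructed input: valid width, zero height.
  std::printf("buggy check rejects height 0: %d\n", rejects(4, 0, false));
  std::printf("fixed check rejects height 0: %d\n", rejects(4, 0, true));
  std::printf("height written by buggy path decodes to %u\n",
              decoded_height(encode_dims(4, 0, false)));
}
```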