Commit 163fcdd
fix: Comprehensive CVE mitigations for image libraries
This commit addresses all requested CVE vulnerabilities in image processing
libraries with defense-in-depth hardening:
CVE Coverage:
- CVE-2015-8540 (libpng): Buffer overflow in PNG chunk processing
- CVE-2019-7317 (libpng): Use-after-free in png_image_free
- CVE-2018-14498 (libjpeg): Heap-based buffer over-read
- CVE-2019-15133 (giflib): Out-of-bounds read in DGifSlurp
- CVE-2016-3977 (giflib): Heap-based buffer overflow in gif2rgb
Changes:
1. build.sh
- Added giflib 5.2.1 with hardening flags
- Updated comments to reference specific CVEs
- Ensured all libraries use clang with CET/CFI/RELRO
2. image_harden/wrapper.c
- Added comprehensive GIF safety wrappers
- Implemented safe_DGifOpen() with dimension validation
- Implemented safe_DGifSlurp() with bounds checking
- Added CVE-specific documentation for all mitigations
- Validates color indices, extension counts, RasterBits
3. image_harden/build.rs
- Added giflib linking and header includes
- Updated to generate bindings for gif_lib.h
- Added CVE comments for traceability
4. image_harden/src/lib.rs
- Added GifError variant to ImageHardenError
- Implemented decode_gif() with CVE-2019-15133 mitigations
- Added color index validation (prevents OOB reads)
- Added bounds checking on all pixel writes
- Validates GIF signature, dimensions, color maps
- Safe memory-based GIF reading with atomic positioning
5. image_harden/fuzz/fuzz_targets/fuzz_gif.rs (NEW)
- Created fuzz target for GIF decoder
- Tests CVE-2019-15133, CVE-2016-3977 mitigations
6. CVE_COVERAGE.md (NEW)
- Comprehensive CVE documentation (7KB)
- Detailed mitigation strategies for each CVE
- Defense-in-depth architecture explanation
- Fuzzing results and verification checklist
- Code references for all mitigations
Security Enhancements:
- 4-layer defense: compile-time, runtime, memory-safety, fuzzing
- All CVE-specific bounds checks and validations
- Fail-closed error handling
- Latest patched library versions
- Comprehensive fuzz testing coverage
All changes tested with:
- cargo clippy (no warnings)
- Fuzz targets (fuzz_png, fuzz_jpeg, fuzz_gif)
- Build verification on Debian-based systems

Parent: ffd4315
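The color-index validation and bounds-checked pixel writes that the commit message lists for decode_gif() (items 4 and the CVE-2019-15133 bullet) are shown below as an added Rust example. This is illustration code written for this page, not the image_harden crate's decode_gif(), not giflib's API, and not a reproduction of any patch in the commit. The GifError variants, the Rgb struct, the MAX_DIM limit and the expand_indexed() function are assumptions made for the example; only the "GIF87a"/"GIF89a" signature bytes come from the GIF format itself.

```rust
// Added illustration (not the commit's code): expanding 8-bit palette indices
// into RGB with the checks a hardened decoder performs before every lookup
// and write. All names here are assumptions for the example.

#[derive(Debug, PartialEq)]
pub enum GifError {
    BadSignature,
    BadDimensions,
    RasterLengthMismatch { expected: usize, actual: usize },
    ColorIndexOutOfRange { index: u8, palette_len: usize },
}

/// One color-map entry (hypothetical stand-in for giflib's GifColorType).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Rgb(pub u8, pub u8, pub u8);

/// Upper bound on either dimension, chosen for this example; a real decoder
/// would make the limit configurable.
pub const MAX_DIM: u32 = 16_384;

/// Reject anything that is not a GIF87a or GIF89a stream. Fail closed: a short
/// buffer is an error, not "probably fine".
pub fn check_signature(bytes: &[u8]) -> Result<(), GifError> {
    match bytes.get(..6) {
        Some(b"GIF87a") | Some(b"GIF89a") => Ok(()),
        _ => Err(GifError::BadSignature),
    }
}

/// Expand palette indices (one byte per pixel) into a packed RGB buffer.
/// Every failure mode is reported instead of being read or written past a
/// buffer: zero or oversized dimensions, a pixel count that overflows, a raster
/// whose length disagrees with width*height, and an index past the palette.
pub fn expand_indexed(
    width: u32,
    height: u32,
    palette: &[Rgb],
    raster: &[u8],
) -> Result<Vec<u8>, GifError> {
    if width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM {
        return Err(GifError::BadDimensions);
    }
    // checked_mul: a crafted header must not wrap the pixel count.
    let pixels = (width as usize)
        .checked_mul(height as usize)
        .ok_or(GifError::BadDimensions)?;
    if raster.len() != pixels {
        return Err(GifError::RasterLengthMismatch { expected: pixels, actual: raster.len() });
    }
    let out_len = pixels.checked_mul(3).ok_or(GifError::BadDimensions)?;
    let mut out = Vec::with_capacity(out_len);
    for &idx in raster {
        // The color-map lookup is where an unchecked index becomes an
        // out-of-bounds read; validate against the real palette length.
        let Rgb(r, g, b) = *palette
            .get(idx as usize)
            .ok_or(GifError::ColorIndexOutOfRange { index: idx, palette_len: palette.len() })?;
        // Writes go through Vec, so they can never exceed out_len.
        out.extend_from_slice(&[r, g, b]);
    }
    Ok(out)
}

fn main() {
    // Constructed sample: a 2x1 image with a two-entry palette.
    let palette = [Rgb(0, 0, 0), Rgb(255, 255, 255)];
    let header = b"GIF89a";
    check_signature(header).expect("constructed header is valid");
    match expand_indexed(2, 1, &palette, &[0, 1]) {
        Ok(rgb) => println!("decoded {} bytes: {:?}", rgb.len(), rgb),
        Err(e) => println!("rejected: {:?}", e),
    }
    // Constructed hostile input: index 7 into a two-entry palette.
    println!("{:?}", expand_indexed(1, 1, &palette, &[7]));
}
```

The point of the shape is that each check precedes the operation it protects: the signature before parsing, the dimension and overflow checks before sizing any buffer, the raster-length check before iterating, and the palette bound before each lookup. Returning a Result rather than clamping or skipping bad pixels matches the fail-closed handling the commit message describes.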
File tree (6 files changed, +872 / -5 lines): image_harden, fuzz/fuzz_targets, src