Rearchitect the fix to the buffer overflow in `png_image_finish_read`

Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
That fix turned out to be unnecessarily limiting. It rejected all
16-to-8 bit transformations, although the vulnerability only affects
interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
before the transformation completes.

The proper solution is to add an intermediate `local_row` buffer,
specifically for the slow but necessary step of 16-to-8 bit conversion
of interlaced images. (The processing of non-interlaced images remains
intact, using the fast path.) We added the flag `do_local_scale` and
the function `png_image_read_direct_scaled`, following the pattern that
involves `do_local_compose`.

In conclusion:
- The 16-to-8 bit transformations of interlaced images are now safe,
  as they use an intermediate buffer.
- The 16-to-8 bit transformations of non-interlaced images remain safe,
  as the fast path remains unchanged.
- All our regression tests are now passing.
1 file changed