Add integer overflow guards to upb buffer growth functions

[kodareef5]

upb_String_Append and jsondec_resize perform unchecked arithmetic during buffer growth that can overflow size_t:

upb/io/string.h — upb_String_Append

size_ + size can wrap on 32-bit platforms when the existing string is large and the append size is large. When it wraps, the capacity check at line 87 passes incorrectly (the wrapped sum is smaller than capacity), and memcpy writes past the allocated buffer. The subsequent 2 * (size_ + size) + 1 compounds the overflow.

Added two guards:

• Check size > SIZE_MAX - s->size_ before the addition
• Check sum > (SIZE_MAX - 1) / 2 before the doubling

On overflow, upb_String_Append returns false instead of corrupting memory.

upb/json/decode.c — jsondec_resize

2 * oldsize wraps to 0 when oldsize > SIZE_MAX / 2. UPB_MAX(8, 0) then selects 8, and the buffer is reallocated to 8 bytes while existing data may be much larger.

Added a guard: check oldsize > SIZE_MAX / 2 before doubling, and report an error via jsondec_err on overflow.

Tests

Added two tests to upb/io/string_test.cc:

• AppendOverflowReturnsFailure — verifies that an append causing size_ + size to wrap returns false and leaves the string unchanged
• AppendNormalStillWorks — verifies normal appends are unaffected

All existing tests pass (//upb/io:string_test, //upb/json:decode_test).

[kodareef5]

@themavik Thanks for the thorough review. Good catch on the jsondec_resize observation — jsondec_err is indeed noreturn (UPB_NORETURN), so size won't be used uninitialized in practice, but I can add a defensive initialization to 0 to be safe against future changes. Happy to push that if desired.

Regarding CI: the "Set Variables" / "All Blocking Tests (fork)" failure appears to be a fork permissions issue rather than a code problem — the workflow can't access required secrets from a fork. The actual test suite can't run in this context. If a maintainer can confirm or retrigger from the upstream side, that would help.