Add fbounds-safety annotations for palette.

Reasoning:

The `palette` parameter in `GetColorPalette` (src/utils/palette.c:100)
was annotated with `WEBP_COUNTED_BY_OR_NULL(MAX_PALETTE_SIZE)` to fix
an array subscript error at src/utils/palette.c:146. This annotation
reflects the function's contract, documented in src/utils/palette.h,
which states that if `palette` is not NULL, it must point to memory
allocated for at least `MAX_PALETTE_SIZE` elements. To make
`MAX_PALETTE_SIZE` visible, `src/webp/format_constants.h` was included
in `src/utils/palette.h`. Consequently, the wrapper function
`WebPGetColorPalette` (src/utils/utils.c:273) and its declaration in
`src/utils/utils.h` were also annotated similarly, requiring the
inclusion of `src/webp/format_constants.h` in `src/utils/utils.h` as
well. This resolved a compilation error caused by the type mismatch
when calling the annotated `GetColorPalette` from `WebPGetColorPalette`.

Bug: 432511821
Change-Id: Iceebf2facf9558dd49889f056f028d9a3fb22d41

src/utils/palette.c

@@ -97,7 +97,9 @@ void PrepareMapToPalette(const uint32_t palette[], uint32_t num_colors,
 #define COLOR_HASH_SIZE (MAX_PALETTE_SIZE * 4)
 #define COLOR_HASH_RIGHT_SHIFT 22  // 32 - log2(COLOR_HASH_SIZE).
 
-int GetColorPalette(const WebPPicture* const pic, uint32_t* const palette) {
+int GetColorPalette(const WebPPicture* const pic,
+                    uint32_t* const WEBP_COUNTED_BY_OR_NULL(MAX_PALETTE_SIZE)
+                        palette) {
   int i;
   int x, y;
   int num_colors = 0;

src/utils/palette.h

@@ -15,6 +15,7 @@
 #define WEBP_UTILS_PALETTE_H_
 
 #include "src/utils/bounds_safety.h"
+#include "src/webp/format_constants.h"
 #include "src/webp/types.h"
 
 WEBP_ASSUME_UNSAFE_INDEXABLE_ABI
@@ -51,7 +52,8 @@ void PrepareMapToPalette(const uint32_t palette[], uint32_t num_colors,
 // 'palette' in a sorted order. Note: 'palette' is assumed to be an array
 // already allocated with at least MAX_PALETTE_SIZE elements.
 int GetColorPalette(const struct WebPPicture* const pic,
-                    uint32_t* const palette);
+                    uint32_t* const WEBP_COUNTED_BY_OR_NULL(MAX_PALETTE_SIZE)
+                        palette);
 
 // Sorts the palette according to the criterion defined by 'method'.
 // 'palette_sorted' is the input palette sorted lexicographically, as done in

src/utils/utils.c

@@ -271,7 +271,9 @@ void WebPCopyPixels(const WebPPicture* const src, WebPPicture* const dst) {
 
 //------------------------------------------------------------------------------
 
-int WebPGetColorPalette(const WebPPicture* const pic, uint32_t* const palette) {
+int WebPGetColorPalette(
+    const WebPPicture* const pic,
+    uint32_t* const WEBP_COUNTED_BY_OR_NULL(MAX_PALETTE_SIZE) palette) {
   return GetColorPalette(pic, palette);
 }
 

src/utils/utils.h

@@ -22,6 +22,7 @@
 #include <assert.h>
 
 #include "src/utils/bounds_safety.h"
+#include "src/webp/format_constants.h"
 #include "src/webp/types.h"
 
 WEBP_ASSUME_UNSAFE_INDEXABLE_ABI
@@ -200,8 +201,9 @@ WEBP_EXTERN void WebPCopyPixels(const struct WebPPicture* const src,
 // Note: 'palette' is assumed to be an array already allocated with at least
 // MAX_PALETTE_SIZE elements.
 // TODO(vrabaud) remove whenever we can break the ABI.
-WEBP_EXTERN int WebPGetColorPalette(const struct WebPPicture* const pic,
-                                    uint32_t* const palette);
+WEBP_EXTERN int WebPGetColorPalette(
+    const struct WebPPicture* const pic,
+    uint32_t* const WEBP_COUNTED_BY_OR_NULL(MAX_PALETTE_SIZE) palette);
 
 //------------------------------------------------------------------------------