fix jdimension overflow in jpegli_crop_scanline bounds check#242

Open
rootvector2 wants to merge 1 commit into google:main from rootvector2:crop-scanline-offset-overflow
rootvector2 (Contributor) commented Jun 9, 2026

Description

*xoffset + *width in jpegli_crop_scanline is computed in 32-bit JDIMENSION, so a large *xoffset wraps the sum below output_width and the bounds check accepts an out-of-range crop window; master->xoffset_ is then left out of range and WriteToOutput reads the decoded component rows past their end, with the bytes landing in the caller's scanline buffer. Found auditing the crop API. The check is rewritten to compare without the addition, which also covers the jpeg_crop_scanline wrapper, and a regression test is added.

Pull Request Checklist

  • CLA Signed: Have you signed the Contributor License Agreement (individual or corporate, as appropriate)? Only contributions from signed contributors can be accepted.
  • Authors: Have you considered adding your name to the AUTHORS file?
  • Code Style: Have you ensured your code adheres to the project's coding style guidelines? You can use ./ci.sh lint for automatic code formatting.
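
The wrap described in the PR description, shown as an added example that is not code from this pull request or from jpegli. The function names, the `uint32_t` stand-in for the 32-bit `JDIMENSION`, the exact form of both checks and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: JDIMENSION is modelled as a 32-bit unsigned integer. */
typedef uint32_t JDIMENSION;

/* Hypothetical "before" form: the sum is reduced mod 2^32 before the
   comparison, so a large xoffset can make it look small. */
static int crop_ok_wrapping(JDIMENSION xoffset, JDIMENSION width,
                            JDIMENSION output_width) {
  return xoffset + width <= output_width;
}

/* Hypothetical addition-free form: output_width - xoffset is evaluated
   only after xoffset <= output_width is known, so nothing can wrap. */
static int crop_ok_checked(JDIMENSION xoffset, JDIMENSION width,
                           JDIMENSION output_width) {
  if (xoffset > output_width) return 0;
  return width <= output_width - xoffset;
}

int main(void) {
  /* Constructed inputs: {xoffset, width} against a 64-pixel-wide image. */
  const JDIMENSION output_width = 64;
  const JDIMENSION cases[][2] = {
      {0, 64},           /* whole row: valid */
      {16, 32},          /* interior window: valid */
      {60, 8},           /* runs 4 pixels past the row: invalid */
      {0xFFFFFFF0u, 32}, /* sum wraps to 16: invalid, but looks valid */
      {0xFFFFFFFFu, 1},  /* sum wraps to 0: invalid, but looks valid */
  };
  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i) {
    JDIMENSION x = cases[i][0], w = cases[i][1];
    printf("xoffset=%10u width=%2u  wrapping=%s  checked=%s\n",
           (unsigned)x, (unsigned)w,
           crop_ok_wrapping(x, w, output_width) ? "accept" : "reject",
           crop_ok_checked(x, w, output_width) ? "accept" : "reject");
  }
  return 0;
}
```

The two forms agree on every window whose sum does not wrap, so a regression test needs at least one input where `xoffset + width` exceeds the 32-bit range.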
