Guard Amiga hill sprite copy against short buffers

[segrax]

Motivation

• The legacy Amiga hill-loading code performs writes at hard-coded offsets into mImageHillSprites after sizing that buffer from attacker-controlled hills.lbm BMHD fields, which can lead to out-of-bounds heap writes when a crafted asset uses small dimensions/plane counts.
• A minimal runtime guard is needed to prevent the legacy fixed-offset copy loop from accessing memory beyond the decoded buffer.

Description

• Add a minimum-size check in cGraphics_Amiga::Load_Hill_Data() to ensure mImageHillSprites.mData is at least 0x42A0E bytes before running the legacy fixed-offset copy loop.
• Return early from Load_Hill_Data() when the decoded hill sprite buffer is too small, preserving existing behavior for valid assets.
• Change is localized to Source/Amiga/Graphics_Amiga.cpp and does not alter the copy logic itself, only guards its execution.

Testing

• Ran an automated offset computation script to derive the highest accessed byte and confirm the required minimum buffer size (script succeeded and produced 0x42A0E as the threshold).
• Applied the patch and performed an automated source inspection to verify the inserted constexpr size_t kHillSpriteMinSize = 0x42A0E; check is present before the legacy copy loop (inspection succeeded).
• The patch was applied successfully without modifying the legacy copy logic, and no automated unit tests were run against the runtime code path in this environment.

---

Codex Task