Fix DnD memory safety issues, protocol output bugs, and undefined behavior

[Copilot]

Thorough audit of the DnD protocol implementation (dnd.c) revealed memory leaks, a buffer overflow, protocol output bugs, and undefined behavior across several code paths.

Protocol output bugs

• drag_notify missing OSC prefix — output was t=e:x=1:y=0\x1b\\ instead of \x1b]CODE;t=e:x=1:y=0\x1b\\, making notifications unparseable by clients
• drag_notify missing colon separators — produced t=e:x=1y=0 instead of t=e:x=1:y=0

Memory leaks

• drag_free_remote_item — children array pointer never freed after recursive child cleanup
• drag_free_offer — free_pending(&ds.pending) never called, leaking queued unflushed entries
• toplevel_data_for_drag — old strdup'd URI overwritten without free():

  // Before: leak
  mi.uri_list[uri_item_idx] = as_file_url(...);
  // After:
  free(mi.uri_list[uri_item_idx]);
  mi.uri_list[uri_item_idx] = as_file_url(...);

• Realloc anti-pattern in 7 call sites (drop_register_window, drop_dispatch_data, drag_add_mimes, drag_add_pre_sent_data, drag_add_image, add_payload, queue_payload_to_child) — ptr = realloc(ptr, ...) loses the old pointer on failure

Buffer overflow

• add_payload symlink case — ri->data[ri->data_sz] = 0 writes past allocation when decoded data fills capacity exactly. Now ensures data_capacity >= data_sz + 1 before the null terminator write.

Integer overflow

• expand_rgb_data — img.width * img.height * 4 used int arithmetic before size_t conversion. Fixed with explicit (size_t) casts.

Undefined behavior

• queue_payload_to_child — memcpy(dst, NULL, 0) when data is NULL and data_sz is 0. Guarded with size check.

Tests

• 5 new tests exercising the drag_notify colon separator fix, children array cleanup, and URI replacement. Added dnd_test_drag_notify C test helper to invoke drag_notify with controlled parameters.