
fix off-by-one quant table index check in jpegli_add_quant_table #241

Open

rootvector2 wants to merge 1 commit into google:main from rootvector2:quant-table-index-off-by-one

Conversation

@rootvector2

Contributor

Description

jpegli_add_quant_table bounds-checks the caller-supplied which_tbl with which_tbl > NUM_QUANT_TBLS instead of >=, so which_tbl == NUM_QUANT_TBLS (4) slips through and the function then indexes quant_tbl_ptrs[4], one past the four-entry array. In jpeg_compress_struct that read aliases q_scale_factor[0], which jpegli_set_defaults initializes to 100, so the == nullptr check is skipped and 64 coefficients get written through (JQUANT_TBL*)100. Reachable through both this entry point and the libjpeg-compatible jpeg_add_quant_table wrapper.

Noticed comparing this setter to the decoder's DQT path (decode_marker.cc, JPEG_VERIFY_INPUT(quant_table_index, 0, NUM_QUANT_TBLS - 1)) and to libjpeg's jcparam.c, both of which bound the index at NUM_QUANT_TBLS - 1. The fix matches that. Added a regression test that calls the setter with NUM_QUANT_TBLS and expects a clean error rather than the out-of-bounds access.

Pull Request Checklist

  • CLA Signed: Have you signed the Contributor License Agreement (individual or corporate, as appropriate)? Only contributions from signed contributors can be accepted.
  • Authors: Have you considered adding your name to the AUTHORS file?
  • Code Style: Have you ensured your code adheres to the project's coding style guidelines? You can use ./ci.sh lint for automatic code formatting.
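The comparison change this PR describes, as an added illustration that is not jpegli code: a small model of the setter with the pre-fix predicate (`> NUM_QUANT_TBLS`) beside the corrected one (`< NUM_QUANT_TBLS`), so the accepted index set can be checked directly. The struct, function names and the "write 64 coefficients" body are constructed here; only `NUM_QUANT_TBLS` (4) comes from libjpeg.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_QUANT_TBLS 4 /* libjpeg's table count; valid ids are 0..3 */

typedef struct { unsigned short quantval[64]; } quant_tbl_t;

/* Constructed model of the relevant part of the compress struct: the
 * table-pointer array is immediately followed by another array, so a
 * read at quant_tbl_ptrs[NUM_QUANT_TBLS] lands in unrelated storage. */
typedef struct {
  quant_tbl_t *quant_tbl_ptrs[NUM_QUANT_TBLS];
  int q_scale_factor[NUM_QUANT_TBLS];
} compress_model_t;

/* Pre-fix predicate: lets which_tbl == NUM_QUANT_TBLS through. */
bool index_ok_before(int which_tbl) {
  return !(which_tbl < 0 || which_tbl > NUM_QUANT_TBLS);
}

/* Fixed predicate: rejects NUM_QUANT_TBLS, matching the decoder's
 * JPEG_VERIFY_INPUT(..., 0, NUM_QUANT_TBLS - 1) bound. */
bool index_ok_after(int which_tbl) {
  return which_tbl >= 0 && which_tbl < NUM_QUANT_TBLS;
}

/* Counts how many indices in [-1, NUM_QUANT_TBLS] a predicate accepts. */
int accepted_count(bool (*ok)(int)) {
  int n = 0;
  for (int i = -1; i <= NUM_QUANT_TBLS; i++) n += ok(i) ? 1 : 0;
  return n;
}

/* Setter with the fixed check; returns 0 on success, -1 on a bad index.
 * The array is only indexed after the check has passed. */
int add_quant_table(compress_model_t *c, int which_tbl, quant_tbl_t *store) {
  if (!index_ok_after(which_tbl)) return -1;
  if (c->quant_tbl_ptrs[which_tbl] == NULL) c->quant_tbl_ptrs[which_tbl] = store;
  for (int i = 0; i < 64; i++) c->quant_tbl_ptrs[which_tbl]->quantval[i] = 1;
  return 0;
}

/* Runs the setter against a fresh model for one index; returns its result. */
int try_index(int which_tbl) {
  compress_model_t c = {{0}, {100, 100, 100, 100}};
  quant_tbl_t store;
  return add_quant_table(&c, which_tbl, &store);
}
```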
