fix(wob+wom): reject corrupted header counts before allocating

Adds upfront sanity bounds to both WoB and WOM load:
  WOM: vert<=1M, index<=4M, tex<=1K
  WOB: groups<=4K, portals<=8K, doodads<=64K
Real WoW models stay well under these limits (M2 vert is uint16 anyway).
Without these checks a corrupted header could trigger a multi-GB
allocation and OOM the process before we finish reading the body. Also
caps name length to 1KB on WoB load (already done on WOM).

src/pipeline/wowee_model.cpp

@@ -39,6 +39,14 @@ WoweeModel WoweeModelLoader::load(const std::string& basePath) {
     f.read(reinterpret_cast<char*>(&model.boundRadius), 4);
     f.read(reinterpret_cast<char*>(&model.boundMin), 12);
     f.read(reinterpret_cast<char*>(&model.boundMax), 12);
+    // Sanity bounds. Real M2 models cap at 65k vertices (uint16 indices) and
+    // typically 64 textures. Reject obviously corrupted counts before we
+    // try to allocate huge vertex/index buffers.
+    if (vertCount > 1'000'000 || indexCount > 4'000'000 || texCount > 1024) {
+        LOG_ERROR("WOM header rejected (verts=", vertCount,
+                  " indices=", indexCount, " textures=", texCount, "): ", basePath);
+        return WoweeModel{};
+    }
 
     // Bound sanity — radius drives M2 culling, min/max drive collision AABBs.
     // NaN/inf would either cull-out the model or crash the cull math.