[sfnt] Additional bounds checks in `COLR` v1.
- src/sfnt/ttcolr.c (read_paint): Use new ENSURE_READ_BYTES macro, ensure that 3 bytes can be read. (tt_face_get_paint_layers): Ensure that the 4-byte paint table offset can be read.
Follow up to !124 (merged) and issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404