fix: Prevent double-freeing `png_struct` members on allocation failure

Clear the pointers inside `png_struct` after `png_free`, following the
existing idiom in `png_read_buffer`, to ensure that a subsequent free
will be a no-op.

Several read-side functions free a `png_struct` member and allocate
a replacement without clearing the pointer in between. When that
allocation fails, `png_malloc` calls `png_error`, which longjmps out
before the assignment, leaving the member pointing at freed memory.
The application's cleanup path (`png_destroy_read_struct`, then
`png_read_destroy`) then frees it a second time.

The same defect occurs at five members across four functions:
 - `big_row_buf` and `big_prev_row` in `png_read_start_row`;
 - `palette` in `png_set_PLTE`;
 - `trans_alpha` in `png_set_tRNS`;
 - `quantize_index` in `png_set_quantize`.

This is robustness hardening, not a fix for untrusted input. Arming
the double-free needs a prior successful pass through the same site,
and PNG content alone cannot deliver one: duplicate PLTE and tRNS
chunks are rejected before their setters run, and within a single
decode the row dimensions never grow, so the row-buffer reallocation
guard cannot re-fire.

The trigger is an application that causes a setter to run twice on one
`png_struct` or reuses the struct across decodes, and then meets an
allocation failure.

This is a cherry-pick of commit a22696be0aadb185de33c152cc81df899eeefe6a
from branch 'libpng18'.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Anthony Hurtado <amhurtado@pm.me>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>