Add an option to limit the maximum decode frame size
Chromium's fuzzer found an OOM. It's not entirely dav1d's fault. The frame is huge (48,000 x 32,256), so it's not surprising the allocation fails on a 32-bit system (and dav1d correctly checks for malloc failure, which is good).
But this could lead an application to OOM and the OS to terminate it. A simple, but effective, defensive strategy would be to do something like libvpx's configurable --size-limit. dav1d could have a configurable size limit (either at compile time or at run time via Dav1dSettings) and raise an error if a frame exceeds the size limit (thus avoiding huge malloc calls).
This would also assist fuzzing (minimizing the false positives from OOMs like this, for example).
Edited by Michael Bradshaw
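An added example, not dav1d's code, sketching the proposed check in C: a constructed settings struct with a `frame_size_limit` field standing in for the Dav1dSettings option, a policy check run before any malloc, and an overflow-safe byte-size computation so the area calculation cannot wrap on a 32-bit host. The struct, field, function names and return codes are assumptions for illustration; the 48,000 x 32,256 dimensions in `main` are the ones from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for a settings struct with the proposed field;
 * this is not dav1d's real Dav1dSettings. 0 means "no limit". */
typedef struct {
    unsigned frame_size_limit;  /* max frame area in pixels, 0 = unlimited */
} DemoSettings;

enum {
    FRAME_OK        =  0,
    FRAME_INVALID   = -1,  /* zero width, height or bytes-per-pixel */
    FRAME_TOO_LARGE = -2,  /* exceeds the configured pixel limit */
    FRAME_OVERFLOW  = -3,  /* byte size does not fit in size_t */
    FRAME_NOMEM     = -4   /* malloc failed */
};

/* Policy check: does width*height exceed the configured cap?
 * The product is formed in 64 bits so it cannot wrap on a 32-bit host,
 * where a wrapped value could make a huge frame look small. */
int check_frame_size(const DemoSettings *s, unsigned w, unsigned h)
{
    if (w == 0 || h == 0) return FRAME_INVALID;
    const uint64_t area = (uint64_t)w * h;
    if (s->frame_size_limit != 0 && area > s->frame_size_limit)
        return FRAME_TOO_LARGE;
    return FRAME_OK;
}

/* Byte size of a w*h*bytes_per_pixel buffer, rejecting anything that
 * would overflow uint64_t or not fit in this platform's size_t. */
static int frame_bytes(unsigned w, unsigned h, unsigned bytes_per_pixel,
                       size_t *out)
{
    if (bytes_per_pixel == 0) return FRAME_INVALID;
    const uint64_t area = (uint64_t)w * h;
    if (area > UINT64_MAX / bytes_per_pixel) return FRAME_OVERFLOW;
    const uint64_t bytes = area * bytes_per_pixel;
    if (bytes > (uint64_t)SIZE_MAX) return FRAME_OVERFLOW;
    *out = (size_t)bytes;
    return FRAME_OK;
}

/* Allocate a frame buffer only after the policy and overflow checks pass.
 * On success *buf is a malloc'd block of *len bytes that the caller frees.
 * malloc failure is still reported, as dav1d already does. */
int alloc_frame(const DemoSettings *s, unsigned w, unsigned h,
                unsigned bytes_per_pixel, void **buf, size_t *len)
{
    int rc = check_frame_size(s, w, h);
    if (rc != FRAME_OK) return rc;
    size_t n;
    rc = frame_bytes(w, h, bytes_per_pixel, &n);
    if (rc != FRAME_OK) return rc;
    void *p = malloc(n);
    if (!p) return FRAME_NOMEM;
    *buf = p;
    *len = n;
    return FRAME_OK;
}

/* Convenience for tests: allocate, record the size, free; 0 on any failure. */
size_t alloc_probe(const DemoSettings *s, unsigned w, unsigned h,
                   unsigned bytes_per_pixel)
{
    void *buf = NULL;
    size_t len = 0;
    if (alloc_frame(s, w, h, bytes_per_pixel, &buf, &len) != FRAME_OK)
        return 0;
    free(buf);
    return len;
}

int main(void)
{
    const DemoSettings capped = { 8192u * 8192u };   /* assumed 8K x 8K cap */
    const DemoSettings unlimited = { 0 };
    printf("capped 48000x32256:    %d\n", check_frame_size(&capped, 48000, 32256));
    printf("unlimited 48000x32256: %d\n", check_frame_size(&unlimited, 48000, 32256));
    printf("capped 64x48 bytes:    %zu\n", alloc_probe(&capped, 64, 48, 1));
    return 0;
}
```

With the cap set, the reported 48,000 x 32,256 frame is refused by `check_frame_size` before `alloc_frame` ever touches malloc, which is the behaviour the issue asks for; with the limit at 0 the policy check passes and only the malloc-failure path remains.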