fix(security): use LOAD_LIBRARY_SEARCH_* safe flags in Windows loader

Replace LOAD_WITH_ALTERED_SEARCH_PATH (0x8) with
LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | _USER_DIRS | _SYSTEM32. The old flag
sets the DLL's own directory as the first search path but leaves the
legacy unsafe search order (CWD, %PATH%) enabled for transitive
dependencies — a real DLL-hijack vector if libwebp.dll itself
depends on or is patched to depend on an attacker-droppable basename.

The new flag set restricts dependency resolution to the DLL's directory
plus System32 (and any user-added directories), explicitly excluding
CWD and %PATH%.

Fall back to LOAD_WITH_ALTERED_SEARCH_PATH on ERROR_INVALID_PARAMETER
(87) for pre-KB2533623 Windows, so we don't regress loading on very old
hosts. Only applies to !NETCOREAPP — .NET Core uses NativeLibrary.TryLoad
and the DllImportResolver in NativeLibraryBootstrap.

Author: lilith

src/Imazen.WebP/NativeLibraryLoading.cs

@@ -491,10 +491,38 @@ internal static class WindowsLoadLibrary
             SetLastError = true)]
         private static extern IntPtr LoadLibraryEx(string fileName, IntPtr reservedNull, uint flags);
 
+        // Safe-search flags (Windows 7 SP1+KB2533623 and later — universally
+        // available on supported Windows today). These restrict dependency
+        // resolution to the DLL's own directory plus System32 plus the
+        // user-added directories. They explicitly exclude the legacy unsafe
+        // search order (current working directory, %PATH%, etc.) that
+        // LOAD_WITH_ALTERED_SEARCH_PATH leaves enabled for transitive
+        // dependencies.
+        private const uint LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR = 0x00000100;
+        private const uint LOAD_LIBRARY_SEARCH_USER_DIRS    = 0x00000400;
+        private const uint LOAD_LIBRARY_SEARCH_SYSTEM32     = 0x00000800;
+        private const uint LOAD_WITH_ALTERED_SEARCH_PATH    = 0x00000008;
+
         public static IntPtr Execute(string fileName)
         {
-            const uint loadWithAlteredSearchPath = 0x00000008;
-            return LoadLibraryEx(fileName, IntPtr.Zero, loadWithAlteredSearchPath);
+            const uint safeSearch =
+                LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR |
+                LOAD_LIBRARY_SEARCH_USER_DIRS |
+                LOAD_LIBRARY_SEARCH_SYSTEM32;
+
+            IntPtr handle = LoadLibraryEx(fileName, IntPtr.Zero, safeSearch);
+            if (handle != IntPtr.Zero) return handle;
+
+            // ERROR_INVALID_PARAMETER (87) on very old Windows without the
+            // KB2533623 update — fall back to the legacy flag rather than
+            // failing outright. Any other error (file not found, image
+            // format, etc.) propagates the original error code.
+            int err = Marshal.GetLastWin32Error();
+            if (err == 87)
+            {
+                handle = LoadLibraryEx(fileName, IntPtr.Zero, LOAD_WITH_ALTERED_SEARCH_PATH);
+            }
+            return handle;
         }
     }