feat(egfx): cascade Arbitrary derives across ironrdp-egfx public PDU types

Extends the Arbitrary cascade from PR Devolutions#1272 (ironrdp-pdu) and PR Devolutions#1284
(extension to pdu types in ironrdp-pdu's egfx-related modules) to the
ironrdp-egfx crate's own public type surface.

Adds the arbitrary feature to ironrdp-egfx and adds the standard
#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] gate
to every public PDU type in crates/ironrdp-egfx/src/pdu/:

- common.rs: Point, Color, PixelFormat
- avc.rs: Avc420BitmapStream, Avc444BitmapStream, Avc420Region
- cmd.rs: GfxPdu plus all 23 variant types, RawCapabilitySet,
  CapabilitySet, CapabilityVersion, Codec1Type, Codec2Type, QueueDepth,
  CacheEntryMetadata, and the six CapabilitiesV*Flags bitflags structs.

Three types use a manual Arbitrary impl rather than the derive because
their fields have implicit wire-bit-width constraints the derive cannot
express. derive(Arbitrary) on these types generates values in the full
underlying type range, which the encoder then panics on when packing
into the narrower wire range. Manual impls mask each field to its
spec-defined width:

- Timestamp (cmd.rs): milliseconds and hours into 10 bits each,
  seconds and minutes into 6 bits each. The encoder packs all four
  into a single u32 via set_bits.
- QuantQuality (avc.rs): quantization_parameter into 6 bits. Encoder
  packs into a u8 via set_bits(0..6).
- Encoding bitflag (avc.rs): masked to 2 bits. The bitflag's
  `const _ = !0` clause otherwise accepts any u8 value, but the
  encoder for Avc444BitmapStream packs encoding.bits() into bits
  30..32 of the stream-info field.

The arbitrary feature cascades through ironrdp-pdu/arbitrary so types
in egfx's variant payloads (ExclusiveRectangle, etc.) pick up their
existing Arbitrary impls. bitflags/arbitrary is activated so the
CapabilitiesV*Flags bitflag types get Arbitrary via the bitflags
crate's own derive support.

Adds the ironrdp-egfx/arbitrary case to the xtask feature matrix
(xtask/src/features.rs), mirroring the ironrdp-pdu/arbitrary entry,
so CI verifies the feature builds cleanly.

Default build (no arbitrary feature) is unchanged. Existing tests
pass. cargo xtask check features --case ironrdp-egfx/arbitrary clean.

This is the prerequisite cascade for the egfx_multi_frame fuzz target
(target 5 under Devolutions#1316), which will use Arbitrary-derived Vec<GfxPdu>
to drive a single decoder + surface-cache pair across each fuzz
iteration. The target itself follows in a separate PR. Per the Devolutions#1122
guidance ("either implement Arbitrary manually and reject invalid
values, or generate a raw value and then sanitize it"), the three
manual impls here follow the sanitize-via-mask shape so generated
values always round-trip through Encode.

Refs Devolutions#1316.

Author: glamberson

Cargo.lock

@@ -17,6 +17,7 @@ doctest = false
 # test = false # FIXME: turn off and keep tests in testsuite crates
 
 [dependencies]
+arbitrary = { version = "1", features = ["derive"], optional = true }
 bit_field = "0.10"
 bitflags = "2.11"
 ironrdp-core = { path = "../ironrdp-core", version = "0.1" } # public
@@ -27,6 +28,7 @@ openh264 = { version = "0.9", optional = true, default-features = false }
 tracing = { version = "0.1", features = ["log"] }
 
 [features]
+arbitrary = ["dep:arbitrary", "bitflags/arbitrary", "ironrdp-pdu/arbitrary"]
 openh264 = ["dep:openh264"]
 openh264-bundled = ["openh264", "openh264/source"]
 openh264-libloading = ["openh264", "openh264/libloading"]

crates/ironrdp-egfx/Cargo.toml

@@ -15,6 +15,21 @@ pub struct QuantQuality {
     pub quality: u8,
 }
 
+// Manual `Arbitrary` impl: the encoder packs `quantization_parameter` into bits 0..6
+// via `set_bits`, which panics when the value exceeds 6 bits. Mask the field to its
+// wire-allowed range so fuzz inputs always round-trip through `Encode`. The other
+// fields use their full type range.
+#[cfg(feature = "arbitrary")]
+impl<'a> arbitrary::Arbitrary<'a> for QuantQuality {
+    fn arbitrary(u: &mut arbitrary::Unstructured<'a>) -> arbitrary::Result<Self> {
+        Ok(Self {
+            quantization_parameter: u.arbitrary::<u8>()? & 0x3F, // 6 bits
+            progressive: u.arbitrary()?,
+            quality: u.arbitrary()?,
+        })
+    }
+}
+
 impl QuantQuality {
     const NAME: &'static str = "GfxQuantQuality";
 
@@ -58,6 +73,7 @@ impl<'de> Decode<'de> for QuantQuality {
     }
 }
 
+#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Clone, PartialEq, Eq)]
 pub struct Avc420BitmapStream<'a> {
     pub rectangles: Vec<InclusiveRectangle>,
@@ -152,6 +168,19 @@ bitflags! {
     }
 }
 
+// Manual `Arbitrary` impl: the encoder packs `encoding.bits()` into 2 bits via
+// `set_bits(30..32, ...)` on the Avc444BitmapStream stream-info field. The bitflag
+// otherwise accepts any u8 value (via `const _ = !0`), so the bitflags-crate-provided
+// derive would generate values that exceed the 2-bit wire range and panic the encoder.
+// Mask to 2 bits.
+#[cfg(feature = "arbitrary")]
+impl<'a> arbitrary::Arbitrary<'a> for Encoding {
+    fn arbitrary(u: &mut arbitrary::Unstructured<'a>) -> arbitrary::Result<Self> {
+        Ok(Self::from_bits_retain(u.arbitrary::<u8>()? & 0x03))
+    }
+}
+
+#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct Avc444BitmapStream<'a> {
     pub encoding: Encoding,
@@ -263,6 +292,7 @@ impl<'de> Decode<'de> for Avc444BitmapStream<'de> {
 /// assert_eq!(region.left, 0);
 /// assert_eq!(region.right, 1919);
 /// ```
+#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct Avc420Region {
     /// Left edge of the region (inclusive)