This change hardens the C++ code that loads the GGML file format. Some
people download weights off the Internet to run inference on a trained
model. Since weights don't contain code like graph definitions, having
them be able to load in a secure manner is a reasonable expectation to
have. Therefore this change addresses many of the weaknesses in how we
were going about doing things earlier, which would allow untrustworthy
weights to trigger undefined behaviors with memory. I haven't cared to
investigate whether any of these weaknesses are exploitable, but it'll
certainly be more difficult for that to happen, once this gets merged,
which will enable our users to share more freely, happily, and safely.