Skip empty/invalid records/certs in MacOS keychain files

In the original PR that implemented this (#14325), it included a list of references for the keychain format. Multiple of those references include the checks that are added in this commit, and empirically this fixes the loading of a real keychain file that was previously failing (it had both a record with offset 0 and a record with cert_size 0).

Fixes #22870

Author: squeek502

lib/std/crypto/Certificate/Bundle/macos.zig

@@ -61,10 +61,16 @@ pub fn rescanMac(cb: *Bundle, gpa: Allocator) RescanMacError!void {
             }
 
             for (record_list) |record_offset| {
+                // An offset of zero means that the record is not present.
+                // An offset that is not 4-byte-aligned is invalid.
+                if (record_offset == 0 or record_offset % 4 != 0) continue;
+
                 try stream.seekTo(db_header.schema_offset + table_offset + record_offset);
 
                 const cert_header = try reader.readStructEndian(X509CertHeader, .big);
 
+                if (cert_header.cert_size == 0) continue;
+
                 try cb.bytes.ensureUnusedCapacity(gpa, cert_header.cert_size);
 
                 const cert_start = @as(u32, @intCast(cb.bytes.items.len));