Harden CropAndResize against malformed crop_size tensors (#28766)
## Description
This PR closes a validation gap in the Microsoft CropAndResize contrib
op by rejecting malformed `crop_size` tensors before runtime can read
past the end of the array. The fix improves safety for invalid models
and preserves existing behavior for valid inputs.
## Summary of Changes
### Validation and safety
| File | Change |
|------|--------|
| `onnxruntime/contrib_ops/cpu/crop_and_resize.cc` | Added explicit
runtime validation to ensure `crop_size` is a 1-D tensor with exactly 2
elements before indexing `crop_size_data[1]`. |
| `onnxruntime/core/graph/contrib_ops/contrib_defs.cc` | Added
shape-inference validation so malformed `crop_size` shapes are rejected
during model resolution when the size is known. |
### Regression coverage
- Added provider-test coverage in
`onnxruntime/test/contrib_ops/crop_and_resize_op_test.cc` for malformed
`crop_size` inputs of length 1 and 3, confirming they fail validation
instead of reaching the runtime path.
## Testing
Verified locally with:
- `cmake --build build/Linux/Release --target onnxruntime_provider_test
-j2`
- `cd build/Linux/Release && ./onnxruntime_provider_test
--gtest_filter='CropAndResizeTest.*'`
Result: 5 tests ran, 5 passed.
## Motivation and Context
The root cause was that the runtime path only checked the rank of
`crop_size`, not its element count. A rank-1 tensor with fewer than 2
elements could still reach `crop_size_data[1]`, which created an
out-of-bounds read path and exposed adjacent heap bytes. This fix
addresses both runtime execution and model-loading/shape-inference
validation to close the vulnerability path end to end.
## Checklist
- [x] Tests added/updated
- [x] No breaking changes
- [x] CI passes (verified locally via provider test suite)