Fix URL parser delimiter-order underflow #269

Open: idrassi wants to merge 2 commits into frang75:main from idrassi:security/url-parse-underflow


idrassi commented May 16, 2026

Summary

Fixes memory-safety and authority-boundary bugs in url_parse.

The parser locates the #, ?, and ; delimiters, then computes each component's length as a pointer difference between the delimiter position and a running end pointer, casting the result to uint32_t and passing it to str_cn.

Previously, when delimiters appeared in an order that did not match the parser's fixed processing sequence (fragment, then query, then params), end could be reassigned to a position before a later-processed delimiter. The subtraction end - delim_pos - 1 then underflowed, the cast wrapped to a value near UINT32_MAX, and str_cn() was asked to copy a huge slice from a pointer near the end of caller-controlled input.

The parser now only processes #, ?, and ; when the delimiter is still inside the active [path_pos, end) span, and delimiter searches start from the path instead of the authority.

This also fixes authority/path boundary handling:

  • delimiters in the authority portion are no longer misparsed as path components
  • @ is only treated as userinfo when it appears inside the authority span, before the first /, ?, or #
  • @ in the path, query, or fragment no longer rewrites the host/user split

Example inputs

These no longer trigger wrapped component lengths or authority misparsing:

  • http://host/path#frag?query
  • http://host/path#frag;params
  • http://host/path?query;notparams
  • http://host;param/path
  • http://host/path@name
  • http://host/path?email=a@b
  • http://host/path#frag@tag
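
Added example, not part of the pull request or the project's code: a minimal C model of the length arithmetic the comment above describes, with the old behaviour beside the guarded one. The names `component_lens` and `path_start`, and the assumption that the path begins at the first `/` after `://`, are hypothetical; only lengths are computed and nothing is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Component lengths in the parser's fixed order: fragment, query, params. */
typedef struct { uint32_t len[3]; } lens_t;

/* Assumption for this sketch: the path starts at the first '/' after "://". */
static const char *path_start(const char *url) {
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *slash = strchr(p, '/');
    return slash ? slash : url + strlen(url);
}

/* guarded == 0 models the old arithmetic, guarded == 1 the described fix. */
static lens_t component_lens(const char *url, int guarded) {
    static const char delims[3] = { '#', '?', ';' };
    const char *path = path_start(url);
    const char *end = url + strlen(url);
    const char *pos[3];
    lens_t out = { { 0, 0, 0 } };

    /* Locate every delimiter first, searching from the path. */
    for (int i = 0; i < 3; i++)
        pos[i] = memchr(path, delims[i], (size_t)(end - path));

    for (int i = 0; i < 3; i++) {
        if (pos[i] == NULL)
            continue;
        /* Fix: skip a delimiter that is no longer inside [path, end). */
        if (guarded && pos[i] >= end)
            continue;
        /* When pos[i] > end the difference is negative and the cast wraps. */
        out.len[i] = (uint32_t)(end - pos[i] - 1);
        end = pos[i];
    }
    return out;
}

int main(void) {
    const char *url = "http://host/path#frag?query"; /* input listed in the PR */
    lens_t a = component_lens(url, 0), b = component_lens(url, 1);
    printf("unguarded query len: %u\n", (unsigned)a.len[1]);
    printf("guarded   query len: %u\n", (unsigned)b.len[1]);
    return 0;
}
```

With the guard, `?query` after `#` stays part of the fragment and the query length is 0, so no length near `UINT32_MAX` ever reaches a copy routine.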
