Add note for CVE-2017-14034

Add note referinging issue with three libbpg bugs. The third issue from
the referenced link corresponds to CVE-2017-14034.

Since the problematic function is not found in x256, remove that source
entry, but the issue might affect in addition of ffmpeg (to be confirmed
still) as well libav.

Keep TODO item due to the open need of investigation.