[SECURITY] Integer overflow in CFE_TBL_ValidateCodecLoadSize bypasses bounds check on 32-bit targets

[0rbitingZer0]

Checklist (Please check before submitting)

• I reviewed the Contributing Guide.
• I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.

Describe the bug
Integer overflow in CFE_TBL_ValidateCodecLoadSize() bypasses the table load bounds check on 32-bit targets. The function computes ProjectedSize = Offset + NumBytes using uint32 arithmetic. When the sum exceeds 2^32, the result wraps to a small value that passes the bounds check. The original unwrapped Offset is then used for the destination pointer computation in CFE_TBL_LoadContentFromFile(), enabling out-of-bounds memory writes on 32-bit flight processors (LEON3, RAD750).

This is mitigated on 64-bit targets where pointer arithmetic does not wrap at 2^32.

To Reproduce

1. Craft a table load file with Offset=0xFFFFFF00 and NumBytes=0x200 targeting a 256-byte table
2. The uint32 addition wraps: 0xFFFFFF00 + 0x200 = 0x100 (256), which passes the ProjectedSize > ActualSize check
3. The subsequent memcpy uses the original Offset (0xFFFFFF00) for the destination pointer, writing 512 bytes 4GB beyond the table buffer
4. On 32-bit flight hardware, this wraps into other memory regions — confirmed with three overflow variants

Proof-of-concept source and output are available upon request.

Expected behavior
The bounds-check addition should be performed in 64-bit arithmetic to prevent wraparound, regardless of target architecture.

Code snips
cfe/modules/tbl/fsw/src/cfe_tbl_passthru_codec.c (line 163):

uint32 ProjectedSize;
ProjectedSize = HeaderPtr->Offset + HeaderPtr->NumBytes;  // uint32 wraps at 2^32
if (ProjectedSize > ActualSize)
{
    /* reject as too large */
}

Example overflow:

Offset       = 0xFFFFFF00  (4,294,967,040)
NumBytes     = 0x00000200  (512)
True sum     = 0x100000100 (4,294,967,552)
uint32 wrap  = 0x00000100  (256)  <- passes check for TableSize=256

System observed on:

• Hardware: x86-64 (arithmetic overflow demonstrated via uint32_t; exploitable OOB write requires 32-bit address space as on LEON3/RAD750)
• OS: Linux (Ubuntu 22.04)
• Versions: cFS Draco release, commit 83c735e

Additional context
The primary cFS deployment targets are 32-bit flight processors (LEON3, RAD750) where this vulnerability is exploitable. The fix (casting to uint64_t before addition) is trivial and has zero impact on 64-bit targets. Requires ground operator command authority to issue table load commands.