rimage: avoid reading past the buffer scanning for the marker

The marker scan read a 32-bit word at each offset up to the last byte,
reading a few bytes past the buffer at the tail. Stop once fewer than a
word remains, in both scan sites.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

tools/rimage/src/manifest.c

@@ -1678,7 +1678,7 @@ int verify_image(struct image *image)
 		ret = file_error("unable to read whole file", image->verify_file);
 		goto out;
 	}
-	for (i = 0; i < size; i += sizeof(uint32_t)) {
+	for (i = 0; i + sizeof(uint32_t) <= size; i += sizeof(uint32_t)) {
 		/* find CSE header marker "$CPD" */
 		if (*(uint32_t *)(buffer + i) == CSE_HEADER_MAKER) {
 			image->fw_image = buffer + i;
@@ -1749,7 +1749,7 @@ int resign_image(struct image *image)
 
 	fclose(in_file);
 
-	for (i = 0; i < size; i += sizeof(uint32_t)) {
+	for (i = 0; i + sizeof(uint32_t) <= size; i += sizeof(uint32_t)) {
 		/* find CSE header marker "$CPD" */
 		if (*(uint32_t *)(buffer + i) == CSE_HEADER_MAKER) {
 			image->fw_image = buffer + i;