Transaction: Add overflow protection to read_entries

Validates read_entries and read_buf_size to ensure
they don't exceed reasonable limits that could trigger overflow.

Adds explicit checks before the calculation to detect potential integer overflows.

Bug: 322327963
Test: CTS/PTS, GCA_SMOKE TEST
Change-Id: I1b2e99cc83cfd751d3a82e501dbd64ddfebd039f
Signed-off-by: Nick Chung <nickchung@google.com>
(cherry picked from commit e7a59eba1ba9c49d9500935907056fc69ce3a012)
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 823de12..c6ccd42 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c
@@ -888,6 +888,15 @@
 	/* Event response payload consists of header, and address and offset pairs. */
 	resp_size = sizeof(struct lwis_transaction_response_header) +
 		    read_entries * sizeof(struct lwis_io_result) + read_buf_size;
+
+	if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) {
+		return -EOVERFLOW;
+	}
+
+	if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) -
+				    read_entries * sizeof(struct lwis_io_result)) {
+		return -EOVERFLOW;
+	}
 	/*
 	 * Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is
 	 * because this function can be called by transaction_replace while