qdlt: fix correctness and safety bugs in argument and segmented-msg p…

[SoundMatt]

Problem

Two unrelated but small bugs in qdlt/, both real and reachable:

1. QDltArgument::setValue — toInt() instead of toDouble()

qdlt/qdltargument.cpp:699–705:

case QVariant::Double:
    {
    double bvalue = value.toInt();          // ← bug
    data = QByteArray((const char*)&bvalue, sizeof(double));
    typeInfo = QDltArgument::DltTypeInfoFloa;
    return true;
    }

When a QVariant::Double is passed to setValue(), the code reads
its integer value and stores that as a double. Effects:

• setValue(QVariant(3.14)) → stores 3.0 (fractional part lost).
• setValue(QVariant(NaN)) → stores 0.0 (toInt() returns 0).
• setValue(QVariant(1.5e15)) → silently clamped to int range.

Anywhere DLT messages are constructed programmatically with floating-
point arguments via this overload, the wire output is wrong.

Fix: value.toInt() → value.toDouble(). One-character change.

2. QDltSegmentedMsg::add — sequence * chunkSize overflow

qdlt/qdltsegmentedmsg.cpp:141–154:

uint32_t sequence = argument.getValue().toUInt();
if(sequence>=chunks) {
    error = ...;
    return -1;
}
...
payload.replace(sequence*chunkSize, chunkSize, argument.getData());

Both sequence (chunk segment) and chunkSize (start segment) come
from the wire. The check sequence < chunks only validates the
chunk index; the multiplication sequence * chunkSize is performed
in uint32_t and can wrap. With a crafted start segment declaring a
large chunkSize and a chunk-segment message with a small but
non-zero sequence, the product wraps to a value smaller than
payload.size(), so payload.replace() succeeds but writes the
chunk into the wrong region of the buffer.

Fix: compute the offset in quint64 so the multiplication can't
wrap, then reject any chunk whose end (chunk_offset + chunkSize)
would extend past the resized payload size before calling
replace().

Verification

• Read both functions in full; existing checks before each fix do
  not cover the cases above.
• payload is resized to the start-segment-declared size at
  line 112, which the new bound-check uses as the upper limit.
• Cast back to int for the replace() call is safe after the
  bound check has guaranteed the offset fits.

Notes

• No new tests added; happy to add qdlt/tests/-style coverage if
  maintainers point me at the right harness shape.
• Defensive bounds-checks on mid() calls in qdltargument.cpp:174,178
  and qdltimporter.cpp:942 are real but milder (Qt's mid()
  truncates gracefully rather than reading OOB), and I'll send
  those as a separate PR rather than bundle here.