Fix CRSF buffer overflow and dashboard sizeof bug

CRSF buffer overflow (rx/crsf.c):
- fullFrameLength computed from untrusted frameLength field
- Malformed packet with large frameLength could overflow crsfFrame.bytes[]
- Added bounds check against CRSF_FRAME_SIZE_MAX before writing

Dashboard sizeof bug (io/dashboard.c):
- tickerCharacters was a pointer, so sizeof() returned pointer size (4/8)
- On 64-bit systems, TICKER_CHARACTER_COUNT was 8 instead of 4
- Could read past end of string when indexing tickerCharacters[]
- Changed to array declaration and sizeof()-1 for correct count

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: sensei-hacker

src/main/io/dashboard.c

@@ -172,8 +172,8 @@ static const char* const gpsFixTypeText[] = {
     "3D"
 };
 
-static const char* tickerCharacters = "|/-\\"; // use 2/4/8 characters so that the divide is optimal.
-#define TICKER_CHARACTER_COUNT (sizeof(tickerCharacters) / sizeof(char))
+static const char tickerCharacters[] = "|/-\\"; // use 2/4/8 characters so that the divide is optimal.
+#define TICKER_CHARACTER_COUNT (sizeof(tickerCharacters) - 1)
 
 static timeUs_t nextPageAt;
 static bool forcePageChange;

src/main/rx/crsf.c

@@ -160,6 +160,11 @@ STATIC_UNIT_TESTED void crsfDataReceive(uint16_t c, void *rxCallbackData)
     // full frame length includes the length of the address and framelength fields
     const int fullFrameLength = crsfFramePosition < 3 ? 5 : crsfFrame.frame.frameLength + CRSF_FRAME_LENGTH_ADDRESS + CRSF_FRAME_LENGTH_FRAMELENGTH;
 
+    if (fullFrameLength > CRSF_FRAME_SIZE_MAX) {
+        crsfFramePosition = 0;
+        return;
+    }
+
     if (crsfFramePosition < fullFrameLength) {
         crsfFrame.bytes[crsfFramePosition++] = (uint8_t)c;
         crsfFrameDone = crsfFramePosition < fullFrameLength ? false : true;