Fix possible integer overflow in loader target block check (#3133)

Checking with `loader_ctx->csp_num < depth + 1` has potential integer overflow
issue when depth is UINT_MAX, change to `loader_ctx->csp_num - 1 < depth`
instead.

Reported in #3130.

Author: wenyongh

core/iwasm/interpreter/wasm_loader.c

@@ -7071,7 +7071,8 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
     int32 i, available_stack_cell;
     uint16 cell_num;
 
-    if (loader_ctx->csp_num < depth + 1) {
+    bh_assert(loader_ctx->csp_num > 0);
+    if (loader_ctx->csp_num - 1 < depth) {
         set_error_buf(error_buf, error_buf_size,
                       "unknown label, "
                       "unexpected end of section or function");

core/iwasm/interpreter/wasm_mini_loader.c

@@ -5226,7 +5226,8 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
     int32 i, available_stack_cell;
     uint16 cell_num;
 
-    if (loader_ctx->csp_num < depth + 1) {
+    bh_assert(loader_ctx->csp_num > 0);
+    if (loader_ctx->csp_num - 1 < depth) {
         set_error_buf(error_buf, error_buf_size,
                       "unknown label, "
                       "unexpected end of section or function");