Don't ensure all the bytes of a security descriptor exist before calling

Don't ensure all the bytes of a security descriptor exist before calling
"dissect_nt_sec_desc()".  Add a Boolean argument to
"dissect_nt_sec_desc()" to indicate whether a length was passed to it
(so we don't treat -1 as a special value; we want to stop treating -1 as
a special length value, and, in fact, want to stop treating *any*
negative length values specially, so that we don't have to worry about
passing arbitrary 32-bit values from packets as lengths), and have
"dissect_nt_sec_desc()" initially create the protocol tree item for the
security descriptor with a length of "go to the end of the tvbuff", and
set the length once we're done dissecting it - and, if the length was
specified, check at *that* point, *after* we've dissected the security
descriptor, whether we have the entire security descriptor in the
tvbuff.

That means that we don't have to worry about overflows after
"dissect_nt_sec_desc()" returns - if the length was so large that we
would have gotten an overflow, we'd have thrown an exception in the
"tvb_ensure_bytes_exist()" call at the end of "dissect_nt_sec_desc()".

Do sanity checks on offsets within the security descriptor, so we know
the item referred to by the offset is after the fixed-length portion of
the descriptor.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@16113 f5534014-38df-0310-8fa8-9805f1628bb7