cffdec: Fix decode on pixel 2 blob's COMPUTE_CHECKPOINT.

dEQP-GLES31.functional.image_load_store.buffer.image_size.writeonly_7 produces:

t7 opcode: CP_COMPUTE_CHECKPOINT (6e) (8 dwords) { ADDR_0_LO = 0x15000 } { ADDR_0_HI = 0x5 } 0x18 { ADDR_1_LEN = 3 } 0xf { ADDR_1_LO = 0x2e010 } { ADDR_1_HI = 0x5 }

and it was asserting due to sizedwords==7. Without the assert, we were dereffing a len past the end of the packet. This len value we were loading is also suspiciously not the location of the ADDR_1_LEN field in the packet's XML. But then, the command stream at ADDR_1 was clearly 0xf long, and that puts ADDR_1_LEN at the spot we would expect compared to SET_RENDER_MODE's ADDR_1.