Prevent potential integer overflow in sps parser

Bug: webrtc:8275, chromium:800698
Change-Id: I4dcba8ba480cd2a1b97dc09e97f585f2b3cf3279
Reviewed-on: https://webrtc-review.googlesource.com/40443
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Reviewed-by: Magnus Jedvert <magjed@webrtc.org>
Commit-Queue: Erik Språng <sprang@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21971}

common_video/h264/sps_parser.cc

@@ -17,6 +17,7 @@
 #include "rtc_base/bitbuffer.h"
 #include "rtc_base/logging.h"
 
+namespace {
 typedef rtc::Optional<webrtc::SpsParser::SpsState> OptionalSps;
 
 #define RETURN_EMPTY_ON_FAIL(x) \
@@ -24,6 +25,10 @@ typedef rtc::Optional<webrtc::SpsParser::SpsState> OptionalSps;
     return OptionalSps();       \
   }
 
+constexpr int kScalingDeltaMin = -128;
+constexpr int kScaldingDeltaMax = 127;
+}  // namespace
+
 namespace webrtc {
 
 SpsParser::SpsState::SpsState() = default;
@@ -115,6 +120,8 @@ rtc::Optional<SpsParser::SpsState> SpsParser::ParseSpsUpToVui(
               // delta_scale: se(v)
               RETURN_EMPTY_ON_FAIL(
                   buffer->ReadSignedExponentialGolomb(&delta_scale));
+              RETURN_EMPTY_ON_FAIL(delta_scale >= kScalingDeltaMin &&
+                                   delta_scale <= kScaldingDeltaMax);
               next_scale = (last_scale + delta_scale + 256) % 256;
             }
             if (next_scale != 0)

common_video/h264/sps_parser_unittest.cc

@@ -172,7 +172,7 @@ TEST_F(H264SpsParserTest, TestSyntheticSPSWeirdResolution) {
 }
 
 TEST_F(H264SpsParserTest, TestSampleSPSWithScalingLists) {
-  // SPS from a 1920x1080 video. Contains scaling lists (and veritcal cropping).
+  // SPS from a 1920x1080 video. Contains scaling lists (and vertical cropping).
   const uint8_t buffer[] = {0x64, 0x00, 0x2a, 0xad, 0x84, 0x01, 0x0c, 0x20,
                             0x08, 0x61, 0x00, 0x43, 0x08, 0x02, 0x18, 0x40,
                             0x10, 0xc2, 0x00, 0x84, 0x3b, 0x50, 0x3c, 0x01,