media/gpu/v4l2vd: check that crop is smaller than buffer

Check that the visible size of a decoded buffer is smaller than the
coded size. Returning an error here prevents a later crash due to
VideoFrame::IsValidConfig failing.

Bug: b:170727869
Test: android.security.cts.StagefrightTest#testStagefright_cve_2016_2454 on trogdor
Change-Id: I2df5fcb345b925bca9804b5898b15d02df64ce4f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2551854Reviewed-by: Alexandre Courbot <acourbot@chromium.org>
Reviewed-by: Chih-Yu Huang <akahuang@chromium.org>
Commit-Queue: David Stevens <stevensd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#831239}

media/gpu/v4l2/v4l2_video_decoder_backend_stateful.cc

@@ -527,6 +527,11 @@ void V4L2StatefulVideoDecoderBackend::ChangeResolution() {
     return;
   }
 
+  if (!gfx::Rect(pic_size).Contains(*visible_rect)) {
+    client_->OnBackendError();
+    return;
+  }
+
   auto ctrl = device_->GetCtrl(V4L2_CID_MIN_BUFFERS_FOR_CAPTURE);
   constexpr size_t DEFAULT_NUM_OUTPUT_BUFFERS = 7;
   const size_t num_output_buffers =