media: Fix integer overflow for row/col sizes in H265Parser

BUG=chromium:1158107
TEST=Fuzzer test passes

Change-Id: I8451e40e0ac5e89059e336618ebe2ed737ef96c8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2585823
Auto-Submit: Jeffrey Kardatzke <jkardatzke@google.com>
Commit-Queue: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#836738}

media/video/h265_parser.cc

@@ -847,6 +847,9 @@ H265Parser::Result H265Parser::ParsePPS(const H265NALU& nalu, int* pps_id) {
           sps->pic_width_in_ctbs_y - 1;
       for (int i = 0; i < pps->num_tile_columns_minus1; ++i) {
         READ_UE_OR_RETURN(&pps->column_width_minus1[i]);
+        IN_RANGE_OR_RETURN(
+            pps->column_width_minus1[i], 0,
+            pps->column_width_minus1[pps->num_tile_columns_minus1] - 1);
         pps->column_width_minus1[pps->num_tile_columns_minus1] -=
             pps->column_width_minus1[i] + 1;
       }
@@ -854,6 +857,9 @@ H265Parser::Result H265Parser::ParsePPS(const H265NALU& nalu, int* pps_id) {
           sps->pic_height_in_ctbs_y - 1;
       for (int i = 0; i < pps->num_tile_rows_minus1; ++i) {
         READ_UE_OR_RETURN(&pps->row_height_minus1[i]);
+        IN_RANGE_OR_RETURN(
+            pps->row_height_minus1[i], 0,
+            pps->row_height_minus1[pps->num_tile_rows_minus1] - 1);
         pps->row_height_minus1[pps->num_tile_rows_minus1] -=
             pps->row_height_minus1[i] + 1;
       }