media/gpu/vaapi: Fix jpeg header size calculation in encoder

The original formula misses the 4 bytes of APP1 header in [1] and might
crash GPU process when encoding JPEG image due to heap overflow.

[1] https://cs.chromium.org/chromium/src/media/gpu/vaapi/vaapi_jpeg_encoder.cc?l=156&rcl=42946e0e99026e840e2067e02ebfdd9f48fc2e2e

Bug: b:140071851, b:138933987
Test: Take photo in CCA 20 times on Nocturne with an ASAN enabled
Chrome.

Change-Id: Ic1809cf5364640dc11b72891243b69b25c38f439
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1828720Reviewed-by: Ricky Liang <jcliang@chromium.org>
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Commit-Queue: Shik Chen <shik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#701038}

media/gpu/vaapi/vaapi_jpeg_encoder.cc

@@ -376,11 +376,11 @@ bool VaapiJpegEncoder::Encode(const gfx::Size& input_size,
     return false;
   }
 
-  std::vector<uint8_t> jpeg_header;
-  size_t jpeg_header_size = exif_buffer_size > 0
-                                ? kJpegDefaultHeaderSize + exif_buffer_size
-                                : kJpegDefaultHeaderSize + kJFIFApp0Size;
-  jpeg_header.resize(jpeg_header_size);
+  size_t jpeg_header_size =
+      exif_buffer_size > 0
+          ? kJpegDefaultHeaderSize + kJFIFApp1HeaderSize + exif_buffer_size
+          : kJpegDefaultHeaderSize + kJFIFApp0Size;
+  std::vector<uint8_t> jpeg_header(jpeg_header_size);
   size_t length_in_bits =
       FillJpegHeader(input_size, exif_buffer, exif_buffer_size, quality,
                      jpeg_header.data(), exif_offset);

media/parsers/jpeg_parser.h

@@ -68,6 +68,7 @@ constexpr size_t kJpegDefaultHeaderSize =
     (kNumDcCodeWordsHuffVal * 2) + (kNumAcRunSizeBits * 2) +
     (kNumAcCodeWordsHuffVal * 2);
 constexpr size_t kJFIFApp0Size = 16;
+constexpr size_t kJFIFApp1HeaderSize = 4;
 
 const size_t kJpegMaxHuffmanTableNumBaseline = 2;
 const size_t kJpegMaxComponents = 4;