[h264d_parser]: fix decode parser crash

cpb_cnt_minus1 need to check value less than 32. Otherwise,
it will cause memory otherwise.
crash trace:
0)  0x0000007fa03e5864 in update_curbyte_h264 (bitctx=0x325a1b20)
    at mpp/base/mpp_bitread.c:45
1)  0x0000007fa03e59ac in mpp_read_bits ()
    at mpp/base/mpp_bitread.c:106
2)  mpp_read_bits (bitctx=0x325a1b20, num_bits=1, out=0x7f64feb568)
    at mpp/base/mpp_bitread.c:95
3)  0x0000007fa03e5c0c in mpp_read_ue (bitctx=bitctx@entry=0x325a1b20, val=val@entry=0x7f64feb5bc)
    at mpp/base/mpp_bitread.c:225
4)  0x0000007fa03f7034 in read_hrd_parameters (p_bitctx=p_bitctx@entry=0x325a1b20, hrd=hrd@entry=0x325a0e58)
    at mpp/codec/dec/h264/h264d_sps.c:55
5)  0x0000007fa03f7aa0 in read_VUI (vui=0x325a0e08, p_bitctx=0x325a1b20)
    at mpp/codec/dec/h264/h264d_sps.c:117
6)  parser_sps (p_bitctx=p_bitctx@entry=0x325a1b20, cur_sps=cur_sps@entry=0x325a01a0, p_Dec=<optimized out>)
    at mpp/codec/dec/h264/h264d_sps.c:272
7)  0x0000007fa03f7e60 in process_sps (currSlice=currSlice@entry=0x325a1bb0)
    at mpp/codec/dec/h264/h264d_sps.c:453
8)  0x0000007fa03f588c in parser_one_nalu (currSlice=0x325a1bb0)
    at mpp/codec/dec/h264/h264d_parse.c:240
9)  parse_loop (p_Dec=p_Dec@entry=0x3259fa00)
    at mpp/codec/dec/h264/h264d_parse.c:912
10) 0x0000007fa03f38c4 in h264d_parse (decoder=0x3259fa00, in_task=0x7f64feb7e8)
    at mpp/codec/dec/h264/h264d_api.c:594

Change-Id: I3f2bdcb603cdbcf4757f32db162924c575e739fd
Signed-off-by: Rimon Xu <rimon.xu@rock-chips.com>

mpp/codec/dec/h264/h264d_sps.c

@@ -48,6 +48,7 @@ static MPP_RET read_hrd_parameters(BitReadCtx_t *p_bitctx, H264_HRD_t *hrd)
     RK_U32 SchedSelIdx = 0;
     MPP_RET ret = MPP_ERR_UNKNOW;
     READ_UE(p_bitctx, &hrd->cpb_cnt_minus1);
+    VAL_CHECK(ret, hrd->cpb_cnt_minus1 < MAXIMUMVALUEOFcpb_cnt);
     hrd->cpb_cnt_minus1 += 1;
     READ_BITS(p_bitctx, 4, &hrd->bit_rate_scale);
     READ_BITS(p_bitctx, 4, &hrd->cpb_size_scale);
@@ -67,6 +68,8 @@ static MPP_RET read_hrd_parameters(BitReadCtx_t *p_bitctx, H264_HRD_t *hrd)
     return ret = MPP_OK;
 __BITREAD_ERR:
     return ret = p_bitctx->ret;
+__FAILED:
+    return ret;
 }
 
 static void init_VUI(H264_VUI_t *vui)
@@ -242,7 +245,7 @@ static MPP_RET parser_sps(BitReadCtx_t *p_bitctx, H264_SPS_t *cur_sps, H264_DecC
         READ_SE(p_bitctx, &cur_sps->offset_for_non_ref_pic);
         READ_SE(p_bitctx, &cur_sps->offset_for_top_to_bottom_field);
         READ_UE(p_bitctx, &cur_sps->num_ref_frames_in_pic_order_cnt_cycle);
-        ASSERT(cur_sps->num_ref_frames_in_pic_order_cnt_cycle < 256);
+        VAL_CHECK(ret, cur_sps->num_ref_frames_in_pic_order_cnt_cycle < 256);
         for (i = 0; i < cur_sps->num_ref_frames_in_pic_order_cnt_cycle; ++i) {
             READ_SE(p_bitctx, &cur_sps->offset_for_ref_frame[i]);
             cur_sps->expected_delta_per_pic_order_cnt_cycle += cur_sps->offset_for_ref_frame[i];
@@ -287,6 +290,7 @@ static MPP_RET sps_mvc_extension(BitReadCtx_t *p_bitctx, H264_subSPS_t *subset_s
     RK_S32 i = 0, j = 0, num_views = 0;
 
     READ_UE(p_bitctx, &subset_sps->num_views_minus1);
+    VAL_CHECK(ret, subset_sps->num_views_minus1 < 16);
     num_views = 1 + subset_sps->num_views_minus1;
     //========================
     if (num_views > 0) {