h265parser: Fix possible invalid memory access

... and do more strict validation for num_tile_columns_minus1 and
num_tile_rows_minus1.

As per specification Table A.8, allowed maximum number of tile rows
and tile columns are 22 and 20, respectively. So we should adjust the size
of each array.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1372>

gst-libs/gst/codecparsers/gsth265parser.c

@@ -2164,8 +2164,23 @@ gst_h265_parse_pps (GstH265Parser * parser, GstH265NalUnit * nalu,
   READ_UINT8 (&nr, pps->entropy_coding_sync_enabled_flag, 1);
 
   if (pps->tiles_enabled_flag) {
-    READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, 19);
-    READ_UE_ALLOWED (&nr, pps->num_tile_rows_minus1, 0, 21);
+    READ_UE_ALLOWED (&nr,
+        pps->num_tile_columns_minus1, 0, pps->PicWidthInCtbsY - 1);
+    READ_UE_ALLOWED (&nr,
+        pps->num_tile_rows_minus1, 0, pps->PicHeightInCtbsY - 1);
+
+    if (pps->num_tile_columns_minus1 + 1 >
+        G_N_ELEMENTS (pps->column_width_minus1)) {
+      GST_WARNING ("Invalid \"num_tile_columns_minus1\" %d",
+          pps->num_tile_columns_minus1);
+      goto error;
+    }
+
+    if (pps->num_tile_rows_minus1 + 1 > G_N_ELEMENTS (pps->row_height_minus1)) {
+      GST_WARNING ("Invalid \"num_tile_rows_minus1\" %d",
+          pps->num_tile_rows_minus1);
+      goto error;
+    }
 
     READ_UINT8 (&nr, pps->uniform_spacing_flag, 1);
     /* 6.5.1, 6-4, 6-5, 7.4.3.3.1 */

gst-libs/gst/codecparsers/gsth265parser.h

@@ -1229,8 +1229,8 @@ struct _GstH265PPS
   guint8 num_tile_columns_minus1;
   guint8 num_tile_rows_minus1;
   guint8 uniform_spacing_flag;
-  guint32 column_width_minus1[19];
-  guint32 row_height_minus1[21];
+  guint32 column_width_minus1[20];
+  guint32 row_height_minus1[22];
   guint8 loop_filter_across_tiles_enabled_flag;
 
   guint8 loop_filter_across_slices_enabled_flag;