Integer-overflow in media::H264Parser::ReadUE
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6273510111969280

Fuzzer: libfuzzer_media_h264_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  media::H264Parser::ReadUE
  media::H264Parser::ParseSPS
  LLVMFuzzerTestOneInput

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940DX7TuO8q_Wi13yh3JoXhnILhtUhVzRGhxtxjoTZ1ttGGN2wMRh2uiSWlA7riMPRB5pGloniPaxOOPwE6PsXYiUwWv-sct5jmG4VgjrY_855S2agugoqw-XQdb2bP1sZ58SUXXPa99_4_SjAd6mEOm9JdBQ

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 6 2016
Ooh our first real catch? :)
Apr 6 2016
Code is "*val = (1 << num_bits) - 1;" where num_bits = 31.
Apr 7 2016
Apr 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9373fc3e3743eaf0a3a835033bc89ad7b22df9d7

commit 9373fc3e3743eaf0a3a835033bc89ad7b22df9d7
Author: jrummell <jrummell@chromium.org>
Date: Thu Apr 07 23:20:08 2016

Avoid integer overflow errors when parsing Exp-Golomb codes

Maximum value is 2^31 - 1.

BUG=600963
TEST=media_unittests pass

Review URL: https://codereview.chromium.org/1865203002

Cr-Commit-Position: refs/heads/master@{#385918}

[modify] https://crrev.com/9373fc3e3743eaf0a3a835033bc89ad7b22df9d7/media/filters/h264_bit_reader.cc
[modify] https://crrev.com/9373fc3e3743eaf0a3a835033bc89ad7b22df9d7/media/filters/h264_parser.cc
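The ue(v) decode that the `(1 << num_bits) - 1` expression quoted above gets wrong, written out as an added example (not Chromium's h264_parser.cc): the prefix length is bounded, the value is computed in unsigned arithmetic so num_bits == 31 never shifts into a signed int's sign bit, and, as the commit message states, 2^31 - 1 is the largest value accepted. BitReader and DecodeUE are constructed helpers for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Constructed MSB-first bit reader; stands in for Chromium's H264BitReader.
class BitReader {
 public:
  explicit BitReader(const std::vector<uint8_t>& data) : data_(data) {}
  bool ReadBit(int* bit) {  // false once the buffer is exhausted
    if (pos_ >= data_.size() * 8) return false;
    *bit = (data_[pos_ / 8] >> (7 - pos_ % 8)) & 1;
    ++pos_;
    return true;
  }
 private:
  const std::vector<uint8_t>& data_;
  size_t pos_ = 0;
};
// ue(v) = n zero bits, a one bit, n suffix bits; value = (2^n - 1) + suffix.
// The reported `*val = (1 << num_bits) - 1;` with num_bits == 31 shifts a
// signed int into its sign bit (undefined behaviour, what UBSan flagged).
// Here n is bounded, the arithmetic is unsigned, and the only n == 31 code
// that fits an int, 2^31 - 1 (all-zero suffix), is accepted.
bool ReadUE(BitReader& br, int32_t* val) {
  int num_bits = 0, bit = 0;
  for (;;) {
    if (!br.ReadBit(&bit)) return false;  // stream ended inside the prefix
    if (bit == 1) break;
    if (++num_bits > 31) return false;    // cannot fit in 32 bits
  }
  uint32_t rest = 0;
  for (int i = 0; i < num_bits; ++i) {
    if (!br.ReadBit(&bit)) return false;  // stream ended inside the suffix
    rest = (rest << 1) | static_cast<uint32_t>(bit);
  }
  if (num_bits == 31) {
    if (rest != 0) return false;  // larger than INT32_MAX
    *val = INT32_MAX;
    return true;
  }
  *val = static_cast<int32_t>(((1u << num_bits) - 1u) + rest);  // no signed shift
  return true;
}
// Decodes the first ue(v) in a buffer; -1 (never a valid ue(v)) means malformed.
int32_t DecodeUE(const std::vector<uint8_t>& bytes) {
  BitReader br(bytes);
  int32_t val = 0;
  return ReadUE(br, &val) ? val : -1;
}
```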
Apr 7 2016
Apr 8 2016
ClusterFuzz has detected this issue as fixed in range 385844:385940.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6273510111969280

Fuzzer: libfuzzer_media_h264_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  media::H264Parser::ReadUE
  media::H264Parser::ParseSPS
  LLVMFuzzerTestOneInput

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=385844:385940

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940DX7TuO8q_Wi13yh3JoXhnILhtUhVzRGhxtxjoTZ1ttGGN2wMRh2uiSWlA7riMPRB5pGloniPaxOOPwE6PsXYiUwWv-sct5jmG4VgjrY_855S2agugoqw-XQdb2bP1sZ58SUXXPa99_4_SjAd6mEOm9JdBQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 8 2016
Apr 15 2016
Issue 540970 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 6 2016
Labels: Stability-UndefinedBehaviorSanitizer
Owner: jrumm...@chromium.org