1. Left shifts of signed values are undefined as soon as the result is
no longer representable in the target type. Therefore make nal_size
an uint32_t and drop the check for whether it is < 0.
2. The two checks for overreads (whether the length field is contained
in the packet and whether the actual unit is contained in the packet)
can be combined into one because the packet is padded, i.e. a potential
overread caused by reading the length field without checking whether
said length field is actually part of the packet's buffer is allowed
as one always stays within the padding. But one has to be aware of
a pitfall: The comparison must be performed in (at least) int64_t as
otherwise buf_end - buf might be promoted to uint32_t in which case
an already occured overread would appear as a very large number.
A comment explaining this has been added, too.
3. Units of size zero are now silently dropped; the earlier code would
instead read the first byte of the next length field (or the first byte
of padding) to infer the type of the current unit.
4. Futhermore, the earlier code returned the wrong error code. This has
been fixed, too.

Fixes #8290.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>