    http2/hpack: forbid excess and invalid padding in hpack decoder · 6050c111
    Carl Mastrangelo authored
    This change fixes a few bugs in the HPACK decoder:
     * Excess trailing padding is treated as an error per the HPACK Spec
         section 5.2
     * Non EOS prefix padding is treated as an error
     * Max length is now enforced for all decoded symbols
    
    The idea here is to keep track of the decoded symbol length, rather
    than the number of unconsumed bits in cur.  To this end, nbits has
    been renamed cbits (cur bits), and sbits (sym bits) has been
    introduced.  The main problem with using nbits is that it can easily
    be zero, such as when decoding {0xff, 0xff}.  Using a clear moniker
    makes it easier to see why checking cbits > 0 at the end of the
    function is incorrect.
    
    Fixes golang/go#15614
    
    Change-Id: I1ae868caa9c207fcf9c9dec7f10ee9f400211f99
    Reviewed-on: https://go-review.googlesource.com/23067
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
hpack_test.go 26.7 KB
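
The three checks listed in the commit message above, as an added Go example that is not the x/net/http2/hpack code. It assumes a constructed toy prefix code with a 20-bit all-ones EOS in place of the RFC 7541 table; `decode`, `codes`, `eosLen` and the error variables are hypothetical names, and `len(pending)` stands in for sbits.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed toy prefix code, NOT the RFC 7541 table. EOS is twenty 1-bits
// here (thirty in HPACK); as in HPACK, 8..19 one-bits never complete a symbol.
const eosLen = 20

var codes = map[string]byte{"00": 'a', "01": 'b', "100": 'c', "101": 'd', "110": 'e', "1110": 'f'}
var errInvalidHuffman = errors.New("invalid Huffman-encoded data")
var errStringLength = errors.New("decoded string exceeds maxLen")

func init() { // 11110, 111110, ...: fill the rest of the code space
	for k := 4; k < eosLen; k++ {
		codes[strings.Repeat("1", k)+"0"] = byte('g' + k - 4)
	}
}

// decode walks buf bit by bit. len(pending) is the length of the symbol in
// progress (the role sbits plays in the commit); maxLen == 0 means no limit.
func decode(buf []byte, maxLen int) (string, error) {
	var out, pending []byte
	for _, b := range buf {
		for i := 7; i >= 0; i-- {
			pending = append(pending, '0'+(b>>uint(i))&1)
			if sym, ok := codes[string(pending)]; ok {
				if maxLen != 0 && len(out) == maxLen {
					return "", errStringLength // enforced for every symbol
				}
				out, pending = append(out, sym), pending[:0]
			} else if len(pending) == eosLen {
				return "", errInvalidHuffman // a complete EOS inside the string
			}
		}
	}
	// Padding must be under 8 bits and consist only of 1-bits (an EOS prefix).
	if len(pending) > 7 || strings.Contains(string(pending), "0") {
		return "", errInvalidHuffman
	}
	return string(out), nil
}

func main() {
	fmt.Println(decode([]byte{0xff, 0xff}, 0)) // constructed input: 16 bits of padding
}
```

With this toy code, `{0x27}` decodes to "ac" with three bits of valid padding, while `{0x22}` ends in a lone 0 bit and is rejected.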