mdec: check for out of bounds read

Bug-Id: CID 1257501
CC: libav-stable@libav.org

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

libavcodec/mdec.c

@@ -87,6 +87,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(a->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y);
+                    return AVERROR_INVALIDDATA;
+                }
                 j     = scantable[i];
                 level = (level * qscale * quant_matrix[j]) >> 3;
                 level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1);
@@ -97,6 +102,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
                 UPDATE_CACHE(re, &a->gb);
                 level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10);
                 i += run;
+                if (i > 63) {
+                    av_log(a->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y);
+                    return AVERROR_INVALIDDATA;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -108,10 +118,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
                     level = (level - 1) | 1;
                 }
             }
-            if (i > 63) {
-                av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y);
-                return AVERROR_INVALIDDATA;
-            }
 
             block[j] = level;
         }