avformat/rtpdec_qdm2: Check block_size

Fixes: out of array access
no testcase

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavformat/rtpdec_qdm2.c

@@ -186,8 +186,9 @@ static int qdm2_parse_subpacket(PayloadContext *qdm, AVStream *st,
  */
 static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
 {
-    int to_copy, n, res, include_csum;
+    int to_copy, n, res;
     uint8_t *p, *csum_pos = NULL;
+    int include_csum = qdm->block_type == 2 || qdm->block_type == 4;
 
     /* create packet to hold subpkts into a superblock */
     av_assert0(qdm->cache > 0);
@@ -196,6 +197,11 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
             break;
     av_assert0(n < 0x80);
 
+    int min_size = 2 + (qdm->len[n] > 0xff) + 2*include_csum;
+
+    if (qdm->block_size < min_size)
+        return AVERROR_INVALIDDATA;
+
     if ((res = av_new_packet(pkt, qdm->block_size)) < 0)
         return res;
     memset(pkt->data, 0, pkt->size);
@@ -211,7 +217,7 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
         *p++ = qdm->block_type;
         *p++ = qdm->len[n];
     }
-    if ((include_csum = (qdm->block_type == 2 || qdm->block_type == 4))) {
+    if (include_csum) {
         csum_pos = p;
         p       += 2;
     }