lavfi/bwdif: fix heap-buffer-overflow with small height videos

Reproduce:
  ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -

filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.

Add boundary check for filter_intra when YADIF_FIELD_END is set.
The boundary condition (y < 3) or (y + 3 >= td->h) precisely matches
filter_intra's 3-line context requirement.

Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15

fix #21570

Reviewed-by: Thomas Mundt <tmundt75@gmail.com>
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
(cherry picked from commit 795bccdaf5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavfilter/vf_bwdif.c

@@ -77,11 +77,20 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
             uint8_t *next = &yadif->next->data[td->plane][y * linesize];
             uint8_t *dst  = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]];
             if (yadif->current_field == YADIF_FIELD_END) {
-                s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs,
-                                y > (df - 1) ? -refs : refs,
-                                (y + 3*df) < td->h ? 3 * refs : -refs,
-                                y > (3*df - 1) ? -3 * refs : refs,
-                                td->parity ^ td->tff, clip_max);
+                if ((y < 3) || ((y + 3) >= td->h)) {
+                    s->dsp.filter_edge(dst, prev, cur, next, td->w,
+                                   (y + df) < td->h ? refs : -refs,
+                                   y > (df - 1) ? -refs : refs,
+                                   refs << 1, -(refs << 1),
+                                   td->parity ^ td->tff, clip_max,
+                                   (y < 2) || ((y + 3) > td->h) ? 0 : 1);
+                } else {
+                    s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs,
+                                    y > (df - 1) ? -refs : refs,
+                                    (y + 3*df) < td->h ? 3 * refs : -refs,
+                                    y > (3*df - 1) ? -3 * refs : refs,
+                                    td->parity ^ td->tff, clip_max);
+                }
             } else if ((y < 4) || ((y + 5) > td->h)) {
                 s->dsp.filter_edge(dst, prev, cur, next, td->w,
                                (y + df) < td->h ? refs : -refs,

tests/ref/fate/filter-bwdif-mode0

@@ -3,7 +3,7 @@
 #codec_id 0: rawvideo
 #dimensions 0: 720x576
 #sar 0: 16/15
-0,          9,          9,        1,   622080, 0xd435648a
+0,          9,          9,        1,   622080, 0x3f25bfc2
 0,         10,         10,        1,   622080, 0x62085455
 0,         11,         11,        1,   622080, 0x60f943a0
 0,         12,         12,        1,   622080, 0x5396f14a

tests/ref/fate/filter-bwdif-mode1

@@ -3,7 +3,7 @@
 #codec_id 0: rawvideo
 #dimensions 0: 720x576
 #sar 0: 16/15
-0,         18,         18,        1,   622080, 0xd435648a
+0,         18,         18,        1,   622080, 0x3f25bfc2
 0,         19,         19,        1,   622080, 0xef4617cc
 0,         20,         20,        1,   622080, 0x62085455
 0,         21,         21,        1,   622080, 0x5b5ae735

tests/ref/fate/filter-bwdif10

@@ -3,7 +3,7 @@
 #codec_id 0: rawvideo
 #dimensions 0: 720x576
 #sar 0: 16/15
-0,          9,          9,        1,  1244160, 0x57c21e2b
+0,          9,          9,        1,  1244160, 0x4f0e6e1c
 0,         10,         10,        1,  1244160, 0x57152296
 0,         11,         11,        1,  1244160, 0x0074598b
 0,         12,         12,        1,  1244160, 0x44537bb8