avcodec/scpr: Fix reading a pixel before the first

Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0fb33a82890753233225c61863fff1fcc9d970d4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 4 insertions, 0 deletions

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index 78a6d5c0cd..694450abf0 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -679,6 +679,8 @@ static int decompress_p(AVCodecContext *avctx,
                                 return AVERROR_INVALIDDATA;
 
                             if (bx == 0) {
+                                if (by < 2)
+                                    return AVERROR_INVALIDDATA;
                                 z = backstep;
                             } else {
                                 z = 0;
@@ -708,6 +710,8 @@ static int decompress_p(AVCodecContext *avctx,
                                 return AVERROR_INVALIDDATA;
 
                             if (bx == 0) {
+                                if (by < 2)
+                                    return AVERROR_INVALIDDATA;
                                 z = backstep;
                             } else {
                                 z = 0;