decoder/stateless/h264: perform index range check

We might get an out-of-bounds index with an invalid stream - check that
the index is valid before addressing.

This issue has been revealed by fuzzing.

Author: Gnurou

src/decoder/stateless/h264.rs

@@ -607,6 +607,9 @@ where
             .find_short_term_with_pic_num(pic_num_lx)
             .with_context(|| format!("No ShortTerm reference found with pic_num {}", pic_num_lx))?;
 
+        if *ref_idx_lx >= ref_pic_list_x.len() {
+            anyhow::bail!("invalid ref_idx_lx index");
+        }
         ref_pic_list_x.insert(*ref_idx_lx, handle);
         *ref_idx_lx += 1;
 
@@ -651,6 +654,9 @@ where
                 )
             })?;
 
+        if *ref_idx_lx >= ref_pic_list_x.len() {
+            anyhow::bail!("invalid ref_idx_lx index");
+        }
         ref_pic_list_x.insert(*ref_idx_lx, handle);
         *ref_idx_lx += 1;