Fix crash when executing PackedDataContainer._iter_init

(cherry picked from commit 8253a45a1abf1ea5d82a9e1624af73818ce6c12a)

core/packed_data_container.cpp

@@ -97,6 +97,7 @@ Variant PackedDataContainer::_iter_get_ofs(const Variant &p_iter, uint32_t p_off
 }
 
 Variant PackedDataContainer::_get_at_ofs(uint32_t p_ofs, const uint8_t *p_buf, bool &err) const {
+	ERR_FAIL_COND_V(p_ofs + 4 > (uint32_t)data.size(), Variant());
 	uint32_t type = decode_uint32(p_buf + p_ofs);
 
 	if (type == TYPE_ARRAY || type == TYPE_DICT) {
@@ -119,6 +120,7 @@ Variant PackedDataContainer::_get_at_ofs(uint32_t p_ofs, const uint8_t *p_buf, b
 }
 
 uint32_t PackedDataContainer::_type_at_ofs(uint32_t p_ofs) const {
+	ERR_FAIL_COND_V(p_ofs + 4 > (uint32_t)data.size(), 0);
 	PoolVector<uint8_t>::Read rd = data.read();
 	ERR_FAIL_COND_V(!rd.ptr(), 0);
 	const uint8_t *r = &rd[p_ofs];
@@ -128,6 +130,7 @@ uint32_t PackedDataContainer::_type_at_ofs(uint32_t p_ofs) const {
 };
 
 int PackedDataContainer::_size(uint32_t p_ofs) const {
+	ERR_FAIL_COND_V(p_ofs + 4 > (uint32_t)data.size(), 0);
 	PoolVector<uint8_t>::Read rd = data.read();
 	ERR_FAIL_COND_V(!rd.ptr(), 0);
 	const uint8_t *r = &rd[p_ofs];
@@ -146,6 +149,7 @@ int PackedDataContainer::_size(uint32_t p_ofs) const {
 };
 
 Variant PackedDataContainer::_key_at_ofs(uint32_t p_ofs, const Variant &p_key, bool &err) const {
+	ERR_FAIL_COND_V(p_ofs + 4 > (uint32_t)data.size(), Variant());
 	PoolVector<uint8_t>::Read rd = data.read();
 	if (!rd.ptr()) {
 		err = true;