additional hardening against mallformed demos

src/demo/message/packetentities.rs

@@ -297,6 +297,9 @@ impl Parse<'_> for PacketEntitiesMessage {
         for _ in 0..updated_entries {
             let diff: u32 = read_bit_var(&mut data)?;
             last_index = last_index.saturating_add(diff as i32).saturating_add(1);
+            if last_index >= 2048 {
+                return Err(ParseError::InvalidDemo("invalid entity index"));
+            }
             let entity_index = EntityId::from(last_index as u32);
 
             let update_type = data.read()?;

src/demo/message/stringtable.rs

@@ -414,7 +414,7 @@ pub fn parse_string_table_update<'a>(
 
     for _ in 0..entry_count {
         let index = if stream.read()? {
-            (last_entry + 1) as u16
+            last_entry.saturating_add(1) as u16
         } else {
             stream.read_sized(entry_bits as usize)?
         };

src/demo/message/tempentities.rs

@@ -54,7 +54,7 @@ impl Parse<'_> for TempEntitiesMessage {
 
             let class_id = if stream.read()? {
                 let bits = log_base2(state.server_classes.len()) + 1;
-                (stream.read_sized::<u16>(bits as usize)? - 1).into()
+                (stream.read_sized::<u16>(bits as usize)?.saturating_sub(1)).into()
             } else {
                 let last = events.last().ok_or(ParseError::InvalidDemo(
                     "temp entity update without previous",