[FFmpeg-cvslog] avformat/mxfdec: check number of index table entries more strictly
Marton Balint
git at videolan.org
Sun Jan 29 22:32:13 EET 2023
ffmpeg | branch: master | Marton Balint <cus at passwd.hu> | Wed Dec 28 03:20:11 2022 +0100| [af606c232a9ecd30c69e7754547eb0dd232bc29d] | committer: Marton Balint
avformat/mxfdec: check number of index table entries more strictly
Let's ignore the index table if the number of index entries does not match the
index duration (or the special AVID index entry counts).
Fixes: OOM
Fixes: 50551/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6607795234930688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Marton Balint <cus at passwd.hu>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=af606c232a9ecd30c69e7754547eb0dd232bc29d
---
libavformat/mxfdec.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index efd0b9521c..4530617207 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1937,6 +1937,14 @@ static int mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
return 0;
}
+ if (s->nb_index_entries != s->index_duration &&
+ s->nb_index_entries != s->index_duration + 1 && /* Avid index */
+ s->nb_index_entries != s->index_duration * 2 + 1) {
+ index_table->nb_ptses = 0;
+ av_log(mxf->fc, AV_LOG_ERROR, "ignoring IndexSID %d, duration does not match nb_index_entries\n", s->index_sid);
+ return 0;
+ }
+
index_table->nb_ptses += s->index_duration;
}
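Review bot: The third comparison in the new condition, `s->nb_index_entries != s->index_duration * 2 + 1`, has no comment, while only the `+ 1` line is marked `/* Avid index */`; the commit message speaks of Avid entry counts in the plural, so a short comment naming the layout that yields `2 * duration + 1` entries would help the next reader. The `+ 1` and `* 2 + 1` arithmetic is applied to `s->index_duration` directly, and the types are not visible in this hunk, so it is worth confirming that the expression cannot overflow for a fuzzer-supplied duration. The rejection path also sets `index_table->nb_ptses = 0` and returns 0 while logging at `AV_LOG_ERROR`, which drops whatever `nb_ptses` had accumulated through the `+=` below and still reports success to the caller; if ignoring the whole table is the intent, stating that in a comment (or lowering the log level to a warning) would make the behaviour clear.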