avformat/cinedec: Check size and pos more

Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long'
Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavformat/cinedec.c

@@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx)
     /* parse image offsets */
     avio_seek(pb, offImageOffsets, SEEK_SET);
     for (i = 0; i < st->duration; i++) {
-        if (avio_feof(pb))
+        int64_t pos = avio_rl64(pb);
+        if (avio_feof(pb) || pos < 0)
             return AVERROR_INVALIDDATA;
 
-        av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+        av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME);
     }
 
     return 0;
@@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
         return AVERROR_INVALIDDATA;
     avio_skip(pb, n - 8);
     size = avio_rl32(pb);
-    if (avio_feof(pb))
+    if (avio_feof(pb) || size < 0)
         return AVERROR_INVALIDDATA;
 
-    if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
+    if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
         size = cine->maxsize - sti->index_entries[cine->pts].pos - n;
 
     ret = av_get_packet(pb, pkt, size);
@@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
         return ret;
 
     if (ret != size)
-        cine->maxsize = sti->index_entries[cine->pts].pos + n + ret;
+        cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret;
 
     pkt->pts = cine->pts++;
     pkt->stream_index = 0;