From af606c232a9ecd30c69e7754547eb0dd232bc29d Mon Sep 17 00:00:00 2001
From: Marton Balint <cus@passwd.hu>
Date: Wed, 28 Dec 2022 03:20:11 +0100
Subject: [PATCH] avformat/mxfdec: check number of index table entires more
 strictly

Let's ignore the index table if the number of index entries does not match the
index duration (or the special AVID index entry counts).

Fixes: OOM
Fixes: 50551/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6607795234930688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Marton Balint <cus@passwd.hu>
---
 libavformat/mxfdec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index efd0b9521c..4530617207 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1937,6 +1937,14 @@ static int mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
             return 0;
         }
 
+        if (s->nb_index_entries != s->index_duration &&
+            s->nb_index_entries != s->index_duration + 1 &&  /* Avid index */
+            s->nb_index_entries != s->index_duration * 2 + 1) {
+            index_table->nb_ptses = 0;
+            av_log(mxf->fc, AV_LOG_ERROR, "ignoring IndexSID %d, duration does not match nb_index_entries\n", s->index_sid);
+            return 0;
+        }
+
         index_table->nb_ptses += s->index_duration;
     }