avformat/cinedec: Avoid repeatedly allocating packets beyond the input

Fixes: Timeout
Fixes: 41025/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5540848285122560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavformat/cinedec.c

@@ -33,6 +33,7 @@
 
 typedef struct {
     uint64_t pts;
+    uint64_t maxsize;
 } CineDemuxContext;
 
 /** Compression */
@@ -288,21 +289,32 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
     FFStream *const sti = ffstream(st);
     AVIOContext *pb = avctx->pb;
     int n, size, ret;
+    int64_t ret64;
 
     if (cine->pts >= sti->nb_index_entries)
         return AVERROR_EOF;
 
-    avio_seek(pb, sti->index_entries[cine->pts].pos, SEEK_SET);
+    ret64 = avio_seek(pb, sti->index_entries[cine->pts].pos, SEEK_SET);
+    if (ret64 < 0)
+        return ret64;
     n = avio_rl32(pb);
     if (n < 8)
         return AVERROR_INVALIDDATA;
     avio_skip(pb, n - 8);
     size = avio_rl32(pb);
+    if (avio_feof(pb))
+        return AVERROR_INVALIDDATA;
+
+    if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
+        size = cine->maxsize - sti->index_entries[cine->pts].pos - n;
 
     ret = av_get_packet(pb, pkt, size);
     if (ret < 0)
         return ret;
 
+    if (ret != size)
+        cine->maxsize = sti->index_entries[cine->pts].pos + n + ret;
+
     pkt->pts = cine->pts++;
     pkt->stream_index = 0;
     pkt->flags |= AV_PKT_FLAG_KEY;