avformat/rtpdec_av1: fix buffer overflow due to variable confusion

The pktpos denotes the position in the output packet buffer, while
buf_ptr is the position in the input buffer. As this payload is ignored,
nothing is written to the output packet so increasing the pktpos does
not make sense here; instead the buf_ptr has to be increased to advance
the input buffer to the correct position after this OBU.

This incorrect increment here could result in pktpos exceeding the whole
size of the output packet and the later call to memcpy to write to that
buffer would start its write way past the end of the packet buffer.

Fix #22812

Reported-By: fre3dm4n
Marvin Scholz
2026-04-29 13:52:28 +02:00
parent d01d18ad71
commit 18761f9fb5
+1 -1
@@ -249,7 +249,7 @@ static int av1_handle_packet(AVFormatContext *ctx, PayloadContext *data,
// ignore and remove OBUs according to spec
if ((obu_type == AV1_OBU_TEMPORAL_DELIMITER) ||
(obu_type == AV1_OBU_TILE_LIST)) {
pktpos += obu_size;
buf_ptr += obu_size;
rem_pkt_size -= obu_size;
// TODO: This probably breaks if the OBU_TILE_LIST is fragmented
// into the next RTP packet, so at least check and fail here
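Review bot: In the ignored-OBU branch, `buf_ptr += obu_size;` and `rem_pkt_size -= obu_size;` both rely on obu_size not exceeding the remaining input, and nothing in the visible lines checks that. Unless obu_size is already validated against rem_pkt_size before this branch, add the comparison here and return an error when it fails; otherwise the input pointer can move past the end of the RTP payload and rem_pkt_size can go out of range. That check would also address the TODO about an OBU_TILE_LIST fragmented into the next RTP packet, which this change leaves as a comment.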