avcodec/dvbsubdec: check region dimensions

Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736 Fixes: integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/dvbsubdec: check region dimensions
Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736 Fixes: integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
0075d9ec · Michael Niedermayer · 8824b737 · 0075d9ec
Commit 0075d9ec authored May 08, 2017 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

dvbsubdec.c libavcodec/dvbsubdec.c +8 -0

No files found.
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -24,6 +24,7 @@
 #include "bytestream.h"
 #include "internal.h"
 #include "libavutil/colorspace.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/opt.h"
 #define DVBSUB_PAGE_SEGMENT     0x10
@@ -1127,6 +1128,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    DVBSubObject *object;
    DVBSubObjectDisplay *display;
    int fill;
+    int ret;
    if (buf_size < 10)
        return AVERROR_INVALIDDATA;
@@ -1155,6 +1157,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    region->height = AV_RB16(buf);
    buf += 2;
+    ret = av_image_check_size(region->width, region->height, 0, avctx);
+    if (ret < 0) {
+        region->width= region->height= 0;
+        return ret;
+    }
    if (region->width * region->height != region->buf_size) {
        av_free(region->pbuf);