Commit 49b729d3 authored by Michael Niedermayer's avatar Michael Niedermayer

sanm: check image dimensions before using them

Avoids integer overflows and out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent c4274d11
......@@ -26,6 +26,7 @@
#include "bytestream.h"
#include "internal.h"
#include "libavutil/bswap.h"
#include "libavutil/imgutils.h"
#include "libavcodec/dsputil.h"
#include "sanm_data.h"
......@@ -716,8 +717,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
h = bytestream2_get_le16u(&ctx->gb);
if (ctx->width < left + w || ctx->height < top + h) {
ctx->avctx->width = FFMAX(left + w, ctx->width);
ctx->avctx->height = FFMAX(top + h, ctx->height);
if (av_image_check_size(FFMAX(left + w, ctx->width),
FFMAX(top + h, ctx->height), 0, ctx->avctx) < 0)
return AVERROR_INVALIDDATA;
avcodec_set_dimensions(ctx->avctx, FFMAX(left + w, ctx->width),
FFMAX(top + h, ctx->height));
init_sizes(ctx, left + w, top + h);
if (init_buffers(ctx)) {
av_log(ctx->avctx, AV_LOG_ERROR, "error resizing buffers\n");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment