avcodec/xpmdec: Do not use context dimensions as temporary variables
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 12 Jun 2019 18:13:34 +0000 (20:13 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Tue, 25 Jun 2019 11:30:09 +0000 (13:30 +0200)
Fixes: Integer overflow
Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/xpmdec.c

index 43dd9bc..922dfc0 100644 (file)
@@ -311,6 +311,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
     int ncolors, cpp, ret, i, j;
     int64_t size;
     uint32_t *dst;
+    int width, height;
 
     avctx->pix_fmt = AV_PIX_FMT_BGRA;
 
@@ -332,12 +333,12 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
 
     ptr += mod_strcspn(ptr, "\"");
     if (sscanf(ptr, "\"%u %u %u %u\",",
-               &avctx->width, &avctx->height, &ncolors, &cpp) != 4) {
+               &width, &height, &ncolors, &cpp) != 4) {
         av_log(avctx, AV_LOG_ERROR, "missing image parameters\n");
         return AVERROR_INVALIDDATA;
     }
 
-    if ((ret = ff_set_dimensions(avctx, avctx->width, avctx->height)) < 0)
+    if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
         return ret;
 
     if ((ret = ff_get_buffer(avctx, p, 0)) < 0)