sanm: Check dimensions before use
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 7 May 2013 19:58:27 +0000 (21:58 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 7 May 2013 19:59:05 +0000 (21:59 +0200)
Fixes integer overflow and out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/sanm.c

index f217ef3..e6e866e 100644 (file)
@@ -732,6 +732,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
     w     = bytestream2_get_le16u(&ctx->gb);
     h     = bytestream2_get_le16u(&ctx->gb);
 
+    if (!w || !h) {
+        av_log(ctx->avctx, AV_LOG_ERROR, "dimensions are invalid\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (ctx->width < left + w || ctx->height < top + h) {
         if (av_image_check_size(FFMAX(left + w, ctx->width),
                                 FFMAX(top  + h, ctx->height), 0, ctx->avctx) < 0)