sanm: check image dimensions before using them
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 22 Jan 2013 20:30:20 +0000 (21:30 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Thu, 7 Feb 2013 00:00:01 +0000 (01:00 +0100)
Avoids integer overflows and out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 49b729d3af8464de431362e6c5b3027102bc2f88)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/sanm.c

index 3736bd7..e2d8c0d 100644 (file)
@@ -25,6 +25,7 @@
 #include "avcodec.h"
 #include "bytestream.h"
 #include "libavutil/bswap.h"
+#include "libavutil/imgutils.h"
 #include "libavcodec/dsputil.h"
 #include "sanm_data.h"
 
@@ -715,8 +716,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
     h     = bytestream2_get_le16u(&ctx->gb);
 
     if (ctx->width < left + w || ctx->height < top + h) {
-        ctx->avctx->width  = FFMAX(left + w, ctx->width);
-        ctx->avctx->height = FFMAX(top + h, ctx->height);
+        if (av_image_check_size(FFMAX(left + w, ctx->width),
+                                FFMAX(top  + h, ctx->height), 0, ctx->avctx) < 0)
+            return AVERROR_INVALIDDATA;
+        avcodec_set_dimensions(ctx->avctx, FFMAX(left + w, ctx->width),
+                                           FFMAX(top  + h, ctx->height));
         init_sizes(ctx, left + w, top + h);
         if (init_buffers(ctx)) {
             av_log(ctx->avctx, AV_LOG_ERROR, "error resizing buffers\n");
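Review bot: `init_sizes(ctx, left + w, top + h)` still receives the raw sums, while the new `av_image_check_size` and `avcodec_set_dimensions` calls just above it use `FFMAX(left + w, ctx->width)` and `FFMAX(top + h, ctx->height)`. When only one axis grows, the other value passed to init_sizes is smaller than the current ctx dimension, so the sizes used for the decoder's buffers may end up below the dimensions just set on avctx; init_sizes and init_buffers are not visible here, so this needs confirming against their bodies. Passing the same validated values everywhere would close that gap, e.g. `init_sizes(ctx, FFMAX(left + w, ctx->width), FFMAX(top + h, ctx->height));`, ideally with the two maxima computed once into locals rather than repeated three times. The body of process_frame_obj starts and ends outside the hunk.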