From 7b114d76878f1a542bcb75456492cc43e6414f8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jun 2019 23:42:43 +0200 Subject: [PATCH] avcodec/svq3: Use ff_set_dimension() Fixes: OOM Fixes: 15410/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5659464805384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 18a4448ffa..9cea9ac840 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1183,6 +1183,7 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) GetBitContext gb; int frame_size_code; int unk0, unk1, unk2, unk3, unk4; + int w,h; size = AV_RB32(&extradata[4]); if (size > extradata_end - extradata - 8) { @@ -1195,38 +1196,41 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) frame_size_code = get_bits(&gb, 3); switch (frame_size_code) { case 0: - avctx->width = 160; - avctx->height = 120; + w = 160; + h = 120; break; case 1: - avctx->width = 128; - avctx->height = 96; + w = 128; + h = 96; break; case 2: - avctx->width = 176; - avctx->height = 144; + w = 176; + h = 144; break; case 3: - avctx->width = 352; - avctx->height = 288; + w = 352; + h = 288; break; case 4: - avctx->width = 704; - avctx->height = 576; + w = 704; + h = 576; break; case 5: - avctx->width = 240; - avctx->height = 180; + w = 240; + h = 180; break; case 6: - avctx->width = 320; - avctx->height = 240; + w = 320; + h = 240; break; case 7: - avctx->width = get_bits(&gb, 12); - avctx->height = get_bits(&gb, 12); + w = get_bits(&gb, 12); + h = get_bits(&gb, 12); break; } + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + goto fail; s->halfpel_flag = get_bits1(&gb); s->thirdpel_flag = get_bits1(&gb);