From 49b729d3af8464de431362e6c5b3027102bc2f88 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 22 Jan 2013 21:30:20 +0100
Subject: [PATCH] sanm: check image dimensions before using them

Avoids integer overflows and out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/sanm.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 7432fa273f..ff70f206e6 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -26,6 +26,7 @@
 #include "bytestream.h"
 #include "internal.h"
 #include "libavutil/bswap.h"
+#include "libavutil/imgutils.h"
 #include "libavcodec/dsputil.h"
 #include "sanm_data.h"

@@ -716,8 +717,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
 h = bytestream2_get_le16u(&ctx->gb);

 if (ctx->width < left + w || ctx->height < top + h) {
- ctx->avctx->width = FFMAX(left + w, ctx->width);
- ctx->avctx->height = FFMAX(top + h, ctx->height);
+ if (av_image_check_size(FFMAX(left + w, ctx->width),
+ FFMAX(top + h, ctx->height), 0, ctx->avctx) < 0)
+ return AVERROR_INVALIDDATA;
+ avcodec_set_dimensions(ctx->avctx, FFMAX(left + w, ctx->width),
+ FFMAX(top + h, ctx->height));
 init_sizes(ctx, left + w, top + h);
 if (init_buffers(ctx)) {
 av_log(ctx->avctx, AV_LOG_ERROR, "error resizing buffers\n");
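Review bot: The pair that is validated by `av_image_check_size()` and published through `avcodec_set_dimensions()` is the `FFMAX(...)` pair, but the unchanged `init_sizes(ctx, left + w, top + h);` directly below still receives the raw sums, so when only one dimension grows the other may be recorded smaller than the value just set on `ctx->avctx`. `init_sizes()` and `init_buffers()` are not visible here, so this is inferred, but if they size the decoder's internal buffers from those arguments, the buffers and the codec-context dimensions can disagree, which is the kind of mismatch this check is meant to rule out. Consider computing the two maxima once into locals and using them for all three calls, ending with `init_sizes(ctx, FFMAX(left + w, ctx->width), FFMAX(top + h, ctx->height));`. The body of process_frame_obj starts and ends outside the hunk, so the declarations of left, top, w and h and the later use of the resized buffers could not be checked.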