RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/xpmdec: Do not use context dimensions as temporary variables 

Fixes: Integer overflow
Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2019-06-12 20:13:34 +02:00
parent d8716e3df9
commit 5ea7f20500
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/xpmdec.c
View File

@ -311,6 +311,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
int ncolors, cpp, ret, i, j;
int64_t size;
uint32_t *dst;
int width, height;
avctx->pix_fmt = AV_PIX_FMT_BGRA;
@ -332,12 +333,12 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
ptr += mod_strcspn(ptr, "\"");
if (sscanf(ptr, "\"%u %u %u %u\",",
&avctx->width, &avctx->height, &ncolors, &cpp) != 4) {
&width, &height, &ncolors, &cpp) != 4) {
av_log(avctx, AV_LOG_ERROR, "missing image parameters\n");
return AVERROR_INVALIDDATA;
}
if ((ret = ff_set_dimensions(avctx, avctx->width, avctx->height)) < 0)
if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
return ret;
if ((ret = ff_get_buffer(avctx, p, 0)) < 0)