| Message ID | 20190810210949.1743-8-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 9cd1e939cf26e7a53f28cbbda22d27535981b9db |
| Headers | show |
LGTM On Sat, Aug 10, 2019 at 11:16 PM Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: signed integer overflow: 2082471995 * 36 cannot be represented in > type 'int' > Fixes: > 16025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DDS_fuzzer-5136663778426880 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dds.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/dds.c b/libavcodec/dds.c > index f026f9cd5a..9154f692fa 100644 > --- a/libavcodec/dds.c > +++ b/libavcodec/dds.c > @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void > *data, > AVFrame *frame = data; > int mipmap; > int ret; > + int width, height; > > ff_texturedsp_init(&ctx->texdsp); > bytestream2_init(gbc, avpkt->data, avpkt->size); > @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void > *data, > > bytestream2_skip(gbc, 4); // flags > > - avctx->height = bytestream2_get_le32(gbc); > - avctx->width = bytestream2_get_le32(gbc); > - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); > + height = bytestream2_get_le32(gbc); > + width = bytestream2_get_le32(gbc); > + ret = ff_set_dimensions(avctx, width, height); > if (ret < 0) { > av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", > avctx->width, avctx->height); > -- > 2.22.0 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff --git a/libavcodec/dds.c b/libavcodec/dds.c index f026f9cd5a..9154f692fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, AVFrame *frame = data; int mipmap; int ret; + int width, height; ff_texturedsp_init(&ctx->texdsp); bytestream2_init(gbc, avpkt->data, avpkt->size); @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data, bytestream2_skip(gbc, 4); // flags - avctx->height = bytestream2_get_le32(gbc); - avctx->width = bytestream2_get_le32(gbc); - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + height = bytestream2_get_le32(gbc); + width = bytestream2_get_le32(gbc); + ret = ff_set_dimensions(avctx, width, height); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height);
Fixes: signed integer overflow: 2082471995 * 36 cannot be represented in type 'int' Fixes: 16025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DDS_fuzzer-5136663778426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/dds.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)