From patchwork Wed Jul 19 00:44:29 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 4364
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.1.76 with SMTP id 73csp139993vsb;
	Tue, 18 Jul 2017 17:44:48 -0700 (PDT)
X-Received: by 10.223.161.204 with SMTP id v12mr2507561wrv.125.1500425088515;
	Tue, 18 Jul 2017 17:44:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1500425088; cv=none;
	d=google.com; s=arc-20160816;
	b=pjXTnnygwt1MezdbuhqgMqg27jpiZUtfiRSsRBmROQ59yRKfwXtMa3A1GK9LmuMkec
	qpFBVFm4Qf5h8pqruFBse51Bkv7JIcHxZMN7k0iUtwA8HPa880FJImxF0oEGjKBcFrwM
	pghm0m6CKms/bIO7HNLrYL4z7X74C8SBtQwu/gDX0xv/wVXKfTnV31BPFY/S3SWEO3NE
	iV5Pw3k0qwNfqcTiTaR/Gx9K9B9ttkxNbK85R+icODXviIo3AZWeU3XKy8Ln8yUykEXx
	2ax/Xs/wrJJmFeHTiOV9k89bc4GArSgP3khzMuMJMCOtfqG+MTZEMbn4r45U8G+NzNdf
	jmfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=mLavlm93sKetCcS7dEupdDt5YmekLcfjwf59hfz0PbI=;
	b=qLP1c38TlWOR9w23NR/B//BvydnD0BmWA8ecmZ6LCu7HWqjyX3D3v2HgUbOSmukSv9
	Kj+AqbiAlqr+OSZx3vQoHBxqpQlSoFoPmK7keGVgK6a4Mdrf5ZzcDkD94YL4ixTBn9jd
	g4ngaL5q/OOfvn40XVu+/MoIPc68v98ONBUe2PQL2hZE619rlElJG+GcrPHRCoJ02bE+
	iJ5TfTSEckux20l0Zb5PMv6CP8Z4niojgCvIte97kDtk0gtLXI/gzPkccm0nzTokFcjB
	jObdeJedxBTgRvuZAc5nclnZCF+XdVOOMPfpjI84hcHI0xSYWqcZS75LCanCKYyndVh8
	2kMg==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	l10si2782160wre.249.2017.07.18.17.44.47;
	Tue, 18 Jul 2017 17:44:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id DF3C368978C;
	Wed, 19 Jul 2017 03:44:37 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-qmta-pe02-3.mx.upcmail.net
	(vie01a-qmta-pe02-3.mx.upcmail.net [62.179.121.183])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 2B7AC68921F
	for <ffmpeg-devel@ffmpeg.org>; Wed, 19 Jul 2017 03:44:32 +0300 (EEST)
Received: from [172.31.218.43] (helo=vie01a-dmta-pe05-1.mx.upcmail.net)
	by vie01a-pqmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dXd6U-0004hh-Ps
	for ffmpeg-devel@ffmpeg.org; Wed, 19 Jul 2017 02:44:38 +0200
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dXd6P-0007xO-8H
	for ffmpeg-devel@ffmpeg.org; Wed, 19 Jul 2017 02:44:33 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id mQkW1v01K0S5wYM01QkXXT; Wed, 19 Jul 2017 02:44:32 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Wed, 19 Jul 2017 02:44:29 +0200
Message-Id: <20170719004430.6747-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/diracdec: Check dimensions which
	are closer to what is allocated in alloc_sequence_buffers()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes OOM
Fixes: 2674/clusterfuzz-testcase-minimized-4999700518273024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/diracdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index c031b40b5e..71d0ff41b2 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -2090,7 +2090,10 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int
             return ret;
         }
 
-        ret = ff_set_dimensions(avctx, dsh->width, dsh->height);
+        if (CALC_PADDING((int64_t)dsh->width, MAX_DWT_LEVELS) * CALC_PADDING((int64_t)dsh->height, MAX_DWT_LEVELS) > avctx->max_pixels)
+            ret = AVERROR(ERANGE);
+        if (ret >= 0)
+            ret = ff_set_dimensions(avctx, dsh->width, dsh->height);
         if (ret < 0) {
             av_freep(&dsh);
             return ret;