From 3afae0f4409ace1699ebe3fdd32a61f05657c09f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 19 Jun 2025 05:04:30 +0200
Subject: [PATCH] avcodec/sanm: Check w, h for subversion < 2

Fixes: 410609432/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-4935159201988608
Fixes: out of array access

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Manuel Lauss <manuel.lauss@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/sanm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 642ef02bff..02bb78859a 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1670,6 +1670,8 @@ static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb)
             /* Rebel Assault 1: 384x242 internal size */
             xres = 384;
             yres = 242;
+            if (w > xres || h > yres)
+                return AVERROR_INVALIDDATA;
             ctx->have_dimensions = 1;
         } else if (codec == 37 || codec == 47 || codec == 48) {
             /* these codecs work on full frames, trust their dimensions */