From 529a719a25e2949e80a4efee7880e3cf314cb98e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <michael@niedermayer.cc> Date: Wed, 12 Jun 2019 20:13:34 +0200 Subject: [PATCH] avcodec/xpmdec: Do not use context dimensions as temporary variables Fixes: Integer overflow Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5ea7f2050050fd6a9177a9b618f2bb2d4add9230) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/xpmdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 03172e4aad..82a484dabb 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -307,6 +307,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, int ncolors, cpp, ret, i, j; int64_t size; uint32_t *dst; + int width, height; avctx->pix_fmt = AV_PIX_FMT_BGRA; @@ -328,12 +329,12 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, ptr += mod_strcspn(ptr, "\""); if (sscanf(ptr, "\"%u %u %u %u\",", - &avctx->width, &avctx->height, &ncolors, &cpp) != 4) { + &width, &height, &ncolors, &cpp) != 4) { av_log(avctx, AV_LOG_ERROR, "missing image parameters\n"); return AVERROR_INVALIDDATA; } - if ((ret = ff_set_dimensions(avctx, avctx->width, avctx->height)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; if ((ret = ff_get_buffer(avctx, p, 0)) < 0)