mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-28 20:53:54 +02:00
avcodec/dvbsubdec: check region dimensions
Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736
Fixes: integer overflow
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0075d9eced
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
6ec9c902ee
commit
abeb7838ca
@ -24,6 +24,7 @@
|
||||
#include "bytestream.h"
|
||||
#include "internal.h"
|
||||
#include "libavutil/colorspace.h"
|
||||
#include "libavutil/imgutils.h"
|
||||
#include "libavutil/opt.h"
|
||||
|
||||
#define DVBSUB_PAGE_SEGMENT 0x10
|
||||
@ -1184,6 +1185,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
|
||||
DVBSubObject *object;
|
||||
DVBSubObjectDisplay *display;
|
||||
int fill;
|
||||
int ret;
|
||||
|
||||
if (buf_size < 10)
|
||||
return AVERROR_INVALIDDATA;
|
||||
@ -1212,6 +1214,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
|
||||
region->height = AV_RB16(buf);
|
||||
buf += 2;
|
||||
|
||||
ret = av_image_check_size(region->width, region->height, 0, avctx);
|
||||
if (ret < 0) {
|
||||
region->width= region->height= 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (region->width * region->height != region->buf_size) {
|
||||
av_free(region->pbuf);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user