Fixes: Integer overflow Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/xpmdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 43dd9bc7e7..922dfc0f67 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -311,6 +311,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, int ncolors, cpp, ret, i, j; int64_t size; uint32_t *dst; + int width, height; avctx->pix_fmt = AV_PIX_FMT_BGRA; @@ -332,12 +333,12 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, ptr += mod_strcspn(ptr, "\""); if (sscanf(ptr, "\"%u %u %u %u\",", - &avctx->width, &avctx->height, &ncolors, &cpp) != 4) { + &width, &height, &ncolors, &cpp) != 4) { av_log(avctx, AV_LOG_ERROR, "missing image parameters\n"); return AVERROR_INVALIDDATA; } - if ((ret = ff_set_dimensions(avctx, avctx->width, avctx->height)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) -- 2.21.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
