From 3520590810f7e4ec4ccc652e78852d803f433933 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:49 +0200 Subject: avcodec/dds: Use ff_set_dimensions() Fixes: signed integer overflow: 2082471995 * 36 cannot be represented in type 'int' Fixes: 16025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DDS_fuzzer-5136663778426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9cd1e939cf26e7a53f28cbbda22d27535981b9db) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index f026f9cd5a..9154f692fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, AVFrame *frame = data; int mipmap; int ret; + int width, height; ff_texturedsp_init(&ctx->texdsp); bytestream2_init(gbc, avpkt->data, avpkt->size); @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data, bytestream2_skip(gbc, 4); // flags - avctx->height = bytestream2_get_le32(gbc); - avctx->width = bytestream2_get_le32(gbc); - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + height = bytestream2_get_le32(gbc); + width = bytestream2_get_le32(gbc); + ret = ff_set_dimensions(avctx, width, height); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height); -- cgit v1.2.1