avcodec/sanm: Check w,h,left,top

The setup code fow w,h,left,top is complex, the code using it also falls in at least 2 different classes, one using left/top the other not. To ensure no out of array access happens we add this clear check. Fixes: out of array access Fixes: 439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2025-08-17 15:31:48 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2025-08-17 15:39:33 +0200
commit: 134fbfd1dcb59441e38d870ddd231772f4e8e127 (patch)
tree: 4055e8d44af17ec719afc537b2f748aee619387f
parent: a2cfaf1b916cd4519249031adc37e339baca7a7b (diff)
download: ffmpeg-134fbfd1dcb59441e38d870ddd231772f4e8e127.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index a066a864eb..9e99aa9dd9 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1757,6 +1757,11 @@ static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb)
             memset(ctx->fbuf, 0, ctx->frm0_size);
     }
 
+    if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) > ctx->avctx->height) {
+        avpriv_request_sample(ctx->avctx, "overly large frame\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
     switch (codec) {
     case 1:
     case 3:
author	Michael Niedermayer <michael@niedermayer.cc>	2025-08-17 15:31:48 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2025-08-17 15:39:33 +0200
commit	134fbfd1dcb59441e38d870ddd231772f4e8e127 (patch)
tree	4055e8d44af17ec719afc537b2f748aee619387f
parent	a2cfaf1b916cd4519249031adc37e339baca7a7b (diff)
download	ffmpeg-134fbfd1dcb59441e38d870ddd231772f4e8e127.tar.gz