author | Michael Niedermayer <michael@niedermayer.cc> | 2021-02-01 20:18:14 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-02-02 13:12:12 +0100 |
commit | 2a0d17c4d1f7f5539b8bbad90cca1eab45780982 (patch) | |
tree | 8445b3c7a683544e1f57e30fbe7ff0f720822637 | |
parent | e742bf3421f1a3077334ec0761ac2116c70e7a07 (diff) | |
avcodec/cri: Use ff_set_dimensions()
Fixes: out of memory
Fixes: 29985/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-6424425392111616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/cri.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/cri.c b/libavcodec/cri.c
index f7c3b4ef48..efbccf4fee 100644
--- a/libavcodec/cri.c
+++ b/libavcodec/cri.c
@@ -184,6 +184,7 @@ static int cri_decode_frame(AVCodecContext *avctx, void *data,
 char codec_name[1024];
 uint32_t key, length;
 float framerate;
+ int width, height;
 key = bytestream2_get_le32(gb);
 length = bytestream2_get_le32(gb);
@@ -199,11 +200,14 @@ static int cri_decode_frame(AVCodecContext *avctx, void *data,
 case 100:
 if (length < 16)
 return AVERROR_INVALIDDATA;
- avctx->width = bytestream2_get_le32(gb);
- avctx->height = bytestream2_get_le32(gb);
+ width = bytestream2_get_le32(gb);
+ height = bytestream2_get_le32(gb);
 s->color_model = bytestream2_get_le32(gb);
 if (bytestream2_get_le32(gb) != 1)
 return AVERROR_INVALIDDATA;
+ ret = ff_set_dimensions(avctx, width, height);
+ if (ret < 0)
+ return ret;
 length -= 16;
 goto skip;
 case 101: |
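Review bot: In `case 100` the 32-bit unsigned results of `bytestream2_get_le32(gb)` are stored into the new `int width, height` locals, so a header value above INT_MAX turns negative through an implementation-defined conversion and the decoder depends on `ff_set_dimensions()` to reject it. That looks intended, since the call checks the size before it is written to `avctx`, but nothing in the code says the values are untrusted or that the narrowing is deliberate. I would add a comment above the call, e.g. `/* dimensions come from the file header; ff_set_dimensions() validates them before they reach avctx */`. `ret` is used here but declared outside the hunk, and `cri_decode_frame` starts and ends outside it, so whether a repeated tag 100 later in the same packet can change the dimensions again cannot be judged from these lines.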