On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote:
> 
> 
> On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
> > Fixes:OOM
> > Fixes:out of array access (no testcase)
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/xpmdec.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
> > index ff1f51dd32..504cc47d8f 100644
> > --- a/libavcodec/xpmdec.c
> > +++ b/libavcodec/xpmdec.c
> > @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
> >       size *= 4;
> > +    if (size > SIZE_MAX)
> > +        return AVERROR(ENOMEM);
> 
> Maybe check for (size > SIZE_MAX / 4) before the multiplication above
> instead.

what is the advantage of this ?

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle