[FFmpeg-devel] [PATCH 4/4] avcodec/sanm: Check thet left/top is within the w/h

Michael Niedermayer Wed, 18 Jun 2025 20:05:36 -0700

Fixes: 
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5466731806261248
Fixes: out of array access


Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/sanm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 02bb78859a8..df248ec3547 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1649,7 +1649,7 @@ static int process_frame_obj(SANMVideoContext *ctx, 
GetByteContext *gb)
     bytestream2_skip(gb, 2);
     parm2 = bytestream2_get_le16u(gb);
 
-    if (w < 1 || h < 1 || w > 800 || h > 600 || left > 800 || top > 600) {
+    if (w < 1 || h < 1 || w > 800 || h > 600 || left >= w || top >= h || left 
< 0 || top < 0) {
         av_log(ctx->avctx, AV_LOG_WARNING,
                "ignoring invalid fobj dimensions: c%d %d %d @ %d %d\n",
                codec, w, h, left, top);
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/4] avcodec/sanm: Check thet left/top is within the w/h

Reply via email to