From a69e16a97e40f3841766347bd0c0ba2c672c51ca Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 5 May 2014 18:39:30 +0200
Subject: tests/tiny_ssim: check dimensions

Fix integer overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 tests/tiny_ssim.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'tests')

diff --git a/tests/tiny_ssim.c b/tests/tiny_ssim.c
index fe65e47533..767a0fea06 100644
--- a/tests/tiny_ssim.c
+++ b/tests/tiny_ssim.c
@@ -29,6 +29,7 @@
 
 #include "config.h"
 #include <inttypes.h>
+#include <limits.h>
 #include <math.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -195,7 +196,13 @@ int main(int argc, char* argv[])
     f[0] = fopen(argv[1], "rb");
     f[1] = fopen(argv[2], "rb");
     sscanf(argv[3], "%dx%d", &w, &h);
-    frame_size = w*h*3/2;
+
+    if (w<=0 || h<=0 || w*(int64_t)h >= INT_MAX/3 || 2LL*w+12 >= INT_MAX / sizeof(*temp)) {
+        fprintf(stderr, "Dimensions are too large\n");
+        return -2;
+    }
+
+    frame_size = w*h*3LL/2;
     for( i=0; i<2; i++ )
     {
         buf[i] = malloc(frame_size);
-- 
cgit v1.2.3