[FFmpeg-cvslog] tiffdec: check overread for packbits

Michael Niedermayer git at videolan.org
Sun Apr 15 21:32:46 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Apr 15 20:19:42 2012 +0200| [fefc65675eb5def2a34787cffea53c88e956cca1] | committer: Michael Niedermayer

tiffdec: check overread for packbits

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fefc65675eb5def2a34787cffea53c88e956cca1
---

 libavcodec/tiff.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 8de1ebd..a30e1a9 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -253,6 +253,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
             break;
         case TIFF_PACKBITS:
             for (pixels = 0; pixels < width;) {
+                if (ssrc + size - src < 2) {
+                    av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 code = (int8_t) * src++;
                 if (code >= 0) {
                     code++;
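Review bot: The constant in the new guard `if (ssrc + size - src < 2)` at the top of the PackBits loop is unexplained, and its correctness rests on every pixel-producing packet being a header byte followed by at least one data byte. A one-line comment above the check would make that invariant explicit, for example `/* each packet needs its header byte plus at least one data byte */`. The guard also assumes that `ssrc + size` is the one-past-the-end pointer of the input strip; both variables are set outside this hunk, so that should be confirmed against the start of tiff_unpack_strip, whose body begins and ends outside the hunk.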
@@ -261,6 +265,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
                                "Copy went out of bounds\n");
                         return -1;
                     }
+                    if (ssrc + size - src < code) {
+                        av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                     horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8),
                                     dst, 1, src, 0, code, pixels);
                     src += code;
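Review bot: The new source-length check before `horizontal_fill` returns `AVERROR_INVALIDDATA`, while the destination-bounds check directly above it still returns `-1`, so two adjacent rejections of the same malformed packet surface as different error values. Using one value for both would keep the error path consistent, e.g. changing the neighbouring line to `return AVERROR_INVALIDDATA;`. Both checks added by this commit also log the identical string "Read went out of bounds", so a log line does not show whether the header read or the literal-run read failed. A distinct message here, such as `"PackBits literal run exceeds input\n"`, would help triage of malformed files. The run-length branch of this loop lies outside the hunk and cannot be judged from here.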


