[FFmpeg-cvslog] tiffdec: check count in metadata reading.
Michael Niedermayer
git at videolan.org
Mon Dec 3 21:14:36 CET 2012
ffmpeg | branch: release/1.0 | Michael Niedermayer <michaelni at gmx.at> | Fri Nov 9 12:13:30 2012 +0100| [0b9be54e97fa574867d5e99a3623d1db7df7b274] | committer: Michael Niedermayer
tiffdec: check count in metadata reading.
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 6d1c5ea04af3e345232aa70c944de961061dab2d)
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0b9be54e97fa574867d5e99a3623d1db7df7b274
---
libavcodec/tiff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 579bd0d..d0b302a 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -250,7 +250,7 @@ static int add_doubles_metadata(int count,
int i;
double *dp;
- if (count >= INT_MAX / sizeof(int64_t))
+ if (count >= INT_MAX / sizeof(int64_t) || count <= 0)
return AVERROR_INVALIDDATA;
if (bytestream2_get_bytes_left(&s->gb) < count * sizeof(int64_t))
return AVERROR_INVALIDDATA;
@@ -276,7 +276,7 @@ static int add_shorts_metadata(int count, const char *name,
int i;
int16_t *sp;
- if (count >= INT_MAX / sizeof(int16_t))
+ if (count >= INT_MAX / sizeof(int16_t) || count <= 0)
return AVERROR_INVALIDDATA;
if (bytestream2_get_bytes_left(&s->gb) < count * sizeof(int16_t))
return AVERROR_INVALIDDATA;
More information about the ffmpeg-cvslog
mailing list