[FFmpeg-cvslog] tiff: Prevent overreads in the type_sizes array.
Alex Converse
git at videolan.org
Sat Feb 25 04:28:16 CET 2012
ffmpeg | branch: master | Alex Converse <alex.converse at gmail.com> | Thu Feb 23 10:47:50 2012 -0800| [447363870f2f91e125e07ac2d0820359a5d86b06] | committer: Alex Converse
tiff: Prevent overreads in the type_sizes array.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=447363870f2f91e125e07ac2d0820359a5d86b06
---
libavcodec/tiff.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 51ebd69..d807149 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
count = tget_long(&buf, s->le);
off = tget_long(&buf, s->le);
+ if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+ av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+ return 0;
+ }
+
if(count == 1){
switch(type){
case TIFF_BYTE:
@@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
value = UINT_MAX;
buf = start + off;
}
- }else if(type_sizes[type] * count <= 4){
- buf -= 4;
- }else{
- buf = start + off;
+ } else {
+ if (count <= 4 && type_sizes[type] * count <= 4) {
+ buf -= 4;
+ } else {
+ buf = start + off;
+ }
}
if(buf && (buf < start || buf > end_buf)){
More information about the ffmpeg-cvslog
mailing list