[FFmpeg-cvslog] tiff: dont leave geotag_count in an invalid state on errors.
Michael Niedermayer
git at videolan.org
Sun Feb 10 20:58:26 CET 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Feb 10 20:24:22 2013 +0100| [0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6] | committer: Michael Niedermayer
tiff: dont leave geotag_count in an invalid state on errors.
Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6
---
libavcodec/tiff.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index f13533f..9829e92 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -905,11 +905,14 @@ static int tiff_decode_tag(TiffContext *s)
s->geotag_count = count / 4 - 1;
av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
}
- if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4)
+ if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+ s->geotag_count = 0;
return -1;
+ }
s->geotags = av_mallocz(sizeof(TiffGeoTag) * s->geotag_count);
if (!s->geotags) {
av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n");
+ s->geotag_count = 0;
return AVERROR(ENOMEM);
}
for (i = 0; i < s->geotag_count; i++) {
More information about the ffmpeg-cvslog
mailing list