[FFmpeg-cvslog] tiff: do not overread the source buffer
Luca Barbato
git at videolan.org
Sun Jun 9 11:13:47 CEST 2013
ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Mon Jun 3 04:53:02 2013 +0200| [8eb7c2566ca20392315618cda4a635b19cbb8e21] | committer: Reinhard Tartler
tiff: do not overread the source buffer
At least 2 bytes from the source are read every loop.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
Conflicts:
libavcodec/tiff.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8eb7c2566ca20392315618cda4a635b19cbb8e21
---
libavcodec/tiff.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 8c40006..264e985 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -207,10 +207,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
break;
case TIFF_PACKBITS:
for (pixels = 0; pixels < width;) {
+ if (ssrc + size - src < 2)
+ return AVERROR_INVALIDDATA;
code = (int8_t) * src++;
if (code >= 0) {
code++;
- if (pixels + code > width) {
+ if (pixels + code > width ||
+ ssrc + size - src < code) {
av_log(s->avctx, AV_LOG_ERROR,
"Copy went out of bounds\n");
return -1;
More information about the ffmpeg-cvslog
mailing list