[FFmpeg-cvslog] avcodec/tiff: Ignore tile_count

Michael Niedermayer git at videolan.org
Sat Apr 8 01:07:53 EEST 2023


ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Fri Nov 18 18:26:59 2022 +0100| [743613862146bbc3e7397ee345dab7e3ff93ee96] | committer: Michael Niedermayer

avcodec/tiff: Ignore tile_count

Fixes: out of array access
Fixes: 52427/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4849108968144896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 65ce417828cc6f5209d8467bc7755f0c59e9aa49)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=743613862146bbc3e7397ee345dab7e3ff93ee96
---

 libavcodec/tiff.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index bef0c59d9d..05187dce51 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -100,7 +100,6 @@ typedef struct TiffContext {
     int is_tiled;
     int tile_byte_counts_offset, tile_offsets_offset;
     int tile_width, tile_length;
-    int tile_count;
 
     int is_jpeg;
 
@@ -988,7 +987,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame,
     tile_count_y = (s->height + s->tile_length - 1) / s->tile_length;
 
     /* Iterate over the number of tiles */
-    for (tile_idx = 0; tile_idx < s->tile_count; tile_idx++) {
+    for (tile_idx = 0; tile_idx < tile_count_x * tile_count_y; tile_idx++) {
         tile_x = tile_idx % tile_count_x;
         tile_y = tile_idx / tile_count_x;
 
@@ -1408,7 +1407,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         break;
     case TIFF_TILE_OFFSETS:
         s->tile_offsets_offset = off;
-        s->tile_count = count;
         s->is_tiled = 1;
         break;
     case TIFF_TILE_BYTE_COUNTS:
@@ -1903,7 +1901,7 @@ again:
         return AVERROR_INVALIDDATA;
     }
 
-    has_tile_bits  = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length || s->tile_count;
+    has_tile_bits  = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length;
     has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
     if (has_tile_bits && has_strip_bits) {



More information about the ffmpeg-cvslog mailing list