generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

tiff: do not overread the source buffer

Browse Source 
At least 2 bytes from the source are read every loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c22169769)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavcodec/tiff.c
This commit is contained in:
Luca Barbato
2013-06-03 04:53:02 +02:00
committed by Reinhard Tartler
parent ea7ba1d871
commit 96de1c5ed9
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/tiff.c
View File

@@ -186,10 +186,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
break; break;
case TIFF_PACKBITS: case TIFF_PACKBITS:
for(pixels = 0; pixels < width;){ for(pixels = 0; pixels < width;){
if (ssrc + size - src < 2)
return AVERROR_INVALIDDATA;
code = (int8_t)*src++; code = (int8_t)*src++;
if(code >= 0){ if(code >= 0){
code++; code++;
if(pixels + code > width){ if (pixels + code > width ||
ssrc + size - src < code) {
av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n");
return -1; return -1;
} }