tiff: do not overread the source buffer

At least 2 bytes from the source are read every loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
2013-06-03 04:53:02 +02:00 · 2013-06-03 04:53:02 +02:00 · 9c22169769
commit 9c22169769
parent 999ccd2d0a
1 changed files with 4 additions and 1 deletions
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@ -224,10 +224,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
            break;
        case TIFF_PACKBITS:
            for (pixels = 0; pixels < width;) {
+                if (ssrc + size - src < 2)
+                    return AVERROR_INVALIDDATA;
                code = (int8_t) *src++;
                if (code >= 0) {
                    code++;
-                    if (pixels + code > width) {
+                    if (pixels + code > width ||
+                        ssrc + size - src < code) {
                        av_log(s->avctx, AV_LOG_ERROR,
                               "Copy went out of bounds\n");
                        return AVERROR_INVALIDDATA;