From 0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 10 Feb 2013 20:24:22 +0100
Subject: [PATCH] tiff: dont leave geotag_count in an invalid state on errors. Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/tiff.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index f13533fb3c..9829e92bf8 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -905,11 +905,14 @@ static int tiff_decode_tag(TiffContext *s)
 s->geotag_count = count / 4 - 1;
 av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
 }
- if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4)
+ if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+ s->geotag_count = 0;
 return -1;
+ }
 s->geotags = av_mallocz(sizeof(TiffGeoTag) * s->geotag_count);
 if (!s->geotags) {
 av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n");
+ s->geotag_count = 0;
 return AVERROR(ENOMEM);
 }
 for (i = 0; i < s->geotag_count; i++) {
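Review bot: The two added `s->geotag_count = 0;` resets keep the count consistent with `s->geotags` only on the exits patched here, so a future early return between the count assignment and a successful `av_mallocz()` could leave a non-zero count with no array behind it again. A sturdier shape is to hold the computed count in a local and store it into `s->geotag_count` only after the allocation succeeds; the first assignment of the count sits above this hunk, so that change reaches outside the lines shown. Separately, the short-buffer path still returns a bare `-1` with no log message, while the allocation path below uses `AVERROR(ENOMEM)`; `return AVERROR_INVALIDDATA;` preceded by an `av_log(s->avctx, AV_LOG_ERROR, ...)` call would match it. The loop that fills `s->geotags` continues past the end of the hunk, so its own error exits are not visible here and should be checked for the same stale-count problem.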