highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/tiff: Disallow striped and tiled tiffs except for DNG

Browse Source 
strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1
Fixes: Ticket8960

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-11-02 10:46:04 +01:00
parent 654b21ef17
commit 292e41ce65
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/tiff.c
View File

@ -1923,14 +1923,17 @@ again:
has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
if (has_tile_bits && has_strip_bits) {
av_log(avctx, AV_LOG_WARNING, "Tiled TIFF is not allowed to strip\n");
int tiled_dng = s->is_tiled && is_dng;
av_log(avctx, tiled_dng ? AV_LOG_WARNING : AV_LOG_ERROR, "Tiled TIFF is not allowed to strip\n");
if (!tiled_dng)
return AVERROR_INVALIDDATA;
}
/* now we have the data and may start decoding */
if ((ret = init_image(s, &frame)) < 0)
return ret;
if (!s->is_tiled) {
if (!s->is_tiled || has_strip_bits) {
if (s->strips == 1 && !s->stripsize) {
av_log(avctx, AV_LOG_WARNING, "Image data size missing\n");
s->stripsize = avpkt->size - s->stripoff;