highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tiff: Prevent overreads in the type_sizes array.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Alex Converse 2012-02-23 10:47:50 -08:00 committed by Reinhard Tartler
parent cd6c5e16c6
commit b1d9a80863
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
libavcodec/tiff.c
View File

@ -288,6 +288,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
count = tget_long(&buf, s->le);
off = tget_long(&buf, s->le);
if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
return 0;
}
if(count == 1){
switch(type){
case TIFF_BYTE:
@ -309,10 +314,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
value = -1;
buf = start + off;
}
}else if(type_sizes[type] * count <= 4){
buf -= 4;
}else{
buf = start + off;
} else {
if (count <= 4 && type_sizes[type] * count <= 4) {
buf -= 4;
} else {
buf = start + off;
}
}
if(buf && (buf < start || buf > end_buf)){