aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Kang <daniel.d.kang@gmail.com>2011-01-06 14:44:50 +0000
committerCarl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>2011-01-06 14:44:50 +0000
commit1ba44140a3169868eb94e62888d8d2f9861968ab (patch)
treef3b4780d21d6533e1ea5fdb965557b690565ed33
parent504530bfbadfef05230179bccb0e733f032ac1a3 (diff)
downloadffmpeg-1ba44140a3169868eb94e62888d8d2f9861968ab.tar.gz
Fix crash for files with strip size larger than the buffer.
Fixes issue 2498. Patch by Daniel Kang, daniel.d.kang at gmail Originally committed as revision 26243 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/tiff.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 285cc40249..a23af1ab6f 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -531,6 +531,11 @@ static int decode_frame(AVCodecContext *avctx,
else
ssize = s->stripsize;
+ if (ssize > buf_size) {
+ av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
+ return -1;
+ }
+
if(s->stripdata){
soff = tget(&s->stripdata, s->sot, s->le);
}else