diff options
author | Daniel Kang <daniel.d.kang@gmail.com> | 2011-01-06 14:44:50 +0000 |
---|---|---|
committer | Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at> | 2011-01-06 14:44:50 +0000 |
commit | 1ba44140a3169868eb94e62888d8d2f9861968ab (patch) | |
tree | f3b4780d21d6533e1ea5fdb965557b690565ed33 | |
parent | 504530bfbadfef05230179bccb0e733f032ac1a3 (diff) | |
download | ffmpeg-1ba44140a3169868eb94e62888d8d2f9861968ab.tar.gz |
Fix crash for files with strip size larger than the buffer.
Fixes issue 2498.
Patch by Daniel Kang, daniel.d.kang at gmail
Originally committed as revision 26243 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/tiff.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 285cc40249..a23af1ab6f 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -531,6 +531,11 @@ static int decode_frame(AVCodecContext *avctx, else ssize = s->stripsize; + if (ssize > buf_size) { + av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n"); + return -1; + } + if(s->stripdata){ soff = tget(&s->stripdata, s->sot, s->le); }else |