authorMichael Niedermayer <michaelni@gmx.at>2012-04-15 20:19:42 +0200
committerMichael Niedermayer <michaelni@gmx.at>2012-04-15 20:20:43 +0200
commitfefc65675eb5def2a34787cffea53c88e956cca1 (patch)
tree4b781e47fc339a901d7e59bc27ccddd03daea2fe
parent2837d8dc276760db1821b81df3f794a90bfa56e6 (diff)
tiffdec: check overread for packbits
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/tiff.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 8de1ebd1bf..a30e1a948a 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -253,6 +253,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
break;
case TIFF_PACKBITS:
for (pixels = 0; pixels < width;) {
+ if (ssrc + size - src < 2) {
+ av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");
+ return AVERROR_INVALIDDATA;
+ }
code = (int8_t) * src++;
if (code >= 0) {
code++;
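Review bot: The constant 2 in `if (ssrc + size - src < 2)` is unexplained. It appears to reserve the code byte plus at least one following byte, which would also cover the single data byte a run opcode reads, but that branch lies outside the hunk, so this is inferred. A comment such as `/* need the code byte plus at least one data byte */` would record the intent. This check and the one added in the second hunk both log the identical text "Read went out of bounds", so a log line from a malformed file cannot show which bound was hit; distinct messages would make triage easier.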
@@ -261,6 +265,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
"Copy went out of bounds\n");
return -1;
}
+ if (ssrc + size - src < code) {
+ av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");
+ return AVERROR_INVALIDDATA;
+ }
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8),
dst, 1, src, 0, code, pixels);
src += code;
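Review bot: The added source-length check returns `AVERROR_INVALIDDATA`, while the width check directly above it in the same branch still returns `-1`. One malformed strip can therefore produce two different error codes depending on which bound is exceeded first. Changing the neighbouring `return -1;` to `return AVERROR_INVALIDDATA;` would keep the PackBits error paths consistent for callers that inspect the code. The literal-copy branch continues past the end of this hunk, so the rest of its handling is not visible here.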