diff options
| author | Alex Converse <alex.converse@gmail.com> | 2012-03-06 17:00:29 -0800 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-03-13 23:30:55 +0100 |
| commit | 2744fdbd9e1ee6a10f7627147be6556d04c1a88a (patch) | |
| tree | 72f2f5fd0705287d5af7eb4be28eb3c895686f6a | |
| parent | 1fcc2c60914c1fd9c516203f675676e1586b0376 (diff) | |
| download | ffmpeg-2744fdbd9e1ee6a10f7627147be6556d04c1a88a.tar.gz | |
tiffdec: Prevent illegal memory access caused by recycled pointers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fd0be63049ed46660993d0550a4f0847a0b942ea)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavcodec/tiff.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d807149922..a0db1f1d28 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -535,6 +535,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); return -1; } + // Reset these pointers so we can tell if they were set this frame + s->stripsizes = s->stripdata = NULL; /* parse image file directory */ off = tget_long(&buf, le); if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { |