authorLuca Barbato <lu_zero@gentoo.org>2013-06-03 04:53:02 +0200
committerReinhard Tartler <siretart@tauware.de>2013-06-08 16:31:54 +0200
commit8eb7c2566ca20392315618cda4a635b19cbb8e21 (patch)
treef69fababfbc2bf07ca0bb027839e6fff791d197f
parent042b8c2f06b4796bab0b65069ac7e7565d9157ce (diff)
tiff: do not overread the source buffer
At least 2 bytes from the source are read every loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/tiff.c
-rw-r--r--libavcodec/tiff.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 8c40006aa5..264e98501b 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -207,10 +207,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
break;
case TIFF_PACKBITS:
for (pixels = 0; pixels < width;) {
+ if (ssrc + size - src < 2)
+ return AVERROR_INVALIDDATA;
code = (int8_t) * src++;
if (code >= 0) {
code++;
- if (pixels + code > width) {
+ if (pixels + code > width ||
+ ssrc + size - src < code) {
av_log(s->avctx, AV_LOG_ERROR,
"Copy went out of bounds\n");
return -1;
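Review bot: The new guard at the top of the PackBits loop returns `AVERROR_INVALIDDATA` without logging, while the bounds failure a few lines below logs and returns a bare `-1`, so truncated input is reported in two different ways within one case. The extended condition also reuses the message "Copy went out of bounds" for both a destination overflow (`pixels + code > width`) and a source overread (`ssrc + size - src < code`), which makes a malformed-file report harder to triage. I would add `av_log(s->avctx, AV_LOG_ERROR, "PackBits source buffer too short\n");` before the first return and change the later `return -1;` to `return AVERROR_INVALIDDATA;`. The rest of the loop body lies outside this hunk, so it is worth confirming there that every remaining branch reads no more than the one extra byte the two-byte minimum guarantees.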