avcodec/tiff: Check stripsize strippos for overflow

Fixes: 861/clusterfuzz-testcase-5688284384591872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5d996b56499f00f80b02a41bab3d6b7349e36e9d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 10 insertions, 0 deletions

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index ecafd2ddf1..70e34b469d 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -904,6 +904,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         break;
     case TIFF_STRIP_OFFS:
         if (count == 1) {
+            if (value > INT_MAX) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "strippos %u too large\n", value);
+                return AVERROR_INVALIDDATA;
+            }
             s->strippos = 0;
             s->stripoff = value;
         } else
@@ -915,6 +920,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         break;
     case TIFF_STRIP_SIZE:
         if (count == 1) {
+            if (value > INT_MAX) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "stripsize %u too large\n", value);
+                return AVERROR_INVALIDDATA;
+            }
             s->stripsizesoff = 0;
             s->stripsize     = value;
             s->strips        = 1;