diff options
author | Luca Barbato <lu_zero@gentoo.org> | 2013-06-03 04:53:02 +0200 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2013-06-22 08:51:56 +0200 |
commit | 96de1c5ed90b4defb4126d946061d4a23101b28c (patch) | |
tree | cc85ad0be549be724b29461c620161dcc9f5f426 | |
parent | ea7ba1d8717dacca70771d0fbe553acbdbd47739 (diff) | |
download | ffmpeg-96de1c5ed90b4defb4126d946061d4a23101b28c.tar.gz |
tiff: do not overread the source buffer
At least 2 bytes from the source are read every loop.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/tiff.c
-rw-r--r-- | libavcodec/tiff.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index a0db1f1d28..8a1db12aae 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -186,10 +186,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin break; case TIFF_PACKBITS: for(pixels = 0; pixels < width;){ + if (ssrc + size - src < 2) + return AVERROR_INVALIDDATA; code = (int8_t)*src++; if(code >= 0){ code++; - if(pixels + code > width){ + if (pixels + code > width || + ssrc + size - src < code) { av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); return -1; } |