tiff: do not overread the source buffer

At least 2 bytes from the source are read every loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] (cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c) Signed-off-by: Reinhard Tartler <[email protected]> Conflicts: libavcodec/tiff.c
author: Luca Barbato <[email protected]> 2013-06-03 04:53:02 +0200
committer: Reinhard Tartler <[email protected]> 2013-06-22 08:51:56 +0200
commit: 96de1c5ed90b4defb4126d946061d4a23101b28c (patch)
tree: cc85ad0be549be724b29461c620161dcc9f5f426
parent: ea7ba1d8717dacca70771d0fbe553acbdbd47739 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index a0db1f1d28..8a1db12aae 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -186,10 +186,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
             break;
         case TIFF_PACKBITS:
             for(pixels = 0; pixels < width;){
+                if (ssrc + size - src < 2)
+                    return AVERROR_INVALIDDATA;
                 code = (int8_t)*src++;
                 if(code >= 0){
                     code++;
-                    if(pixels + code > width){
+                    if (pixels + code > width ||
+                        ssrc + size - src < code) {
                         av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n");
                         return -1;
                     }
author	Luca Barbato <[email protected]>	2013-06-03 04:53:02 +0200
committer	Reinhard Tartler <[email protected]>	2013-06-22 08:51:56 +0200
commit	96de1c5ed90b4defb4126d946061d4a23101b28c (patch)
tree	cc85ad0be549be724b29461c620161dcc9f5f426
parent	ea7ba1d8717dacca70771d0fbe553acbdbd47739 (diff)