tiff: Prevent overreads in the type_sizes array.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

1 files changed, 11 insertions, 4 deletions

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 6bfef220f4..71a4e70e3e 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -288,6 +288,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
     count = tget_long(&buf, s->le);
     off = tget_long(&buf, s->le);
 
+    if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+        av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+        return 0;
+    }
+
     if(count == 1){
         switch(type){
         case TIFF_BYTE:
@@ -309,10 +314,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
             value = -1;
             buf = start + off;
         }
-    }else if(type_sizes[type] * count <= 4){
-        buf -= 4;
-    }else{
-        buf = start + off;
+    } else {
+        if (count <= 4 && type_sizes[type] * count <= 4) {
+            buf -= 4;
+        } else {
+            buf = start + off;
+        }
     }
 
     if(buf && (buf < start || buf > end_buf)){