aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2020-08-20 01:05:35 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2020-08-26 20:31:09 +0200
commitb9ea493afe8576efe3de60f8c6723f9f155de0d8 (patch)
tree71658e9a7d826981896cba8c3033625c7ff92279
parentad29f9e47cb848e11ee1d358d2bae15cd35ef04b (diff)
downloadffmpeg-b9ea493afe8576efe3de60f8c6723f9f155de0d8.tar.gz
avcodec/tiff: Check jpeg context against jpeg frame parameters
Fixes: out of array access Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/tiff.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 86f8487086..8a42e677ce 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -919,6 +919,11 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
/* Copy the outputted tile's pixels from 'jpgframe' to 'frame' (final buffer) */
+ if (s->jpgframe->width != s->avctx_mjpeg->width ||
+ s->jpgframe->height != s->avctx_mjpeg->height ||
+ s->jpgframe->format != s->avctx_mjpeg->pix_fmt)
+ return AVERROR_INVALIDDATA;
+
/* See dng_blit for explanation */
if (s->avctx_mjpeg->width == w * 2 &&
s->avctx_mjpeg->height == h / 2 &&