aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/tiff.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-10-02 21:37:59 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-10-02 21:37:59 +0200
commit7fc85451fd47a4607f3cc47d1daa84ae122f5a46 (patch)
treef94ae472ddeea47eee50ef33ee6ecdd3e7e1e501 /libavcodec/tiff.c
parent42c8fdb943b210b2f79e2510a91ca0f542c9bad0 (diff)
parentb89a0c9d7f4c4a23d709761033ad5e2f9c2881fa (diff)
downloadffmpeg-7fc85451fd47a4607f3cc47d1daa84ae122f5a46.tar.gz
Merge branch 'release/0.8' into release/0.7
* release/0.8: (185 commits) h264: fix intra 16x16 mode check when using mbaff and constrained_intra_pred. h264: check for invalid bit depth value. h264: add entries for 11 and 12 bits in ff_h264_chroma_qp[][] h264: fix the check for invalid SPS:num_ref_frames. h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors. Reject video with non multiple of 16 width/height in the 4xm decoder. 4xm decoder: fix data size for i2 frames. 4xm decoder: print some error messages in case of errors. Check for out of bound accesses in the 4xm decoder. Prevent block size from inreasing in the shorten decoder. Check for out of bound reads in PTX decoder. Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffers used in 4xm decoder. Fix the check for missing references in ff_er_frame_end() for H264. Prevent NULL dereference when the huffman table is invalid in the 4xm decoder. Fix use of uninitialized memory in 4X Technologies demuxer. h264: increase ref_poc size to 32 as it can be per field. h264: set unused ref_counts to 0 as a precautionary meassure. Remove Chnagelog it has nothing to do with reality fate: fix motion pixels checksum change caused by backported bugfix avienc: Add a limit on the number of skiped frames muxed in a row. ... Conflicts: Doxyfile RELEASE VERSION libavformat/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/tiff.c')
-rw-r--r--libavcodec/tiff.c40
1 files changed, 25 insertions, 15 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index c54eaee346..ed01b70147 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -170,6 +170,8 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
}
switch(s->compr){
case TIFF_RAW:
+ if (ssrc + size - src < width)
+ return AVERROR_INVALIDDATA;
if (!s->fill_order) {
memcpy(dst, src, width);
} else {
@@ -277,6 +279,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
uint32_t *pal;
const uint8_t *rp, *gp, *bp;
+ if (end_buf - buf < 12)
+ return -1;
tag = tget_short(&buf, s->le);
type = tget_short(&buf, s->le);
count = tget_long(&buf, s->le);
@@ -336,7 +340,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
case TIFF_SHORT:
case TIFF_LONG:
s->bpp = 0;
- for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le);
+ for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le);
break;
default:
s->bpp = -1;
@@ -450,6 +454,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
case TIFF_PAL:
pal = (uint32_t *) s->palette;
off = type_sizes[type];
+ if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3)
+ return -1;
rp = buf;
gp = buf + count / 3 * off;
bp = buf + count / 3 * off * 2;
@@ -493,12 +499,16 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame *picture = data;
AVFrame * const p= (AVFrame*)&s->picture;
const uint8_t *orig_buf = buf, *end_buf = buf + buf_size;
- int id, le, off, ret;
+ unsigned off;
+ int id, le, ret;
int i, j, entries;
- int stride, soff, ssize;
+ int stride;
+ unsigned soff, ssize;
uint8_t *dst;
//parse image header
+ if (end_buf - buf < 8)
+ return AVERROR_INVALIDDATA;
id = AV_RL16(buf); buf += 2;
if(id == 0x4949) le = 1;
else if(id == 0x4D4D) le = 0;
@@ -518,9 +528,9 @@ static int decode_frame(AVCodecContext *avctx,
}
/* parse image file directory */
off = tget_long(&buf, le);
- if(orig_buf + off + 14 >= end_buf){
+ if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
buf = orig_buf + off;
entries = tget_short(&buf, le);
@@ -544,23 +554,23 @@ static int decode_frame(AVCodecContext *avctx,
stride = p->linesize[0];
dst = p->data[0];
for(i = 0; i < s->height; i += s->rps){
- if(s->stripsizes)
+ if(s->stripsizes) {
+ if (s->stripsizes >= end_buf)
+ return AVERROR_INVALIDDATA;
ssize = tget(&s->stripsizes, s->sstype, s->le);
- else
+ } else
ssize = s->stripsize;
- if (ssize > buf_size) {
- av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
- return -1;
- }
-
if(s->stripdata){
+ if (s->stripdata >= end_buf)
+ return AVERROR_INVALIDDATA;
soff = tget(&s->stripdata, s->sot, s->le);
}else
soff = s->stripoff;
- if (soff < 0) {
- av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff);
- return AVERROR(EINVAL);
+
+ if (soff > buf_size || ssize > buf_size - soff) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n");
+ return -1;
}
if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
break;