tiff: dont leave geotag_count in an invalid state on errors.

Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-02-10 20:24:22 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-02-10 20:24:53 +0100
commit: 0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6 (patch)
tree: 7c71bc943e3a57e6fa978f2e1dbf09de7ff8e3ee /libavcodec/tiff.c
parent: f28043d0a34aaf4ac7cf25bd0dddd868811c0ab2 (diff)
download: ffmpeg-0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index f13533fb3c..9829e92bf8 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -905,11 +905,14 @@ static int tiff_decode_tag(TiffContext *s)
             s->geotag_count = count / 4 - 1;
             av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
         }
-        if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4)
+        if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+            s->geotag_count = 0;
             return -1;
+        }
         s->geotags = av_mallocz(sizeof(TiffGeoTag) * s->geotag_count);
         if (!s->geotags) {
             av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n");
+            s->geotag_count = 0;
             return AVERROR(ENOMEM);
         }
         for (i = 0; i < s->geotag_count; i++) {
author	Michael Niedermayer <michaelni@gmx.at>	2013-02-10 20:24:22 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-02-10 20:24:53 +0100
commit	0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6 (patch)
tree	7c71bc943e3a57e6fa978f2e1dbf09de7ff8e3ee /libavcodec/tiff.c
parent	f28043d0a34aaf4ac7cf25bd0dddd868811c0ab2 (diff)
download	ffmpeg-0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6.tar.gz