diff options
| author | Alex Converse <alex.converse@gmail.com> | 2012-03-06 17:00:29 -0800 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-01 18:33:29 +0200 |
| commit | bbe316dfb425edecd98e3fbef93c17abe6bb5cb8 (patch) | |
| tree | 7396bd8230c01b4e24e5f305f029784f8ca67160 /libavcodec | |
| parent | b4a223fd1936f8c7d3dd48f37f49790b0d04f429 (diff) | |
| download | ffmpeg-bbe316dfb425edecd98e3fbef93c17abe6bb5cb8.tar.gz | |
tiffdec: Prevent illegal memory access caused by recycled pointers.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit fd0be63049ed46660993d0550a4f0847a0b942ea)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/tiff.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1866dab9e7..0a0973c6d9 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -534,6 +534,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); return -1; } + // Reset these pointers so we can tell if they were set this frame + s->stripsizes = s->stripdata = NULL; /* parse image file directory */ off = tget_long(&buf, le); if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { |