ffmpeg | branch: release/5.1 | Michael Niedermayer <[email protected]> | Sun Apr 16 17:38:39 2023 +0200| [7337f2e8e36b5bbadb9170a0e30b988cc4392540] | committer: Michael Niedermayer
avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]' Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5950405086674944 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 6e98cf0280cd693ef82c4444fe15bc7aef8771b3) Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7337f2e8e36b5bbadb9170a0e30b988cc4392540 --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 717f299fdd..b4a1c2f040 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1416,7 +1416,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->sub_ifd = ff_tget(&s->gb, TIFF_LONG, s->le); /** Only get the first SubIFD */ break; case DNG_LINEARIZATION_TABLE: - if (count > FF_ARRAY_ELEMS(s->dng_lut)) + if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut)) return AVERROR_INVALIDDATA; for (int i = 0; i < count; i++) s->dng_lut[i] = ff_tget(&s->gb, type, s->le); _______________________________________________ ffmpeg-cvslog mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
