Module: libav
Branch: release/0.8
Commit: 424b6edd1944cf02261109edb5913417cf8e5dfb

Author:    Alex Converse <[email protected]>
Committer: Reinhard Tartler <[email protected]>
Date:      Thu Feb 23 10:47:50 2012 -0800

tiff: Prevent overreads in the type_sizes array.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
(cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)

Signed-off-by: Anton Khirnov <[email protected]>

---

 libavcodec/tiff.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index a88d0f9..6810f81 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t 
*start, const uint8_t *
     count = tget_long(&buf, s->le);
     off = tget_long(&buf, s->le);
 
+    if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+        av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", 
type);
+        return 0;
+    }
+
     if(count == 1){
         switch(type){
         case TIFF_BYTE:
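Review bot: The new range check on `type` has no comment saying that it is what bounds the `type_sizes[type]` lookups further down in tiff_decode_tag, so a later edit could move a lookup above it without noticing. I would add `/* type is read from the file and indexes type_sizes[]; reject 0 and anything past the table before any lookup */` above the `if`. The same comment should say that `return 0` deliberately makes the tag be skipped rather than reported as an error, if that is the intent. The function body starts and ends outside this hunk.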
@@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t 
*start, const uint8_t *
             value = -1;
             buf = start + off;
         }
-    }else if(type_sizes[type] * count <= 4){
-        buf -= 4;
-    }else{
-        buf = start + off;
+    } else {
+        if (count <= 4 && type_sizes[type] * count <= 4) {
+            buf -= 4;
+        } else {
+            buf = start + off;
+        }
     }
 
     if(buf && (buf < start || buf > end_buf)){
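Review bot: `buf = start + off;` in the new `else` branch (and the same statement in the `count == 1` default case above it) builds the pointer from a file-supplied offset before anything validates it; the `buf < start || buf > end_buf` test on the last line only runs afterwards. Forming a pointer past the end of the buffer is undefined behaviour in C, and if `off` is a 32-bit value, as the `tget_long` read suggests, the addition can wrap on 32-bit targets so that the test passes. Checking the offset itself first avoids this, e.g. `if (off > end_buf - start) return -1;` with the operand types made to agree and the return value matched to the function's error convention, which is not visible here. That test also bounds only the start of the field, not the `type_sizes[type] * count` bytes read from it; those reads are outside this hunk, so confirm they are bounded separately. A one-line comment on `count <= 4` saying that it keeps the 32-bit product from wrapping would document why the extra condition exists.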
