On Thu, Feb 23, 2012 at 10:56:30AM -0800, Alex Converse wrote:
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: [email protected]
> ---
> libavcodec/tiff.c | 15 +++++++++++----
> 1 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
> index 51ebd69..d807149 100644
> --- a/libavcodec/tiff.c
> +++ b/libavcodec/tiff.c
> @@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t
> *start, const uint8_t *
> count = tget_long(&buf, s->le);
> off = tget_long(&buf, s->le);
>
> + if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
> + av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u)
> encountered\n", type);
> + return 0;
> + }
> +
> if(count == 1){
> switch(type){
> case TIFF_BYTE:
> @@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const
> uint8_t *start, const uint8_t *
> value = UINT_MAX;
> buf = start + off;
> }
> - }else if(type_sizes[type] * count <= 4){
> - buf -= 4;
> - }else{
> - buf = start + off;
> + } else {
> + if (count <= 4 && type_sizes[type] * count <= 4) {
> + buf -= 4;
> + } else {
> + buf = start + off;
> + }
> }
>
> if(buf && (buf < start || buf > end_buf)){
> --
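Review bot: The added type guard carries no comment saying which later access it protects or why it returns 0 instead of an error. Judging from the second hunk, the protected access is the `type_sizes[type]` lookup, so a comment such as `/* type is read from the file: reject it before it indexes type_sizes[]; an unknown field type is skipped, not fatal */` would keep a later refactor from moving that lookup above the check. The message is logged at `AV_LOG_DEBUG`, which is normally below the default log level, so a skipped tag leaves no trace when triaging a malformed file; `AV_LOG_WARNING` would make it visible. tiff_decode_tag starts and ends outside the hunk.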
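Review bot: The new else-branch still computes `buf = start + off` from an offset read out of the file, and only afterwards does the context line `if(buf && (buf < start || buf > end_buf))` test the resulting pointer. Forming a pointer outside the buffer is undefined behaviour and the sum can wrap on a 32-bit target, so the range test is better done on the integer first, e.g. `if (off > (size_t)(end_buf - start)) return -1;` before the assignment (the return value should match whatever the existing bounds check does; its body is outside the hunk). That check also validates only where the data starts; whether `count` elements of `type_sizes[type]` bytes fit before `end_buf` is not visible here and is worth confirming in the code that follows. A one-line comment on `count <= 4 &&` saying it is tested first so that the product cannot wrap would document why the condition was split.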
looks OK
