Browse code
avcodec/tiff: Check stripsize strippos for overflow
Fixes: 861/clusterfuzz-testcase-5688284384591872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2017/03/16 10:00:17Showing 1 changed files
| ... | ... |
@@ -914,6 +914,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) |
| 914 | 914 |
break; |
| 915 | 915 |
case TIFF_STRIP_OFFS: |
| 916 | 916 |
if (count == 1) {
|
| 917 |
+ if (value > INT_MAX) {
|
|
| 918 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
| 919 |
+ "strippos %u too large\n", value); |
|
| 920 |
+ return AVERROR_INVALIDDATA; |
|
| 921 |
+ } |
|
| 917 | 922 |
s->strippos = 0; |
| 918 | 923 |
s->stripoff = value; |
| 919 | 924 |
} else |
| ... | ... |
@@ -925,6 +930,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) |
| 925 | 925 |
break; |
| 926 | 926 |
case TIFF_STRIP_SIZE: |
| 927 | 927 |
if (count == 1) {
|
| 928 |
+ if (value > INT_MAX) {
|
|
| 929 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
| 930 |
+ "stripsize %u too large\n", value); |
|
| 931 |
+ return AVERROR_INVALIDDATA; |
|
| 932 |
+ } |
|
| 928 | 933 |
s->stripsizesoff = 0; |
| 929 | 934 |
s->stripsize = value; |
| 930 | 935 |
s->strips = 1; |