Fixes: 861/clusterfuzz-testcase-5688284384591872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
... | ... |
@@ -914,6 +914,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) |
914 | 914 |
break; |
915 | 915 |
case TIFF_STRIP_OFFS: |
916 | 916 |
if (count == 1) { |
917 |
+ if (value > INT_MAX) { |
|
918 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
919 |
+ "strippos %u too large\n", value); |
|
920 |
+ return AVERROR_INVALIDDATA; |
|
921 |
+ } |
|
917 | 922 |
s->strippos = 0; |
918 | 923 |
s->stripoff = value; |
919 | 924 |
} else |
... | ... |
@@ -925,6 +930,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) |
925 | 925 |
break; |
926 | 926 |
case TIFF_STRIP_SIZE: |
927 | 927 |
if (count == 1) { |
928 |
+ if (value > INT_MAX) { |
|
929 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
930 |
+ "stripsize %u too large\n", value); |
|
931 |
+ return AVERROR_INVALIDDATA; |
|
932 |
+ } |
|
928 | 933 |
s->stripsizesoff = 0; |
929 | 934 |
s->stripsize = value; |
930 | 935 |
s->strips = 1; |