Browse code
avcodec/tiff: more completely check bpp/bppcount
Fixes pixel format selection
Fixes out of array accesses
Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/10/03 23:08:32Showing 1 changed files
| ... | ... |
@@ -814,13 +814,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) |
| 814 | 814 |
s->height = value; |
| 815 | 815 |
break; |
| 816 | 816 |
case TIFF_BPP: |
| 817 |
- s->bppcount = count; |
|
| 818 |
- if (count > 4) {
|
|
| 817 |
+ if (count > 4U) {
|
|
| 819 | 818 |
av_log(s->avctx, AV_LOG_ERROR, |
| 820 | 819 |
"This format is not supported (bpp=%d, %d components)\n", |
| 821 |
- s->bpp, count); |
|
| 820 |
+ value, count); |
|
| 822 | 821 |
return AVERROR_INVALIDDATA; |
| 823 | 822 |
} |
| 823 |
+ s->bppcount = count; |
|
| 824 | 824 |
if (count == 1) |
| 825 | 825 |
s->bpp = value; |
| 826 | 826 |
else {
|
| ... | ... |
@@ -838,6 +838,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) |
| 838 | 838 |
s->bpp = -1; |
| 839 | 839 |
} |
| 840 | 840 |
} |
| 841 |
+ if (s->bpp > 64U) {
|
|
| 842 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
| 843 |
+ "This format is not supported (bpp=%d, %d components)\n", |
|
| 844 |
+ s->bpp, count); |
|
| 845 |
+ s->bpp = 0; |
|
| 846 |
+ return AVERROR_INVALIDDATA; |
|
| 847 |
+ } |
|
| 841 | 848 |
break; |
| 842 | 849 |
case TIFF_SAMPLES_PER_PIXEL: |
| 843 | 850 |
if (count != 1) {
|