Browse code
tiffdec: check overread for packbits
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/04/16 03:19:42Showing 1 changed files
| ... | ... |
@@ -253,6 +253,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, |
| 253 | 253 |
break; |
| 254 | 254 |
case TIFF_PACKBITS: |
| 255 | 255 |
for (pixels = 0; pixels < width;) {
|
| 256 |
+ if (ssrc + size - src < 2) {
|
|
| 257 |
+ av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n"); |
|
| 258 |
+ return AVERROR_INVALIDDATA; |
|
| 259 |
+ } |
|
| 256 | 260 |
code = (int8_t) * src++; |
| 257 | 261 |
if (code >= 0) {
|
| 258 | 262 |
code++; |
| ... | ... |
@@ -261,6 +265,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, |
| 261 | 261 |
"Copy went out of bounds\n"); |
| 262 | 262 |
return -1; |
| 263 | 263 |
} |
| 264 |
+ if (ssrc + size - src < code) {
|
|
| 265 |
+ av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n"); |
|
| 266 |
+ return AVERROR_INVALIDDATA; |
|
| 267 |
+ } |
|
| 264 | 268 |
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8), |
| 265 | 269 |
dst, 1, src, 0, code, pixels); |
| 266 | 270 |
src += code; |