Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -253,6 +253,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, |
253 | 253 |
break; |
254 | 254 |
case TIFF_PACKBITS: |
255 | 255 |
for (pixels = 0; pixels < width;) { |
256 |
+ if (ssrc + size - src < 2) { |
|
257 |
+ av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n"); |
|
258 |
+ return AVERROR_INVALIDDATA; |
|
259 |
+ } |
|
256 | 260 |
code = (int8_t) * src++; |
257 | 261 |
if (code >= 0) { |
258 | 262 |
code++; |
... | ... |
@@ -261,6 +265,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, |
261 | 261 |
"Copy went out of bounds\n"); |
262 | 262 |
return -1; |
263 | 263 |
} |
264 |
+ if (ssrc + size - src < code) { |
|
265 |
+ av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n"); |
|
266 |
+ return AVERROR_INVALIDDATA; |
|
267 |
+ } |
|
264 | 268 |
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8), |
265 | 269 |
dst, 1, src, 0, code, pixels); |
266 | 270 |
src += code; |
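Review bot: The bound `2` in the first added check (`if (ssrc + size - src < 2)`, at the top of the PackBits loop) is unexplained, and whether it is sufficient depends on code outside these hunks. It covers the code byte plus one more byte, which presumably matches the single value byte read by the replicate branch (not visible here), while the literal branch gets its own `< code` check in the second hunk. A comment would pin the invariant down for the next maintainer, e.g. `/* need the code byte plus at least one data byte (literal or run value) */`. Separately, both new read checks return `AVERROR_INVALIDDATA` while the neighbouring "Copy went out of bounds" path still returns `-1`; changing that line to `return AVERROR_INVALIDDATA;` would give callers one error code for malformed strips. The body of tiff_unpack_strip starts and ends outside the visible hunks.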