[libav-stable] tiff: do not overread the source buffer

Luca Barbato git at libav.org
Fri Jun 7 17:43:19 CEST 2013


Module: libav
Branch: master
Commit: 9c2216976907336dfae0e8e38a4d70ca2465a92c

Author:    Luca Barbato <lu_zero at gentoo.org>
Committer: Luca Barbato <lu_zero at gentoo.org>
Date:      Mon Jun  3 04:53:02 2013 +0200

tiff: do not overread the source buffer

At least 2 bytes from the source are read every loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

---

 libavcodec/tiff.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index edef830..735eafe 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -224,10 +224,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
             break;
         case TIFF_PACKBITS:
             for (pixels = 0; pixels < width;) {
+                if (ssrc + size - src < 2)
+                    return AVERROR_INVALIDDATA;
                 code = (int8_t) *src++;
                 if (code >= 0) {
                     code++;
-                    if (pixels + code > width) {
+                    if (pixels + code > width ||
+                        ssrc + size - src < code) {
                         av_log(s->avctx, AV_LOG_ERROR,
                                "Copy went out of bounds\n");
                         return AVERROR_INVALIDDATA;



More information about the libav-stable mailing list