tiff: Prevent overreads in the type_sizes array.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org

tiff: Prevent overreads in the type_sizes array.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
44736387 · Alex Converse · e32548d1 · 44736387
Commit 44736387 authored Feb 23, 2012 by Alex Converse
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

tiff.c libavcodec/tiff.c +11 -4

No files found.
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
    count = tget_long(&buf, s->le);
    off = tget_long(&buf, s->le);
+    if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+        av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+        return 0;
+    }
    if(count == 1){
        switch(type){
        case TIFF_BYTE:
@@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
            value = UINT_MAX;
            buf = start + off;
        }
-    }else if(type_sizes[type] * count <= 4){
+    } else {
-        buf -= 4;
+        if (count <= 4 && type_sizes[type] * count <= 4) {
-    }else{
+            buf -= 4;
-        buf = start + off;
+        } else {
+            buf = start + off;
+        }
    }
    if(buf && (buf < start || buf > end_buf)){