Commit 9c221697 authored by Luca Barbato's avatar Luca Barbato

tiff: do not overread the source buffer

At least 2 bytes from the source are read every loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 999ccd2d
......@@ -224,10 +224,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
break;
case TIFF_PACKBITS:
for (pixels = 0; pixels < width;) {
if (ssrc + size - src < 2)
return AVERROR_INVALIDDATA;
code = (int8_t) *src++;
if (code >= 0) {
code++;
if (pixels + code > width) {
if (pixels + code > width ||
ssrc + size - src < code) {
av_log(s->avctx, AV_LOG_ERROR,
"Copy went out of bounds\n");
return AVERROR_INVALIDDATA;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment