Commit fefc6567 authored by Michael Niedermayer's avatar Michael Niedermayer

tiffdec: check overread for packbits

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 2837d8dc
...@@ -253,6 +253,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, ...@@ -253,6 +253,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
break; break;
case TIFF_PACKBITS: case TIFF_PACKBITS:
for (pixels = 0; pixels < width;) { for (pixels = 0; pixels < width;) {
if (ssrc + size - src < 2) {
av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");
return AVERROR_INVALIDDATA;
}
code = (int8_t) * src++; code = (int8_t) * src++;
if (code >= 0) { if (code >= 0) {
code++; code++;
...@@ -261,6 +265,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, ...@@ -261,6 +265,10 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
"Copy went out of bounds\n"); "Copy went out of bounds\n");
return -1; return -1;
} }
if (ssrc + size - src < code) {
av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");
return AVERROR_INVALIDDATA;
}
horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8), horizontal_fill(s->bpp * (s->avctx->pix_fmt == PIX_FMT_PAL8),
dst, 1, src, 0, code, pixels); dst, 1, src, 0, code, pixels);
src += code; src += code;
......
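Review bot: The first new guard, `if (ssrc + size - src < 2)`, carries an undocumented assumption: it reserves the opcode byte plus one data byte, which appears to be what protects the single-byte read in the run (negative `code`) branch, and that branch lies outside both hunks, so please confirm it. A short comment above the guard would make this explicit, e.g. `/* need the opcode byte plus at least one data byte for either branch */`. The two new checks return `AVERROR_INVALIDDATA`, while the existing "Copy went out of bounds" path directly above the second check still uses `return -1;`, so callers see two different codes for the same class of malformed input; changing that line to `return AVERROR_INVALIDDATA;` would make the error paths consistent. Both new checks also log the identical string "Read went out of bounds", so a log from a rejected file cannot show whether the opcode read or the literal copy failed; distinct messages would help triage.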