tiff: Prevent overreads in the type_sizes array.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
parent
e32548d133
commit
447363870f
@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
|
|||||||
count = tget_long(&buf, s->le);
|
count = tget_long(&buf, s->le);
|
||||||
off = tget_long(&buf, s->le);
|
off = tget_long(&buf, s->le);
|
||||||
|
|
||||||
|
if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
|
||||||
|
av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if(count == 1){
|
if(count == 1){
|
||||||
switch(type){
|
switch(type){
|
||||||
case TIFF_BYTE:
|
case TIFF_BYTE:
|
||||||
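Review bot: The new guard on `type` is what keeps every later `type_sizes[type]` index inside the table, but nothing in the code says so, and a later refactor could move the lookup above it. A one-line comment above the `if` would pin that down, for example `/* type is read from the file and indexes type_sizes[] below; skip tags whose type is outside the table */`. The message prints `type` with `%u`, which is only correct if `type` is declared unsigned; the declaration is outside this hunk, so confirm it. tiff_decode_tag starts and ends outside the hunk.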
@ -310,11 +315,13 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
|
|||||||
value = UINT_MAX;
|
value = UINT_MAX;
|
||||||
buf = start + off;
|
buf = start + off;
|
||||||
}
|
}
|
||||||
}else if(type_sizes[type] * count <= 4){
|
} else {
|
||||||
|
if (count <= 4 && type_sizes[type] * count <= 4) {
|
||||||
buf -= 4;
|
buf -= 4;
|
||||||
} else {
|
} else {
|
||||||
buf = start + off;
|
buf = start + off;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(buf && (buf < start || buf > end_buf)){
|
if(buf && (buf < start || buf > end_buf)){
|
||||||
av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n");
|
av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n");
|
||||||
|
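Review bot: Both `buf = start + off;` assignments form the pointer from the file-supplied offset before anything validates it, and the following `buf < start || buf > end_buf` test depends on that out-of-range pointer comparing sensibly. Pointer arithmetic past the buffer is undefined in C and can wrap on a 32-bit address space, so it is safer to compare the integer first, e.g. `if (off > end_buf - start)` ahead of the assignment. The existing test also accepts `buf == end_buf` and ignores the `type_sizes[type] * count` bytes the tag claims, so whether later reads stay in bounds depends on code outside this hunk. The added `count <= 4` term stops the product from wrapping for large counts, but if `count` is a signed type (its declaration is not visible here) a negative value would still pass it. tiff_decode_tag starts and ends outside the hunk.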