mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/tiff: Ignore tile_count
Fixes: out of array access Fixes: 52427/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4849108968144896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
b32316923d
commit
65ce417828
|
@ -110,7 +110,6 @@ typedef struct TiffContext {
|
||||||
int is_tiled;
|
int is_tiled;
|
||||||
int tile_byte_counts_offset, tile_offsets_offset;
|
int tile_byte_counts_offset, tile_offsets_offset;
|
||||||
int tile_width, tile_length;
|
int tile_width, tile_length;
|
||||||
int tile_count;
|
|
||||||
|
|
||||||
int is_jpeg;
|
int is_jpeg;
|
||||||
|
|
||||||
|
@ -994,7 +993,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame,
|
||||||
tile_count_y = (s->height + s->tile_length - 1) / s->tile_length;
|
tile_count_y = (s->height + s->tile_length - 1) / s->tile_length;
|
||||||
|
|
||||||
/* Iterate over the number of tiles */
|
/* Iterate over the number of tiles */
|
||||||
for (tile_idx = 0; tile_idx < s->tile_count; tile_idx++) {
|
for (tile_idx = 0; tile_idx < tile_count_x * tile_count_y; tile_idx++) {
|
||||||
tile_x = tile_idx % tile_count_x;
|
tile_x = tile_idx % tile_count_x;
|
||||||
tile_y = tile_idx / tile_count_x;
|
tile_y = tile_idx / tile_count_x;
|
||||||
|
|
||||||
|
@ -1430,7 +1429,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
|
||||||
break;
|
break;
|
||||||
case TIFF_TILE_OFFSETS:
|
case TIFF_TILE_OFFSETS:
|
||||||
s->tile_offsets_offset = off;
|
s->tile_offsets_offset = off;
|
||||||
s->tile_count = count;
|
|
||||||
s->is_tiled = 1;
|
s->is_tiled = 1;
|
||||||
break;
|
break;
|
||||||
case TIFF_TILE_BYTE_COUNTS:
|
case TIFF_TILE_BYTE_COUNTS:
|
||||||
|
@ -2096,7 +2094,7 @@ again:
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
|
|
||||||
has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length || s->tile_count;
|
has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length;
|
||||||
has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
|
has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
|
||||||
|
|
||||||
if (has_tile_bits && has_strip_bits) {
|
if (has_tile_bits && has_strip_bits) {
|
||||||
|
|
Loading…
Reference in New Issue