From 79e8d17024e6c6328a40fcee191ffd70798a9c6e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 10 Jul 2020 17:14:43 +0200
Subject: [PATCH] avcodec/tiff: Check input space in dng_decode_jpeg()

Fixes: out of array read
Fixes: 24034/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5111884337119232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 6a3ec3ef95..18b327e800 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -882,6 +882,9 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
     int is_single_comp, is_u16, pixel_size;
     int ret;
 
+    if (tile_byte_count < 0 || tile_byte_count > bytestream2_get_bytes_left(&s->gb))
+        return AVERROR_INVALIDDATA;
+
     /* Prepare a packet and send to the MJPEG decoder */
     av_init_packet(&jpkt);
     jpkt.data = (uint8_t*)s->gb.buffer;