tiffdec: check rps, fix infinite loop.
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 9 Nov 2012 18:28:23 +0000 (19:28 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 9 Nov 2012 18:28:57 +0000 (19:28 +0100)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/tiff.c

index 45c2476..f00b1ad 100644 (file)
@@ -1089,6 +1089,11 @@ static int decode_frame(AVCodecContext *avctx,
         bytestream2_init(&stripdata, avpkt->data + s->strippos, avpkt->size - s->strippos);
     }
 
+    if (s->rps <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "rps %d invalid\n", s->rps);
+        return AVERROR_INVALIDDATA;
+    }
+
     for (i = 0; i < s->height; i += s->rps) {
         if (s->stripsizesoff)
             ssize = tget(&stripsizes, s->sstype, s->le);