avcodec/jpeg2000dec: Check tile offsets
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 24 May 2017 17:40:42 +0000 (19:40 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 5 Jun 2017 21:16:54 +0000 (23:16 +0200)
Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89325417e7b33f4b08171d9d609c48662d96b2d3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/jpeg2000dec.c

index c4705cf..afa7837 100644 (file)
@@ -297,6 +297,14 @@ static int get_siz(Jpeg2000DecoderContext *s)
         return AVERROR_PATCHWELCOME;
     }
 
+    if (s->tile_offset_x < 0 || s->tile_offset_y < 0 ||
+        s->image_offset_x < s->tile_offset_x ||
+        s->image_offset_y < s->tile_offset_y) {
+        av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n",
+               s->ncomponents);
+        return AVERROR_INVALIDDATA;
+    }
+
     s->ncomponents = ncomponents;
 
     if (s->tile_width <= 0 || s->tile_height <= 0) {
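Review bot: The added `av_log()` call passes `s->ncomponents` as a trailing argument, but the format string `"Tile offsets are invalid\n"` has no conversion specifier, so the argument is silently ignored and will trigger a format-extra-args warning; it looks like a leftover from a neighbouring check. At this point `s->ncomponents` has also not yet been set from the header being parsed (the assignment `s->ncomponents = ncomponents;` comes right after the new block), so it would be a stale value even if it were printed. I would drop the argument: `av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n");`. The validation itself (rejecting negative tile offsets and image offsets smaller than the tile offsets) matches the overflow named in the commit message. get_siz starts and ends outside this hunk, so whether the later uses of these offsets are all covered cannot be confirmed from here.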