tiff: do not overread the source buffer
authorLuca Barbato <lu_zero@gentoo.org>
Mon, 3 Jun 2013 02:53:02 +0000 (04:53 +0200)
committerReinhard Tartler <siretart@tauware.de>
Sat, 8 Jun 2013 14:31:54 +0000 (16:31 +0200)
At least 2 bytes from the source are read every loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/tiff.c

libavcodec/tiff.c

index 8c40006..264e985 100644 (file)
@@ -207,10 +207,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
             break;
         case TIFF_PACKBITS:
             for (pixels = 0; pixels < width;) {
+                if (ssrc + size - src < 2)
+                    return AVERROR_INVALIDDATA;
                 code = (int8_t) * src++;
                 if (code >= 0) {
                     code++;
-                    if (pixels + code > width) {
+                    if (pixels + code > width ||
+                        ssrc + size - src < code) {
                         av_log(s->avctx, AV_LOG_ERROR,
                                "Copy went out of bounds\n");
                         return -1;
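Review bot: The guard added at L23 demands two bytes for every iteration, which, if the non-visible `else` branch skips `code == -128` as a no-op (the usual PackBits rule), will reject an otherwise valid strip whose last byte is a lone 0x80; if that branch exists, the check should be `if (ssrc + size - src < 1)` before reading `code`, with the second byte checked where the literal/run byte is actually consumed. The two new failure paths are also inconsistent: L24 returns `AVERROR_INVALIDDATA` while the extended check at L29-L30 still returns the bare `-1` of the old code, so the source-underflow case reports differently from the header-underflow case; returning `AVERROR_INVALIDDATA` on L33 as well would keep the function's error contract uniform. The message on L32, "Copy went out of bounds", now covers both a destination overflow and a short source, so a reader of the log cannot tell which happened; a separate `av_log` for the `ssrc + size - src < code` case would help triage. The enclosing `tiff_unpack_strip`, its `switch`, and the `else` branch for negative codes all lie outside this hunk, so the -128 point is inferred from PackBits semantics rather than visible code.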