diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-03-16 04:00:17 +0300 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-03-20 03:33:08 +0300 |
commit | 5d996b56499f00f80b02a41bab3d6b7349e36e9d (patch) | |
tree | 67169ebbe3ff786e9dc273af981d0a91455de8dc /libavcodec/tiff.c | |
parent | 61b8a9ea2930130a1fecf6c06a391a18d8b95d83 (diff) |
avcodec/tiff: Check stripsize strippos for overflow
Fixes: 861/clusterfuzz-testcase-5688284384591872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/tiff.c')
-rw-r--r-- | libavcodec/tiff.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 0be7be7528..5a6573fb79 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -914,6 +914,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else @@ -925,6 +930,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; |