avcodec/tiff: Check stripsize strippos for overflow

Fixes: 861/clusterfuzz-testcase-5688284384591872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-03-16 02:00:17 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-03-20 01:33:08 +0100
commit: 5d996b56499f00f80b02a41bab3d6b7349e36e9d (patch)
tree: 67169ebbe3ff786e9dc273af981d0a91455de8dc /libavcodec/tiff.c
parent: 61b8a9ea2930130a1fecf6c06a391a18d8b95d83 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 0be7be7528..5a6573fb79 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -914,6 +914,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         break;
     case TIFF_STRIP_OFFS:
         if (count == 1) {
+            if (value > INT_MAX) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "strippos %u too large\n", value);
+                return AVERROR_INVALIDDATA;
+            }
             s->strippos = 0;
             s->stripoff = value;
         } else
@@ -925,6 +930,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         break;
     case TIFF_STRIP_SIZE:
         if (count == 1) {
+            if (value > INT_MAX) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "stripsize %u too large\n", value);
+                return AVERROR_INVALIDDATA;
+            }
             s->stripsizesoff = 0;
             s->stripsize     = value;
             s->strips        = 1;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-03-16 02:00:17 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-03-20 01:33:08 +0100
commit	5d996b56499f00f80b02a41bab3d6b7349e36e9d (patch)
tree	67169ebbe3ff786e9dc273af981d0a91455de8dc /libavcodec/tiff.c
parent	61b8a9ea2930130a1fecf6c06a391a18d8b95d83 (diff)