From 447363870f2f91e125e07ac2d0820359a5d86b06 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Thu, 23 Feb 2012 10:47:50 -0800
Subject: tiff: Prevent overreads in the type_sizes array.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/tiff.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'libavcodec/tiff.c')
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 51ebd69f66..d807149922 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
 count = tget_long(&buf, s->le);
 off = tget_long(&buf, s->le);
 
+ if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+ av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+ return 0;
+ }
+
 if(count == 1){
 switch(type){
 case TIFF_BYTE:
@@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
 value = UINT_MAX;
 buf = start + off;
 }
- }else if(type_sizes[type] * count <= 4){
- buf -= 4;
- }else{
- buf = start + off;
+ } else {
+ if (count <= 4 && type_sizes[type] * count <= 4) {
+ buf -= 4;
+ } else {
+ buf = start + off;
+ }
 }
 
 if(buf && (buf < start || buf > end_buf)){
-- cgit v1.2.3
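Review bot: The new guard placed before `if(count == 1){` drops a tag with an out-of-table `type` silently: it logs only at AV_LOG_DEBUG and returns 0, so the caller, which is outside this hunk, presumably treats the tag as handled and keeps decoding, and nothing records why `type == 0` is excluded alongside the upper bound. Skipping unknown tags is the conventional TIFF behaviour, but the intent deserves a comment, e.g. `/* 0 is not a TIFF data type and type_sizes[0] is presumably a placeholder; skip the tag rather than index the table with it */`. The `%u` conversion and the comparison against `FF_ARRAY_ELEMS(type_sizes)` both presume `type` is unsigned; its declaration is not visible in the hunk, so confirm it, since a signed `type` would still be rejected by the promoted comparison but would be printed wrongly. tiff_decode_tag starts before this hunk and continues past it.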
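Review bot: On the new `buf = start + off;` line, `off` is a 32-bit value read straight from the file and the pointer is formed before the range check on the following line; `start + off` landing outside the buffer is undefined behaviour in C, so the later `buf < start || buf > end_buf` comparison is on a pointer the compiler is not obliged to preserve. The safer order is to validate the integer first, `if (off > (size_t)(end_buf - start)) return -1;` (or whatever error value this function uses), and only then compute `buf`; the same pattern exists in the `count == 1` branch just above, which this commit does not touch. The added `count <= 4` guard correctly stops `type_sizes[type] * count` from wrapping back under 4 for a huge count, but the check on the next line bounds only the start of an out-of-line payload; whether `count * type_sizes[type]` bytes are confirmed to fit before they are read is decided later in tiff_decode_tag, outside this hunk. The function starts and ends outside the hunk.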