From 9c2216976907336dfae0e8e38a4d70ca2465a92c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Jun 2013 04:53:02 +0200 Subject: tiff: do not overread the source buffer At least 2 bytes from the source are read every loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/tiff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'libavcodec/tiff.c') diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index edef8308b8..735eafe721 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -224,10 +224,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, break; case TIFF_PACKBITS: for (pixels = 0; pixels < width;) { + if (ssrc + size - src < 2) + return AVERROR_INVALIDDATA; code = (int8_t) *src++; if (code >= 0) { code++; - if (pixels + code > width) { + if (pixels + code > width || + ssrc + size - src < code) { av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); return AVERROR_INVALIDDATA; -- cgit v1.2.3