From a4db272a92a5556ff45ecd15735fe578ec6e81c5 Mon Sep 17 00:00:00 2001
From: Daniel Kang
Date: Sun, 9 Jan 2011 19:29:39 +0000
Subject: Return on negative soff sizes, fixes issue 2515.

Patch by Daniel Kang, daniel.d.kang at gmail
Originally committed as revision 26288 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/tiff.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'libavcodec/tiff.c')
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index c1b71dc99a..f5d922a980 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -540,6 +540,10 @@ static int decode_frame(AVCodecContext *avctx,
 soff = tget(&s->stripdata, s->sot, s->le);
 }else
 soff = s->stripoff;
+ if (soff < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff);
+ return AVERROR(EINVAL);
+ }
 if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
 break;
 dst += s->rps * stride;
--
cgit v1.2.3
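Review bot: The new guard rejects only a negative `soff`, so an offset larger than the input buffer still reaches `orig_buf + soff` in the `tiff_unpack_strip` call, and `ssize` is passed along with no check visible in this hunk. Since `soff` can come straight from the file through `tget`, the guard should bound both values against the input length as well, for example `if (soff < 0 || ssize < 0 || soff > buf_size - ssize) {`, where `buf_size` is a placeholder for whichever variable holds the packet size in decode_frame. Whether `tiff_unpack_strip` validates the source range itself cannot be seen here and is worth confirming before relying on it. decode_frame starts and ends outside the hunk.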