From a036c25969498693539f5e494e1f25ad2227e24c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 26 Nov 2018 02:57:32 +0100
Subject: avcodec/tiff: Fix integer overflows in left shift in init_image()

Fixes: left shift of 255 by 24 places cannot be represented in type 'int'
Fixes: 11377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5694319101476864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'libavcodec')

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 6271c937c3..751f23ef33 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -706,7 +706,7 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
         s->avctx->pix_fmt = s->palette_is_set ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_GRAY8;
         break;
     case 10081:
-        switch (s->pattern[0] | (s->pattern[1] << 8) | (s->pattern[2] << 16) | (s->pattern[3] << 24)) {
+        switch (AV_RL32(s->pattern)) {
         case 0x02010100:
             s->avctx->pix_fmt = AV_PIX_FMT_BAYER_RGGB8;
             break;
@@ -721,12 +721,12 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "Unsupported Bayer pattern: 0x%X\n",
-                   s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24);
+                   AV_RL32(s->pattern));
             return AVERROR_PATCHWELCOME;
         }
         break;
     case 10121:
-        switch (s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24) {
+        switch (AV_RL32(s->pattern)) {
         case 0x02010100:
             s->avctx->pix_fmt = s->le ? AV_PIX_FMT_BAYER_RGGB16LE : AV_PIX_FMT_BAYER_RGGB16BE;
             break;
@@ -741,12 +741,12 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "Unsupported Bayer pattern: 0x%X\n",
-                   s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24);
+                   AV_RL32(s->pattern));
             return AVERROR_PATCHWELCOME;
         }
         break;
     case 10161:
-        switch (s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24) {
+        switch (AV_RL32(s->pattern)) {
         case 0x02010100:
             s->avctx->pix_fmt = s->le ? AV_PIX_FMT_BAYER_RGGB16LE : AV_PIX_FMT_BAYER_RGGB16BE;
             break;
@@ -761,7 +761,7 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "Unsupported Bayer pattern: 0x%X\n",
-                   s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24);
+                   AV_RL32(s->pattern));
             return AVERROR_PATCHWELCOME;
         }
         break;
-- 
cgit v1.2.3