[FFmpeg-devel] [PATCH 2/2] avcodec/tiff: Check bpp/bppcount for 0
Michael Niedermayer
michael at niedermayer.cc
Fri Aug 7 13:04:33 EEST 2020
On Thu, Aug 06, 2020 at 11:31:03PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: division by zero
> > Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/tiff.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
> > index 18b327e800..5c748e9650 100644
> > --- a/libavcodec/tiff.c
> > +++ b/libavcodec/tiff.c
> > @@ -1290,7 +1290,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
> > s->height = value;
> > break;
> > case TIFF_BPP:
> > - if (count > 5U) {
> > + if (count > 5 || count <= 0) {
> > av_log(s->avctx, AV_LOG_ERROR,
> > "This format is not supported (bpp=%d, %d components)\n",
> > value, count);
> > @@ -1321,7 +1321,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
> > "Samples per pixel requires a single value, many provided\n");
> > return AVERROR_INVALIDDATA;
> > }
> > - if (value > 5U) {
> > + if (value > 5 || value <= 0) {
> > av_log(s->avctx, AV_LOG_ERROR,
> > "Samples per pixel %d is too large\n", value);
>
> How about changing this to "Invalid samples per pixel %d\n"?
will apply with this change
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
What does censorship reveal? It reveals fear. -- Julian Assange
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200807/05e5d0e7/attachment.sig>
More information about the ffmpeg-devel
mailing list