On 13/01/2020 17:50, Lynne wrote:
> Actually the entire condition needs to be gone. count is uint32_t. The length
> is already checked below.
> Copied this from ff_tadd_shorts_metadata which has an int count.

Ah.

> And the offset value isn't taken into account. TIFF allows the ICC profile to
> be placed pretty much anywhere within the file (the 32 bit offset points from
> the start of the file, not the field). So this would only work with files
> where the ICC profile immediately follows the tag.

Oh, that's a bit wild. I did a quick Google search for the ICC profile tag spec, and it wasn't obvious to me where it is defined, so I assumed it was directly after the tag.

> Attached a new patch.

> + gb_temp = s->gb;
> + bytestream2_seek(&gb_temp, SEEK_SET, off);
> +
> + if (bytestream2_get_bytes_left(&gb_temp) < count)
> + return AVERROR_INVALIDDATA;

Is it worth checking the bytestream2_seek return value too, or will that be handled by bytestream2_get_bytes_left anyway? If it is handled, patch seems OK.

- Derek
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
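Review bot: the arguments to bytestream2_seek in the quoted lines are in the wrong order; the function is declared as bytestream2_seek(GetByteContext *g, int offset, int whence), so `bytestream2_seek(&gb_temp, SEEK_SET, off);` passes SEEK_SET as the offset and the file offset as whence. A whence value other than SEEK_SET/SEEK_CUR/SEEK_END makes the seek return AVERROR(EINVAL) without moving the cursor, so gb_temp stays at the current read position and the bytes-left test is made against the wrong place. The call should read `bytestream2_seek(&gb_temp, off, SEEK_SET);`. On the question raised in the reply: with SEEK_SET the offset is clamped into the buffer, so an offset past the end leaves zero bytes and `bytestream2_get_bytes_left(&gb_temp) < count` rejects any non-zero count; checking the seek's return value only matters for the invalid-whence case, which the argument fix removes.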
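The bounds check discussed above, worked through as an added example (not FFmpeg's code and not part of this thread): a hypothetical ByteCtx mirrors the clamping semantics of bytestream2_seek with SEEK_SET and bytestream2_get_bytes_left, and the seek-then-compare check is placed beside the naive `off + count <= size` test to show why the latter is unsafe when `off` and `count` are 32-bit values read from the file. The 64-byte sample file and the names ByteCtx, icc_in_bounds and extract_icc_profile are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for FFmpeg's GetByteContext: start, cursor and end of one buffer. */
typedef struct ByteCtx {
    const uint8_t *start;
    const uint8_t *cur;
    const uint8_t *end;
} ByteCtx;

static void ctx_init(ByteCtx *c, const uint8_t *buf, size_t size)
{
    c->start = buf;
    c->cur   = buf;
    c->end   = buf + size;
}

/* Absolute seek that clamps the target into [0, size], mirroring the SEEK_SET
 * behaviour of bytestream2_seek(). Returns the resulting position. */
static size_t ctx_seek_set(ByteCtx *c, uint64_t off)
{
    size_t size = (size_t)(c->end - c->start);
    if (off > size)
        off = size;
    c->cur = c->start + (size_t)off;
    return (size_t)off;
}

static size_t ctx_bytes_left(const ByteCtx *c)
{
    return (size_t)(c->end - c->cur);
}

/* The unsafe check: off + count wraps in 32-bit arithmetic, so a huge offset
 * with a small count looks "in bounds". Kept only to demonstrate the failure. */
int icc_in_bounds_naive(size_t file_size, uint32_t off, uint32_t count)
{
    uint32_t end = off + count;          /* wraps when off + count > UINT32_MAX */
    return end <= file_size;
}

/* The robust check: seek (clamped) to the tag's offset, then compare what is
 * left in the buffer against the tag's count. No overflow-prone arithmetic. */
int icc_in_bounds(const uint8_t *file, size_t file_size, uint32_t off, uint32_t count)
{
    ByteCtx tmp;
    ctx_init(&tmp, file, file_size);
    ctx_seek_set(&tmp, off);             /* clamped: an offset past EOF leaves 0 bytes */
    return ctx_bytes_left(&tmp) >= count;
}

/* Copy the profile bytes out only when the check passes. Returns the number of
 * bytes copied, or -1 when the tag points outside the file or the caller's
 * buffer is too small. */
long extract_icc_profile(const uint8_t *file, size_t file_size,
                         uint32_t off, uint32_t count,
                         uint8_t *out, size_t out_cap)
{
    if (!icc_in_bounds(file, file_size, off, count) || count > out_cap)
        return -1;
    memcpy(out, file + off, count);
    return (long)count;
}

/* Constructed sample: a 64-byte "file" whose 16-byte profile sits at offset 40,
 * away from the tag that references it, as TIFF allows. */
#define SAMPLE_SIZE 64
static uint8_t sample_file[SAMPLE_SIZE];

static void build_sample(void)
{
    memset(sample_file, 0, sizeof sample_file);
    memcpy(sample_file + 40, "ICC_PROFILE_DATA", 16);
}

/* Extracts the sample profile and verifies its bytes; returns 1 on success. */
int sample_roundtrip_ok(void)
{
    uint8_t out[32];
    build_sample();
    if (extract_icc_profile(sample_file, SAMPLE_SIZE, 40, 16, out, sizeof out) != 16)
        return 0;
    return memcmp(out, "ICC_PROFILE_DATA", 16) == 0;
}

int main(void)
{
    printf("valid tag (off 40, count 16) : %d\n", sample_roundtrip_ok());
    printf("count runs past EOF          : %d\n", icc_in_bounds(sample_file, SAMPLE_SIZE, 60, 16));
    printf("wrapped offset, naive check  : %d (wrongly accepted)\n",
           icc_in_bounds_naive(SAMPLE_SIZE, 0xFFFFFFF0u, 0x20u));
    printf("wrapped offset, robust check : %d\n",
           icc_in_bounds(sample_file, SAMPLE_SIZE, 0xFFFFFFF0u, 0x20u));
    return 0;
}
```

The seek-then-compare form is what makes the check independent of the size of `off` and `count`: the clamp bounds the cursor to the buffer first, so the only comparison left is between two in-range quantities.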