On Sun, Feb 26, 2012 at 1:11 AM, Alex Converse <[email protected]> wrote:
> Module: libav
> Branch: release/0.8
> Commit: 424b6edd1944cf02261109edb5913417cf8e5dfb
>
> Author: Alex Converse <[email protected]>
> Committer: Reinhard Tartler <[email protected]>
> Date: Thu Feb 23 10:47:50 2012 -0800
>
> tiff: Prevent overreads in the type_sizes array.
>
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: [email protected]
> (cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)
>
> Signed-off-by: Anton Khirnov <[email protected]>
>
> ---
>
> libavcodec/tiff.c | 15 +++++++++++----
> 1 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
> index a88d0f9..6810f81 100644
> --- a/libavcodec/tiff.c
> +++ b/libavcodec/tiff.c
> @@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t
> *start, const uint8_t *
> count = tget_long(&buf, s->le);
> off = tget_long(&buf, s->le);
>
> + if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
> + av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u)
> encountered\n", type);
> + return 0;
> + }
> +
> if(count == 1){
> switch(type){
> case TIFF_BYTE:
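Review bot: the early rejection `if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes))` reports the bad entry only at AV_LOG_DEBUG and then skips it with `return 0`, so a corrupt IFD entry leaves no trace in a default build; an out-of-range type is never a legitimate condition, so AV_LOG_WARNING would be the more useful level, and the `return 0` (skip the tag rather than fail the file) deserves a one-line comment stating that this leniency is intentional. A short comment that `type_sizes` is indexed from 1, which is why `type == 0` is rejected alongside the upper bound, would also save the next reader a trip to the array definition.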
> @@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const
> uint8_t *start, const uint8_t *
> value = -1;
> buf = start + off;
> }
> - }else if(type_sizes[type] * count <= 4){
> - buf -= 4;
> - }else{
> - buf = start + off;
> + } else {
> + if (count <= 4 && type_sizes[type] * count <= 4) {
This is still capable of an oob read. Perhaps we want both patches.
> + buf -= 4;
> + } else {
> + buf = start + off;
> + }
> }
>
> if(buf && (buf < start || buf > end_buf)){
>
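Review bot: the new condition `if (count <= 4 && type_sizes[type] * count <= 4)` needs a comment, because the leading `count <= 4` is what keeps `type_sizes[type] * count` from wrapping for a large `count` read via `tget_long`, and a later cleanup could easily drop it as redundant. Separately, the check that follows, `if(buf && (buf < start || buf > end_buf))`, validates only where `buf` starts, not that `type_sizes[type] * count` bytes are available before `end_buf`; in the `buf = start + off` branch a tag whose data extends past the end of the buffer therefore still passes, which is consistent with the interleaved remark that an out-of-bounds read remains possible. Adding a length check of the form `type_sizes[type] * count > end_buf - buf` next to the pointer check would close that gap for both branches.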
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel