diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2022-11-18 18:26:59 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-04-15 22:38:00 +0200 |
commit | 6507719760922add106db871a89062d9e15876df (patch) | |
tree | 935020928346f832b1ae0decaf4f18687818748c | |
parent | 1ff546c0339c6a200af5a7221353b08bff2356d9 (diff) | |
download | ffmpeg-6507719760922add106db871a89062d9e15876df.tar.gz |
avcodec/tiff: Ignore tile_count
Fixes: out of array access
Fixes: 52427/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4849108968144896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65ce417828cc6f5209d8467bc7755f0c59e9aa49)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/tiff.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8a5a81821c..62345d47c0 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -99,7 +99,6 @@ typedef struct TiffContext { int is_tiled; int tile_byte_counts_offset, tile_offsets_offset; int tile_width, tile_length; - int tile_count; int is_jpeg; @@ -994,7 +993,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, AVPacket *avp tile_count_y = (s->height + s->tile_length - 1) / s->tile_length; /* Iterate over the number of tiles */ - for (tile_idx = 0; tile_idx < s->tile_count; tile_idx++) { + for (tile_idx = 0; tile_idx < tile_count_x * tile_count_y; tile_idx++) { tile_x = tile_idx % tile_count_x; tile_y = tile_idx / tile_count_x; @@ -1427,7 +1426,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_TILE_OFFSETS: s->tile_offsets_offset = off; - s->tile_count = count; s->is_tiled = 1; break; case TIFF_TILE_BYTE_COUNTS: @@ -1925,7 +1923,7 @@ again: return AVERROR_INVALIDDATA; } - has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length || s->tile_count; + has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length; has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff; if (has_tile_bits && has_strip_bits) { |