diff mbox

[FFmpeg-devel,1/2] avcodec/tiff: Check geotag count for being non zero

Message ID 20170321015202.8604-1-michael@niedermayer.cc
State Accepted
Commit 3182e19c1c29eef60208a67ad8ecad1d9a2d0694
Headers show

Commit Message

Michael Niedermayer March 21, 2017, 1:52 a.m. UTC 
Fixes memleak
Fixes: 874/clusterfuzz-testcase-5252796175613952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer March 23, 2017, 2:24 p.m. UTC | #1 
On Tue, Mar 21, 2017 at 02:52:01AM +0100, Michael Niedermayer wrote:
> Fixes memleak
> Fixes: 874/clusterfuzz-testcase-5252796175613952
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/tiff.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

patchset applied

[...]
diff mbox

Patch

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 5a6573fb79..3aaf63338d 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1071,7 +1071,8 @@  static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
             s->geotag_count = count / 4 - 1;
             av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
         }
-        if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+        if (   bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4
+            || s->geotag_count == 0) {
             s->geotag_count = 0;
             return -1;
         }