diff mbox

[FFmpeg-devel] avcodec/tiff: check denominator values in tiff_decode_tag()

Message ID 20191027132645.647-1-jamrial@gmail.com
State Accepted
Commit dad75924290e15996e75c335c6c30b1d8e2e48ea
Headers show

Commit Message

James Almer Oct. 27, 2019, 1:26 p.m. UTC 
Fixes ticket #8327.

Signed-off-by: James Almer <jamrial@gmail.com>
---
The first case may be for either black level or SAR, so i decided to use a
generic error message.

 libavcodec/tiff.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Michael Niedermayer Oct. 29, 2019, 11:06 a.m. UTC | #1 
On Sun, Oct 27, 2019 at 10:26:45AM -0300, James Almer wrote:
> Fixes ticket #8327.
> 
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
> The first case may be for either black level or SAR, so i decided to use a
> generic error message.
> 
>  libavcodec/tiff.c | 9 +++++++++
>  1 file changed, 9 insertions(+)

LGTM

thx

[...]
diff mbox

Patch

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index f537e99b5a..636614aa28 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1240,6 +1240,11 @@  static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         case TIFF_RATIONAL:
             value  = ff_tget(&s->gb, TIFF_LONG, s->le);
             value2 = ff_tget(&s->gb, TIFF_LONG, s->le);
+            if (!value2) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid denominator in rational\n");
+                return AVERROR_INVALIDDATA;
+            }
+
             break;
         case TIFF_STRING:
             if (count <= 4) {
@@ -1413,6 +1418,10 @@  static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
             if (type == TIFF_RATIONAL) {
                 value  = ff_tget(&s->gb, TIFF_LONG, s->le);
                 value2 = ff_tget(&s->gb, TIFF_LONG, s->le);
+                if (!value2) {
+                    av_log(s->avctx, AV_LOG_ERROR, "Invalid black level denominator\n");
+                    return AVERROR_INVALIDDATA;
+                }
 
                 s->black_level = value / value2;
             } else