diff mbox series

[FFmpeg-devel,4/4] avcodec/tiff: Check jpeg context against jpeg frame parameters

Message ID 20200820085046.5628-4-michael@niedermayer.cc
State Accepted
Commit b9ea493afe8576efe3de60f8c6723f9f155de0d8
Headers show
Series [FFmpeg-devel,1/4] avcodec/tiff: Check the linearization table size | expand

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Michael Niedermayer Aug. 20, 2020, 8:50 a.m. UTC 
Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 5 +++++
 1 file changed, 5 insertions(+)
diff mbox series

Patch

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 86f8487086..8a42e677ce 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -919,6 +919,11 @@  static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
 
     /* Copy the outputted tile's pixels from 'jpgframe' to 'frame' (final buffer) */
 
+    if (s->jpgframe->width  != s->avctx_mjpeg->width  ||
+        s->jpgframe->height != s->avctx_mjpeg->height ||
+        s->jpgframe->format != s->avctx_mjpeg->pix_fmt)
+        return AVERROR_INVALIDDATA;
+
     /* See dng_blit for explanation */
     if (s->avctx_mjpeg->width  == w * 2 &&
         s->avctx_mjpeg->height == h / 2 &&