diff mbox series

[FFmpeg-devel,09/11] avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check

Message ID 20230416164830.15664-9-michael@niedermayer.cc
State Accepted
Commit 6e98cf0280cd693ef82c4444fe15bc7aef8771b3
Headers show
Series [FFmpeg-devel,01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer April 16, 2023, 4:48 p.m. UTC 
Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5950405086674944
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 1a1879de890..ebc7505dcdf 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1451,7 +1451,7 @@  static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         break;
     case TIFF_GRAY_RESPONSE_CURVE:
     case DNG_LINEARIZATION_TABLE:
-        if (count > FF_ARRAY_ELEMS(s->dng_lut))
+        if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut))
             return AVERROR_INVALIDDATA;
         for (int i = 0; i < count; i++)
             s->dng_lut[i] = ff_tget(&s->gb, type, s->le);