Fix crash for files with strip size larger than the buffer.

author Daniel Kang <daniel.d.kang@gmail.com>

Thu, 6 Jan 2011 14:44:50 +0000 (14:44 +0000)

committer Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>

Thu, 6 Jan 2011 14:44:50 +0000 (14:44 +0000)
author Daniel Kang <daniel.d.kang@gmail.com>
Thu, 6 Jan 2011 14:44:50 +0000 (14:44 +0000)
committer Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>
Thu, 6 Jan 2011 14:44:50 +0000 (14:44 +0000)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c

index 285cc40..a23af1a 100644 (file)
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -531,6 +531,11 @@ static int decode_frame(AVCodecContext *avctx,
          else
              ssize = s->stripsize;
  
+        if (ssize > buf_size) {
+            av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
+            return -1;
+        }
+
          if(s->stripdata){
              soff = tget(&s->stripdata, s->sot, s->le);
          }else
author	Daniel Kang <daniel.d.kang@gmail.com>
	Thu, 6 Jan 2011 14:44:50 +0000 (14:44 +0000)
committer	Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>
	Thu, 6 Jan 2011 14:44:50 +0000 (14:44 +0000)