Return on negative soff sizes, fixes issue 2515.

author Daniel Kang <daniel.d.kang@gmail.com>

Sun, 9 Jan 2011 19:29:39 +0000 (19:29 +0000)

committer Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>

Sun, 9 Jan 2011 19:29:39 +0000 (19:29 +0000)
author Daniel Kang <daniel.d.kang@gmail.com>
Sun, 9 Jan 2011 19:29:39 +0000 (19:29 +0000)
committer Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>
Sun, 9 Jan 2011 19:29:39 +0000 (19:29 +0000)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c

index c1b71dc..f5d922a 100644 (file)
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -540,6 +540,10 @@ static int decode_frame(AVCodecContext *avctx,
              soff = tget(&s->stripdata, s->sot, s->le);
          }else
              soff = s->stripoff;
+        if (soff < 0) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff);
+            return AVERROR(EINVAL);
+        }
          if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
              break;
          dst += s->rps * stride;
author	Daniel Kang <daniel.d.kang@gmail.com>
	Sun, 9 Jan 2011 19:29:39 +0000 (19:29 +0000)
committer	Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>
	Sun, 9 Jan 2011 19:29:39 +0000 (19:29 +0000)