Fix parser not to clobber has_b_frames when extradata is set.

[ffmpeg] / libavcodec / tiff.c

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index ab5f1ebd11946e4eb996956f2550d78b1eb36ce2..d807149922a5a44914f53a0f3cbc33d7de986485 100644 (file)
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -59,24 +59,24 @@ typedef struct TiffContext {
     LZWState *lzw;
 } TiffContext;
 
-static int tget_short(const uint8_t **p, int le){
-    int v = le ? AV_RL16(*p) : AV_RB16(*p);
+static unsigned tget_short(const uint8_t **p, int le) {
+    unsigned v = le ? AV_RL16(*p) : AV_RB16(*p);
     *p += 2;
     return v;
 }
 
-static int tget_long(const uint8_t **p, int le){
-    int v = le ? AV_RL32(*p) : AV_RB32(*p);
+static unsigned tget_long(const uint8_t **p, int le) {
+    unsigned v = le ? AV_RL32(*p) : AV_RB32(*p);
     *p += 4;
     return v;
 }
 
-static int tget(const uint8_t **p, int type, int le){
+static unsigned tget(const uint8_t **p, int type, int le) {
     switch(type){
     case TIFF_BYTE : return *(*p)++;
     case TIFF_SHORT: return tget_short(p, le);
     case TIFF_LONG : return tget_long (p, le);
-    default        : return -1;
+    default        : return UINT_MAX;
     }
 }
 
@@ -173,6 +173,8 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
         }
         switch(s->compr){
         case TIFF_RAW:
+            if (ssrc + size - src < width)
+                return AVERROR_INVALIDDATA;
             if (!s->fill_order) {
                 memcpy(dst, src, width);
             } else {
@@ -275,16 +277,23 @@ static int init_image(TiffContext *s)
 
 static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf)
 {
-    int tag, type, count, off, value = 0;
+    unsigned tag, type, count, off, value = 0;
     int i, j;
     uint32_t *pal;
     const uint8_t *rp, *gp, *bp;
 
+    if (end_buf - buf < 12)
+        return -1;
     tag = tget_short(&buf, s->le);
     type = tget_short(&buf, s->le);
     count = tget_long(&buf, s->le);
     off = tget_long(&buf, s->le);
 
+    if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+        av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+        return 0;
+    }
+
     if(count == 1){
         switch(type){
         case TIFF_BYTE:
@@ -303,13 +312,15 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
                 break;
             }
         default:
-            value = -1;
+            value = UINT_MAX;
+            buf = start + off;
+        }
+    } else {
+        if (count <= 4 && type_sizes[type] * count <= 4) {
+            buf -= 4;
+        } else {
             buf = start + off;
         }
-    }else if(type_sizes[type] * count <= 4){
-        buf -= 4;
-    }else{
-        buf = start + off;
     }
 
     if(buf && (buf < start || buf > end_buf)){
@@ -339,7 +350,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
             case TIFF_SHORT:
             case TIFF_LONG:
                 s->bpp = 0;
-                for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le);
+                for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le);
                 break;
             default:
                 s->bpp = -1;
@@ -387,7 +398,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
         }
         break;
     case TIFF_ROWSPERSTRIP:
-        if(type == TIFF_LONG && value == -1)
+        if (type == TIFF_LONG && value == UINT_MAX)
             value = s->avctx->height;
         if(value < 1){
             av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n");
@@ -453,6 +464,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
     case TIFF_PAL:
         pal = (uint32_t *) s->palette;
         off = type_sizes[type];
+        if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3)
+            return -1;
         rp = buf;
         gp = buf + count / 3 * off;
         bp = buf + count / 3 * off * 2;
@@ -495,12 +508,16 @@ static int decode_frame(AVCodecContext *avctx,
     AVFrame *picture = data;
     AVFrame * const p= (AVFrame*)&s->picture;
     const uint8_t *orig_buf = buf, *end_buf = buf + buf_size;
-    int id, le, off, ret;
+    unsigned off;
+    int id, le, ret;
     int i, j, entries;
-    int stride, soff, ssize;
+    int stride;
+    unsigned soff, ssize;
     uint8_t *dst;
 
     //parse image header
+    if (end_buf - buf < 8)
+        return AVERROR_INVALIDDATA;
     id = AV_RL16(buf); buf += 2;
     if(id == 0x4949) le = 1;
     else if(id == 0x4D4D) le = 0;
@@ -520,9 +537,9 @@ static int decode_frame(AVCodecContext *avctx,
     }
     /* parse image file directory */
     off = tget_long(&buf, le);
-    if(orig_buf + off + 14 >= end_buf){
+    if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
         av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
     buf = orig_buf + off;
     entries = tget_short(&buf, le);
@@ -546,23 +563,23 @@ static int decode_frame(AVCodecContext *avctx,
     stride = p->linesize[0];
     dst = p->data[0];
     for(i = 0; i < s->height; i += s->rps){
-        if(s->stripsizes)
+        if(s->stripsizes) {
+            if (s->stripsizes >= end_buf)
+                return AVERROR_INVALIDDATA;
             ssize = tget(&s->stripsizes, s->sstype, s->le);
-        else
+        } else
             ssize = s->stripsize;
 
-        if (ssize > buf_size) {
-            av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
-            return -1;
-        }
-
         if(s->stripdata){
+            if (s->stripdata >= end_buf)
+                return AVERROR_INVALIDDATA;
             soff = tget(&s->stripdata, s->sot, s->le);
         }else
             soff = s->stripoff;
-        if (soff < 0) {
-            av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff);
-            return AVERROR(EINVAL);
+
+        if (soff > buf_size || ssize > buf_size - soff) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n");
+            return -1;
         }
         if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
             break;