avcodec/tiff: Avoid abort with DNG RAW TIFF with YA8

Fixes: Assertion failure
Fixes: 24707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5179910197608448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 8c0b6f085309b57f78b3884860bf3d0ecc50732e..8a5f6e030d5a3913f2a6b68a54efe6ba53516a36 100644 (file)
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -709,7 +709,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid
             if (is_dng) {
                 int is_u16, pixel_size_bytes, pixel_size_bits, elements;
 
-                is_u16 = (s->bpp > 8);
+                is_u16 = (s->bpp / s->bppcount > 8);
                 pixel_size_bits = (is_u16 ? 16 : 8);
                 pixel_size_bytes = (is_u16 ? sizeof(uint16_t) : sizeof(uint8_t));