[FFmpeg-cvslog] avcodec/tiff: Fix integer overflows in left shift in init_image()

Michael Niedermayer git at videolan.org
Tue Nov 27 03:57:41 EET 2018


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Nov 26 02:57:32 2018 +0100| [a036c25969498693539f5e494e1f25ad2227e24c] | committer: Michael Niedermayer

avcodec/tiff: Fix integer overflows in left shift in init_image()

Fixes: left shift of 255 by 24 places cannot be represented in type 'int'
Fixes: 11377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5694319101476864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a036c25969498693539f5e494e1f25ad2227e24c
---

 libavcodec/tiff.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 6271c937c3..751f23ef33 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -706,7 +706,7 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
         s->avctx->pix_fmt = s->palette_is_set ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_GRAY8;
         break;
     case 10081:
-        switch (s->pattern[0] | (s->pattern[1] << 8) | (s->pattern[2] << 16) | (s->pattern[3] << 24)) {
+        switch (AV_RL32(s->pattern)) {
         case 0x02010100:
             s->avctx->pix_fmt = AV_PIX_FMT_BAYER_RGGB8;
             break;
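Review bot: The new `switch (AV_RL32(s->pattern))` reads four consecutive bytes from memory, so it equals the removed element-wise expression only if `s->pattern` is an array of exactly four 8-bit elements. The declaration is outside this hunk and should be confirmed. Since the fuzzer report suggests these bytes come straight from the input file, a short comment at the field would record the dependency, for example `/* 4 raw bytes from the file, decoded little-endian with AV_RL32() in init_image() */`. The body of `init_image()` starts and ends outside the hunk.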
@@ -721,12 +721,12 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "Unsupported Bayer pattern: 0x%X\n",
-                   s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24);
+                   AV_RL32(s->pattern));
             return AVERROR_PATCHWELCOME;
         }
         break;
     case 10121:
-        switch (s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24) {
+        switch (AV_RL32(s->pattern)) {
         case 0x02010100:
             s->avctx->pix_fmt = s->le ? AV_PIX_FMT_BAYER_RGGB16LE : AV_PIX_FMT_BAYER_RGGB16BE;
             break;
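Review bot: The `0x%X` conversion in the `av_log()` call expects an `unsigned int`, but the argument is now the `uint32_t` produced by `AV_RL32()`. The two types coincide on common targets, though nothing in the code guarantees it. Using the `<inttypes.h>` macro keeps format and argument matched: `"Unsupported Bayer pattern: 0x%"PRIX32"\n"`. The same log call appears in the `default:` branches of the next two hunks.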
@@ -741,12 +741,12 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "Unsupported Bayer pattern: 0x%X\n",
-                   s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24);
+                   AV_RL32(s->pattern));
             return AVERROR_PATCHWELCOME;
         }
         break;
     case 10161:
-        switch (s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24) {
+        switch (AV_RL32(s->pattern)) {
         case 0x02010100:
             s->avctx->pix_fmt = s->le ? AV_PIX_FMT_BAYER_RGGB16LE : AV_PIX_FMT_BAYER_RGGB16BE;
             break;
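Review bot: `AV_RL32(s->pattern)` is now written out six times, once per inner switch and once per error message, so the switched value and the logged value are kept identical only by copy and paste. Decoding it once before the outer switch, e.g. `uint32_t bayer_pattern = AV_RL32(s->pattern);`, and using that local in both places would remove the repetition. From the lines visible here the `case 10121` and `case 10161` bodies also look identical, so they may be able to share one body, but their middle sections are outside the hunks and would need checking.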
@@ -761,7 +761,7 @@ static int init_image(TiffContext *s, ThreadFrame *frame)
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "Unsupported Bayer pattern: 0x%X\n",
-                   s->pattern[0] | s->pattern[1] << 8 | s->pattern[2] << 16 | s->pattern[3] << 24);
+                   AV_RL32(s->pattern));
             return AVERROR_PATCHWELCOME;
         }
         break;


