[FFmpeg-cvslog] avcodec/tiff: check the black level denominator

James Almer git at videolan.org
Tue Oct 29 15:24:43 EET 2019


ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Sat Oct 26 12:01:16 2019 -0300| [dad75924290e15996e75c335c6c30b1d8e2e48ea] | committer: James Almer

avcodec/tiff: check the black level denominator

Fixes ticket #8327.

Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dad75924290e15996e75c335c6c30b1d8e2e48ea
---

 libavcodec/tiff.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index f537e99b5a..636614aa28 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1240,6 +1240,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         case TIFF_RATIONAL:
             value  = ff_tget(&s->gb, TIFF_LONG, s->le);
             value2 = ff_tget(&s->gb, TIFF_LONG, s->le);
+            if (!value2) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid denominator in rational\n");
+                return AVERROR_INVALIDDATA;
+            }
+
             break;
         case TIFF_STRING:
             if (count <= 4) {
@@ -1413,6 +1418,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
             if (type == TIFF_RATIONAL) {
                 value  = ff_tget(&s->gb, TIFF_LONG, s->le);
                 value2 = ff_tget(&s->gb, TIFF_LONG, s->le);
+                if (!value2) {
+                    av_log(s->avctx, AV_LOG_ERROR, "Invalid black level denominator\n");
+                    return AVERROR_INVALIDDATA;
+                }
 
                 s->black_level = value / value2;
             } else



More information about the ffmpeg-cvslog mailing list