From 042b8c2f06b4796bab0b65069ac7e7565d9157ce Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Wed, 29 May 2013 16:18:40 +0200
Subject: [PATCH 1/2] apetag: use int64_t for filesize

CC: libav-stable@libav.org
(cherry picked from commit e816aaacd68201b67182f9c70dc680e89a0123e9)
Signed-off-by: Reinhard Tartler
---
 libavformat/apetag.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index 0d2cb973fb..bb8b2dfadc 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -116,7 +116,7 @@ static int ape_tag_read_field(AVFormatContext *s)
 int64_t ff_ape_parse_tag(AVFormatContext *s)
 {
 AVIOContext *pb = s->pb;
- int file_size = avio_size(pb);
+ int64_t file_size = avio_size(pb);
 uint32_t val, fields, tag_bytes;
 uint8_t buf[8];
 int64_t tag_start;

From 8eb7c2566ca20392315618cda4a635b19cbb8e21 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Mon, 3 Jun 2013 04:53:02 +0200
Subject: [PATCH 2/2] tiff: do not overread the source buffer

At least 2 bytes from the source are read every loop.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c)
Signed-off-by: Reinhard Tartler

Conflicts: libavcodec/tiff.c
---
 libavcodec/tiff.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 8c40006aa5..264e98501b 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -207,10 +207,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
 break;
 case TIFF_PACKBITS:
 for (pixels = 0; pixels < width;) {
+ if (ssrc + size - src < 2)
+ return AVERROR_INVALIDDATA;
 code = (int8_t) * src++;
 if (code >= 0) {
 code++;
- if (pixels + code > width) {
+ if (pixels + code > width ||
+ ssrc + size - src < code) {
 av_log(s->avctx, AV_LOG_ERROR,
 "Copy went out of bounds\n");
 return -1;
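Review bot: In the libavformat/apetag.c hunk, `file_size` receives the result of `avio_size(pb)` and no check on it is visible, yet that call returns a negative AVERROR code when the stream size cannot be determined. The widened type stops a size above 2 GiB from being truncated, but the declaration should say how the error value is handled, since `file_size` presumably feeds the seek offset and tag-size bounds later in `ff_ape_parse_tag`, whose body continues outside the hunk. If that later code already rejects it, a comment on the declaration is enough, for example `/* avio_size() may return a negative AVERROR; rejected by the size check below */`; if it does not, an explicit `file_size < 0` bail-out belongs right after the declarations.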
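Review bot: In the libavcodec/tiff.c hunk, the new guard at the top of the PackBits loop returns `AVERROR_INVALIDDATA` without logging, while the extended copy check a few lines below still logs "Copy went out of bounds" and returns a bare `-1`. Both paths reject the same class of malformed strip, so they should report alike: add `av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");` before the first return and change the second to `return AVERROR_INVALIDDATA;`, so that callers and anyone triaging a crafted file see one error code and a message for either case. `ssrc` and `size` are declared outside the hunk and are presumably the start and length of the strip's source buffer; a short comment on the guard stating that, and that each iteration consumes a code byte plus at least one data byte, would help the next reader check the bound. The run-fill branch of the loop is also outside the hunk, so its single-byte read is assumed to be covered by the 2-byte guard.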