From 1ba44140a3169868eb94e62888d8d2f9861968ab Mon Sep 17 00:00:00 2001
From: Daniel Kang <daniel.d.kang@gmail.com>
Date: Thu, 6 Jan 2011 14:44:50 +0000
Subject: [PATCH] Fix crash for files with strip size larger than the buffer.
 Fixes issue 2498.

Patch by Daniel Kang, daniel.d.kang at gmail

Originally committed as revision 26243 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/tiff.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 285cc402492..a23af1ab6f0 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -531,6 +531,11 @@ static int decode_frame(AVCodecContext *avctx,
         else
             ssize = s->stripsize;
 
+        if (ssize > buf_size) {
+            av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
+            return -1;
+        }
+
         if(s->stripdata){
             soff = tget(&s->stripdata, s->sot, s->le);
         }else
-- 
GitLab