Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

CVE
Open in Source
#dos#git#auth#chrome

[FFmpeg-devel] [PATCH 7/7] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer michael at niedermayer.cc
Fri Nov 6 01:11:10 EET 2020

  • Previous message (by thread): [FFmpeg-devel] [PATCH 6/7] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
  • Next message (by thread): [FFmpeg-devel] [PATCH] Moves yuv2yuvX_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

strips + tiles is not allowed in TIFF DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

libavcodec/tiff.c | 7 ++++±- 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 2e45464218…00f0c0ccf7 100644 — a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1923,14 +1923,17 @@ again: has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;

 if (has\_tile\_bits && has\_strip\_bits) {

  •    av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");

  •    int tiled\_dng = s->is\_tiled && is\_dng;

  •    av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");

  •    if (!tiled\_dng)

  •        return AVERROR\_INVALIDDATA;

    }

    /* now we have the data and may start decoding */ if ((ret = init_image(s, &frame)) < 0) return ret;

  • if (!s->is_tiled) {
  • if (!s->is_tiled || has_strip_bits) { if (s->strips == 1 && !s->stripsize) { av_log(avctx, AV_LOG_WARNING, “Image data size missing\n”); s->stripsize = avpkt->size - s->stripoff; – 2.17.1
  • Previous message (by thread): [FFmpeg-devel] [PATCH 6/7] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
  • Next message (by thread): [FFmpeg-devel] [PATCH] Moves yuv2yuvX_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the ffmpeg-devel mailing list

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE