The add_doubles_metadata function in libavcodec/tiff.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a negative or zero count value in a TIFF image, which triggers an out-of-bounds array access.
http://www.ffmpeg.org/security.html
http://git.videolan.org/?p=ffmpeg.git%3Ba=commitdiff%3Bh=6d1c5ea04af3e345232aa70c944de961061dab2d