author | Even Rouault <even.rouault@spatialys.com> | 2019-08-12 17:55:56 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-12 17:55:56 +0200 |
commit | ea69462ea25a00afd18df34c36cb7c487e1e0628 (patch) | |
tree | eafeda6ec6924d35f8059caeaee02bb7e5e0c6fd | |
parent | 187e596861a51aaf5c3a9c4c9b007f890f2bc52e (diff) | |
download | libtiff-git-ea69462ea25a00afd18df34c36cb7c487e1e0628.tar.gz |
OJPEGReadBufferFill(): avoid very long processing time on corrupted files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16400. master only
-rw-r--r-- | libtiff/tif_ojpeg.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 30820324..643bcf23 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -2024,10 +2024,15 @@ OJPEGReadBufferFill(OJPEGState* sp)
 sp->in_buffer_source=osibsEof;
 else
 {
- sp->in_buffer_file_pos=TIFFGetStrileOffset(sp->tif, sp->in_buffer_next_strile);
+ int err = 0;
+ sp->in_buffer_file_pos=TIFFGetStrileOffsetWithErr(sp->tif, sp->in_buffer_next_strile, &err);
+ if( err )
+ return 0;
 if (sp->in_buffer_file_pos!=0)
 {
- uint64 bytecount = TIFFGetStrileByteCount(sp->tif, sp->in_buffer_next_strile);
+ uint64 bytecount = TIFFGetStrileByteCountWithErr(sp->tif, sp->in_buffer_next_strile, &err);
+ if( err )
+ return 0;
 if (sp->in_buffer_file_pos>=sp->file_size)
 sp->in_buffer_file_pos=0;
 else if (bytecount==0) |
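Review bot: The first new error exit returns after `sp->in_buffer_file_pos` has already been overwritten with whatever `TIFFGetStrileOffsetWithErr()` returned on failure, and neither exit touches `sp->in_buffer_source` or `sp->in_buffer_next_strile`, so a caller that invokes OJPEGReadBufferFill() again would presumably repeat the same failing lookup on the corrupted file. If that is not intended, store the offset only when `err` is 0, or reset it on the error path, e.g. `if( err ) { sp->in_buffer_file_pos=0; return 0; }`. Both `return 0;` lines would also benefit from a comment such as `/* strile offset/bytecount could not be read: fail now instead of treating it as an empty strile */`, because telling an error apart from a legitimate 0 appears to be the point of the change. The rest of OJPEGReadBufferFill() lies outside the hunk, so how callers react to the 0 return should be confirmed there.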