OJPEG: fix integer division by zero on corrupted subsampling factors. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15824. Credit to OSS Fuzz

author: Even Rouault <even.rouault@spatialys.com> 2019-08-10 19:36:09 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2019-08-10 19:36:09 +0200
commit: 43908ce15e8bf85f063443658d2a6da0d1cd4e74 (patch)
tree: 5612a0fb7f1e4c8ed889b8224b3972ba384e3ca3
parent: 75c1cf5e917be0b15db5f0135571db98671a766d (diff)
download: libtiff-git-43908ce15e8bf85f063443658d2a6da0d1cd4e74.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index ad3e1e71..30820324 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1107,6 +1107,12 @@ OJPEGReadHeaderInfo(TIFF* tif)
 	}
 	if (sp->strile_length<sp->image_length)
 	{
+		if (((sp->subsampling_hor!=1) && (sp->subsampling_hor!=2) && (sp->subsampling_hor!=4)) ||
+		    ((sp->subsampling_ver!=1) && (sp->subsampling_ver!=2) && (sp->subsampling_ver!=4)))
+		{
+			TIFFErrorExt(tif->tif_clientdata,module,"Invalid subsampling values");
+			return(0);
+		}
 		if (sp->strile_length%(sp->subsampling_ver*8)!=0)
 		{
 			TIFFErrorExt(tif->tif_clientdata,module,"Incompatible vertical subsampling and image strip/tile length");
author	Even Rouault <even.rouault@spatialys.com>	2019-08-10 19:36:09 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2019-08-10 19:36:09 +0200
commit	43908ce15e8bf85f063443658d2a6da0d1cd4e74 (patch)
tree	5612a0fb7f1e4c8ed889b8224b3972ba384e3ca3
parent	75c1cf5e917be0b15db5f0135571db98671a766d (diff)
download	libtiff-git-43908ce15e8bf85f063443658d2a6da0d1cd4e74.tar.gz