author | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 12:38:46 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 12:38:46 +0200 |
commit | 5f6349d3f82007f0509eb33b20c36f22152db1a2 (patch) | |
tree | 1cbcb6e920a58440d848e4a5a53f303d36e2f904 | |
parent | c9edebfdb039aa1be08561108a0b15175f4e5caa (diff) | |
tif_ojpeg: avoid unsigned integer overflow (probably not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16635
-rw-r--r-- | libtiff/tif_ojpeg.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 643bcf23..87198200 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -2042,7 +2042,8 @@ OJPEGReadBufferFill(OJPEGState* sp)
 sp->in_buffer_file_togo=bytecount;
 if (sp->in_buffer_file_togo==0)
 sp->in_buffer_file_pos=0;
- else if (sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size)
+ else if (sp->in_buffer_file_pos > TIFF_UINT64_MAX - sp->in_buffer_file_togo ||
+ sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size)
 sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;
 }
 } |
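Review bot: The clamp under the changed condition, `sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;`, would itself wrap if `in_buffer_file_pos` were larger than `file_size`, and nothing inside this hunk rules that out. OJPEGReadBufferFill starts and ends outside the hunk, so an earlier check may already guarantee it. If that invariant does hold, the two-part test can be written in subtraction form, `else if (sp->in_buffer_file_togo > sp->file_size - sp->in_buffer_file_pos)`, which cannot overflow and needs no TIFF_UINT64_MAX. Either way, a short comment such as `/* in_buffer_file_pos < file_size is checked above; clamp togo to the bytes left in the file */` would record why the arithmetic is safe, since both values appear to be derived from the file being parsed.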