diff options
author | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 23:03:15 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 23:03:15 +0200 |
commit | 7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e (patch) | |
tree | 65fc10e7b0f977b82e89cab5084ece6bdbdfc255 | |
parent | 67f7561e70d2d684b1efd15fffa7a6fb6ed284ab (diff) | |
download | libtiff-git-7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e.tar.gz |
OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile dimensions close to UINT32_MAX. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16683
-rw-r--r-- | libtiff/tif_ojpeg.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c index 87198200..0af54fb9 100644 --- a/libtiff/tif_ojpeg.c +++ b/libtiff/tif_ojpeg.c @@ -1254,10 +1254,10 @@ OJPEGWriteHeaderInfo(TIFF* tif) *m++=sp->subsampling_convert_cbbuf+n*sp->subsampling_convert_clinelen; for (n=0; n<sp->subsampling_convert_clines; n++) *m++=sp->subsampling_convert_crbuf+n*sp->subsampling_convert_clinelen; - sp->subsampling_convert_clinelenout=((sp->strile_width+sp->subsampling_hor-1)/sp->subsampling_hor); + sp->subsampling_convert_clinelenout=sp->strile_width/sp->subsampling_hor + ((sp->strile_width % sp->subsampling_hor) != 0 ? 1 : 0); sp->subsampling_convert_state=0; sp->bytes_per_line=sp->subsampling_convert_clinelenout*(sp->subsampling_ver*sp->subsampling_hor+2); - sp->lines_per_strile=((sp->strile_length+sp->subsampling_ver-1)/sp->subsampling_ver); + sp->lines_per_strile=sp->strile_length/sp->subsampling_ver + ((sp->strile_length % sp->subsampling_ver) != 0 ? 1 : 0); sp->subsampling_convert_log=1; } } |