OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile dimensions close to UINT32_MAX. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16683

author: Even Rouault <even.rouault@spatialys.com> 2019-08-23 23:03:15 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2019-08-23 23:03:15 +0200
commit: 7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e (patch)
tree: 65fc10e7b0f977b82e89cab5084ece6bdbdfc255
parent: 67f7561e70d2d684b1efd15fffa7a6fb6ed284ab (diff)
download: libtiff-git-7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 87198200..0af54fb9 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1254,10 +1254,10 @@ OJPEGWriteHeaderInfo(TIFF* tif)
 				*m++=sp->subsampling_convert_cbbuf+n*sp->subsampling_convert_clinelen;
 			for (n=0; n<sp->subsampling_convert_clines; n++)
 				*m++=sp->subsampling_convert_crbuf+n*sp->subsampling_convert_clinelen;
-			sp->subsampling_convert_clinelenout=((sp->strile_width+sp->subsampling_hor-1)/sp->subsampling_hor);
+			sp->subsampling_convert_clinelenout=sp->strile_width/sp->subsampling_hor + ((sp->strile_width % sp->subsampling_hor) != 0 ? 1 : 0);
 			sp->subsampling_convert_state=0;
 			sp->bytes_per_line=sp->subsampling_convert_clinelenout*(sp->subsampling_ver*sp->subsampling_hor+2);
-			sp->lines_per_strile=((sp->strile_length+sp->subsampling_ver-1)/sp->subsampling_ver);
+			sp->lines_per_strile=sp->strile_length/sp->subsampling_ver + ((sp->strile_length % sp->subsampling_ver) != 0 ? 1 : 0);
 			sp->subsampling_convert_log=1;
 		}
 	}
author	Even Rouault <even.rouault@spatialys.com>	2019-08-23 23:03:15 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2019-08-23 23:03:15 +0200
commit	7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e (patch)
tree	65fc10e7b0f977b82e89cab5084ece6bdbdfc255
parent	67f7561e70d2d684b1efd15fffa7a6fb6ed284ab (diff)
download	libtiff-git-7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e.tar.gz