authorEven Rouault <even.rouault@spatialys.com>2019-08-23 13:03:44 +0200
committerEven Rouault <even.rouault@spatialys.com>2019-08-23 13:03:44 +0200
commitea271d743467d82fb5ede54ffdf4ed05774d3b17 (patch)
tree6642bfd01305a8f6b83c6a24829d2ca9d5e4a34a
parent5f6349d3f82007f0509eb33b20c36f22152db1a2 (diff)
downloadlibtiff-git-ea271d743467d82fb5ede54ffdf4ed05774d3b17.tar.gz
EstimateStripByteCounts(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16643&
-rw-r--r--libtiff/tif_dirread.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 5dfef71d..95230cda 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4590,7 +4590,11 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
uint64 rowbytes = TIFFScanlineSize64(tif);
uint32 rowsperstrip = td->td_imagelength/td->td_stripsperimage;
for (strip = 0; strip < td->td_nstrips; strip++)
- td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
+ {
+ if( rowbytes > 0 && rowsperstrip > TIFF_UINT64_MAX / rowbytes )
+ return -1;
+ td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
+ }
}
TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
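Review bot: The new overflow guard is loop-invariant but sits inside the `for` over `td->td_nstrips`, so it is re-evaluated for every strip even though `rowbytes` and `rowsperstrip` never change there. Hoisting it above the loop as `if( rowbytes > 0 && rowsperstrip > TIFF_UINT64_MAX / rowbytes ) return -1;` makes the rejection happen before any `td_stripbytecount_p` entry is written and makes the intent easier to audit. The `return -1` is also silent: no diagnostic is emitted on this path, so a caller or a user triaging a malformed file sees only a generic failure. A `TIFFErrorExt()` call naming the overflow would help, if the function has a module string in scope. EstimateStripByteCounts() begins and ends outside this hunk, so whether -1 matches its other error returns, and whether the array allocated for `td_stripbytecount_p` is released by the caller on that path, should be confirmed against the full function.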