diff options
author | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 13:03:44 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 13:03:44 +0200 |
commit | ea271d743467d82fb5ede54ffdf4ed05774d3b17 (patch) | |
tree | 6642bfd01305a8f6b83c6a24829d2ca9d5e4a34a | |
parent | 5f6349d3f82007f0509eb33b20c36f22152db1a2 (diff) | |
download | libtiff-git-ea271d743467d82fb5ede54ffdf4ed05774d3b17.tar.gz |
EstimateStripByteCounts(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16643&
-rw-r--r-- | libtiff/tif_dirread.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index 5dfef71d..95230cda 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -4590,7 +4590,11 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount) uint64 rowbytes = TIFFScanlineSize64(tif); uint32 rowsperstrip = td->td_imagelength/td->td_stripsperimage; for (strip = 0; strip < td->td_nstrips; strip++) - td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip; + { + if( rowbytes > 0 && rowsperstrip > TIFF_UINT64_MAX / rowbytes ) + return -1; + td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip; + } } TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS); if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP)) |