authorEven Rouault <even.rouault@spatialys.com>2019-08-12 17:55:56 +0200
committerEven Rouault <even.rouault@spatialys.com>2019-08-12 17:55:56 +0200
commitea69462ea25a00afd18df34c36cb7c487e1e0628 (patch)
treeeafeda6ec6924d35f8059caeaee02bb7e5e0c6fd
parent187e596861a51aaf5c3a9c4c9b007f890f2bc52e (diff)
OJPEGReadBufferFill(): avoid very long processing time on corrupted files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16400. master only
-rw-r--r--libtiff/tif_ojpeg.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 30820324..643bcf23 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -2024,10 +2024,15 @@ OJPEGReadBufferFill(OJPEGState* sp)
sp->in_buffer_source=osibsEof;
else
{
- sp->in_buffer_file_pos=TIFFGetStrileOffset(sp->tif, sp->in_buffer_next_strile);
+ int err = 0;
+ sp->in_buffer_file_pos=TIFFGetStrileOffsetWithErr(sp->tif, sp->in_buffer_next_strile, &err);
+ if( err )
+ return 0;
if (sp->in_buffer_file_pos!=0)
{
- uint64 bytecount = TIFFGetStrileByteCount(sp->tif, sp->in_buffer_next_strile);
+ uint64 bytecount = TIFFGetStrileByteCountWithErr(sp->tif, sp->in_buffer_next_strile, &err);
+ if( err )
+ return 0;
if (sp->in_buffer_file_pos>=sp->file_size)
sp->in_buffer_file_pos=0;
else if (bytecount==0)
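Review bot: The two `if( err ) return 0;` early exits leave `sp->in_buffer_source` and `sp->in_buffer_file_pos` as they were at the moment of failure, so if a caller ever re-enters OJPEGReadBufferFill after a 0 return it will retry the same strile and hit the same error again; whether the current callers do that is not visible in this hunk, so consider setting `sp->in_buffer_source=osibsEof;` before each `return 0;` to make the failure sticky. The reason for a hard failure instead of the previous behaviour (an offset of 0 leading to the next strile) is not stated in the code; a short comment on the first check would help the next reader, e.g. `/* Corrupted offset/bytecount tables: fail the read rather than scanning every strile (oss-fuzz 16400). */`. Reusing the single `err` for both lookups is safe only because the first check returns on any non-zero value, which is worth noting in that same comment. The enclosing function starts and ends outside this hunk.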