diff options
author | Even Rouault <even.rouault@spatialys.com> | 2017-07-10 10:40:27 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2017-07-10 10:40:27 +0000 |
commit | d69a373ecf36730c896c79795f726e069cb10794 (patch) | |
tree | 23f5c52795ac69d708bf849fbc8a945b86e6d281 /libtiff/tif_pixarlog.c | |
parent | 9129c40f98a211c39593ed4323f926c4c95fbd9a (diff) | |
download | libtiff-git-d69a373ecf36730c896c79795f726e069cb10794.tar.gz |
* libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz
Diffstat (limited to 'libtiff/tif_pixarlog.c')
-rw-r--r-- | libtiff/tif_pixarlog.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index f2263950..979858da 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.53 2017-05-17 09:53:06 erouault Exp $ */ +/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -673,6 +673,7 @@ PixarLogSetupDecode(TIFF* tif) TIFFDirectory *td = &tif->tif_dir; PixarLogState* sp = DecoderState(tif); tmsize_t tbuf_size; + uint32 strip_height; assert(sp != NULL); @@ -682,6 +683,10 @@ PixarLogSetupDecode(TIFF* tif) if( (sp->state & PLSTATE_INIT) != 0 ) return 1; + strip_height = td->td_rowsperstrip; + if( strip_height > td->td_imagelength ) + strip_height = td->td_imagelength; + /* Make sure no byte swapping happens on the data * after decompression. */ tif->tif_postdecode = _TIFFNoPostDecode; @@ -691,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif) sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), - td->td_rowsperstrip), sizeof(uint16)); + strip_height), sizeof(uint16)); /* add one more stride in case input ends mid-stride */ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) |