authorEven Rouault <even.rouault@spatialys.com>2017-07-10 10:40:27 +0000
committerEven Rouault <even.rouault@spatialys.com>2017-07-10 10:40:27 +0000
commitd69a373ecf36730c896c79795f726e069cb10794 (patch)
tree23f5c52795ac69d708bf849fbc8a945b86e6d281 /libtiff/tif_pixarlog.c
parent9129c40f98a211c39593ed4323f926c4c95fbd9a (diff)
* libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
when the RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX).
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz
Diffstat (limited to 'libtiff/tif_pixarlog.c')
-rw-r--r--libtiff/tif_pixarlog.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index f2263950..979858da 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.53 2017-05-17 09:53:06 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -673,6 +673,7 @@ PixarLogSetupDecode(TIFF* tif)
TIFFDirectory *td = &tif->tif_dir;
PixarLogState* sp = DecoderState(tif);
tmsize_t tbuf_size;
+ uint32 strip_height;
assert(sp != NULL);
@@ -682,6 +683,10 @@ PixarLogSetupDecode(TIFF* tif)
if( (sp->state & PLSTATE_INIT) != 0 )
return 1;
+ strip_height = td->td_rowsperstrip;
+ if( strip_height > td->td_imagelength )
+ strip_height = td->td_imagelength;
+
/* Make sure no byte swapping happens on the data
* after decompression. */
tif->tif_postdecode = _TIFFNoPostDecode;
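Review bot: The new clamp of `strip_height` to `td->td_imagelength` carries no comment, and its purpose is only recoverable from the commit message. A maintainer reading `if( strip_height > td->td_imagelength )` later could take it for dead code, so I would put a comment above the assignment: `/* RowsPerStrip is UINT_MAX when the tag is absent; a strip never holds more rows than the image, so clamp before sizing tbuf. */`. The rest of PixarLogSetupDecode is outside this hunk, so I cannot see whether the decode routine limits its writes by the allocated buffer size or recomputes a row count from `td_rowsperstrip`; that is worth confirming now that the buffer can be smaller than before.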
@@ -691,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif)
sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
+ strip_height), sizeof(uint16));
/* add one more stride in case input ends mid-stride */
tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
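Review bot: `tbuf_size` is still the product of `sp->stride`, `td->td_imagewidth` and `strip_height`, all taken from the file's directory, so the clamp removes the UINT_MAX sentinel but not the general case. A small file that declares large dimensions can still request a very large buffer, and from what is visible here `multiply_ms` only appears to guard against arithmetic overflow (the `tbuf_size == 0` test), not against a size out of proportion to the input. If that is accepted for now, say so next to the computation, e.g. `/* NOTE: size is bounded only by the declared image dimensions, not by the strip's byte count. */`; otherwise consider checking the request against the strip byte count or file size before allocating. The allocation itself is below the end of this hunk.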