From 43908ce15e8bf85f063443658d2a6da0d1cd4e74 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 10 Aug 2019 19:36:09 +0200
Subject: OJPEG: fix integer division by zero on corrupted subsampling factors. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15824. Credit to OSS Fuzz
---
 libtiff/tif_ojpeg.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index ad3e1e71..30820324 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1107,6 +1107,12 @@ OJPEGReadHeaderInfo(TIFF* tif)
 }
 if (sp->strile_lengthimage_length)
 {
+ if (((sp->subsampling_hor!=1) && (sp->subsampling_hor!=2) && (sp->subsampling_hor!=4)) ||
+ ((sp->subsampling_ver!=1) && (sp->subsampling_ver!=2) && (sp->subsampling_ver!=4)))
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Invalid subsampling values");
+ return(0);
+ }
 if (sp->strile_length%(sp->subsampling_ver*8)!=0)
 {
 TIFFErrorExt(tif->tif_clientdata,module,"Incompatible vertical subsampling and image strip/tile length");
-- cgit v1.2.1
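Review bot: The new range check on `sp->subsampling_hor` and `sp->subsampling_ver` sits inside the `if` that tests `sp->strile_length` against the image length, so a file whose strip/tile length does not take that branch keeps whatever subsampling values it declared. The modulo `sp->strile_length%(sp->subsampling_ver*8)` directly below is now guarded, but any later use of these factors as a divisor or buffer-size multiplier elsewhere in the decoder (not visible in this hunk) would presumably still see 0 or another out-of-range value. Consider hoisting the check above the enclosing `if` so it runs for every header, with a short comment such as `/* subsampling factors come from the file; only 1, 2 and 4 are valid */`. OJPEGReadHeaderInfo starts and ends outside the hunk, so whether an earlier step already normalises these values cannot be confirmed from here.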