authorerouault <erouault>2017-07-18 19:45:11 +0000
committererouault <erouault>2017-07-18 19:45:11 +0000
commit13e02541f408b2e7fad7427d3645958d8eff92cc (patch)
tree6aa8f01f7e72a53b1d9aaa38972c3108fb1cd565
parent5276749e99982849fd72771ad4c75d5fd3f7a88f (diff)
downloadlibtiff-13e02541f408b2e7fad7427d3645958d8eff92cc.tar.gz
* libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 Credit to OSS-Fuzz
-rw-r--r--ChangeLog7
-rw-r--r--libtiff/tif_luv.c6
2 files changed, 11 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index e8a2be5b..aa55fb43 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-07-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
+ allocation when RowsPerStrip tag is missing.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
+ Credit to OSS-Fuzz
+
2017-07-15 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: add protection against excessive memory
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 59d0a74c..0404ec16 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.47 2017-05-14 10:17:27 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.48 2017-07-18 19:45:12 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -1416,8 +1416,10 @@ LogLuvInitState(TIFF* tif)
}
if( isTiled(tif) )
sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else
+ else if( td->td_rowsperstrip != (uint32)-1 )
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
+ else
+ sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
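Review bot: The added test `else if( td->td_rowsperstrip != (uint32)-1 )` catches only the exact value used when the RowsPerStrip tag is absent, so a file that explicitly stores a RowsPerStrip well above the image height still sizes `tbuflen` from that value and can request the same oversized translation buffer. Bounding by the image height covers both the missing-tag and the oversized-tag case: `else if( td->td_rowsperstrip < td->td_imagelength )`, leaving the final `else` branch that uses `td_imagelength` as it is. The ImageWidth by ImageLength product is also read from the file, so the allocation remains limited only by the `multiply_ms(...) == 0` check and a `_TIFFmalloc` failure on the lines below. If the sentinel comparison is kept, a one-line comment such as `/* (uint32)-1: RowsPerStrip tag not present */` would explain the magic value. LogLuvInitState's body starts and ends outside this hunk, so any earlier clamping of RowsPerStrip is not visible here.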