authorerouault <erouault>2017-05-14 10:17:27 +0000
committererouault <erouault>2017-05-14 10:17:27 +0000
commit3184fb2e1973b0386758bf6e7e15526ca8fea748 (patch)
tree2bd3450ef0bb8fbdffbdda071716421627d9ec7f
parentb4c365f3e131daa426a57920bf1615130b38b7ec (diff)
downloadlibtiff-3184fb2e1973b0386758bf6e7e15526ca8fea748.tar.gz
* libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing. Credit to OSS-Fuzz (locally run, on GDAL)
-rw-r--r--ChangeLog6
-rw-r--r--libtiff/tif_luv.c6
2 files changed, 10 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 28e7be7e..80ae7042 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2017-05-14 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
+ allocation when RowsPerStrip tag is missing.
+ Credit to OSS-Fuzz (locally run, on GDAL)
+
+2017-05-14 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 08d8b4f3..59d0a74c 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.46 2017-05-13 18:29:38 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.47 2017-05-14 10:17:27 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -1314,8 +1314,10 @@ LogL16InitState(TIFF* tif)
}
if( isTiled(tif) )
sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else
+ else if( td->td_rowsperstrip != (uint32)-1 )
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
+ else
+ sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
if (multiply_ms(sp->tbuflen, sizeof (int16)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (int16))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
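Review bot: The new `else if( td->td_rowsperstrip != (uint32)-1 )` test only catches the exact missing-tag sentinel, so a file whose RowsPerStrip tag holds any other value much larger than the image height still sizes `sp->tbuflen` from it. A strip cannot hold more rows than the image has, so comparing against the image length covers both the missing tag and an oversized one: `else if( td->td_rowsperstrip < td->td_imagelength )`. The fallback still derives from the file-declared width and length, so the allocation remains only as trustworthy as those two fields. LogL16InitState begins and ends outside this hunk, and if other InitState routines in tif_luv.c compute `tbuflen` the same way (not visible here), they would need the same guard.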