diff options
| author | erouault <erouault> | 2017-07-10 10:40:27 +0000 |
|---|---|---|
| committer | erouault <erouault> | 2017-07-10 10:40:27 +0000 |
| commit | 576f725ce3b531b193a2ae0eba6cb55cab06ceed (patch) | |
| tree | cc5f378f2b251d7eaad532ff573d4e73331da11a | |
| parent | 3fb3c2aeb602d45a4242322880db6acebde8a9e9 (diff) | |
| download | libtiff-576f725ce3b531b193a2ae0eba6cb55cab06ceed.tar.gz | |
* libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | libtiff/tif_pixarlog.c | 9 |
2 files changed, 14 insertions, 2 deletions
@@ -1,3 +1,10 @@ +2017-07-10 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding + when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554 + Credit to OSS Fuzz + 2017-07-04 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedTileAndAllocBuffer() diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index f2263950..979858da 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.53 2017-05-17 09:53:06 erouault Exp $ */ +/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -673,6 +673,7 @@ PixarLogSetupDecode(TIFF* tif) TIFFDirectory *td = &tif->tif_dir; PixarLogState* sp = DecoderState(tif); tmsize_t tbuf_size; + uint32 strip_height; assert(sp != NULL); @@ -682,6 +683,10 @@ PixarLogSetupDecode(TIFF* tif) if( (sp->state & PLSTATE_INIT) != 0 ) return 1; + strip_height = td->td_rowsperstrip; + if( strip_height > td->td_imagelength ) + strip_height = td->td_imagelength; + /* Make sure no byte swapping happens on the data * after decompression. */ tif->tif_postdecode = _TIFFNoPostDecode; @@ -691,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif) sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), - td->td_rowsperstrip), sizeof(uint16)); + strip_height), sizeof(uint16)); /* add one more stride in case input ends mid-stride */ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) |