From 13e02541f408b2e7fad7427d3645958d8eff92cc Mon Sep 17 00:00:00 2001
From: erouault
Date: Tue, 18 Jul 2017 19:45:11 +0000
Subject: * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory allocation when RowsPerStrip tag is missing. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 Credit to OSS-Fuzz
---
 ChangeLog | 7 +++++++
 libtiff/tif_luv.c | 6 ++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e8a2be5b..aa55fb43 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-07-18 Even Rouault
+
+ * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
+ allocation when RowsPerStrip tag is missing.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
+ Credit to OSS-Fuzz
+
 2017-07-15 Even Rouault
 
 * libtiff/tif_read.c: add protection against excessive memory
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 59d0a74c..0404ec16 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.47 2017-05-14 10:17:27 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.48 2017-07-18 19:45:12 erouault Exp $ */
 
 /*
 * Copyright (c) 1997 Greg Ward Larson
@@ -1416,8 +1416,10 @@ LogLuvInitState(TIFF* tif)
 }
 if( isTiled(tif) )
 sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else
+ else if( td->td_rowsperstrip != (uint32)-1 )
 sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
+ else
+ sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
 if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 ||
 (sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) {
 TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
--
cgit v1.2.1
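Review bot: The new guard `else if( td->td_rowsperstrip != (uint32)-1 )` catches only the exact "tag missing" value, so a file that declares any other RowsPerStrip far larger than the image height still sizes `sp->tbuflen` as `td_imagewidth * td_rowsperstrip` and can request a very large translation buffer. Comparing against the image height covers both cases in one test: `else if( td->td_rowsperstrip < td->td_imagelength )`, with the existing `else` branch falling back to `td_imagelength`. The check that follows (`multiply_ms(...) == 0`) appears to reject only products that wrap, not large ones that fit, so it does not bound this allocation. If the sentinel comparison is kept, a short comment such as `/* (uint32)-1: RowsPerStrip tag absent */` would explain the magic value. LogLuvInitState starts before and continues after this hunk, so how `tbuf` is later indexed is not visible here.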