diff options
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | libtiff/tif_luv.c | 6 |
2 files changed, 11 insertions, 2 deletions
@@ -1,3 +1,10 @@ +2017-07-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 + Credit to OSS-Fuzz + 2017-07-15 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_read.c: add protection against excessive memory diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c index 59d0a74c..0404ec16 100644 --- a/libtiff/tif_luv.c +++ b/libtiff/tif_luv.c @@ -1,4 +1,4 @@ -/* $Id: tif_luv.c,v 1.47 2017-05-14 10:17:27 erouault Exp $ */ +/* $Id: tif_luv.c,v 1.48 2017-07-18 19:45:12 erouault Exp $ */ /* * Copyright (c) 1997 Greg Ward Larson @@ -1416,8 +1416,10 @@ LogLuvInitState(TIFF* tif) } if( isTiled(tif) ) sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength); - else + else if( td->td_rowsperstrip != (uint32)-1 ) sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip); + else + sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength); if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 || (sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) { TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer"); |