From 79545bf2663bc184cadab73287b5200ce8c82c83 Mon Sep 17 00:00:00 2001 From: erouault Date: Mon, 24 Jul 2017 12:47:30 +0000 Subject: * libtiff/tif_luv.c: further reduce memory requirements for temporary buffer when RowsPerStrip >= image_length in LogLuvInitState() and LogL16InitState(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700 Credit to OSS Fuzz --- ChangeLog | 8 ++++++++ libtiff/tif_luv.c | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 54b40afd..3da2b704 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2017-07-24 Even Rouault + + * libtiff/tif_luv.c: further reduce memory requirements for temporary + buffer when RowsPerStrip >= image_length in LogLuvInitState() and + LogL16InitState(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700 + Credit to OSS Fuzz + 2017-07-24 Even Rouault * libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c index 0404ec16..4b25244b 100644 --- a/libtiff/tif_luv.c +++ b/libtiff/tif_luv.c @@ -1,4 +1,4 @@ -/* $Id: tif_luv.c,v 1.48 2017-07-18 19:45:12 erouault Exp $ */ +/* $Id: tif_luv.c,v 1.49 2017-07-24 12:47:30 erouault Exp $ */ /* * Copyright (c) 1997 Greg Ward Larson @@ -1314,7 +1314,7 @@ LogL16InitState(TIFF* tif) } if( isTiled(tif) ) sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength); - else if( td->td_rowsperstrip != (uint32)-1 ) + else if( td->td_rowsperstrip < td->td_imagelength ) sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip); else sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength); @@ -1416,7 +1416,7 @@ LogLuvInitState(TIFF* tif) } if( isTiled(tif) ) sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength); - else if( td->td_rowsperstrip != (uint32)-1 ) + else if( td->td_rowsperstrip < td->td_imagelength ) sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip); else sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength); -- cgit v1.2.1