tif_ojpeg.c: avoid use of uninitialized memory on edge/broken file. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16844
This commit is contained in:
parent
4b2a343001
commit
7475a28508
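--- a/tif_ojpeg.c
+++ b/tif_ojpeg.c
@@ -1241,7 +1241,13 @@ OJPEGWriteHeaderInfo(TIFF* tif)
 	sp->subsampling_convert_ybuflen=sp->subsampling_convert_ylinelen*sp->subsampling_convert_ylines;
 	sp->subsampling_convert_cbuflen=sp->subsampling_convert_clinelen*sp->subsampling_convert_clines;
 	sp->subsampling_convert_ycbcrbuflen=sp->subsampling_convert_ybuflen+2*sp->subsampling_convert_cbuflen;
-	sp->subsampling_convert_ycbcrbuf=_TIFFmalloc(sp->subsampling_convert_ycbcrbuflen);
+	/* The calloc is not normally necessary, except in some edge/broken cases */
+	/* for example for a tiled image of height 1 with a tile height of 1 and subsampling_hor=subsampling_ver=2 */
+	/* In that case, libjpeg will only fill the 8 first lines of the 16 lines */
+	/* See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16844 */
+	/* Even if this case is allowed (?), its handling is broken because OJPEGPreDecode() should also likely */
+	/* reset subsampling_convert_state to 0 when changing tile. */
+	sp->subsampling_convert_ycbcrbuf=_TIFFcalloc(1, sp->subsampling_convert_ycbcrbuflen);
 	if (sp->subsampling_convert_ycbcrbuf==0)
 	{
 		TIFFErrorExt(tif->tif_clientdata,module,"Out of memory");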
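Review bot: Switching to `_TIFFcalloc` removes the uninitialized read but leaves the decoder handing out lines libjpeg never produced, and the added comment itself says the tile-change handling in OJPEGPreDecode() is broken — zeroed pixels silently mask a malformed file rather than rejecting it. A stronger fix at this point would be to refuse the edge case explicitly, e.g. `TIFFErrorExt(tif->tif_clientdata,module,"Tile/strip height smaller than the vertical subsampling block is not supported"); return(0);` when that condition is detected, keeping the calloc as belt-and-braces. Separately, the three buffer-length lines at the top of the hunk multiply and add fields that appear to derive from the file's subsampling and tile geometry; if those are 32-bit values the arithmetic can wrap and produce an allocation smaller than later writes assume, so an overflow-checked multiply (or an explicit range check) is worth confirming upstream of this hunk. OJPEGWriteHeaderInfo begins and ends outside the visible hunk.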