https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7237

diff --git a/coders/tiff.c b/coders/tiff.c
index 2b2bc92b70f38259ff0de76ec12103288383a876..5799cbc6957fa7d929de44e0674137b59a1f66a9 100644 (file)
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -958,13 +958,12 @@ static tsize_t TIFFReadBlob(thandle_t image,tdata_t data,tsize_t size)
   return(count);
 }
 
-static int32 TIFFReadPixels(TIFF *tiff,size_t bits_per_sample,
-  tsample_t sample,ssize_t row,tdata_t scanline)
+static int32 TIFFReadPixels(TIFF *tiff,const tsample_t sample,const ssize_t row,
+  tdata_t scanline)
 {
   int32
     status;
 
-  (void) bits_per_sample;
   status=TIFFReadScanline(tiff,scanline,(uint32) row,sample);
   return(status);
 }
@@ -1764,12 +1763,13 @@ RestoreMSCWarning
     quantum_type=RGBQuantum;
     if (((MagickSizeType) TIFFScanlineSize(tiff)) > GetBlobSize(image))
       ThrowTIFFException(CorruptImageError,"InsufficientImageDataInFile");
-    tiff_pixels=(unsigned char *) AcquireMagickMemory(MagickMax(
-      TIFFScanlineSize(tiff),MagickMax((ssize_t) image->columns*
-      samples_per_pixel*pow(2.0,ceil(log(bits_per_sample)/log(2.0))),
-      image->columns*rows_per_strip)*sizeof(uint32)));
+    number_pixels=MagickMax(TIFFScanlineSize(tiff),MagickMax((ssize_t) 
+      image->columns*samples_per_pixel*pow(2.0,ceil(log(bits_per_sample)/
+      log(2.0))),image->columns*rows_per_strip)*sizeof(uint32));
+    tiff_pixels=(unsigned char *) AcquireMagickMemory(number_pixels);
     if (tiff_pixels == (unsigned char *) NULL)
       ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+    (void) ResetMagickMemory(tiff_pixels,0,number_pixels);
     switch (method)
     {
       case ReadSingleSampleMethod:
@@ -1811,7 +1811,7 @@ RestoreMSCWarning
           register Quantum
             *magick_restrict q;
 
-          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
+          status=TIFFReadPixels(tiff,0,y,(char *) tiff_pixels);
           if (status == -1)
             break;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -1864,7 +1864,7 @@ RestoreMSCWarning
           register Quantum
             *magick_restrict q;
 
-          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
+          status=TIFFReadPixels(tiff,0,y,(char *) tiff_pixels);
           if (status == -1)
             break;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -1899,8 +1899,7 @@ RestoreMSCWarning
             int
               status;
 
-            status=TIFFReadPixels(tiff,bits_per_sample,(tsample_t) i,y,(char *)
-              tiff_pixels);
+            status=TIFFReadPixels(tiff,(tsample_t) i,y,(char *) tiff_pixels);
             if (status == -1)
               break;
             q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -1956,7 +1955,7 @@ RestoreMSCWarning
           unsigned char
             *p;
 
-          status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
+          status=TIFFReadPixels(tiff,0,y,(char *) tiff_pixels);
           if (status == -1)
             break;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);