From aef4e3dbc9f56f4ad5fc692c2c43e6c96ac31f01 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sat, 31 Mar 2018 13:09:30 -0400 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7237 --- coders/tiff.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/coders/tiff.c b/coders/tiff.c index 2b2bc92b7..5799cbc69 100644 --- a/coders/tiff.c +++ b/coders/tiff.c @@ -958,13 +958,12 @@ static tsize_t TIFFReadBlob(thandle_t image,tdata_t data,tsize_t size) return(count); } -static int32 TIFFReadPixels(TIFF *tiff,size_t bits_per_sample, - tsample_t sample,ssize_t row,tdata_t scanline) +static int32 TIFFReadPixels(TIFF *tiff,const tsample_t sample,const ssize_t row, + tdata_t scanline) { int32 status; - (void) bits_per_sample; status=TIFFReadScanline(tiff,scanline,(uint32) row,sample); return(status); } @@ -1764,12 +1763,13 @@ RestoreMSCWarning quantum_type=RGBQuantum; if (((MagickSizeType) TIFFScanlineSize(tiff)) > GetBlobSize(image)) ThrowTIFFException(CorruptImageError,"InsufficientImageDataInFile"); - tiff_pixels=(unsigned char *) AcquireMagickMemory(MagickMax( - TIFFScanlineSize(tiff),MagickMax((ssize_t) image->columns* - samples_per_pixel*pow(2.0,ceil(log(bits_per_sample)/log(2.0))), - image->columns*rows_per_strip)*sizeof(uint32))); + number_pixels=MagickMax(TIFFScanlineSize(tiff),MagickMax((ssize_t) + image->columns*samples_per_pixel*pow(2.0,ceil(log(bits_per_sample)/ + log(2.0))),image->columns*rows_per_strip)*sizeof(uint32)); + tiff_pixels=(unsigned char *) AcquireMagickMemory(number_pixels); if (tiff_pixels == (unsigned char *) NULL) ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); + (void) ResetMagickMemory(tiff_pixels,0,number_pixels); switch (method) { case ReadSingleSampleMethod: @@ -1811,7 +1811,7 @@ RestoreMSCWarning register Quantum *magick_restrict q; - status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels); + status=TIFFReadPixels(tiff,0,y,(char *) tiff_pixels); if (status == -1) break; q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); @@ -1864,7 +1864,7 @@ RestoreMSCWarning register Quantum *magick_restrict q; - status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels); + status=TIFFReadPixels(tiff,0,y,(char *) tiff_pixels); if (status == -1) break; q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); @@ -1899,8 +1899,7 @@ RestoreMSCWarning int status; - status=TIFFReadPixels(tiff,bits_per_sample,(tsample_t) i,y,(char *) - tiff_pixels); + status=TIFFReadPixels(tiff,(tsample_t) i,y,(char *) tiff_pixels); if (status == -1) break; q=GetAuthenticPixels(image,0,y,image->columns,1,exception); @@ -1956,7 +1955,7 @@ RestoreMSCWarning unsigned char *p; - status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels); + status=TIFFReadPixels(tiff,0,y,(char *) tiff_pixels); if (status == -1) break; q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); -- 2.40.0