From e07b6fdd72d638840c077a8b53226a6aefd7d9ec Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Tue, 27 Sep 2016 16:46:41 +0800 Subject: Bug 697157: tiff: Rational tag denominators may not be zero. --- source/fitz/load-tiff.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c index cfa8e2e2..9e37cc6f 100644 --- a/source/fitz/load-tiff.c +++ b/source/fitz/load-tiff.c @@ -619,6 +619,8 @@ fz_read_tiff_bytes(unsigned char *p, struct tiff *tiff, unsigned ofs, unsigned n static void fz_read_tiff_tag_value(unsigned *p, struct tiff *tiff, unsigned type, unsigned ofs, unsigned n) { + unsigned den; + tiff->rp = tiff->bp + ofs; if (tiff->rp > tiff->ep) tiff->rp = tiff->bp; @@ -629,7 +631,11 @@ fz_read_tiff_tag_value(unsigned *p, struct tiff *tiff, unsigned type, unsigned o { case TRATIONAL: *p = readlong(tiff); - *p = *p / readlong(tiff); + den = readlong(tiff); + if (den) + *p = *p / den; + else + *p = UINT_MAX; p ++; break; case TBYTE: *p++ = readbyte(tiff); break; -- cgit v1.2.3