commit 38b09fc7de522321a74e3168f6239a66655cde51
author Cristy <mikayla-grace@urban-warrior.org> Mon May 04 20:16:37 2020 -0400
committer Cristy <mikayla-grace@urban-warrior.org> Mon May 04 20:16:50 2020 -0400
tree 4228dfcba1f901418fe67a16f55d9e3dad18c460
parent 784b6ac9cc456ce5ddb304db5f17830b4c012a20

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22019

coders/tiff.c

diff --git a/coders/tiff.c b/coders/tiff.c
index 798611f..bed4b15 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -2045,15 +2045,15 @@
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         extent=TIFFTileSize(tiff);
 #if defined(TIFF_VERSION_BIG)
-        extent+=sizeof(uint64);
+        extent+=columns*sizeof(uint64);
 #else
-        extent+=sizeof(uint32);
+        extent+=columns*sizeof(uint32);
 #endif
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));
         if (tile_pixels == (unsigned char *) NULL)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-        (void) memset(tile_pixels,0,TIFFTileSize(tiff)*sizeof(*tile_pixels));
+        (void) memset(tile_pixels,0,extent*sizeof(*tile_pixels));
         for (i=0; i < (ssize_t) samples_per_pixel; i++)
         {
           switch (i)