TiffAppendToStrip - rewrite-in-place logic tries to malloc with a size of 0 bytes
Summary
I am seeing a tempSize of 0 being passed to malloc here:
    uint64_t toCopy = td->td_stripbytecount_p[strip];
    if( toCopy < 1024 * 1024 )
        tempSize = (tmsize_t)toCopy;
    else
        tempSize = 1024 * 1024;
    //...
    temp = _TIFFmalloc(tempSize);
    if (temp == NULL) {
        TIFFErrorExt(tif->tif_clientdata, module, "No space for output buffer");
        return (0);
    }
Version
Steps to reproduce
We don't currently have a reproducer since this is happening with protected user data, where the user is not me. It's in a cloud flume worker.
Platform
- Custom: Linux, x86_64, google3/blaze built.
- Called from GDAL from 2018-Nov-02 - https://github.com/OSGeo/gdal/commit/e5e7b313540f0ff913fadfe6a273fb7c356a22cb
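
The following is an added example, not code from libtiff or from the report above. It shows why a zero `tempSize` matters for the pattern in the excerpt: the C standard leaves the result of `malloc(0)` implementation-defined (NULL or a unique pointer), so the NULL check can report an allocation failure when no memory was needed. The chunked copy loop, the helper names, the `alloc_null_on_zero` allocator and the choice to treat a zero-byte count as success are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_MAX (1024 * 1024) /* same 1 MiB cap as the excerpt */

/* Constructed allocator: models a platform where malloc(0) returns NULL,
 * which the C standard allows (the result is implementation-defined). */
static void *alloc_null_on_zero(size_t n) { return n ? malloc(n) : NULL; }

/* Pattern from the excerpt: size the temp buffer from the byte count and
 * treat NULL as out-of-memory. Returns 1 on success, 0 on failure. */
static int copy_unguarded(const uint8_t *src, uint8_t *dst, uint64_t toCopy,
                          void *(*alloc)(size_t))
{
    size_t tempSize = toCopy < CHUNK_MAX ? (size_t)toCopy : CHUNK_MAX;
    uint8_t *temp = alloc(tempSize);
    if (temp == NULL)
        return 0; /* also reached when tempSize == 0 and alloc(0) is NULL */
    for (uint64_t off = 0; off < toCopy; off += tempSize) {
        uint64_t left = toCopy - off;
        size_t n = left < tempSize ? (size_t)left : tempSize;
        memcpy(temp, src + off, n); /* stage through the temp buffer */
        memcpy(dst + off, temp, n);
    }
    free(temp);
    return 1;
}

/* Guarded variant (assumption: an empty strip means "nothing to copy"). */
static int copy_guarded(const uint8_t *src, uint8_t *dst, uint64_t toCopy,
                        void *(*alloc)(size_t))
{
    if (toCopy == 0)
        return 1; /* never ask the allocator for 0 bytes */
    return copy_unguarded(src, dst, toCopy, alloc);
}

int main(void)
{
    uint8_t src[4] = {1, 2, 3, 4}, dst[4] = {0}; /* constructed sample data */
    printf("unguarded, 0 bytes: %d\n", copy_unguarded(src, dst, 0, alloc_null_on_zero));
    printf("guarded,   0 bytes: %d\n", copy_guarded(src, dst, 0, alloc_null_on_zero));
    printf("guarded,   4 bytes: %d\n", copy_guarded(src, dst, sizeof src, alloc_null_on_zero));
    return 0;
}
```

With an allocator that returns a non-NULL pointer for a zero-size request, the unguarded version succeeds, so the outcome depends on the platform's allocator.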