tif_ojpeg: avoid unsigned integer overflow (probably not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16635

author: Even Rouault <even.rouault@spatialys.com> 2019-08-23 12:38:46 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2019-08-23 12:38:46 +0200
commit: 5f6349d3f82007f0509eb33b20c36f22152db1a2 (patch)
tree: 1cbcb6e920a58440d848e4a5a53f303d36e2f904
parent: c9edebfdb039aa1be08561108a0b15175f4e5caa (diff)
download: libtiff-git-5f6349d3f82007f0509eb33b20c36f22152db1a2.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 643bcf23..87198200 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -2042,7 +2042,8 @@ OJPEGReadBufferFill(OJPEGState* sp)
 							sp->in_buffer_file_togo=bytecount;
 							if (sp->in_buffer_file_togo==0)
 								sp->in_buffer_file_pos=0;
-							else if (sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size)
+							else if (sp->in_buffer_file_pos > TIFF_UINT64_MAX - sp->in_buffer_file_togo || 
+                                                                sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size)
 								sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;
 						}
 					}
author	Even Rouault <even.rouault@spatialys.com>	2019-08-23 12:38:46 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2019-08-23 12:38:46 +0200
commit	5f6349d3f82007f0509eb33b20c36f22152db1a2 (patch)
tree	1cbcb6e920a58440d848e4a5a53f303d36e2f904
parent	c9edebfdb039aa1be08561108a0b15175f4e5caa (diff)
download	libtiff-git-5f6349d3f82007f0509eb33b20c36f22152db1a2.tar.gz