authorEven Rouault <even.rouault@spatialys.com>2019-08-24 00:37:17 +0200
committerEven Rouault <even.rouault@spatialys.com>2019-08-24 00:37:17 +0200
commit804f40f3bfe85300331fd1fb8317c46aa9625ed0 (patch)
tree01d18c6871b7cab8f98ac527ab16c69490177e4d
parent7db298e3a8dfe5ca9f0264dfb6b36d80b2b97e5e (diff)
_TIFFPartialReadStripArray(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16685
-rw-r--r--libtiff/tif_dirread.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 95230cda..29874310 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -6033,6 +6033,14 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
TIFFSwabLong(&offset);
nBaseOffset = offset;
}
+ /* To avoid later unsigned integer overflows */
+ if( nBaseOffset > (uint64)TIFF_INT64_MAX )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot read offset/size for strile %d", strile);
+ panVals[strile] = 0;
+ return 0;
+ }
nOffset = nBaseOffset + sizeofval * strile;
nOffsetStartPage =
(nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;
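Review bot: The new `nBaseOffset > (uint64)TIFF_INT64_MAX` guard keeps `nOffset = nBaseOffset + sizeofval * strile;` from wrapping only if the product `sizeofval * strile` is itself evaluated in 64 bits and stays below 2^63. The declarations of `sizeofval` and `strile` are outside the hunk (the `%d` in the message suggests `strile` is an `int`), so this needs confirming, in particular for builds where the product could be computed in a 32-bit type. Widening explicitly, e.g. `nOffset = nBaseOffset + (uint64)sizeofval * strile;`, would make the guard sufficient without relying on those declarations. The comment could also name the expression it protects, for example `/* Reject offsets above INT64_MAX so nBaseOffset + sizeofval * strile cannot wrap uint64 */`. The body of `_TIFFPartialReadStripArray` starts and ends outside this hunk, so any bounds check on `strile` before `panVals[strile] = 0;` is not visible here.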