From 3519ab6c7fd9c7b3692a7053d2dac5a8958a6ab2 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 3 Sep 2019 20:15:41 +0200
Subject: ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer overflows.

Fixes https://oss-fuzz.com/testcase-detail/5686156066291712 and https://oss-fuzz.com/testcase-detail/6332499206078464
---
 libtiff/tif_dirread.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 94af0c96..6f909413 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3551,9 +3551,17 @@ static int ByteCountLooksBad(TIFF* tif)
 filesize = TIFFGetFileSize(tif);
 if( offset <= filesize && bytecount > filesize - offset )
 return 1;
- if( tif->tif_mode == O_RDONLY &&
- bytecount < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength)
- return 1;
+ if( tif->tif_mode == O_RDONLY )
+ {
+ uint64 scanlinesize = TIFFScanlineSize64(tif);
+ if( tif->tif_dir.td_imagelength > 0 &&
+ scanlinesize > TIFF_UINT64_MAX / tif->tif_dir.td_imagelength )
+ {
+ return 1;
+ }
+ if( bytecount < scanlinesize * tif->tif_dir.td_imagelength)
+ return 1;
+ }
 return 0;
 }
 
@@ -4573,6 +4581,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
 * of data in the strip and trim this number back accordingly.
 */
 strip--;
+ if (td->td_stripoffset_p[strip] > TIFF_UINT64_MAX - td->td_stripbytecount_p[strip])
+ return -1;
 if (td->td_stripoffset_p[strip]+td->td_stripbytecount_p[strip] > filesize) {
 if( td->td_stripoffset_p[strip] >= filesize ) {
 /* Not sure what we should in that case... */
-- 
cgit v1.2.1
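Review bot: The new overflow guard in ByteCountLooksBad returns 1 without recording why an overflowing `scanlinesize * td_imagelength` counts as a bad byte count, which invites a later reader to turn it into a plain skip; suggest a comment above the inner `if`, such as `/* scanlinesize * imagelength does not fit in 64 bits: the expected image data exceeds any file, so bytecount is necessarily too small; imagelength > 0 keeps the division safe */`. Separately, if TIFFScanlineSize64 signals an invalid directory by returning 0 (not visible in this hunk, so worth confirming), the product is 0 and the `bytecount <` comparison is vacuously false, so a directory whose scanline size could not be computed passes this check; that is pre-existing behaviour rather than something the commit introduces, but it may be worth handling while this block is being touched. The start of ByteCountLooksBad, where offset, bytecount and filesize are set, lies outside the hunk.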
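Review bot: The guard added before the `offset+bytecount > filesize` test aborts the whole estimate with `return -1` when the sum would wrap, while the very next line handles the non-wrapping "extends past end of file" case by trimming; a wrapping sum is the same condition taken further, so it could be folded into that branch with no separate guard, e.g. `if (td->td_stripoffset_p[strip] >= filesize || td->td_stripbytecount_p[strip] > filesize - td->td_stripoffset_p[strip]) {` as the condition, leaving the inner `if( td->td_stripoffset_p[strip] >= filesize )` as it is. If the hard failure is deliberate (a last-strip entry this far off may well deserve rejection), a comment would help, since the neighbouring branch documents its own uncertainty and this one says nothing, e.g. `/* offset+bytecount wraps uint64: not a plausible strip, give up on the estimate */`. What the caller does with -1 is not visible here, and EstimateStripByteCounts begins and ends outside the hunk.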