From 37a02ad493586bfd21a6fb15c5d8deeaaaffc41b Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 1 Feb 2020 18:11:08 +0100
Subject: TIFFSetupStrips: enforce 2GB limitation of Strip/Tile Offsets/ByteCounts arrays

TIFFWriteDirectoryTagData() has an assertion that checks that the arrays are not larger than 2GB. So error out earlier if in that situation.
---
 libtiff/tif_write.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index 33e803c1..f79330e9 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -533,6 +533,13 @@ TIFFSetupStrips(TIFF* tif)
 isUnspecified(tif, FIELD_ROWSPERSTRIP) ?
 td->td_samplesperpixel : TIFFNumberOfStrips(tif);
 td->td_nstrips = td->td_stripsperimage;
+ /* TIFFWriteDirectoryTagData has a limitation to 0x80000000U bytes */
+ if( td->td_nstrips >= 0x80000000U / ((tif->tif_flags&TIFF_BIGTIFF)?0x8U:0x4U) )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "TIFFSetupStrips",
+ "Too large Strip/Tile Offsets/ByteCounts arrays");
+ return 0;
+ }
 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
 td->td_stripsperimage /= td->td_samplesperpixel;
 td->td_stripoffset_p = (uint64 *)
-- 
cgit v1.2.1
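Review bot: A classic-TIFF strip count just under 0x20000000 still passes the new guard in TIFFSetupStrips, yet the last context line casts the array to `uint64 *`, so each in-memory array would be close to 4 GiB. The guard bounds only the serialized size; the divisor looks like the per-entry size on disk, 8 bytes for BigTIFF and 4 otherwise. Whether such a request fails cleanly depends on the allocation call, which lies outside the hunk, so it is worth confirming that it checks the count-times-size multiplication, particularly on 32-bit builds where the product does not fit in `size_t`. The comment could also say where the divisor comes from, e.g. `/* on-disk entries are 8 bytes (BigTIFF) or 4 bytes (classic); TIFFWriteDirectoryTagData asserts the array is < 0x80000000 bytes */`. The function body starts and ends outside the hunk.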