From 5f6349d3f82007f0509eb33b20c36f22152db1a2 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Fri, 23 Aug 2019 12:38:46 +0200
Subject: tif_ojpeg: avoid unsigned integer overflow (probably not a bug).

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16635
---
 libtiff/tif_ojpeg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 643bcf23..87198200 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -2042,7 +2042,8 @@ OJPEGReadBufferFill(OJPEGState* sp)
 			sp->in_buffer_file_togo=bytecount;
 			if (sp->in_buffer_file_togo==0)
 				sp->in_buffer_file_pos=0;
-			else if (sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size)
+			else if (sp->in_buffer_file_pos > TIFF_UINT64_MAX - sp->in_buffer_file_togo ||
+			         sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size)
 				sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;
 		}
 	}
-- 
cgit v1.2.1
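Review bot: The clamp that the new guard feeds into, `sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;`, is itself an unsigned subtraction that wraps whenever in_buffer_file_pos exceeds file_size, so if the strip/tile offset read from the file is not already bounded by file_size before this point (not visible in the hunk), an overflowing pos now produces a huge togo instead of a small one. The two-disjunct condition can be replaced by a single comparison that cannot overflow and makes the pos <= file_size precondition explicit: `else if (sp->in_buffer_file_togo > sp->file_size - sp->in_buffer_file_pos)`, keeping the existing clamp line unchanged; if pos can exceed file_size, an `else if (sp->in_buffer_file_pos >= sp->file_size) sp->in_buffer_file_togo=0;` branch ahead of it is needed as well. A one-line comment above the check, `/* offset and bytecount come from the file; bound the read to file_size without overflowing */`, would record why the arithmetic is written this way, which matters more than the title's "probably not a bug" suggests since both operands are attacker-controlled tag values. The enclosing OJPEGReadBufferFill starts and ends outside the hunk.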