From dd50fedc2f660f73615d1aca043ac66de6af4117 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 20 Aug 2019 15:29:06 +0200
Subject: _TIFFPartialReadStripArray(): avoid triggering unsigned integer overflow with -fsanitize=unsigned-integer-overflow (not a bug, this is well defined by itself)
---
 libtiff/tif_dirread.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 3a06ea71..02642057 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5958,6 +5958,13 @@ static void TryChopUpUncompressedBigTiff( TIFF* tif )
 allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
 }
+
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
+static uint64 _TIFFUnsanitizedAddUInt64AndInt(uint64 a, int b)
+{
+ return a + b;
+}
+
 /* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
 * strip/tile of number strile. Also fetch the neighbouring values using a
 * 4096 byte page size.
@@ -6059,7 +6066,7 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
 iStartBefore = -strile;
 for( i = iStartBefore;
 (uint32)(strile + i) < arraySize &&
- (uint64)(nOffset) + (i + 1) * sizeofvalint <= nOffsetEndPage;
+ _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <= nOffsetEndPage;
 ++i )
 {
 if( sizeofval == sizeof(uint16) )
--
cgit v1.2.1
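Review bot: `_TIFFUnsanitizedAddUInt64AndInt` switches the overflow check off for every wrap of `a + b`, not only for the intended case where a negative `b` converts to a large uint64, so a sanitizer or fuzzing build stays silent here even if `a` is near the top of the range and `b` is positive. Branching on the sign would avoid the report without the annotation and keep the instrumentation for real wraps, for example `return b >= 0 ? a + (uint64)b : a - (uint64)(-(long long)b);` (the wider signed type to use is the project's choice). The helper also has no comment; I would add `/* b may be negative: the int converts to uint64 and the sum wraps modulo 2^64, which is the intended subtraction */` above it. The definition of `TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW` is outside this patch.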
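Review bot: The loop condition no longer shows that the addition is meant to wrap: the old line carried an explicit `(uint64)` cast, while the new call hides the int-to-uint64 conversion in argument passing. `(i + 1) * sizeofvalint` is negative while `i < -1` (the context line `iStartBefore = -strile;` shows `i` can start below zero), assuming `sizeofvalint` is a signed int as its name suggests. A comment above the condition such as `/* offset is negative for i < -1; the helper adds it modulo 2^64 */` would keep that visible to the next reader. The `for` statement's body and the computation of `nOffsetEndPage` lie outside the hunk.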