From ea271d743467d82fb5ede54ffdf4ed05774d3b17 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Fri, 23 Aug 2019 13:03:44 +0200
Subject: EstimateStripByteCounts(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16643&
---
libtiff/tif_dirread.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 5dfef71d..95230cda 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4590,7 +4590,11 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
 uint64 rowbytes = TIFFScanlineSize64(tif);
 uint32 rowsperstrip = td->td_imagelength/td->td_stripsperimage;
 for (strip = 0; strip < td->td_nstrips; strip++)
- td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
+ {
+ if( rowbytes > 0 && rowsperstrip > TIFF_UINT64_MAX / rowbytes )
+ return -1;
+ td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
+ }
 }
 TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
 if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
--
cgit v1.2.1
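Review bot: The overflow guard added inside the `for` loop depends only on `rowbytes` and `rowsperstrip`, neither of which changes per strip, so it is re-evaluated on every iteration and reads as if it were a per-strip condition. Hoisting `if( rowbytes > 0 && rowsperstrip > TIFF_UINT64_MAX / rowbytes ) return -1;` above the loop would make the invariant explicit, though it would then also reject when `td_nstrips` is 0, so confirm that is acceptable. The new `return -1` is silent; a comment such as `/* rowbytes * rowsperstrip would not fit in uint64: reject the directory */` would document it, and a diagnostic through the file's usual error reporting, if one is in scope here, would help when triaging malformed files. The function starts and ends outside the hunk, so whether every caller checks its return value cannot be confirmed from here, and the early return only protects against the wrapped byte count if they do.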