From ea69462ea25a00afd18df34c36cb7c487e1e0628 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 12 Aug 2019 17:55:56 +0200
Subject: OJPEGReadBufferFill(): avoid very long processing time on corrupted
 files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16400.
 master only

---
 libtiff/tif_ojpeg.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 30820324..643bcf23 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -2024,10 +2024,15 @@ OJPEGReadBufferFill(OJPEGState* sp)
 					sp->in_buffer_source=osibsEof;
 				else
 				{
-					sp->in_buffer_file_pos=TIFFGetStrileOffset(sp->tif, sp->in_buffer_next_strile);
+					int err = 0;
+					sp->in_buffer_file_pos=TIFFGetStrileOffsetWithErr(sp->tif, sp->in_buffer_next_strile, &err);
+					if( err )
+						return 0;
 					if (sp->in_buffer_file_pos!=0)
 					{
-                                                uint64 bytecount = TIFFGetStrileByteCount(sp->tif, sp->in_buffer_next_strile);
+						uint64 bytecount = TIFFGetStrileByteCountWithErr(sp->tif, sp->in_buffer_next_strile, &err);
+						if( err )
+							return 0;
 						if (sp->in_buffer_file_pos>=sp->file_size)
 							sp->in_buffer_file_pos=0;
 						else if (bytecount==0)
-- 
cgit v1.2.1