authorerouault <erouault>2017-07-02 14:13:39 +0000
committererouault <erouault>2017-07-02 14:13:39 +0000
commit811d68846feaad751338a8d7fdd17d302baa192a (patch)
tree78576f841e399bad8ad348ad0598af35b9498ffa
parentee899d1ee015b541c3a7c648a9f65df40478d589 (diff)
downloadlibtiff-811d68846feaad751338a8d7fdd17d302baa192a.tar.gz
* libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). This issue was revealed by the change of 2017-06-30 in TIFFFillTile(), limiting the number of bytes read. But it could probably have been hit too in CHUNKY_STRIP_READ_SUPPORT mode previously? Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 Credit to OSS Fuzz
-rw-r--r--ChangeLog10
-rw-r--r--libtiff/tif_read.c7
2 files changed, 15 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 62258ddb..9a0082aa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-07-02 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
+ tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
+ This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
+ limiting the number of bytes read. But it could probably have been hit
+ too in CHUNKY_STRIP_READ_SUPPORT mode previously ?
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
+ Credit to OSS Fuzz
+
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* man: update documentation regarding SubIFD tag and
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 7e887d63..8153746d 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.62 2017-06-30 13:11:18 erouault Exp $ */
+/* $Id: tif_read.c,v 1.63 2017-07-02 14:13:39 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1421,7 +1421,10 @@ TIFFStartTile(TIFF* tif, uint32 tile)
else
{
tif->tif_rawcp = tif->tif_rawdata;
- tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
+ if( tif->tif_rawdataloaded > 0 )
+ tif->tif_rawcc = tif->tif_rawdataloaded;
+ else
+ tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
}
return ((*tif->tif_predecode)(tif,
(uint16)(tile/td->td_stripsperimage)));
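Review bot: The `else` fallback in TIFFStartTile() still takes `tif_rawcc` from `td->td_stripbytecount[tile]`, a count declared by the file, through an unchecked cast to `tmsize_t` and with no comparison against the buffer behind `tif_rawcp`. Decoders presumably treat `tif_rawcc` as the number of readable bytes, so if any path reaches this branch with `tif_rawdataloaded == 0` and fewer bytes present than declared, the mismatch this commit fixes for the loaded case would remain; the hunk does not show whether such a path exists. I would add a comment on the new branch, `/* tif_rawcc must reflect the bytes actually in tif_rawdata, not the count declared in the file */`, and confirm in the callers that the fallback value is bounded (for instance against `tif_rawdatasize`) and cannot become negative after the cast. The function starts outside the hunk, so the condition guarding this `else` block is not visible here.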