From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001

From: Thomas Bernard <miniupnp@free.fr>

Date: Tue, 10 Nov 2020 01:54:30 +0100

Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for

 overflow

fixes #211

(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)

---

 libtiff/tif_getimage.c | 17 +++++++++++++----

 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c

index c6edd27c..b1f7cc95 100644

--- a/libtiff/tif_getimage.c

+++ b/libtiff/tif_getimage.c

@@ -31,6 +31,7 @@

  */

 #include "tiffiop.h"

 #include <stdio.h>

+#include <limits.h>

 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);

 static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);

@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)

     flip = setorientation(img);

     if (flip & FLIP_VERTICALLY) {

-	    y = h - 1;

-	    toskew = -(int32)(tw + w);

+        if ((tw + w) > INT_MAX) {

+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");

+            return (0);

+        }

+        y = h - 1;

+        toskew = -(int32)(tw + w);

     }

     else {

-	    y = 0;

-	    toskew = -(int32)(tw - w);

+        if (tw > (INT_MAX + w)) {

+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");

+            return (0);

+        }

+        y = 0;

+        toskew = -(int32)(tw - w);

     }

     /*