From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Mon, 11 Jul 2016 16:54:49 +0200
Subject: [PATCH 8/8] Fix CVE-2016-5320

---
 libtiff/tif_pixarlog.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index c9f056e..c961529 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -462,7 +462,7 @@ typedef	struct {
 	int			state;
 	int			user_datafmt;
 	int			quality;
-	tsize_t			tbuf_size;
+	tmsize_t	tbuf_size;
 #define PLSTATE_INIT 1
 
 	TIFFVSetMethod		vgetparent;	/* super-class method */
@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif)
 	if (tbuf_size == 0)
 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+	sp->tbuf_size = tbuf_size;
 	if (sp->tbuf == NULL)
 		return (0);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
 		return (0);
 	}
+	if (sp->stream.avail_out > sp->tbuf_size)
+	{
+		TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size");
+		return (0);
+	}
 	do {
 		int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
 		if (state == Z_STREAM_END) {
-- 
2.7.4