From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Wed, 19 Jul 2023 19:34:25 +0000
Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
 (fixes #591)

---
 tools/tiffcp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 3b2d1ddac..80b39829a 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
                   "Width * Samples/Pixel)");
         return 0;
     }
+
+    if ( (imagew - tilew * spp) > INT_MAX ){
+        TIFFError(TIFFFileName(in),
+                  "Error, image raster scan line size is too large");
+        return 0;       
+    }   
+
     iskew = imagew - tilew * spp;
     tilebuf = limitMalloc(tilesize);
     if (tilebuf == 0)
-- 
GitLab