$NetBSD: patch-bc,v 1.1 2006/08/02 15:42:25 salo Exp $

Security fix for SA21304.

--- libtiff/tif_read.c.orig	2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_read.c	2006-08-02 17:18:41.000000000 +0200
@@ -272,7 +272,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_flags &= ~TIFF_MYBUFFER;
-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+		/*
+		 * This sanity check could potentially overflow, causing an OOB read.
+		 * verify that offset + bytecount is > offset.
+		 * -- taviso@google.com 14 Jun 2006
+		 */
+		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+			(td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) {
 			/*
 			 * This error message might seem strange, but it's
 			 * what would happen if a read were done instead.
@@ -470,7 +476,14 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_flags &= ~TIFF_MYBUFFER;
-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+		/*
+		 * We must check this calculation doesnt overflow, potentially
+		 * causing an OOB read.
+		 * -- taviso@google.com 15 Jun 2006
+		 */
+		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+			(td->td_stripoffset[tile] + bytecount) < 
+				td->td_stripoffset[tile]) {
 			tif->tif_curtile = NOTILE;
 			return (0);
 		}