From c8f0a16f4ad10cd5d595bd5614104e2ecf52ee92 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 22 Sep 2020 18:27:44 +0200
Subject: tif_fax3.h: return error when a buffer overflow occurs.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25552 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25849
---
 libtiff/tif_fax3.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h
index 117619c5..9d765b6b 100644
--- a/libtiff/tif_fax3.h
+++ b/libtiff/tif_fax3.h
@@ -240,6 +240,11 @@ static const char* StateNames[] = {
  * current row and reset decoding state.
  */
 #define SETVALUE(x) do { \
+ if (pa >= thisrun + sp->nruns) { \
+ TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
+ sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
+ return (-1); \
+ } \
 *pa++ = RunLength + (x); \
 a0 += (x); \
 RunLength = 0; \
--
cgit v1.2.1
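Review bot: The added guard makes SETVALUE execute a bare `return (-1);` from whatever function expands it and silently pulls `tif`, `sp`, `thisrun` and `module` from that function's scope, none of which the macro definition states; this is the right place for the bound check, but the contract is now invisible at the definition. A comment above the `#define` should spell it out, e.g. `/* Requires tif, sp, thisrun, module in scope; on overrun of the thisrun[0..sp->nruns) buffer, reports the error and returns -1 from the enclosing (int-returning) function. */`. The comparison `pa >= thisrun + sp->nruns` rejects the write before it happens, which is correct as long as `thisrun` is the base of the buffer `sp->nruns` describes; the expansion sites (EXPAND1D/EXPAND2D and the decoders) are outside this hunk, so any direct write through `pa` that bypasses SETVALUE, if one exists, would remain unchecked. The `%u` conversions are only well-defined if `sp->line`, `tif_curtile` and `tif_curstrip` are unsigned int-sized, which cannot be confirmed from the hunk.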