From 7a092f8af2568d61993a8cc2e7a35a998d7d37be Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 17 Mar 2018 09:36:29 +0100
Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. Credit to OSS Fuzz Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
---
 libtiff/tif_dirread.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 1a3259c1..6baa7b31 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5700,9 +5700,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 /* file is as big as needed */
 if( tif->tif_mode == O_RDONLY &&
 nstrips > 1000000 &&
- (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
- tif->tif_dir.td_stripbytecount[0] >
- TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
+ (offset >= TIFFGetFileSize(tif) ||
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
 {
 return;
 }
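Review bot: The added expression `stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)` is free of a divide-by-zero only because the `nstrips > 1000000 &&` conjunct two lines earlier short-circuits before it; nothing at the division itself records that dependency, so a later reordering of the `&&` chain would reintroduce a zero divisor for an image with a single strip. I would pin the invariant next to the division, e.g. `/* nstrips > 1000000 was checked above, so nstrips - 1 != 0; keep that order */`. The new side also calls `TIFFGetFileSize(tif)` twice in one condition; hoisting it into a single local such as `uint64 filesize = TIFFGetFileSize(tif);` (declared with the function's other locals, which are outside this hunk; the uint64 return type is assumed from libtiff's API and should be confirmed) would make the check read as one size comparison and avoid querying the file size twice. Note that `offset`, `stripbytes` and `nstrips` are computed before this hunk and ChopUpSingleUncompressedStrip continues after it, so the guard's coverage for `nstrips <= 1000000` cannot be judged from these lines alone.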