From 7b840002c1fb948a9153d53b9c79546c4dcfce2e Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Mon, 7 Sep 2020 23:51:21 +0200
Subject: [PATCH] Fax3PreDecode(): reset curruns and refruns state variables to avoid out-of-bounds write triggered by GDAL when repeatedly reading a corrupt strip.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25493
---
 libtiff/tif_fax3.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libtiff/tif_fax3.c b/libtiff/tif_fax3.c
index ac9724ea..cd8e4ef2 100644
--- a/libtiff/tif_fax3.c
+++ b/libtiff/tif_fax3.c
@@ -161,7 +161,9 @@ Fax3PreDecode(TIFF* tif, uint16 s)
  */
 sp->bitmap =
     TIFFGetBitRevTable(tif->tif_dir.td_fillorder != FILLORDER_LSB2MSB);
+ sp->curruns = sp->runs;
 if (sp->refruns) { /* init reference line to white */
+ sp->refruns = sp->runs + sp->nruns;
 sp->refruns[0] = (uint32) sp->b.rowpixels;
 sp->refruns[1] = 0;
 }
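Review bot: The two added resets carry no comment saying why they are needed, and the invariant they restore (`curruns` at the start of `runs`, `refruns` at `runs + nruns`) is otherwise only implied by setup code outside this hunk, so a later maintainer could drop one of them as redundant and silently reopen the out-of-bounds write the commit fixes. Suggest a comment above the `sp->curruns = sp->runs;` line such as `/* Re-anchor both run buffers at every strip start: a failed or partial decode of an earlier strip can leave them displaced (the 2-D decoder appears to swap them per row), and re-decoding the same strip would then index outside sp->runs. */`. The per-row swap is inferred from decoder code that is not in this hunk; reword if that is not the actual cause. Fax3PreDecode begins before the hunk and continues after it.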