From 804f40f3bfe85300331fd1fb8317c46aa9625ed0 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 24 Aug 2019 00:37:17 +0200
Subject: [PATCH] _TIFFPartialReadStripArray(): avoid unsigned integer overflow.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16685
---
 libtiff/tif_dirread.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 95230cda..29874310 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -6033,6 +6033,14 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
 TIFFSwabLong(&offset);
 nBaseOffset = offset;
 }
+ /* To avoid later unsigned integer overflows */
+ if( nBaseOffset > (uint64)TIFF_INT64_MAX )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "Cannot read offset/size for strile %d", strile);
+ panVals[strile] = 0;
+ return 0;
+ }
 nOffset = nBaseOffset + sizeofval * strile;
 nOffsetStartPage = (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;