From c22f319eb4da5d75a5fcda41cf24983f7355d9c6 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 27 Aug 2019 10:58:21 +0200
Subject: [PATCH] tif_ojpeg.c: avoid unsigned integer overflow.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16793
---
 libtiff/tif_ojpeg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 33129d3f..83d2f5c6 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1317,7 +1317,9 @@ OJPEGReadHeaderInfoSec(TIFF* tif)
 }
 else
 {
- if ((sp->jpeg_interchange_format_length==0) || (sp->jpeg_interchange_format+sp->jpeg_interchange_format_length>sp->file_size))
+ if ((sp->jpeg_interchange_format_length==0) ||
+ (sp->jpeg_interchange_format > TIFF_UINT64_MAX - sp->jpeg_interchange_format_length) ||
+ (sp->jpeg_interchange_format+sp->jpeg_interchange_format_length>sp->file_size))
 sp->jpeg_interchange_format_length=sp->file_size-sp->jpeg_interchange_format;
 }
 }
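Review bot: The fallback assignment `sp->jpeg_interchange_format_length=sp->file_size-sp->jpeg_interchange_format;` on the context line after the new condition still wraps to a huge length if `jpeg_interchange_format` exceeds `file_size`, and nothing inside the hunk establishes that bound — it presumably comes from the preceding branch of this `if`/`else`, which lies outside the hunk, so confirm that check exists. Given that bound, the added `TIFF_UINT64_MAX` guard can be dropped by testing on the side that cannot overflow: `if (sp->jpeg_interchange_format_length == 0 || sp->jpeg_interchange_format_length > sp->file_size - sp->jpeg_interchange_format)`, which reads as "length runs past end of file" and needs no wraparound check. Whichever form is kept, a one-line comment on the guard would help the next reader, e.g. `/* offset+length must not wrap before the end-of-file bounds test */`. OJPEGReadHeaderInfoSec begins before this hunk.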