From e86d43caeec81132df187fff3763e8a6ea591742 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 18 Sep 2019 01:21:17 +0200
Subject: [PATCH] TIFFReadAndRealloc(): avoid too large memory allocation
 attempts. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17244

---
 libtiff/tif_read.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index b9e5a932..2ccaec98 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -60,6 +60,22 @@ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
 #endif
         tmsize_t already_read = 0;
 
+
+#if SIZEOF_SIZE_T != 8
+        /* On 32 bit processes, if the request is large enough, check against */
+        /* file size */
+        if( size > 1000 * 1000 * 1000 )
+        {
+            uint64 filesize = TIFFGetFileSize(tif);
+            if( (uint64)size >= filesize )
+            {
+                TIFFErrorExt(tif->tif_clientdata, module,
+                             "Chunk size requested is larger than file size.");
+                return 0;
+            }
+        }
+#endif
+
         /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
         /* so as to avoid allocating too much memory in case the file is too */
         /* short. We could ask for the file size, but this might be */