$NetBSD: patch-CVE-2018-12900,v 1.1 2019/07/17 09:25:45 nia Exp $

Fixes CVE-2018-12900

Upstream commit:
https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01.patch

--- tools/tiffcp.c.orig	2018-10-13 13:58:55.000000000 +0000
+++ tools/tiffcp.c
@@ -41,6 +41,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #include <ctype.h>
 
@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
 	int status = 1;
 	uint32 imagew = TIFFRasterScanlineSize(in);
 	uint32 tilew = TIFFTileRowSize(in);
-	int iskew  = imagew - tilew*spp;
+	int iskew;
 	tsize_t tilesize = TIFFTileSize(in);
 	tdata_t tilebuf;
 	uint8* bufp = (uint8*) buf;
@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
 	uint32 row;
 	uint16 bps = 0, bytes_per_sample;
 
+	if (spp > (INT_MAX / tilew))
+	{
+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+		return 0;
+	}
+	iskew = imagew - tilew*spp;
 	tilebuf = _TIFFmalloc(tilesize);
 	if (tilebuf == 0)
 		return 0;
