From 6b842f4ec001b12a9348e95854e02bbd10a84e20 Mon Sep 17 00:00:00 2001
From: Eric Soroos
Date: Fri, 6 Mar 2020 22:59:18 +0000
Subject: [PATCH] Ensure that Tiff's concept of Strip and Tilesize matches Pillow's
---
 src/libImaging/TiffDecode.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
index c3df1174e..bb5b77804 100644
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
@@ -363,6 +363,13 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 state->bytes = row_byte_size * tile_length;
+ if (TIFFTileSize(tiff) > state->bytes) {
+ // If the strip size as expected by LibTiff isn't we're expecting, abort.
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
+ }
+
 /* realloc to fit whole tile */
 /* malloc check above */
 new_data = realloc (state->buffer, state->bytes);
@@ -424,11 +431,21 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 TIFFClose(tiff);
 return -1;
 }
-
+
 state->bytes = rows_per_strip * row_byte_size;
 TRACE(("StripSize: %d \n", state->bytes));
+ if (TIFFStripSize(tiff) > state->bytes) {
+ // If the strip size as expected by LibTiff isn't we're expecting, abort.
+ // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
+ // call to TIFFReadEncodedStrip ...
+
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
+ }
+
 /* realloc to fit whole strip */
 /* malloc check above */
 new_data = realloc (state->buffer, state->bytes);
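Review bot: Both new guards set `state->errcode = IMAGING_CODEC_MEMORY;` (here in the tile branch and again in the strip branch of the second hunk), which reports a file whose declared geometry disagrees with LibTiff's as an allocation failure. A caller or log reader then cannot tell a malformed or hostile TIFF from genuine memory pressure, which is the distinction that matters when triaging rejected images. If the codec's broken-data code fits the conventions used elsewhere in this decoder, `state->errcode = IMAGING_CODEC_BROKEN;` would describe the condition more accurately; otherwise a one-line comment explaining why the memory code was chosen would help. ImagingLibTiffDecode starts and ends outside the hunk, so the error-code convention in the rest of the function should be checked before changing it.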
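Review bot: The comment on the strip guard drops a word ("isn't we're expecting"), trails off in an ellipsis and never says why a larger TIFFStripSize is dangerous; the tile guard in the first hunk carries the same sentence and still says "strip" while testing TIFFTileSize. I would replace it with `// LibTiff decodes TIFFStripSize(tiff) bytes per strip; refuse if that exceeds the state->bytes we are about to allocate.` and use the equivalent wording with TIFFTileSize for the tile guard. The blank line left inside the `if` body before `state->errcode` can be removed. The read call itself is outside the hunk, so the statement that the decode writes into state->buffer is inferred from the realloc that follows and from the man-page text quoted in the comment.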