Fix for crash-0da0

Tests/test_tiff_crashes.py

@@ -35,7 +35,7 @@ from .helper import on_ci
         "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
         "Tests/images/crash-74d2a78403a5a59db1fb0a2b8735ac068a75f6e3.tif",
         "Tests/images/crash-81154a65438ba5aaeca73fd502fa4850fbde60f8.tif",
-
+        "Tests/images/crash-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif",
     ],
 )
 @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")

src/libImaging/TiffDecode.c

@@ -451,7 +451,7 @@ _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imagin
     UINT8 *new_data;
     UINT32 rows_per_strip;
     int ret;
-    tsize_t strip_size, row_byte_size;
+    tsize_t strip_size, row_byte_size, unpacker_row_byte_size;
 
     ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
     if (ret != 1 || rows_per_strip==(UINT32)(-1)) {
@@ -471,7 +471,8 @@ _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imagin
         return -1;
     }
 
-    if (strip_size > ((state->xsize * state->bits / planes + 7) / 8) * rows_per_strip) {
+    unpacker_row_byte_size = (state->xsize * state->bits / planes + 7) / 8;
+    if (strip_size > (unpacker_row_byte_size * rows_per_strip)) {
         // If the strip size as expected by LibTiff isn't what we're expecting, abort.
         // man:   TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
         //        call to TIFFReadEncodedStrip ...
@@ -485,7 +486,9 @@ _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imagin
 
     row_byte_size = TIFFScanlineSize(tiff);
 
-    if (row_byte_size == 0 || row_byte_size > strip_size) {
+    // if the unpacker calculated row size is > row byte size, (at least) the last
+    // row of the strip will have a read buffer overflow.
+    if (row_byte_size == 0 || unpacker_row_byte_size > row_byte_size) {
         state->errcode = IMAGING_CODEC_BROKEN;
         return -1;
     }