From 87934e22d056cb72ad6c7e9dc48e06d2a02e2dec Mon Sep 17 00:00:00 2001
From: Eric Soroos
Date: Wed, 31 Mar 2021 23:17:20 +0200
Subject: [PATCH] Fix for crash-0da0

---
 ...h-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif | Bin 0 -> 674 bytes
 Tests/test_tiff_crashes.py | 2 +-
 src/libImaging/TiffDecode.c | 9 ++++++---
 3 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 Tests/images/crash-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif

diff --git a/Tests/images/crash-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif b/Tests/images/crash-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif
new file mode 100644
index 0000000000000000000000000000000000000000..6e4e9b9caa53af34c5ee072974084618d9ffedc4
GIT binary patch
literal 674
zcmebD)MB{6z`*eT|NnF?AJ#(FhuWH*0!*z3oY)%`H#mJzl=$>1l|#&9$!777mM_~_ z4yv_qH+g^Cy(PzS-owDkI_&ON8&CV46TU+R7PsdszGI(^TjfAc)1uiC#v>#x2C_pkhy z6aGc*dU6{mo*i4Y;_G_v+Siv;er5IVkdd-05NJH6n zK(-8$UOA|^8&F&x%Ju`YHK1yMOa@IL8$<(r$Y2O`n+1>+1{5#?vPFRGK8PfPenx(7 zs(xxwW^%E9KxR%(ez|@~YH>-ier9fBdTOzLx`}QYNVq5^wMe%FD5F=Bna1FqpO#pm z5a8mb;Fg(Fl3Jvot5B9&RGgWgr(mpSZmI{ew?UPGK>OV

literal 0
HcmV?d00001

diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py
index a8e378ec1..6cdb8e44d 100644
--- a/Tests/test_tiff_crashes.py
+++ b/Tests/test_tiff_crashes.py
@@ -35,7 +35,7 @@ from .helper import on_ci
 "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
 "Tests/images/crash-74d2a78403a5a59db1fb0a2b8735ac068a75f6e3.tif",
 "Tests/images/crash-81154a65438ba5aaeca73fd502fa4850fbde60f8.tif",
-
+ "Tests/images/crash-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif",
 ],
 )
 @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
index 25616da24..bae3afff4 100644
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
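Review bot: The new fixture path is appended after the `crash-81154a65…tif` entry although the three visible neighbours (`63b1…`, `74d2…`, `8115…`) are in ascending hash order, so `crash-0da0…` would belong above them; if the parametrize list is meant to stay sorted, move `"Tests/images/crash-0da013a13571cc8eb457a39fee8db18f8a3c7127.tif",` up before the `63b1…` line. The list starts above the hunk, so I cannot see whether it is sorted throughout.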
@@ -451,7 +451,7 @@ _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imagin
 UINT8 *new_data;
 UINT32 rows_per_strip;
 int ret;
- tsize_t strip_size, row_byte_size;
+ tsize_t strip_size, row_byte_size, unpacker_row_byte_size;
 
 ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
 if (ret != 1 || rows_per_strip==(UINT32)(-1)) {
@@ -471,7 +471,8 @@ _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imagin
 return -1;
 }
 
- if (strip_size > ((state->xsize * state->bits / planes + 7) / 8) * rows_per_strip) {
+ unpacker_row_byte_size = (state->xsize * state->bits / planes + 7) / 8;
+ if (strip_size > (unpacker_row_byte_size * rows_per_strip)) {
 // If the strip size as expected by LibTiff isn't what we're expecting, abort.
 // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
 // call to TIFFReadEncodedStrip ...
@@ -485,7 +486,9 @@ _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imagin
 
 row_byte_size = TIFFScanlineSize(tiff);
 
- if (row_byte_size == 0 || row_byte_size > strip_size) {
+ // if the unpacker calculated row size is > row byte size, (at least) the last
+ // row of the strip will have a read buffer overflow.
+ if (row_byte_size == 0 || unpacker_row_byte_size > row_byte_size) {
 state->errcode = IMAGING_CODEC_BROKEN;
 return -1;
 }
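Review bot: `unpacker_row_byte_size` is computed in plain `int` arithmetic (`state->xsize * state->bits / planes`) and widened to `tsize_t` only on assignment, so a large width times bit depth can wrap before the `+ 7) / 8` rounding and make the strip-size comparison accept a strip it should reject; whether `state->xsize` is bounded by the caller is outside the hunk. Doing the arithmetic in `tsize_t` from the start, `unpacker_row_byte_size = ((tsize_t)state->xsize * state->bits / planes + 7) / 8;`, keeps the value in the same width as `strip_size`. The right-hand side `unpacker_row_byte_size * rows_per_strip` also mixes `tsize_t` with the `UINT32` `rows_per_strip`; the `TIFFTAG_ROWSPERSTRIP` fallback in the first hunk suggests it is clamped further down, but that is not visible here, and a one-line comment stating what bounds `rows_per_strip` at this point would make the check reviewable. The body of `_decodeStrip` continues outside the hunk.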
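Review bot: The rewritten condition in the third hunk drops the old `row_byte_size > strip_size` clause, which required the strip to hold at least one full scanline, and the new comment does not say that this lower bound was given up on purpose. The two new checks together only yield the upper bound `strip_size <= rows_per_strip * row_byte_size`; a `strip_size` smaller than `row_byte_size` now passes, so whatever consumes the strip after this hunk has to cope with libtiff returning fewer bytes than the rows the unpacker walks, and I cannot see that code here. I would either keep the clause, `if (row_byte_size == 0 || row_byte_size > strip_size || unpacker_row_byte_size > row_byte_size) {`, or extend the comment with why dropping it is safe, e.g. `// The strip_size check above already bounds strip_size from above; a strip shorter than one scanline is handled by the read below.` if that is in fact the case. `_decodeStrip` continues past the end of the hunk.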