Fix for CVE-2021-25291

* Invalid tile boundaries lead to OOB Read in TiffDecode.c, in TiffReadRGBATile
* Check the tile validity before attempting to read.

Tests/test_tiff_crashes.py

@@ -32,6 +32,7 @@ from .helper import on_ci
         "Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif",
         "Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif",
         "Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif",
+        "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
     ],
 )
 @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")

src/libImaging/TiffDecode.c

@@ -479,6 +479,15 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 
         for (y = state->yoff; y < state->ysize; y += tile_length) {
             for (x = state->xoff; x < state->xsize; x += tile_width) {
+                /* Sanity Check. Apparently in some cases, the TiffReadRGBA* functions
+                   have a different view of the size of the tiff than we're getting from
+                   other functions. So, we need to check here. 
+                */
+                if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
+                    TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
+                    state->errcode = IMAGING_CODEC_BROKEN;
+                    goto decode_err;
+                }
                 if (isYCbCr) {
                     /* To avoid dealing with YCbCr subsampling, let libtiff handle it */
                     if (!TIFFReadRGBATile(tiff, x, y, (UINT32 *)state->buffer)) {