From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 10 Nov 2020 01:01:59 +0100
Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
 YCbCr

fixes #220
Upstream-Status: Backport
https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
CVE: CVE-2021-35524
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>

---
 tools/tiff2pdf.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 719811ea..dc69d2f9 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
 #endif
 		(void) 0;
 	}
-	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
-	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
-		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+	if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+	   && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+		k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+	} else {
+		k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+		if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+			k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+		}
 	}
 	if (k == 0) {
 		/* Assume we had overflow inside TIFFScanlineSize */
-- 
GitLab