CVE: CVE-2019-7663 
Upstream-Status: Backport 
Signed-off-by:
Ross Burton <ross.burton@intel.com>

From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 10:05:33 +0100
Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow

From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 21:42:03 +0100
Subject: [PATCH 2/2] tiffcp.c: use INT_MAX

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Refresh this patch as it can't be applyed when using PATCHTOOL = "patch".
---
 tools/tiffcp.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 2f406e2..8c81aa4 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -41,6 +41,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #include <ctype.h>
 
@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
 	int status = 1;
 	uint32 imagew = TIFFRasterScanlineSize(in);
 	uint32 tilew = TIFFTileRowSize(in);
-	int iskew  = imagew - tilew*spp;
+	int iskew;
 	tsize_t tilesize = TIFFTileSize(in);
 	tdata_t tilebuf;
 	uint8* bufp = (uint8*) buf;
@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
 	uint32 row;
 	uint16 bps = 0, bytes_per_sample;
 
+	if (spp > (INT_MAX / tilew))
+	{
+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+		return 0;
+	}
+	iskew = imagew - tilew*spp;
 	tilebuf = _TIFFmalloc(tilesize);
 	if (tilebuf == 0)
 		return 0;
-- 
2.7.4