From a80b9eb70a8137e2571b2f32bd05d1a22a5603c4 Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Sat, 5 Oct 2024 09:45:30 -0700
Subject: [PATCH 2/7] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
 input, addresses issue #650

CVE: CVE-2024-13978
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 tools/tiff2pdf.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 6dfc239..2010fee 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P *t2p, TIFF *input)
             t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
             TIFFGetField(input, TIFFTAG_TILEWIDTH,
                          &(t2p->tiff_tiles[i].tiles_tilewidth));
+            if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
+            {
+                TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
+                          t2p->tiff_tiles[i].tiles_tilewidth,
+                          TIFFFileName(input));
+                t2p->t2p_error = T2P_ERR_ERROR;
+                return;
+            }
             TIFFGetField(input, TIFFTAG_TILELENGTH,
                          &(t2p->tiff_tiles[i].tiles_tilelength));
+            if (t2p->tiff_tiles[i].tiles_tilelength < 1)
+            {
+                TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
+                          t2p->tiff_tiles[i].tiles_tilelength,
+                          TIFFFileName(input));
+                t2p->t2p_error = T2P_ERR_ERROR;
+                return;
+            }
             t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
                 TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
                                  sizeof(T2P_TILE)));
-- 
2.47.3