libtiff: EvaluateIFDdatasizeReading(): avoid unsigned integer overflow (master only)

From ce1477da0b7d42b812fa48f5c82588a59c5e90f9 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Sat, 27 Apr 2024 12:57:00 +0200
Subject: [PATCH] EvaluateIFDdatasizeReading(): avoid unsigned integer overflow
 (master only)

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68327
---
 libtiff/tif_dirread.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 70074c73..4305a512 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4093,6 +4093,12 @@ static bool EvaluateIFDdatasizeReading(TIFF *tif, TIFFDirEntry *dp)
     const uint64_t datalength = dp->tdir_count * data_width;
     if (datalength > ((tif->tif_flags & TIFF_BIGTIFF) ? 0x8U : 0x4U))
     {
+        if (tif->tif_dir.td_dirdatasize_read > UINT64_MAX - datalength)
+        {
+            TIFFErrorExtR(tif, "EvaluateIFDdatasizeReading",
+                          "Too large IFD data size");
+            return false;
+        }
         tif->tif_dir.td_dirdatasize_read += datalength;
         if (!(tif->tif_flags & TIFF_BIGTIFF))
         {
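Review bot: The new guard covers only the running total; the product `dp->tdir_count * data_width` on the first context line is still computed unchecked in the visible lines, so a wrapped `datalength` would pass the added `UINT64_MAX - datalength` test as a small value. If nothing above the hunk already bounds it, a check such as `if (data_width != 0 && dp->tdir_count > UINT64_MAX / data_width)`, returning false with the same error, belongs before the multiplication. Because `tdir_count` presumably comes straight from the file's directory entry, a short comment on the new block, e.g. `/* count is file-controlled: reject before the running total wraps */`, would record why the test exists. The function starts and ends outside the hunk, so the declaration of `data_width` and how callers treat the `false` return are not visible here.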