libtiff: fixed buffer underflow bug (#2065)

https://github.com/libsdl-org/libtiff/commit/94e732d78f4233449640e00fcec0de8c3fb23685

From 94e732d78f4233449640e00fcec0de8c3fb23685 Mon Sep 17 00:00:00 2001
From: Frank Warmerdam <[EMAIL REDACTED]>
Date: Mon, 22 Jun 2009 04:57:31 +0000
Subject: [PATCH] fixed buffer underflow bug (#2065)

---
 ChangeLog         | 5 +++++
 libtiff/tif_lzw.c | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8d9c9c77..bde1fb40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-06-22  Frank Warmerdam  <warmerdam@pobox.com>
+
+	* libtiff/tif_lzw.c: Fix buffer underflow bug. 
+	http://bugzilla.maptools.org/show_bug.cgi?id=2065
+
 2009-06-03  Frank Warmerdam  <warmerdam@pobox.com>
 
 	* libtiff/tif_write.c: do not override the planar configuration to be
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index b870e857..bc4dac65 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -1,4 +1,4 @@
-/* $Id: tif_lzw.c,v 1.29.2.4 2009-01-01 00:10:43 bfriesen Exp $ */
+/* $Id: tif_lzw.c,v 1.29.2.5 2009-06-22 04:57:31 fwarmerdam Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -675,6 +675,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0, tsample_t s)
 		}
 		oldcodep = codep;
 		if (code >= 256) {
+			char *op_orig = op;
 			/*
 		 	 * Code maps to a string, copy string
 			 * value to output (written in reverse).
@@ -709,7 +710,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0, tsample_t s)
 			tp = op;
 			do {
 				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL);
+			} while( (codep = codep->next) != NULL && tp > op_orig);
 		} else
 			*op++ = code, occ--;
 	}