libtiff: * libtiff/tif_ojpeg.c: fix buffer overflow on problem data

https://github.com/libsdl-org/libtiff/commit/afba48129055a2b6be93a4e4c548240cfb6cfce9

From afba48129055a2b6be93a4e4c548240cfb6cfce9 Mon Sep 17 00:00:00 2001
From: Lee Howard <[EMAIL REDACTED]>
Date: Sat, 11 Dec 2010 21:25:03 +0000
Subject: [PATCH]         * libtiff/tif_ojpeg.c: fix buffer overflow on problem
 data         http://bugzilla.maptools.org/show_bug.cgi?id=1999

---
 ChangeLog           | 7 ++++++-
 libtiff/tif_ojpeg.c | 8 ++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2c92f577..38087716 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
-2010-12-08  Lee Howard <faxguy@howardsilvan.com>
+2010-12-11  Lee Howard <faxguy@howardsilvan.com>
+
+        * libtiff/tif_ojpeg.c: fix buffer overflow on problem data
+        http://bugzilla.maptools.org/show_bug.cgi?id=1999
+
+2010-12-11  Lee Howard <faxguy@howardsilvan.com>
 
 	* libtiff/tif_ojpeg.c: fix crash when reading a TIFF with a zero
 	or missing byte-count tag
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index c481a0b0..9eba6d5c 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_ojpeg.c,v 1.24.2.7 2010-12-11 19:16:26 faxguy Exp $ */
+/* $Id: tif_ojpeg.c,v 1.24.2.8 2010-12-11 21:25:04 faxguy Exp $ */
 
 /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
    specification is now totally obsolete and deprecated for new applications and
@@ -1537,7 +1537,6 @@ OJPEGReadHeaderInfoSecStreamSof(TIFF* tif, uint8 marker_id)
 		OJPEGReadSkip(sp,4);
 	else
 	{
-		/* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
 		/* Y: Number of lines */
 		if (OJPEGReadWord(sp,&p)==0)
 			return(0);
@@ -1555,6 +1554,11 @@ OJPEGReadHeaderInfoSecStreamSof(TIFF* tif, uint8 marker_id)
 			TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
 			return(0);
 		}
+		if ((uint32)p>sp->strile_width)
+		{
+			TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
+			return(0);
+		}
 		sp->sof_x=p;
 	}
 	/* Nf: Number of image components in frame */
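Review bot: The added guard `if ((uint32)p>sp->strile_width)` bounds only X, yet the TODO deleted earlier in this function asked for upper bounds in general ("especially x"), so the Y (number of lines) value read just above may still lack one. The Y validation sits between the two hunks and is not shown, so this may already be handled; if it is not, either bound Y the same way or keep a narrowed reminder such as `/* TODO: Y still has no upper-bound check */` instead of dropping the note. Separately, the error text says "expected image width" although the comparison is against the strip/tile width, which will mislead anyone triaging a rejected tiled file; naming the field actually compared would be clearer. A one-line comment above the guard, e.g. `/* SOF width must not exceed the strip/tile width (bugzilla 1999) */`, would also record why this bound was chosen. OJPEGReadHeaderInfoSecStreamSof starts and ends outside the hunk.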