libtiff: TIFFAdvanceDirectory(): fix unsigned-integer-overflow in mapped case

From 343118c63c163684ac1ed7b6c31d8d61bb43fe55 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Mon, 10 Oct 2022 22:23:07 +0200
Subject: [PATCH] TIFFAdvanceDirectory(): fix unsigned-integer-overflow in
 mapped case

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52309
---
 libtiff/tif_dir.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 1c8bb255..9b153b63 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1633,9 +1633,14 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* n
 			tmsize_t poffa,poffb,poffc,poffd;
 			uint64_t dircount64;
 			uint16_t dircount16;
+			if( poff > (uint64_t)TIFF_TMSIZE_T_MAX - sizeof(uint64_t) )
+			{
+				TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
+				return(0);
+			}
 			poffa=(tmsize_t)poff;
 			poffb=poffa+sizeof(uint64_t);
-			if (((uint64_t)poffa != poff) || (poffb < poffa) || (poffb < (tmsize_t)sizeof(uint64_t)) || (poffb > tif->tif_size))
+			if (poffb > tif->tif_size)
 			{
 				TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
 				return(0);
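Review bot: The new guard `if( poff > (uint64_t)TIFF_TMSIZE_T_MAX - sizeof(uint64_t) )` is what makes the cast and the addition below it safe, but no comment says so, and the simplified `if (poffb > tif->tif_size)` now reads as if it were a complete bounds check on its own. I would add a comment above the guard such as `/* reject poff before the cast so poffa+sizeof(uint64_t) cannot wrap or exceed TIFF_TMSIZE_T_MAX */`, so a later cleanup does not drop or reorder it. The unchanged line `poffb=poffa+sizeof(uint64_t);` still does the sum in size_t and converts back implicitly; `poffb=poffa+(tmsize_t)sizeof(uint64_t);` would keep it in signed arithmetic and match the cast used in the second hunk's guard. The enclosing branch of TIFFAdvanceDirectory starts and ends outside this hunk.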
@@ -1649,9 +1654,14 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* n
 				return(0);
 			}
 			dircount16=(uint16_t)dircount64;
+			if( poffb > TIFF_TMSIZE_T_MAX - (tmsize_t)(dircount16*20) - (tmsize_t)sizeof(uint64_t) )
+			{
+				TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory link");
+				return(0);
+			}
 			poffc=poffb+dircount16*20;
 			poffd=poffc+sizeof(uint64_t);
-			if ((poffc<poffb) || (poffc<dircount16*20) || (poffd<poffc) || (poffd<(tmsize_t)sizeof(uint64_t)) || (poffd > tif->tif_size))
+			if (poffd > tif->tif_size)
 			{
 				TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory link");
 				return(0);
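Review bot: The entry size `20` now appears in both the new guard and `poffc=poffb+dircount16*20;`, and the guard is only correct while those two expressions stay identical. Computing it once, e.g. `tmsize_t dirsize=(tmsize_t)dircount16*20;`, then using `if( poffb > TIFF_TMSIZE_T_MAX - dirsize - (tmsize_t)sizeof(uint64_t) )` and `poffc=poffb+dirsize;`, removes that coupling and does the multiplication in tmsize_t rather than int. The guard also relies on poffb being non-negative, which the check in the first hunk establishes; a one-line comment stating that dependency would help. Both new rejections reuse the message of the bounds check that follows them, so a log cannot distinguish an offset that would overflow from one that merely lies past tif_size; distinct wording would make fuzz triage easier. The function body continues outside this hunk.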