From f1f86eedeea802317b75d97d867246f41bf9d616 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Thu, 15 Dec 2022 22:15:00 +0100
Subject: [PATCH] TIFFSetDirectory: avoid harmless unsigned-integer-overflow
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54343
---
libtiff/tif_dir.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 4a366545..c7789bb8 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -2041,10 +2041,14 @@ int TIFFSetDirectory(TIFF *tif, tdir_t dirn)
tif->tif_nextdiroff = nextdiroff;
/*
* Set curdir to the actual directory index. The
- * -1 is because TIFFReadDirectory will increment
+ * -1 decrement is because TIFFReadDirectory will increment
* tif_curdir after successfully reading the directory.
*/
- tif->tif_curdir = (dirn - n) - 1;
+ tif->tif_curdir = (dirn - n);
+ if (tif->tif_curdir == 0)
+ tif->tif_curdir = TIFF_NON_EXISTENT_DIR_NUMBER;
+ else
+ tif->tif_curdir--;
return (TIFFReadDirectory(tif));
}
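Review bot: The comment above the assignment still describes only the "-1" step and does not say why the zero case now stores `TIFF_NON_EXISTENT_DIR_NUMBER` instead of decrementing. I would add a line before the `if` such as `/* dirn - n == 0: set the sentinel explicitly rather than wrapping 0 - 1, which is well-defined but trips the unsigned-integer-overflow sanitizer */`. The new branch matches the old wrapped result only if `TIFF_NON_EXISTENT_DIR_NUMBER` is the maximum value of the `tif_curdir` type and `TIFFReadDirectory` advances from that sentinel to 0; neither is visible in this hunk, so both are worth confirming. Likewise, `dirn - n` would still wrap if `n` could exceed `dirn`; `n` is set outside the hunk, and the function body starts above it.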