From c290c1f228f88a84f15861a40ca03b82ad859165 Mon Sep 17 00:00:00 2001 From: Eric Soroos Date: Wed, 31 Mar 2021 21:04:59 +0200 Subject: [PATCH] fixes crash-74d2 --- ...d2a78403a5a59db1fb0a2b8735ac068a75f6e3.tif | Bin 0 -> 1026 bytes Tests/test_tiff_crashes.py | 2 ++ src/libImaging/TiffDecode.c | 30 ++++++++++-------- 3 files changed, 19 insertions(+), 13 deletions(-) create mode 100644 Tests/images/crash-74d2a78403a5a59db1fb0a2b8735ac068a75f6e3.tif diff --git a/Tests/images/crash-74d2a78403a5a59db1fb0a2b8735ac068a75f6e3.tif b/Tests/images/crash-74d2a78403a5a59db1fb0a2b8735ac068a75f6e3.tif new file mode 100644 index 0000000000000000000000000000000000000000..053e4e4e952ca9a0139f6d7a2b726c64b305fdc1 GIT binary patch literal 1026 zcmebD)M8L#W?-26NO_Ufk^28Y@PtFO{{OiTAm;z4e1ftr?jVtWr;6q**8~y^Pc%Fctuf9vD_|E>4lw{G>W*cD#KZ)Jz_a~+ZtcPSMFTBzV~tz!TG{~zT~ zY-iQb2xz?QzubGlL>U_`{-v*dU;p~I|NpOl(`#eHOLhlL?cZ{3m7HjcK`I}Y^8f#z zGzuI}UbV0)_%^qu?{ysize; } @@ -281,17 +281,6 @@ _decodeAsRGBA(Imaging im, ImagingCodecState state, TIFF *tiff) { img.req_orientation = ORIENTATION_TOPLEFT; img.col_offset = 0; - if (state->xsize != img.width || state->ysize != img.height) { - TRACE( - ("Inconsistent Image Error: %d =? %d, %d =? %d", - state->xsize, - img.width, - state->ysize, - img.height)); - state->errcode = IMAGING_CODEC_BROKEN; - goto decodergba_err; - } - /* overflow check for row byte size */ if (INT_MAX / 4 < img.width) { state->errcode = IMAGING_CODEC_MEMORY; @@ -429,7 +418,7 @@ _decodeTile(Imaging im, ImagingCodecState state, TIFF *tiff, int planes, Imaging for (x = state->xoff; x < state->xsize; x += tile_width) { /* Sanity Check. Apparently in some cases, the TiffReadRGBA* functions have a different view of the size of the tiff than we're getting from - other functions. So, we need to check here. + other functions. So, we need to check here. */ if (!TIFFCheckTile(tiff, x, y, 0, plane)) { TRACE(("Check Tile Error, Tile at %dx%d\n", x, y)); 
@@ -568,6 +557,7 @@ ImagingLibTiffDecode(
 uint16 planarconfig = 0;
 int planes = 1;
 ImagingShuffler unpackers[4];
+ UINT32 img_width, img_height;
 memset(unpackers, 0, sizeof(ImagingShuffler) * 4);
@@ -664,6 +654,20 @@ ImagingLibTiffDecode(
 }
 }
+ TIFFGetField(tiff, TIFFTAG_IMAGEWIDTH, &img_width);
+ TIFFGetField(tiff, TIFFTAG_IMAGELENGTH, &img_height);
+
+ if (state->xsize != img_width || state->ysize != img_height) {
+ TRACE(
+ ("Inconsistent Image Error: %d =? %d, %d =? %d",
+ state->xsize,
+ img_width,
+ state->ysize,
+ img_height));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ goto decode_err;
+ }
+
 TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
 TIFFGetField(tiff, TIFFTAG_COMPRESSION, &compression);
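Review bot: The two new `TIFFGetField` calls for `TIFFTAG_IMAGEWIDTH` and `TIFFTAG_IMAGELENGTH` discard their return value, and `img_width`/`img_height` are declared without an initialiser in the earlier hunk, so for a file that lacks either tag the size comparison reads an indeterminate value. The comparison would probably still reject such a file, but that depends on stack contents rather than on the code, and this check replaces the one the commit removes from `_decodeAsRGBA`, so it should fail closed explicitly. I would declare `UINT32 img_width = 0, img_height = 0;` and start the condition with the lookups, `if (!TIFFGetField(tiff, TIFFTAG_IMAGEWIDTH, &img_width) || !TIFFGetField(tiff, TIFFTAG_IMAGELENGTH, &img_height) || state->xsize != img_width || state->ysize != img_height) {`. The `TRACE` call also prints the `UINT32` values with `%d`, where `%u` or a cast would match the type. The body of ImagingLibTiffDecode starts and ends outside both hunks, so any earlier validation of these tags is not visible here.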