From 926f93b96f79ecabb0a2d7014d3ebc85cd9d44fd Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 11 Jan 2025 22:32:50 +0100
Subject: [PATCH] libertiff.hpp: avoid harmless unsigned integer overflow (oss-fuzz #389332105)

---
 third_party/libertiff/libertiff.hpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/third_party/libertiff/libertiff.hpp b/third_party/libertiff/libertiff.hpp
index de5fd2ec7706..55fde834f508 100644
--- a/third_party/libertiff/libertiff.hpp
+++ b/third_party/libertiff/libertiff.hpp
@@ -1217,6 +1217,12 @@ class Image
 uint64_t offset = imageOffset;
 if LIBERTIFF_CONSTEXPR (isBigTIFF)
 {
+ // To prevent unsigned integer overflows in later additions. The
+ // theoretical max should be much closer to UINT64_MAX, but half of
+ // it is already more than needed in practice :-)
+ if (offset >= std::numeric_limits::max() / 2)
+ return nullptr;
+
 const auto tagCount64Bit = rc->read(offset, ok);
 // Artificially limit to the same number of entries as ClassicTIFF
 if (tagCount64Bit > std::numeric_limits::max())
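Review bot: The new guard `if (offset >= std::numeric_limits::max() / 2)` hard-codes the bound inline, and the comment only says half the range is "more than needed"; a named constant would make the intent greppable and reusable should the ClassicTIFF branch ever need the same protection, e.g. `static constexpr uint64_t kMaxSafeOffset = std::numeric_limits<uint64_t>::max() / 2;` with the check reading `if (offset >= kMaxSafeOffset) return nullptr;`. In this rendering the template arguments of `std::numeric_limits::max()` and `rc->read(offset, ok)` appear to have been stripped (likely an HTML artifact of angle-bracket arguments), so the lines should be read against the real file rather than as shown. The early `return nullptr;` rejects the file without touching `ok`; if callers distinguish "no image" from "read error" through `ok`, it may need to be set here, which the hunk does not show. Since the overflow was found by fuzzing, a regression test built from the oss-fuzz reproducer (#389332105) would pin the rejection of such offsets. The enclosing function begins and ends outside the hunk.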