From 0c490accae2464cd4089af42db315e5995635692 Mon Sep 17 00:00:00 2001
From: Alexander Alekhin
Date: Fri, 5 Apr 2019 17:56:48 +0300
Subject: [PATCH] imgcodecs(tiff): check TIFF tile size
oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13280
oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13283
---
 modules/imgcodecs/src/grfmt_tiff.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/imgcodecs/src/grfmt_tiff.cpp b/modules/imgcodecs/src/grfmt_tiff.cpp
index b1f3d8192c..2094b1accc 100644
--- a/modules/imgcodecs/src/grfmt_tiff.cpp
+++ b/modules/imgcodecs/src/grfmt_tiff.cpp
@@ -401,6 +401,10 @@ bool TiffDecoder::readData( Mat& img )
 (!is_tiled && tile_height0 == std::numeric_limits::max()) ) tile_height0 = m_height;
+ CV_Assert((int)tile_width0 > 0 && (int)tile_width0 < std::numeric_limits::max());
+ CV_Assert((int)tile_height0 > 0 && (int)tile_height0 < std::numeric_limits::max());
+ CV_Assert(((uint64_t)tile_width0 * tile_height0 * ncn * (bpp / bitsPerByte) < (CV_BIG_UINT(1) << 30)) && "TIFF tile size is too large: >= 1Gb");
+ if (dst_bpp == 8) { // we will use TIFFReadRGBA* functions, so allocate temporary buffer for 32bit RGBA
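Review bot: In the third added `CV_Assert`, `bpp / bitsPerByte` is an integer division, so if `bpp` can be below 8 at this point (1- or 4-bit samples; its range is set outside this hunk) the factor becomes 0 and the 1 GB limit passes for any tile dimensions. Rounding up keeps the bound meaningful, e.g. `const uint64_t bytesPerSample = (bpp + bitsPerByte - 1) / bitsPerByte;` with `bytesPerSample` used in the product instead. The product itself can also wrap 64 bits if `ncn` and `bpp` arrive unchecked from the file, because the first two asserts still allow width times height to approach 2^62; range-checking both values before the multiplication would close that gap. A short comment above the three asserts saying that the tile geometry comes from untrusted TIFF tags and sizes the temporary buffer allocated below would help the next reader. readData's body starts and ends outside the hunk.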