CVE: CVE-2023-52356
Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a 
ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
 . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]

Backport of:

From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 15:58:41 +0100
Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
 col/row (fixes #622)

---
 libtiff/tif_getimage.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)


--- tiff-4.3.0.orig/libtiff/tif_getimage.c
+++ tiff-4.3.0/libtiff/tif_getimage.c
@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t
     }
 
     if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+        if (row >= img.height)
+        {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+                          "Invalid row passed to TIFFReadRGBAStrip().");
+            TIFFRGBAImageEnd(&img);
+            return (0);
+        }
 
         img.row_offset = row;
         img.col_offset = 0;
@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t
 	    return( 0 );
     }
 
+    if (col >= img.width || row >= img.height)
+    {
+        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+                      "Invalid row/col passed to TIFFReadRGBATile().");
+        TIFFRGBAImageEnd(&img);
+        return (0);
+    }
+
     /*
      * The TIFFRGBAImageGet() function doesn't allow us to get off the
      * edge of the image, even to fill an otherwise valid tile.  So we