1diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
2index b93b4c7..0674fa4 100644
3--- a/third_party/libtiff/tif_pixarlog.c
4+++ b/third_party/libtiff/tif_pixarlog.c
5@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
6 typedef struct {
7 TIFFPredictorState predict;
8 z_stream stream;
9+ tmsize_t tbuf_size; /* only set/used on reading for now */
10 uint16 *tbuf;
11 uint16 stride;
12 int state;
13@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
14 sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
15 if (sp->tbuf == NULL)
16 return (0);
17+ sp->tbuf_size = tbuf_size;
18 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
19 sp->user_datafmt = PixarLogGuessDataFmt(td);
20 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
21@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
22 TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
23 return (0);
24 }
25+ /* Check that we will not fill more than what was allocated */
26+ if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
27+ {
28+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
29+ return (0);
30+ }
31 do {
32 int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
33 if (state == Z_STREAM_END) {
34
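Review bot: The new `tbuf_size` field in the struct hunk does not state its unit, and because `tbuf` is a `uint16 *` a reader could take it for an element count. The PixarLogSetupDecode hunk stores the same value that was passed to `_TIFFmalloc`, so it is a byte count; the comment could read `/* size of tbuf in bytes; only set/used on reading for now */`. Since the field is assigned only on the decode setup path, it is worth confirming that the state struct is zero-initialised and that any code freeing `tbuf` also resets the size, neither of which is visible here. The struct definition continues outside the hunk.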
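Review bot: In PixarLogDecode the new guard casts `sp->stream.avail_out` to the signed `tmsize_t` before comparing, so on a build where tmsize_t is no wider than avail_out's unsigned type a value above its positive range would become negative and the check would not reject it. Whether the preceding size check already excludes that range cannot be seen from this hunk; comparing in the unsigned domain removes the dependency, for example `if (sp->tbuf_size < 0 || sp->stream.avail_out > (uint64)sp->tbuf_size)`. The error string only repeats the condition, and a message such as `"Output size exceeds allocated decode buffer"` would tell more to whoever reads the log. The function body starts before and continues past the hunk.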