From 40cf205c81d82aad9fb614d3587dad93861e84b7 Mon Sep 17 00:00:00 2001
From: Lucas CHOLLET
Date: Wed, 6 Mar 2024 21:47:29 -0500
Subject: [PATCH] LibGfx/TIFF: Reject images with a null value in tile's dimensions

Fixes oss-fuzz issue 66844. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66844&sort=-opened&q=proj%3Aserenity%20TIFF&can=1
---
 Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
index 62384797b5..c0761416ab 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
@@ -63,11 +63,14 @@ public:
 return {};
 }

- ErrorOr ensure_conditional_tags_are_present() const
+ ErrorOr ensure_conditional_tags_are_correct() const
 {
 if (m_metadata.photometric_interpretation() == PhotometricInterpretation::RGBPalette && !m_metadata.color_map().has_value())
 return Error::from_string_literal("TIFFImageDecoderPlugin: RGBPalette image doesn't contain a color map");

+ if (m_metadata.tile_width() == 0u || m_metadata.tile_length() == 0u)
+ return Error::from_string_literal("TIFFImageDecoderPlugin: Null value in tile's dimensions");
+
 return {};
 }

@@ -123,7 +126,7 @@ public:
 {
 TRY(ensure_baseline_tags_are_present(m_metadata));
 TRY(ensure_baseline_tags_are_correct());
- TRY(ensure_conditional_tags_are_present());
+ TRY(ensure_conditional_tags_are_correct());
 cache_values();

 auto maybe_error = decode_frame_impl();
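Review bot: The new guard in `ensure_conditional_tags_are_correct()` rejects only a tile dimension of exactly zero and leaves the upper end unchecked. If the tile width or length later feeds a multiplication or a buffer allocation in the decoder (not visible in this hunk), an attacker-chosen huge value deserves the same early rejection. The comparison with `0u` also appears to rely on an absent tag comparing unequal so that stripped images still pass, which the neighbouring `color_map().has_value()` suggests; a one-line comment such as `// Absent tile tags are allowed; a present zero is rejected because the tile size is used in later size computations.` would make that intent explicit, once confirmed against the decoder. The diffstat shows only TIFFLoader.cpp changing, so the oss-fuzz reproducer is not pinned by a regression test and adding it to the image decoder tests would keep this from regressing. The message text "Null value" reads like a missing tag, and "Zero value in tile's dimensions" would describe the rejected input more precisely.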