From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 21 Jun 2022 15:06:40 -0400
Subject: [PATCH] prevent possible buffer overrun

---
 coders/tiff.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/coders/tiff.c b/coders/tiff.c
index e278ca7c0a..d5e30293db 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         */
         extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
 #if defined(TIFF_VERSION_BIG)
-        extent+=image->columns*sizeof(uint64);
+        extent+=samples_per_pixel*sizeof(uint64);
 #else
-        extent+=image->columns*sizeof(uint32);
+        extent+=samples_per_pixel*sizeof(uint32);
 #endif
         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*strip_pixels));
@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         number_pixels=(MagickSizeType) columns*rows;
         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+          TIFFTileSize(tiff));
 #if defined(TIFF_VERSION_BIG)
-        extent+=image->columns*sizeof(uint64);
+        extent+=samples_per_pixel*sizeof(uint64);
 #else
-        extent+=image->columns*sizeof(uint32);
+        extent+=samples_per_pixel*sizeof(uint32);
 #endif
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));
@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         number_pixels=(MagickSizeType) image->columns*image->rows;
 #if defined(TIFF_VERSION_BIG)
-        number_pixels+=image->columns*sizeof(uint64);
+        number_pixels+=samples_per_pixel*sizeof(uint64);
 #else
-        number_pixels+=image->columns*sizeof(uint32);
+        number_pixels+=samples_per_pixel*sizeof(uint32);
 #endif
         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
         if (generic_info == (MemoryInfo *) NULL)