Libtiff upstream security fixes

Upstream patches applied:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4

Bug: chromium:711638
Change-Id: I017bfa91f7682c190bd7f8dbe36c2c3d1ac68728
Reviewed-on: https://pdfium-review.googlesource.com/4313
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/third_party/libtiff/tif_jpeg.c b/third_party/libtiff/tif_jpeg.c
index abd0b0aa2f..4f154a7c2b 100644
--- a/third_party/libtiff/tif_jpeg.c
+++ b/third_party/libtiff/tif_jpeg.c
@@ -1634,6 +1634,20 @@ JPEGSetupEncode(TIFF* tif)
 	case PHOTOMETRIC_YCBCR:
 		sp->h_sampling = td->td_ycbcrsubsampling[0];
 		sp->v_sampling = td->td_ycbcrsubsampling[1];
+		if( sp->h_sampling == 0 || sp->v_sampling == 0 )
+		{
+			TIFFErrorExt(tif->tif_clientdata, module,
+					"Invalig horizontal/vertical sampling value");
+			return (0);
+		}
+		if( td->td_bitspersample > 16 )
+		{
+			TIFFErrorExt(tif->tif_clientdata, module,
+							"BitsPerSample %d not allowed for JPEG",
+							td->td_bitspersample);
+			return (0);
+		}
+
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the
 		 * default value is inappropriate for YCbCr.  Fill in the