From f4a8d3d70483c7d781e1e674a633a449e52197e8 Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber@reactos.org>
Date: Mon, 13 Apr 2020 17:55:00 +0200
Subject: [PATCH] [WINDOWSCODECS] Avoid buffer underflow in
 TiffFrameDecode_ReadTile. CORE-16796

---
 dll/win32/windowscodecs/tiffformat.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/dll/win32/windowscodecs/tiffformat.c b/dll/win32/windowscodecs/tiffformat.c
index 6f4f6d06b74..e7141fc3e23 100644
--- a/dll/win32/windowscodecs/tiffformat.c
+++ b/dll/win32/windowscodecs/tiffformat.c
@@ -1164,6 +1164,21 @@ static HRESULT TiffFrameDecode_ReadTile(TiffFrameDecode *This, UINT tile_x, UINT
         {
             BYTE b = *src--;
 
+#ifdef __REACTOS__
+            dst -= 4;
+            dst[2] = (b & 0x08) ? 0xff : 0; /* R */
+            dst[1] = (b & 0x04) ? 0xff : 0; /* G */
+            dst[0] = (b & 0x02) ? 0xff : 0; /* B */
+            dst[3] = (b & 0x01) ? 0xff : 0; /* A */
+            if (count || This->decode_info.tile_width % 2 == 0)
+            {
+                dst -= 4;
+                dst[2] = (b & 0x80) ? 0xff : 0; /* R */
+                dst[1] = (b & 0x40) ? 0xff : 0; /* G */
+                dst[0] = (b & 0x20) ? 0xff : 0; /* B */
+                dst[3] = (b & 0x10) ? 0xff : 0; /* A */
+            }
+#else
             dst -= 8;
             dst[2] = (b & 0x80) ? 0xff : 0; /* R */
             dst[1] = (b & 0x40) ? 0xff : 0; /* G */
@@ -1173,6 +1188,7 @@ static HRESULT TiffFrameDecode_ReadTile(TiffFrameDecode *This, UINT tile_x, UINT
             dst[5] = (b & 0x04) ? 0xff : 0; /* G */
             dst[4] = (b & 0x02) ? 0xff : 0; /* B */
             dst[7] = (b & 0x01) ? 0xff : 0; /* A */
+#endif
         }
     }
     /* 16bpp RGBA */