From 7ee553f4116b9688f574335bd71fb32f6e6c5f7a Mon Sep 17 00:00:00 2001
From: Dmitry Timoshkov
Date: Mon, 14 Jan 2019 14:14:53 +0800
Subject: [PATCH] windowscodecs: Fix the buffer size check in TIFF decoder's CopyPixels implementation.
Signed-off-by: Dmitry Timoshkov
Signed-off-by: Vincent Povirk
Signed-off-by: Alexandre Julliard
---
 dlls/windowscodecs/tests/tiffformat.c | 2 --
 dlls/windowscodecs/tiffformat.c | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/dlls/windowscodecs/tests/tiffformat.c b/dlls/windowscodecs/tests/tiffformat.c
index c15e4985e6d..7651ea154a8 100644
--- a/dlls/windowscodecs/tests/tiffformat.c
+++ b/dlls/windowscodecs/tests/tiffformat.c
@@ -598,11 +598,9 @@ static void test_tiff_24bpp(void)
 ok(hr == E_INVALIDARG, "CopyPixels(%u) should fail: %#x\n", stride, hr);
 else
 {
-todo_wine_if(stride > 3)
 ok(hr == S_OK, "CopyPixels(%u) error %#x\n", stride, hr);
 for (i = 0; i < sizeof(data); i++)
-todo_wine_if(stride > 3)
 ok(data[i] == expected_data[i], "%u: expected %02x, got %02x\n", i, expected_data[i], data[i]);
 }
 }
diff --git a/dlls/windowscodecs/tiffformat.c b/dlls/windowscodecs/tiffformat.c
index 93af5594a79..3d53b2439a3 100644
--- a/dlls/windowscodecs/tiffformat.c
+++ b/dlls/windowscodecs/tiffformat.c
@@ -1105,7 +1105,7 @@ static HRESULT WINAPI TiffFrameDecode_CopyPixels(IWICBitmapFrameDecode *iface,
 if (cbStride < bytesperrow)
 return E_INVALIDARG;
- if ((cbStride * prc->Height) > cbBufferSize)
+ if ((cbStride * (prc->Height-1)) + bytesperrow > cbBufferSize)
 return E_INVALIDARG;
 min_tile_x = prc->X / This->decode_info.tile_width;
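Review bot: The corrected bound in TiffFrameDecode_CopyPixels, `(cbStride * (prc->Height-1)) + bytesperrow > cbBufferSize`, still appears to be computed in 32-bit arithmetic, so a large caller-supplied stride and height can wrap around and let an undersized buffer pass the check that guards the later pixel copy. With `prc->Height == 0` the `Height-1` term also goes negative and wraps, so unless the rectangle is validated as non-empty earlier in the function (not visible in this hunk), that case should be rejected or handled before the multiply. Widening the product would close the overflow, e.g. `if (prc->Height < 1 || (ULONGLONG)cbStride * (prc->Height - 1) + bytesperrow > cbBufferSize)`. The parameter types and the rest of the function body lie outside the hunk, so this should be confirmed against the full signature and any earlier `prc` validation.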