libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.

The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.

This CL strengthens integer overflow check in function _TIFFCheckRealloc.

BUG=chromium:654169
R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2405693002
diff --git a/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 0000000..3d494d8
--- /dev/null
+++ b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
+index 3ce3680..bc4ea01 100644
+--- a/third_party/libtiff/tif_aux.c
++++ b/third_party/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ 	/*
+ 	 * XXX: Check for integer overflow.
+ 	 */
+-	if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
++	if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ 		cp = _TIFFrealloc(buffer, bytes);
+ 
+ 	if (cp == NULL) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 2f9c4f9..66049c4 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -17,3 +17,4 @@
 0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak
 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
 0007-uninitialized-value.patch: Fix potentially uninitialized dircount value
+0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
index 3ce3680..bc4ea01 100644
--- a/third_party/libtiff/tif_aux.c
+++ b/third_party/libtiff/tif_aux.c
@@ -69,7 +69,7 @@
 	/*
 	 * XXX: Check for integer overflow.
 	 */
-	if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+	if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
 		cp = _TIFFrealloc(buffer, bytes);
 
 	if (cp == NULL) {