In gtTileContig, w, tw are uint32. tw is obtained from TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); so it could be very large in corrupted files. fromskew, toskew are int32. There are several places in gtTileContig where these are assigned to computations using w, tw. Examples:

    toskew = -(int32)(tw + w);
    fromskew = tw - (w - tocol);

This can result in integer overflows which cause other problems, as pointers are shifted by toskew/fromskew later on.
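Added example, not libtiff code and not the upstream fix: the two expressions quoted in the report, evaluated exactly in 64-bit arithmetic and rejected when the result does not fit in int32. The function names and the sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The 32-bit form quoted in the report. tw + w wraps modulo 2^32 before the
 * cast; only call this with inputs whose wrapped sum is below 2^31. */
static int32_t toskew_32bit(uint32_t tw, uint32_t w)
{
    return -(int32_t)(tw + w);
}

/* Store v in *out and return 1 if it is representable as int32, else return 0. */
static int fits_int32(int64_t v, int32_t *out)
{
    if (v < INT32_MIN || v > INT32_MAX)
        return 0;
    *out = (int32_t)v;
    return 1;
}

/* toskew = -(tw + w), evaluated exactly in 64 bits. */
static int checked_toskew(uint32_t tw, uint32_t w, int32_t *out)
{
    return fits_int32(-((int64_t)tw + (int64_t)w), out);
}

/* fromskew = tw - (w - tocol), evaluated exactly in 64 bits. */
static int checked_fromskew(uint32_t tw, uint32_t w, uint32_t tocol, int32_t *out)
{
    return fits_int32((int64_t)tw - ((int64_t)w - (int64_t)tocol), out);
}

int main(void)
{
    /* Constructed values: a plausible tile width and one from a corrupted file. */
    const uint32_t w = 1000, tws[] = { 256u, 0xFFFFFFF0u };
    for (int i = 0; i < 2; i++) {
        int32_t skew = 0;
        int ok = checked_toskew(tws[i], w, &skew);
        printf("tw=%u w=%u 32-bit toskew=%d checked=%s\n",
               (unsigned)tws[i], (unsigned)w, (int)toskew_32bit(tws[i], w),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the corrupted tile width the 32-bit expression yields a small, plausible-looking skew, so a range check has to be made on the exact value before the skew is used to shift a pointer.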
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.