https://codereview.chromium.org/2284063002
https://crbug.com/618267
https://pdfium.googlesource.com/pdfium/+/master/libtiff/

Author: tracy_jiang <tracy_jiang@foxitsoftware.com>
Date:   Mon Aug 29 13:42:56 2016 -0700

Fix for #618267. Adding a method to determine if multiplication has
overflow.

--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
 	/*
 	 * XXX: Check for integer overflow.
 	 */
-	if (nmemb && elem_size && bytes / elem_size == nmemb)
+	if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
 		cp = _TIFFrealloc(buffer, bytes);
 
 	if (cp == NULL) {
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -315,6 +315,9 @@ typedef size_t TIFFIOSize_t;
 #define _TIFF_off_t off_t
 #endif
 
+#include <limits.h>
+#define _TIFFIfMultiplicationOverflow(op1, op2) ((op1) > SSIZE_MAX / (op2))
+
 #if defined(__cplusplus)
 extern "C" {
 #endif