Description: fix underflow loop in LZWDecodeCompat
Author: Kees Cook <kees@ubuntu.com>
Ubuntu: https://bugs.edge.launchpad.net/bugs/380149

--- tiff-3.8.2~/libtiff/tif_lzw.c	2009-06-21 16:10:05.000000000 -0700
+++ tiff-3.8.2/libtiff/tif_lzw.c	2009-06-21 16:09:38.000000000 -0700
@@ -670,6 +670,7 @@
 		}
 		oldcodep = codep;
 		if (code >= 256) {
+			char *op_orig = op;
 			/*
 		 	 * Code maps to a string, copy string
 			 * value to output (written in reverse).
@@ -704,7 +705,7 @@
 			tp = op;
 			do {
 				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL);
+			} while( (codep = codep->next) != NULL && tp > op_orig);
 		} else
 			*op++ = code, occ--;
 	}