TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16784

author: Even Rouault <even.rouault@spatialys.com> 2019-08-26 18:57:29 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2019-08-26 18:57:29 +0200
commit: 244dfb46afb53243e69e691bfb882dfe388237ba (patch)
tree: a8bde616d7b8d9b5f7a36412c5b3339550895fc1
parent: 1a4efdd151ed5eea231004aa6daaaf3493954876 (diff)
download: libtiff-git-244dfb46afb53243e69e691bfb882dfe388237ba.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 29874310..467ff840 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4788,12 +4788,13 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir,
 		}
 	} else {
 		tmsize_t m;
-		tmsize_t off = (tmsize_t) tif->tif_diroff;
-		if ((uint64)off!=tif->tif_diroff)
+		tmsize_t off;
+		if (tif->tif_diroff > (uint64)TIFF_INT64_MAX)
 		{
 			TIFFErrorExt(tif->tif_clientdata,module,"Can not read TIFF directory count");
 			return(0);
 		}
+		off = (tmsize_t) tif->tif_diroff;
 
 		/*
 		 * Check for integer overflow when validating the dir_off,
author	Even Rouault <even.rouault@spatialys.com>	2019-08-26 18:57:29 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2019-08-26 18:57:29 +0200
commit	244dfb46afb53243e69e691bfb882dfe388237ba (patch)
tree	a8bde616d7b8d9b5f7a36412c5b3339550895fc1
parent	1a4efdd151ed5eea231004aa6daaaf3493954876 (diff)
download	libtiff-git-244dfb46afb53243e69e691bfb882dfe388237ba.tar.gz