From 244dfb46afb53243e69e691bfb882dfe388237ba Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Mon, 26 Aug 2019 18:57:29 +0200 Subject: TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16784 --- libtiff/tif_dirread.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index 29874310..467ff840 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -4788,12 +4788,13 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, } } else { tmsize_t m; - tmsize_t off = (tmsize_t) tif->tif_diroff; - if ((uint64)off!=tif->tif_diroff) + tmsize_t off; + if (tif->tif_diroff > (uint64)TIFF_INT64_MAX) { TIFFErrorExt(tif->tif_clientdata,module,"Can not read TIFF directory count"); return(0); } + off = (tmsize_t) tif->tif_diroff; /* * Check for integer overflow when validating the dir_off, -- cgit v1.2.1