diff options
author | erouault <erouault> | 2017-08-23 13:33:42 +0000 |
---|---|---|
committer | erouault <erouault> | 2017-08-23 13:33:42 +0000 |
commit | 1ddc038a2a9d52ec0573a7edabc2bead0d4b4501 (patch) | |
tree | 39267f24431a694c553b58af09854bd16ce85e51 | |
parent | 5c3a76098d0a7fe35709fb59aa14c64416ad664f (diff) | |
download | libtiff-1ddc038a2a9d52ec0573a7edabc2bead0d4b4501.tar.gz |
* libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
on uint32 when selecting the value of SubIFD tag by runtime check
(in TIFFWriteDirectoryTagSubifd()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
Reported by team OWL337
SubIFD tag by runtime check (in TIFFWriteDirectorySec())
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | libtiff/tif_dirwrite.c | 11 |
2 files changed, 18 insertions, 3 deletions
@@ -1,7 +1,15 @@ 2017-08-23 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting + on uint32 when selecting the value of SubIFD tag by runtime check + (in TIFFWriteDirectoryTagSubifd()). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 + Reported by team OWL337 + +2017-08-23 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_dirwrite.c: replace assertion related to not finding the - SubIFD tag by runtime check. + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c index 9553f860..c68d6d21 100644 --- a/libtiff/tif_dirwrite.c +++ b/libtiff/tif_dirwrite.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirwrite.c,v 1.88 2017-08-23 13:21:42 erouault Exp $ */ +/* $Id: tif_dirwrite.c,v 1.89 2017-08-23 13:33:42 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) for (p=0; p < tif->tif_dir.td_nsubifd; p++) { assert(pa != 0); - assert(*pa <= 0xFFFFFFFFUL); + + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ + if( *pa > 0xFFFFFFFFUL) + { + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); + _TIFFfree(o); + return(0); + } *pb++=(uint32)(*pa++); } n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); |