* libtiff/tif_dirwrite.c: replace assertion to tag value not fitting

on uint32 when selecting the value of SubIFD tag by runtime check (in TIFFWriteDirectoryTagSubifd()). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 SubIFD tag by runtime check (in TIFFWriteDirectorySec())
author: erouault <erouault> 2017-08-23 13:33:42 +0000
committer: erouault <erouault> 2017-08-23 13:33:42 +0000
commit: 1ddc038a2a9d52ec0573a7edabc2bead0d4b4501 (patch)
tree: 39267f24431a694c553b58af09854bd16ce85e51
parent: 5c3a76098d0a7fe35709fb59aa14c64416ad664f (diff)
download: libtiff-1ddc038a2a9d52ec0573a7edabc2bead0d4b4501.tar.gz
2 files changed, 18 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 87554768..58d5e0cc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,15 @@
 2017-08-23  Even Rouault <even.rouault at spatialys.com>
 
+	* libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
+	on uint32 when selecting the value of SubIFD tag by runtime check
+	(in TIFFWriteDirectoryTagSubifd()).
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
+	Reported by team OWL337
+
+2017-08-23  Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
-	SubIFD tag by runtime check.
+	SubIFD tag by runtime check (in TIFFWriteDirectorySec())
 	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
 	Reported by team OWL337
 
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 9553f860..c68d6d21 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirwrite.c,v 1.88 2017-08-23 13:21:42 erouault Exp $ */
+/* $Id: tif_dirwrite.c,v 1.89 2017-08-23 13:33:42 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
 		for (p=0; p < tif->tif_dir.td_nsubifd; p++)
 		{
                         assert(pa != 0);
-			assert(*pa <= 0xFFFFFFFFUL);
+
+                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+                        if( *pa > 0xFFFFFFFFUL)
+                        {
+                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+                            _TIFFfree(o);
+                            return(0);
+                        }
 			*pb++=(uint32)(*pa++);
 		}
 		n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
author	erouault <erouault>	2017-08-23 13:33:42 +0000
committer	erouault <erouault>	2017-08-23 13:33:42 +0000
commit	1ddc038a2a9d52ec0573a7edabc2bead0d4b4501 (patch)
tree	39267f24431a694c553b58af09854bd16ce85e51
parent	5c3a76098d0a7fe35709fb59aa14c64416ad664f (diff)
download	libtiff-1ddc038a2a9d52ec0573a7edabc2bead0d4b4501.tar.gz