* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid

undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648

2 files changed, 14 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 65176404..8e202a2c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2017-01-11 Even Rouault <even.rouault at spatialys.com>
 
+	* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
+	undefined behaviour caused by invalid shift exponent.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
 	of double to other data types to avoid undefined behaviour if the output range
 	isn't big enough to hold the input value.
diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index 09ef4949..e45e2a4e 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_jpeg.c,v 1.125 2017-01-11 12:15:01 erouault Exp $ */
+/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */
 
 /*
  * Copyright (c) 1994-1997 Sam Leffler
@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif)
                             "Invalig horizontal/vertical sampling value");
                     return (0);
                 }
+                if( td->td_bitspersample > 16 )
+                {
+                    TIFFErrorExt(tif->tif_clientdata, module,
+                                 "BitsPerSample %d not allowed for JPEG",
+                                 td->td_bitspersample);
+                    return (0);
+                }
 
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the