authorerouault <erouault>2017-07-11 21:38:04 +0000
committererouault <erouault>2017-07-11 21:38:04 +0000
commitc907c9aaaf37b171245e759cf69023ad911864ef (patch)
tree1b28ef0c794dc9bc4099b2555b5cfd943307124e
parent9b06b7337760a212e21a805a25ab4ff9fa6ad39e (diff)
* libtiff/tif_dir.c: avoid potential null pointer dereference in
_TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
-rw-r--r--ChangeLog6
-rw-r--r--libtiff/tif_dir.c4
2 files changed, 9 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 992dfe97..b4771234 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2017-07-11 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_dir.c: avoid potential null pointer dereference in
+ _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
+
+2017-07-11 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW
strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index a8839491..f00f8080 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.130 2017-05-17 21:54:05 erouault Exp $ */
+/* $Id: tif_dir.c,v 1.131 2017-07-11 21:38:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -872,6 +872,8 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
TIFFTagValue *tv = td->td_customValues + i;
if (tv->info->field_tag != tag)
continue;
+ if( tv->value == NULL )
+ return 0;
val = *(uint16 *)tv->value;
/* Truncate to SamplesPerPixel, since the */
/* setting code for INKNAMES assume that there are SamplesPerPixel */
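Review bot: The added guard in _TIFFVGetField() rejects a NULL `tv->value`, but the next line still reads a full `uint16` through the cast without confirming the stored value holds at least one element. Whether a corrupted TIFFTAG_NUMBEROFINKS entry can reach this point with a non-NULL buffer and a zero count is not visible in this hunk. If it can, the guard should cover it as well, for example `if( tv->value == NULL || tv->count < 1 )`. The early `return 0` is also silent, so a short comment such as `/* value is NULL when the tag instance in the file was corrupted */` would tell the next reader why a registered custom value can be empty. The loop and the rest of the function continue outside the hunk.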