From 95290821b4b170309ce104f866bcd9adff24ab0a Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Tue, 27 Jun 2017 13:44:44 +0000
Subject: * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
 double value can fit in a float before casting. Patch by Nicolas RUFF

---
 ChangeLog             | 5 +++++
 libtiff/tif_dirread.c | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index ecd70534..ab792220 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-06-27  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
+	double value can fit in a float before casting. Patch by Nicolas RUFF
+
 2017-06-26  Even Rouault <even.rouault at spatialys.com>
 
 	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2e2cdccc..a3d0efd1 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.212 2017-06-18 10:31:50 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -636,6 +636,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* d
 				err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m);
 				if (err!=TIFFReadDirEntryErrOk)
 					return(err);
+				if ((m > FLT_MAX) || (m < FLT_MIN))
+					return(TIFFReadDirEntryErrRange);
 				*value=(float)m;
 				return(TIFFReadDirEntryErrOk);
 			}
-- 
cgit v1.2.1