From b6af137bf9ef852f1a48a50a5afb88f9e9da01cc Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 23 Aug 2017 13:33:42 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting on uint32 when selecting the value of SubIFD tag by runtime check (in TIFFWriteDirectoryTagSubifd()). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index a85f0627..cad0a498 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
 for (p=0; p < tif->tif_dir.td_nsubifd; p++)
 {
 assert(pa != 0);
- assert(*pa <= 0xFFFFFFFFUL);
+
+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+ if( *pa > 0xFFFFFFFFUL)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+ _TIFFfree(o);
+ return(0);
+ }
 *pb++=(uint32)(*pa++);
 }
 n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
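Review bot: The `assert(pa != 0);` kept at the top of the loop body is the same kind of check this commit replaces for the value range: it disappears under NDEBUG and aborts the process otherwise, and it is re-evaluated on every iteration although `pa` only advances. If `td_subifd` can be null while `td_nsubifd` is non-zero (the assignment of `pa` is outside this hunk, so that is not confirmed here), a runtime check before the loop with the same cleanup would match the new code, e.g. `if (pa == NULL) { _TIFFfree(o); return(0); }`. The new error message would also be easier to triage if it included the loop index `p` of the offending entry. The function body starts and ends outside the hunk.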