| From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001 |
| From: Even Rouault <even.rouault@spatialys.com> |
| Date: Wed, 23 Aug 2017 13:21:41 +0000 |
| Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not |
| finding the SubIFD tag by runtime check. Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 |
| |
| Upstream-Status: Backport |
| [https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e] |
| |
| CVE: CVE-2017-13726 |
| |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| ChangeLog | 7 +++++++ |
| libtiff/tif_dirwrite.c | 7 ++++++- |
| 2 files changed, 13 insertions(+), 1 deletion(-) |
| |
| diff --git a/ChangeLog b/ChangeLog |
| index 6980da8..3e299d9 100644 |
| --- a/ChangeLog |
| +++ b/ChangeLog |
| @@ -1,3 +1,10 @@ |
| +2017-08-23 Even Rouault <even.rouault at spatialys.com> |
| + |
| + * libtiff/tif_dirwrite.c: replace assertion related to not finding the |
| + SubIFD tag by runtime check. |
| + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 |
| + Reported by team OWL337 |
| + |
| 2017-07-15 Even Rouault <even.rouault at spatialys.com> |
| |
| * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" |
| diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c |
| index 8d6686b..14090ae 100644 |
| --- a/libtiff/tif_dirwrite.c |
| +++ b/libtiff/tif_dirwrite.c |
| @@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) |
| TIFFDirEntry* nb; |
| for (na=0, nb=dir; ; na++, nb++) |
| { |
| - assert(na<ndir); |
| + if( na == ndir ) |
| + { |
| + TIFFErrorExt(tif->tif_clientdata,module, |
| + "Cannot find SubIFD tag"); |
| + goto bad; |
| + } |
| if (nb->tdir_tag==TIFFTAG_SUBIFD) |
| break; |
| } |
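Review bot: The added guard `if( na == ndir )` is an exact-equality test, so it stops the scan only if `na` lands on `ndir` exactly; `if( na >= ndir )` expresses the same limit as the removed `assert(na<ndir)` and holds whatever the types and values of `na` and `ndir` are (their declarations are outside the hunk). The loop has no exit other than the `break` on `TIFFTAG_SUBIFD`, so with assertions compiled out the old code would presumably keep advancing `nb` beyond the `ndir` entries of `dir`; a one-line comment above the check would record that, e.g. `/* runtime check, not assert(): NDEBUG builds would scan past ndir entries */`. The `bad` label and the rest of TIFFWriteDirectorySec lie outside the hunk, so confirm that this error path releases `dir` and anything else allocated before the loop.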
| -- |
| 2.7.4 |
| |