From 21cfbd887b092a8ba00bb055625bc52b7fd3f7d7 Mon Sep 17 00:00:00 2001
From: Frank Warmerdam
Date: Thu, 5 Feb 2009 20:13:44 +0000
Subject: [PATCH] reincorporate sanity check on tag size at 2GB to avoid 32bit system overflow (#1993)

---
 ChangeLog             |  4 ++++
 libtiff/tif_dirread.c | 15 ++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dc1954a6..20a75062 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2009-02-05 Frank Warmerdam
 
+	* libtiff/tif_dirread.c: Re-incorporated a sanity check on tag size,
+	but at the 2GB boundary to avoid overflow on 32bit systems.
+	http://bugzilla.maptools.org/show_bug.cgi?id=1993
+
 	* libtiff/tif_dirread.c: Remove some assertions that blow due to
 	corrupt files rather than in response to library internal
 	inconsistencies.
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index d8823579..7d2b4fb2 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.151 2009-02-05 19:50:01 fwarmerdam Exp $ */
+/* $Id: tif_dirread.c,v 1.152 2009-02-05 20:13:44 fwarmerdam Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -766,12 +766,17 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
 		return(TIFFReadDirEntryErrOk);
 	}
 	(void) desttypesize;
-#ifdef notdef
-	if ((uint64)(4*1024*1024/typesize)tdir_count)
+
+	/*
+	 * As a sanity check, make sure we have no more than a 2GB tag array
+	 * in either the current data type or the dest data type. This also
+	 * avoids problems with overflow of tmsize_t on 32bit systems.
+	 */
+	if ((uint64)(2147483647/typesize)tdir_count)
 		return(TIFFReadDirEntryErrSizesan);
-	if ((uint64)(4*1024*1024/desttypesize)tdir_count)
+	if ((uint64)(2147483647/desttypesize)tdir_count)
 		return(TIFFReadDirEntryErrSizesan);
-#endif
+
 	*count=(uint32)direntry->tdir_count;
 	datasize=(*count)*typesize;
 	assert((tmsize_t)datasize>0);
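Review bot: The `(void) desttypesize;` statement immediately above the new block is now dead: it only existed to silence an unused-parameter warning while the check sat under `#ifdef notdef`, and the re-enabled second comparison reads `desttypesize`, so that line should be removed in the same change. The literal `2147483647` appears twice and is described only as "2GB" in the comment; a named constant, e.g. a constructed `#define TIFF_TAG_MAXSIZE 2147483647` (or `INT32_MAX` if this file already uses `<stdint.h>`), keeps the comment and the bound from drifting apart. The two divisions also rely on `typesize` and `desttypesize` being nonzero, which the `return(TIFFReadDirEntryErrOk)` path at the top of the hunk presumably guarantees for `typesize` but which the comment does not state; adding `/* typesize and desttypesize are nonzero here; zero counts and unknown types return above */` would make the invariant explicit for the next maintainer. TIFFReadDirEntryArray begins before this hunk and continues after it.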