reincorporate sanity check on tag size at 2GB to avoid 32bit system overflow (#1993)

ChangeLog

@@ -1,5 +1,9 @@
 2009-02-05  Frank Warmerdam  <warmerdam@pobox.com>
 
+	* libtiff/tif_dirread.c: Re-incorporated a sanity check on tag size,
+	but at the 2GB boundary to avoid overflow on 32bit systems. 
+	http://bugzilla.maptools.org/show_bug.cgi?id=1993
+
 	* libtiff/tif_dirread.c: Remove some assertions that blow due to
 	corrupt files rather than in response to library internal 
 	inconsistencies.  

libtiff/tif_dirread.c

@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.151 2009-02-05 19:50:01 fwarmerdam Exp $ */
+/* $Id: tif_dirread.c,v 1.152 2009-02-05 20:13:44 fwarmerdam Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -766,12 +766,17 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
 		return(TIFFReadDirEntryErrOk);
 	}
         (void) desttypesize;
-#ifdef notdef
-	if ((uint64)(4*1024*1024/typesize)<direntry->tdir_count)
+
+        /* 
+         * As a sanity check, make sure we have no more than a 2GB tag array 
+         * in either the current data type or the dest data type.  This also
+         * avoids problems with overflow of tmsize_t on 32bit systems.
+         */
+	if ((uint64)(2147483647/typesize)<direntry->tdir_count)
 		return(TIFFReadDirEntryErrSizesan);
-	if ((uint64)(4*1024*1024/desttypesize)<direntry->tdir_count)
+	if ((uint64)(2147483647/desttypesize)<direntry->tdir_count)
 		return(TIFFReadDirEntryErrSizesan);
-#endif
+
 	*count=(uint32)direntry->tdir_count;
 	datasize=(*count)*typesize;
 	assert((tmsize_t)datasize>0);