TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16784

2019-08-26 18:57:29 +02:00 · 2019-08-26 18:57:29 +02:00 · 244dfb46af
commit 244dfb46af
parent 1a4efdd151
1 changed files with 3 additions and 2 deletions
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@ -4788,12 +4788,13 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir,
 		}
 	} else {
 		tmsize_t m;
-		tmsize_t off = (tmsize_t) tif->tif_diroff;
-		if ((uint64)off!=tif->tif_diroff)
+		tmsize_t off;
+		if (tif->tif_diroff > (uint64)TIFF_INT64_MAX)
 		{
 			TIFFErrorExt(tif->tif_clientdata,module,"Can not read TIFF directory count");
 			return(0);
 		}
+		off = (tmsize_t) tif->tif_diroff;

 		/*
 		 * Check for integer overflow when validating the dir_off,