diff --git a/ChangeLog b/ChangeLog
index c408bf7b..226f8f84 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2016-11-16 Even Rouault
+
+ * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
+ NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
+ access are 0-byte arrays.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
+ by previous fix done on 2016-11-11 for CVE-2016-9297).
+ Reported by Henri Salo.
+
 2016-11-12 Bob Friesenhahn
 
 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 0ed3afa2..01070f2e 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.203 2016-11-11 20:22:01 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -5000,7 +5000,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
- if( data[dp->tdir_count-1] != '\0' )
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
 {
 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
 data[dp->tdir_count-1] = '\0';
@@ -5177,7 +5177,7 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
- if( data[dp->tdir_count-1] != '\0' )
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
 {
 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
 data[dp->tdir_count-1] = '\0';
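Review bot: A zero-count value still falls through past the new `dp->tdir_count > 0` guard in the hunk at 5000 (and the identical one at 5177), because the guard only skips the terminator check; per the ChangeLog entry, `data` is NULL in that case. The rest of each TIFFFetchNormalTag branch lies outside the hunk, so it should be confirmed that whatever consumes `data` after `int m;` accepts a NULL pointer with a count of 0, or that the 0-byte case is handled explicitly before that point. A short comment above the test would keep the guard from being simplified away later, e.g. `/* 0-byte array: data is NULL, nothing to terminate */`. Both branches now carry the same check-and-force-terminate lines, and since this was already a regression from the CVE-2016-9297 fix, a small static helper shared by the C16 and C32 cases would keep the two copies from drifting apart.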