* libtiff/tif_dirread.c: in TIFFCheckDirOffset(), avoid uint16 overflow

when reading more than 65535 directories, and effectively error out when
reaching that limit.

ChangeLog

@@ -1,3 +1,9 @@
+2015-01-03  Even Rouault  <even.rouault@spatialys.com>
+
+	* libtiff/tif_dirread.c: in TIFFCheckDirOffset(), avoid uint16 overflow
+	when reading more than 65535 directories, and effectively error out when
+	reaching that limit.
+
 2014-12-29  Even Rouault  <even.rouault@spatialys.com>
 
 	* libtiff/tif_jpeg.c: in JPEGFixupTags(), recognize SOF2, SOF9 and SOF10

libtiff/tif_dirread.c

@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.182 2014-12-23 11:06:54 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.183 2015-01-03 18:03:40 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -4395,6 +4395,11 @@ TIFFCheckDirOffset(TIFF* tif, uint64 diroff)
 
 	if (diroff == 0)			/* no more directories */
 		return 0;
+	if (tif->tif_dirnumber == 65535) {
+	    TIFFErrorExt(tif->tif_clientdata, "TIFFCheckDirOffset",
+			 "Cannot handle more than 65535 TIFF directories");
+	    return 0;
+	}
 
 	for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
 		if (tif->tif_dirlist[n] == diroff)
@@ -4414,7 +4419,10 @@ TIFFCheckDirOffset(TIFF* tif, uint64 diroff)
 		    tif->tif_dirnumber, 2 * sizeof(uint64), "for IFD list");
 		if (!new_dirlist)
 			return 0;
-		tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
+		if( tif->tif_dirnumber >= 32768 )
+		    tif->tif_dirlistsize = 65535;
+		else
+		    tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
 		tif->tif_dirlist = new_dirlist;
 	}