libtiff/tif_dir.c: _TIFFVGetField(): fix heap out-of-bounds access when requesting TIFFTAG_NUMBEROFINKS on a EXIF directory. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2765. Reported by Google Autofuzz project

2017-12-31 15:30:44 +01:00 · 2017-12-31 15:30:44 +01:00 · 8d4d8b5c2f
commit 8d4d8b5c2f
parent c6f41df7b5
1 changed files with 12 additions and 12 deletions
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@ -861,14 +861,24 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
 	const TIFFField* fip = TIFFFindField(tif, tag, TIFF_ANY);
 	if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
 	    return 0;
+
+	/*
+	 * We want to force the custom code to be used for custom
+	 * fields even if the tag happens to match a well known 
+	 * one - important for reinterpreted handling of standard
+	 * tag values in custom directories (i.e. EXIF) 
+	 */
+	if (fip->field_bit == FIELD_CUSTOM) {
+		standard_tag = 0;
+	}
 	
-        if( tag == TIFFTAG_NUMBEROFINKS )
+        if( standard_tag == TIFFTAG_NUMBEROFINKS )
        {
            int i;
            for (i = 0; i < td->td_customValueCount; i++) {
                uint16 val;
                TIFFTagValue *tv = td->td_customValues + i;
-                if (tv->info->field_tag != tag)
+                if (tv->info->field_tag != standard_tag)
                    continue;
                if( tv->value == NULL )
                    return 0;
@ -890,16 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
            return 0;
        }

-	/*
-	 * We want to force the custom code to be used for custom
-	 * fields even if the tag happens to match a well known 
-	 * one - important for reinterpreted handling of standard
-	 * tag values in custom directories (i.e. EXIF) 
-	 */
-	if (fip->field_bit == FIELD_CUSTOM) {
-		standard_tag = 0;
-	}
-
 	switch (standard_tag) {
 		case TIFFTAG_SUBFILETYPE:
 			*va_arg(ap, uint32*) = td->td_subfiletype;