From 8d4d8b5c2f4255b4b003ff1a7af7ba016c68d9a8 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sun, 31 Dec 2017 15:30:44 +0100
Subject: [PATCH] libtiff/tif_dir.c: _TIFFVGetField(): fix heap out-of-bounds access when requesting TIFFTAG_NUMBEROFINKS on a EXIF directory. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2765. Reported by Google Autofuzz project

---
 libtiff/tif_dir.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index cbf2b693..6f0b4879 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -861,14 +861,24 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
 const TIFFField* fip = TIFFFindField(tif, tag, TIFF_ANY);
 if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
 return 0;
+
+ /*
+ * We want to force the custom code to be used for custom
+ * fields even if the tag happens to match a well known
+ * one - important for reinterpreted handling of standard
+ * tag values in custom directories (i.e. EXIF)
+ */
+ if (fip->field_bit == FIELD_CUSTOM) {
+ standard_tag = 0;
+ }
 
- if( tag == TIFFTAG_NUMBEROFINKS )
+ if( standard_tag == TIFFTAG_NUMBEROFINKS )
 {
 int i;
 for (i = 0; i < td->td_customValueCount; i++) {
 uint16 val;
 TIFFTagValue *tv = td->td_customValues + i;
- if (tv->info->field_tag != tag)
+ if (tv->info->field_tag != standard_tag)
 continue;
 if( tv->value == NULL )
 return 0;
@@ -890,16 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
 return 0;
 }
 
- /*
- * We want to force the custom code to be used for custom
- * fields even if the tag happens to match a well known
- * one - important for reinterpreted handling of standard
- * tag values in custom directories (i.e. EXIF)
- */
- if (fip->field_bit == FIELD_CUSTOM) {
- standard_tag = 0;
- }
-
 switch (standard_tag) {
 case TIFFTAG_SUBFILETYPE:
 *va_arg(ap, uint32*) = td->td_subfiletype;
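Review bot: The moved FIELD_CUSTOM block now carries an ordering requirement that its comment does not state: the fix depends on `standard_tag` being cleared before the `if( standard_tag == TIFFTAG_NUMBEROFINKS )` scan over `td_customValues`, yet the comment still only explains why custom fields must bypass the standard `switch`, so a later tidy-up could move the block back below the scan and silently reintroduce the out-of-bounds access this patch addresses. I would add one sentence to the comment, e.g. `* This must stay above the TIFFTAG_NUMBEROFINKS lookup: in a custom directory (EXIF) an entry in td_customValues can carry that tag number with a value that is not the standard uint16 ink count (see bugzilla 2765).` — the exact mechanism is inferred from the subject line rather than visible here, so word it as the history shows it. The assignment of `standard_tag` from `tag`, and the rest of `_TIFFVGetField`, lie outside both hunks; the second hunk is the pure removal of the relocated block and needs no separate note.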