From 9f839d923383e3bc21e25ce5e9c3b31901fcaf90 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 11 Jan 2017 12:51:59 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: in
 TIFFWriteDirectoryTagCheckedRational, replace assertion by runtime check to
 error out if passed value is strictly negative. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
---
 ChangeLog              | 11 +++++++++++
 libtiff/tif_dirwrite.c | 11 ++++++++---
 tools/tiffcrop.c       |  3 +--
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a7208f5e..6a752cd5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
+	assertion by runtime check to error out if passed value is strictly
+	negative.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
+
+	* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
+	caused double free.
+	Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
+
 2017-01-11 Even Rouault <even.rouault at spatialys.com>
 
 	* libtiff/tif_jpeg.c: avoid integer division by zero in
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index d34f6f61..055324db 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
+/* $Id: tif_dirwrite.c,v 1.84 2017-01-11 12:51:59 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -2094,10 +2094,15 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
 static int
 TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
 {
+        static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
 	uint32 m[2];
-	assert(value>=0.0);
 	assert(sizeof(uint32)==4);
-	if (value<=0.0)
+        if( value < 0 )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
+            return 0;
+        }
+	else if (value==0.0)
 	{
 		m[0]=0;
 		m[1]=1;
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 21dd0872..c69177e0 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.50 2017-01-11 12:51:59 erouault Exp $ */
 
 /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
  * the image data through additional options listed below
@@ -7996,7 +7996,6 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
   if (!TIFFWriteDirectory(out))
     {
     TIFFError("","Failed to write IFD for page number %d", pagenum);
-    TIFFClose(out);
     return (-1);
     }