From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Wed, 23 Aug 2017 13:33:42 +0000 Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting on uint32 when selecting the value of SubIFD tag by runtime check (in TIFFWriteDirectoryTagSubifd()). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 SubIFD tag by runtime check (in TIFFWriteDirectorySec()) Upstream-Status: Backport [https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc] CVE: CVE-2017-13727 Signed-off-by: Yi Zhao --- ChangeLog | 10 +++++++++- libtiff/tif_dirwrite.c | 9 ++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3e299d9..8f5efe9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,15 @@ 2017-08-23 Even Rouault + * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting + on uint32 when selecting the value of SubIFD tag by runtime check + (in TIFFWriteDirectoryTagSubifd()). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 + Reported by team OWL337 + +2017-08-23 Even Rouault + * libtiff/tif_dirwrite.c: replace assertion related to not finding the - SubIFD tag by runtime check. + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c index 14090ae..f0a4baa 100644 --- a/libtiff/tif_dirwrite.c +++ b/libtiff/tif_dirwrite.c 
@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) for (p=0; p < tif->tif_dir.td_nsubifd; p++) { assert(pa != 0); - assert(*pa <= 0xFFFFFFFFUL); + + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ + if( *pa > 0xFFFFFFFFUL) + { + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); + _TIFFfree(o); + return(0); + } *pb++=(uint32)(*pa++); } n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); -- 2.7.4
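Review bot: The ChangeLog hunk rewrites a line of the existing bug 2727 entry (`- SubIFD tag by runtime check.`), so this backport only applies cleanly to a tree that already carries that 2727 ChangeLog entry. State the ordering dependency in the patch header, or drop the ChangeLog hunk from the backport, since it is documentation only. The reworded line also loses its trailing period, and the same fragment, "SubIFD tag by runtime check (in TIFFWriteDirectorySec())", appears stray at the end of the commit message, where it describes the 2727 change rather than the TIFFWriteDirectoryTagSubifd() fix this patch is about.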
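Review bot: In the tif_dirwrite.c hunk, the `assert(pa != 0);` left directly above the new range check is still a debug-only assertion, and it is evaluated on every loop iteration even though `pa` is only ever incremented. If a null pointer here can be reached from file contents, it needs the same runtime treatment as the value check (`TIFFErrorExt(...)`, `_TIFFfree(o)`, `return(0)`); if it is a true invariant, test it once before the `for` loop. Two smaller points on the added lines: the message "Illegal value for SubIFD tag" would be easier to triage if it included the index `p` and the offending offset (TIFFErrorExt accepts printf-style arguments), and the comment should read "a ClassicTIFF" rather than "an classicTIFF".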