From 6ffbd01d4c8fec0a7c08df4955fd2afa5f3b48c8 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 27 Nov 2021 14:55:06 +0100
Subject: TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance tag on a non EXIF directory
Fixes #316
The Valgrind trace was
```
TIFFReadCustomDirectory: Warning, Unknown field with tag 37382 (0x9206) encountered.
==3277355== Invalid read of size 1
==3277355== at 0x4842B60: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3277355== by 0x48BB799: _TIFFmemcpy (tif_unix.c:346)
==3277355== by 0x485B3CB: _TIFFVSetField (tif_dir.c:647)
==3277355== by 0x485C125: TIFFVSetField (tif_dir.c:890)
==3277355== by 0x485BEDC: TIFFSetField (tif_dir.c:834)
==3277355== by 0x486DA9A: TIFFFetchSubjectDistance (tif_dirread.c:5826)
==3277355== by 0x4869E35: TIFFReadCustomDirectory (tif_dirread.c:4530)
==3277355== by 0x4869F0A: TIFFReadGPSDirectory (tif_dirread.c:4564)
==3277355== by 0x10AA7A: main (tiffinfo.c:171)
==3277355== Address 0x3fc856aaaaaaaaab is not stack'd, malloc'd or (recently) free'd
==3277355==
```
---
libtiff/tif_dirread.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index d84147a0..8f434ef5 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4527,7 +4527,14 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
 switch (dp->tdir_tag)
 {
 case EXIFTAG_SUBJECTDISTANCE:
- (void)TIFFFetchSubjectDistance(tif, dp);
+ if( strncmp(fip->field_name, "Tag ", 4) != 0 ) {
+ /* should only be called on a Exif directory */
+ /* when exifFields[] is active */
+ (void)TIFFFetchSubjectDistance(tif, dp);
+ }
+ else {
+ (void)TIFFFetchNormalTag(tif, dp, TRUE);
+ }
 break;
 default:
 (void)TIFFFetchNormalTag(tif, dp, TRUE);
-- 
cgit v1.2.1
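Review bot: The guard added in the `EXIFTAG_SUBJECTDISTANCE` case decides whether the EXIF field definitions are active by testing that `fip->field_name` does not begin with "Tag ", which ties a memory-safety decision to a naming convention the hunk never explains (presumably the name given to fields auto-created for unknown tags). If a caller-supplied field array defined tag 37382 under its own name with a different storage type, the entry would still reach `TIFFFetchSubjectDistance`, so the invalid read shown in the Valgrind trace may be only partly closed. Checking the field's declared set-type, or the identity of the active field array, would match the comment's stated intent more directly. At minimum the comment should say what the prefix means, e.g. `/* fields auto-created for unknown tags are named "Tag <n>"; only the registered EXIF definition may go through TIFFFetchSubjectDistance() */`. The switch sits in a function body that starts and ends outside the hunk, so how `fip` is assigned and whether it can be stale here cannot be confirmed from these lines.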