fixed inadequate validation of SubjectDistance (#2212)

2 files changed, 11 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 47c364e4..d298031c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2010-06-13  Frank Warmerdam  <warmerdam@pobox.com>
 
+	* libtiff/tif_dirread.c: Fixed inadequate validation of the 
+	SubjectDistance field (#2212).
+
 	* tiff2pdf.c: Fix assorted bugs in tiff2pdf: missing "return" 
 	in t2p_read_tiff_size() causes t2p->tiff_datasize to be set entirely 
 	wrong for COMPRESSION_JPEG case, resulting in memory stomp if actual 
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 79261c96..0c973ee9 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.92.2.7 2010-06-08 18:50:42 bfriesen Exp $ */
+/* $Id: tif_dirread.c,v 1.92.2.8 2010-06-14 00:19:22 fwarmerdam Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -1919,6 +1919,13 @@ TIFFFetchSubjectDistance(TIFF* tif, TIFFDirEntry* dir)
 	float v;
 	int ok = 0;
 
+    if( dir->tdir_count != 1 || dir->tdir_type != TIFF_RATIONAL )
+    {
+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+                       "incorrect count or type for SubjectDistance, tag ignored" );
+		return (0);
+    }
+
 	if (TIFFFetchData(tif, dir, (char *)l)
 	    && cvtRational(tif, dir, l[0], l[1], &v)) {
 		/*