diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | libtiff/tif_dirread.c | 4 |
2 files changed, 8 insertions, 1 deletions
@@ -1,3 +1,8 @@ +2017-06-27 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a + double value can fit in a float before casting. Patch by Nicolas RUFF + 2017-06-26 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index 2e2cdccc..a3d0efd1 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirread.c,v 1.212 2017-06-18 10:31:50 erouault Exp $ */ +/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -636,6 +636,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* d err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m); if (err!=TIFFReadDirEntryErrOk) return(err); + if ((m > FLT_MAX) || (m < FLT_MIN)) + return(TIFFReadDirEntryErrRange); *value=(float)m; return(TIFFReadDirEntryErrOk); } |