https://github.com/libsdl-org/libtiff/commit/3554dedc99c2e00ed8d94b8285f822d514528c69
From 3554dedc99c2e00ed8d94b8285f822d514528c69 Mon Sep 17 00:00:00 2001
From: Frank Warmerdam <[EMAIL REDACTED]>
Date: Mon, 14 Jun 2010 00:19:22 +0000
Subject: [PATCH] fixed inadequate validation of SubjectDistance (#2212)
---
ChangeLog | 3 +++
libtiff/tif_dirread.c | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 47c364e4..d298031c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
2010-06-13 Frank Warmerdam <warmerdam@pobox.com>
+ * libtiff/tif_dirread.c: Fixed inadequate validation of the
+ SubjectDistance field (#2212).
+
* tiff2pdf.c: Fix assorted bugs in tiff2pdf: missing "return"
in t2p_read_tiff_size() causes t2p->tiff_datasize to be set entirely
wrong for COMPRESSION_JPEG case, resulting in memory stomp if actual
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 79261c96..0c973ee9 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.92.2.7 2010-06-08 18:50:42 bfriesen Exp $ */
+/* $Id: tif_dirread.c,v 1.92.2.8 2010-06-14 00:19:22 fwarmerdam Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1919,6 +1919,13 @@ TIFFFetchSubjectDistance(TIFF* tif, TIFFDirEntry* dir)
float v;
int ok = 0;
+ if( dir->tdir_count != 1 || dir->tdir_type != TIFF_RATIONAL )
+ {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count or type for SubjectDistance, tag ignored" );
+ return (0);
+ }
+
if (TIFFFetchData(tif, dir, (char *)l)
&& cvtRational(tif, dir, l[0], l[1], &v)) {
/*