https://github.com/libsdl-org/libtiff/commit/183076faa63c4b460d35e643383678812ce41464
From 183076faa63c4b460d35e643383678812ce41464 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Sun, 20 Feb 2022 13:44:58 +0100
Subject: [PATCH] _TIFFVSetField(): when passing a string without explicit
length, check that the length doesn't exceed the 1 << 31 maximum bytes we
support
---
libtiff/tif_dir.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 6dda9634..9fd2d45a 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -586,7 +586,18 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
else
{
mb=(char*)va_arg(ap,char*);
- ma=(uint32_t)(strlen(mb) + 1);
+ size_t len = strlen(mb) + 1;
+ if( len >= 0x80000000U )
+ {
+ status = 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Too long string value for \"%s\". "
+ "Maximum supported is 2147483647 bytes",
+ tif->tif_name,
+ fip->field_name);
+ goto end;
+ }
+ ma=(uint32_t)len;
}
tv->count=ma;
setByteArray(&tv->value,mb,ma,1);
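Review bot: `mb` goes from `va_arg` straight into `strlen()` with no NULL check, so a null pointer passed for this tag still faults before the new length guard is reached. If the caller contract does not already rule that out (not visible in this hunk), a guard such as `if( mb == NULL ) { status = 0; goto end; }` ahead of the `size_t len` line would reject it on the same error path. The bound `0x80000000U` and the `2147483647` in the message state one limit in two places, and `len` counts the terminating NUL; a comment like `/* len includes the NUL; 1 << 31 bytes and above are not supported */` above the check would make that explicit. `_TIFFVSetField` starts and ends outside the hunk, so the state `tv` is left in after `goto end` cannot be confirmed from here.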