libtiff: TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime check

SDLPushPostBot · May 7, 2022, 7:28pm

https://github.com/libsdl-org/libtiff/commit/cef46abf5457b73d0b30056081715366b7a07721

From cef46abf5457b73d0b30056081715366b7a07721 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Sat, 19 Feb 2022 15:10:25 +0100
Subject: [PATCH] TIFFWriteDirectoryTagData(): turn assertion on data length
 into a runtime check

For example, the assertion could actually be triggered when writing an
ASCII tag with more than 1 << 31 bytes.
---
 libtiff/tif_dirwrite.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index dbc8d8b5..d5a819da 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -3070,7 +3070,12 @@ TIFFWriteDirectoryTagData(TIFF* tif, uint32_t* ndir, TIFFDirEntry* dir, uint16_t
 			TIFFErrorExt(tif->tif_clientdata,module,"IO error writing tag data");
 			return(0);
 		}
-		assert(datalength<0x80000000UL);
+		if (datalength >= 0x80000000UL)
+		{
+			TIFFErrorExt(tif->tif_clientdata,module,
+			             "libtiff does not allow writing more than 2147483647 bytes in a tag");
+			return(0);
+		}
 		if (!WriteOK(tif,data,(tmsize_t)datalength))
 		{
 			TIFFErrorExt(tif->tif_clientdata,module,"IO error writing tag data");