https://github.com/libsdl-org/libtiff/commit/cef46abf5457b73d0b30056081715366b7a07721
From cef46abf5457b73d0b30056081715366b7a07721 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Sat, 19 Feb 2022 15:10:25 +0100
Subject: [PATCH] TIFFWriteDirectoryTagData(): turn assertion on data length
into a runtime check
For example, the assertion could actually be triggered when writing an
ASCII tag with more than 1 << 31 bytes.
---
libtiff/tif_dirwrite.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index dbc8d8b5..d5a819da 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -3070,7 +3070,12 @@ TIFFWriteDirectoryTagData(TIFF* tif, uint32_t* ndir, TIFFDirEntry* dir, uint16_t
TIFFErrorExt(tif->tif_clientdata,module,"IO error writing tag data");
return(0);
}
- assert(datalength<0x80000000UL);
+ if (datalength >= 0x80000000UL)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,
+ "libtiff does not allow writing more than 2147483647 bytes in a tag");
+ return(0);
+ }
if (!WriteOK(tif,data,(tmsize_t)datalength))
{
TIFFErrorExt(tif->tif_clientdata,module,"IO error writing tag data");