diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 17:10:13 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-02 11:24:25 +0200 |
| commit | a7f6a9958c48146e719ecc1f6e2c38812af75c4b (patch) | |
| tree | eb6aeaebec66969039436a5c9f211b7f566208fb | |
| parent | bc0a209d2a3136d9a26a496ffd43ccdb56190fa2 (diff) | |
| download | alpine_aports-a7f6a9958c48146e719ecc1f6e2c38812af75c4b.tar.bz2 alpine_aports-a7f6a9958c48146e719ecc1f6e2c38812af75c4b.tar.xz alpine_aports-a7f6a9958c48146e719ecc1f6e2c38812af75c4b.zip | |
main/tiff: various security fixes
- CVE-2017-9935
- CVE-2017-11613
- CVE-2017-17095
- CVE-2018-10963
fixes #8242
fixes #9165
| -rw-r--r-- | main/tiff/APKBUILD | 17 | ||||
| -rw-r--r-- | main/tiff/CVE-2017-11613.patch | 44 | ||||
| -rw-r--r-- | main/tiff/CVE-2017-17095.patch | 28 | ||||
| -rw-r--r-- | main/tiff/CVE-2017-9935.patch | 164 | ||||
| -rw-r--r-- | main/tiff/CVE-2018-10963.patch | 31 |
5 files changed, 282 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 14b9f21ec7..0068211bbc 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | # Maintainer: Michael Mason <ms13sp@gmail.com> | 3 | # Maintainer: Michael Mason <ms13sp@gmail.com> |
| 4 | pkgname=tiff | 4 | pkgname=tiff |
| 5 | pkgver=4.0.9 | 5 | pkgver=4.0.9 |
| 6 | pkgrel=4 | 6 | pkgrel=5 |
| 7 | pkgdesc="Provides support for the Tag Image File Format or TIFF" | 7 | pkgdesc="Provides support for the Tag Image File Format or TIFF" |
| 8 | url="http://www.libtiff.org/" | 8 | url="http://www.libtiff.org/" |
| 9 | arch="all" | 9 | arch="all" |
| @@ -13,13 +13,22 @@ depends_dev="zlib-dev libjpeg-turbo-dev" | |||
| 13 | makedepends="libtool autoconf automake $depends_dev" | 13 | makedepends="libtool autoconf automake $depends_dev" |
| 14 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" | 14 | subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" |
| 15 | source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz | 15 | source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz |
| 16 | CVE-2017-9935.patch | ||
| 17 | CVE-2017-11613.patch | ||
| 18 | CVE-2017-17095.patch | ||
| 16 | CVE-2017-18013.patch | 19 | CVE-2017-18013.patch |
| 17 | CVE-2018-5784.patch | 20 | CVE-2018-5784.patch |
| 18 | CVE-2018-7456.patch | 21 | CVE-2018-7456.patch |
| 19 | CVE-2018-8905.patch | 22 | CVE-2018-8905.patch |
| 23 | CVE-2018-10963.patch | ||
| 20 | " | 24 | " |
| 21 | 25 | ||
| 22 | # secfixes: | 26 | # secfixes: |
| 27 | # 4.0.9-r5: | ||
| 28 | # - CVE-2017-9935 | ||
| 29 | # - CVE-2017-11613 | ||
| 30 | # - CVE-2017-17095 | ||
| 31 | # - CVE-2018-10963 | ||
| 23 | # 4.0.9-r4: | 32 | # 4.0.9-r4: |
| 24 | # - CVE-2018-8905 | 33 | # - CVE-2018-8905 |
| 25 | # 4.0.9-r3: | 34 | # 4.0.9-r3: |
| @@ -86,7 +95,11 @@ tools() { | |||
| 86 | } | 95 | } |
| 87 | 96 | ||
| 88 | sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd tiff-4.0.9.tar.gz | 97 | sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd tiff-4.0.9.tar.gz |
| 98 | 75160265be98350706b90f69e0a432183ce51105b713da32a50030ed3123b956e68c19a21540a5c7fb02253bf33ddfb3e0ea4f3a0977aa7b19404ea3e6d6d5d8 CVE-2017-9935.patch | ||
| 99 | 61fbc0fa3256ebdde2a42a482a39d4c63d68e16fc47e3e9f76f5719e7c7dce01f5d3897b53280494334f8be33d48517c24a9739f3be8118f097ff3a7814f0326 CVE-2017-11613.patch | ||
| 100 | 78c8593033a5c8b91a03bbca7dd05f3de2abfc2965096cc8e828df50a66069544e0221fd573f25eda0726cd5fd8b527bd018bfd74f3e8aac8816f6cc9b462489 CVE-2017-17095.patch | ||
| 89 | 3a31e4315ecc5c5bf709e2ca0fefb5bc7ff50c79f911b8b8366be38d007d3f79e89982700a620b2d82739313fbd79041428dbf3ecf0a790c9ec3bc2e211d6fce CVE-2017-18013.patch | 101 | 3a31e4315ecc5c5bf709e2ca0fefb5bc7ff50c79f911b8b8366be38d007d3f79e89982700a620b2d82739313fbd79041428dbf3ecf0a790c9ec3bc2e211d6fce CVE-2017-18013.patch |
| 90 | c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch | 102 | c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch |
| 91 | 8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch | 103 | 8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch |
| 92 | ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch" | 104 | ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch |
| 105 | 8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch" | ||
diff --git a/main/tiff/CVE-2017-11613.patch b/main/tiff/CVE-2017-11613.patch new file mode 100644 index 0000000000..b3f600a974 --- /dev/null +++ b/main/tiff/CVE-2017-11613.patch | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Even Rouault <even.rouault@spatialys.com> | ||
| 3 | Date: Sun, 11 Mar 2018 11:14:01 +0100 | ||
| 4 | Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion | ||
| 5 | (CVE-2017-11613) | ||
| 6 | |||
| 7 | In ChopUpSingleUncompressedStrip(), if the computed number of strips is big | ||
| 8 | enough and we are in read only mode, validate that the file size is consistent | ||
| 9 | with that number of strips to avoid useless attempts at allocating a lot of | ||
| 10 | memory for the td_stripbytecount and td_stripoffset arrays. | ||
| 11 | |||
| 12 | Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more | ||
| 13 | cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. | ||
| 14 | Credit to OSS Fuzz | ||
| 15 | |||
| 16 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 | ||
| 17 | --- | ||
| 18 | libtiff/tif_dirread.c | 10 ++++++++++ | ||
| 19 | 1 file changed, 10 insertions(+) | ||
| 20 | |||
| 21 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
| 22 | index 80aaf8d..5896a78 100644 | ||
| 23 | --- a/libtiff/tif_dirread.c | ||
| 24 | +++ b/libtiff/tif_dirread.c | ||
| 25 | @@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) | ||
| 26 | if( nstrips == 0 ) | ||
| 27 | return; | ||
| 28 | |||
| 29 | + /* If we are going to allocate a lot of memory, make sure that the */ | ||
| 30 | + /* file is as big as needed */ | ||
| 31 | + if( tif->tif_mode == O_RDONLY && | ||
| 32 | + nstrips > 1000000 && | ||
| 33 | + (offset >= TIFFGetFileSize(tif) || | ||
| 34 | + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) | ||
| 35 | + { | ||
| 36 | + return; | ||
| 37 | + } | ||
| 38 | + | ||
| 39 | newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
| 40 | "for chopped \"StripByteCounts\" array"); | ||
| 41 | newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
| 42 | -- | ||
| 43 | 2.17.1 | ||
| 44 | |||
diff --git a/main/tiff/CVE-2017-17095.patch b/main/tiff/CVE-2017-17095.patch new file mode 100644 index 0000000000..760c9553d9 --- /dev/null +++ b/main/tiff/CVE-2017-17095.patch | |||
| @@ -0,0 +1,28 @@ | |||
| 1 | Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5 | ||
| 2 | |||
| 3 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
| 4 | index 7a57800..8443fce 100644 | ||
| 5 | --- a/tools/pal2rgb.c | ||
| 6 | +++ b/tools/pal2rgb.c | ||
| 7 | @@ -184,8 +184,19 @@ main(int argc, char* argv[]) | ||
| 8 | { unsigned char *ibuf, *obuf; | ||
| 9 | register unsigned char* pp; | ||
| 10 | register uint32 x; | ||
| 11 | - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); | ||
| 12 | - obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); | ||
| 13 | + tmsize_t tss_in = TIFFScanlineSize(in); | ||
| 14 | + tmsize_t tss_out = TIFFScanlineSize(out); | ||
| 15 | + if (tss_out / tss_in < 3) { | ||
| 16 | + /* | ||
| 17 | + * BUG 2750: The following code assumes the output buffer is 3x the | ||
| 18 | + * length of the input buffer due to exploding the palette into | ||
| 19 | + * RGB tuples. If this doesn't happen, fail now. | ||
| 20 | + */ | ||
| 21 | + fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); | ||
| 22 | + return -1; | ||
| 23 | + } | ||
| 24 | + ibuf = (unsigned char*)_TIFFmalloc(tss_in); | ||
| 25 | + obuf = (unsigned char*)_TIFFmalloc(tss_out); | ||
| 26 | switch (config) { | ||
| 27 | case PLANARCONFIG_CONTIG: | ||
| 28 | for (row = 0; row < imagelength; row++) { | ||
diff --git a/main/tiff/CVE-2017-9935.patch b/main/tiff/CVE-2017-9935.patch new file mode 100644 index 0000000000..39327ffb92 --- /dev/null +++ b/main/tiff/CVE-2017-9935.patch | |||
| @@ -0,0 +1,164 @@ | |||
| 1 | From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Brian May <brian@linuxpenguins.xyz> | ||
| 3 | Date: Thu, 7 Dec 2017 07:46:47 +1100 | ||
| 4 | Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 | ||
| 5 | |||
| 6 | Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 | ||
| 7 | |||
| 8 | This vulnerability - at least for the supplied test case - is because we | ||
| 9 | assume that a tiff will only have one transfer function that is the same | ||
| 10 | for all pages. This is not required by the TIFF standards. | ||
| 11 | |||
| 12 | We than read the transfer function for every page. Depending on the | ||
| 13 | transfer function, we allocate either 2 or 4 bytes to the XREF buffer. | ||
| 14 | We allocate this memory after we read in the transfer function for the | ||
| 15 | page. | ||
| 16 | |||
| 17 | For the first exploit - POC1, this file has 3 pages. For the first page | ||
| 18 | we allocate 2 extra extra XREF entries. Then for the next page 2 more | ||
| 19 | entries. Then for the last page the transfer function changes and we | ||
| 20 | allocate 4 more entries. | ||
| 21 | |||
| 22 | When we read the file into memory, we assume we have 4 bytes extra for | ||
| 23 | each and every page (as per the last transfer function we read). Which | ||
| 24 | is not correct, we only have 2 bytes extra for the first 2 pages. As a | ||
| 25 | result, we end up writing past the end of the buffer. | ||
| 26 | |||
| 27 | There are also some related issues that this also fixes. For example, | ||
| 28 | TIFFGetField can return uninitalized pointer values, and the logic to | ||
| 29 | detect a N=3 vs N=1 transfer function seemed rather strange. | ||
| 30 | |||
| 31 | It is also strange that we declare the transfer functions to be of type | ||
| 32 | float, when the standard says they are unsigned 16 bit values. This is | ||
| 33 | fixed in another patch. | ||
| 34 | |||
| 35 | This patch will check to ensure that the N value for every transfer | ||
| 36 | function is the same for every page. If this changes, we abort with an | ||
| 37 | error. In theory, we should perhaps check that the transfer function | ||
| 38 | itself is identical for every page, however we don't do that due to the | ||
| 39 | confusion of the type of the data in the transfer function. | ||
| 40 | --- | ||
| 41 | libtiff/tif_dir.c | 3 +++ | ||
| 42 | tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- | ||
| 43 | 2 files changed, 49 insertions(+), 23 deletions(-) | ||
| 44 | |||
| 45 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
| 46 | index f00f808..c36a5f3 100644 | ||
| 47 | --- a/libtiff/tif_dir.c | ||
| 48 | +++ b/libtiff/tif_dir.c | ||
| 49 | @@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) | ||
| 50 | if (td->td_samplesperpixel - td->td_extrasamples > 1) { | ||
| 51 | *va_arg(ap, uint16**) = td->td_transferfunction[1]; | ||
| 52 | *va_arg(ap, uint16**) = td->td_transferfunction[2]; | ||
| 53 | + } else { | ||
| 54 | + *va_arg(ap, uint16**) = NULL; | ||
| 55 | + *va_arg(ap, uint16**) = NULL; | ||
| 56 | } | ||
| 57 | break; | ||
| 58 | case TIFFTAG_REFERENCEBLACKWHITE: | ||
| 59 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
| 60 | index bdb9126..bd23c9e 100644 | ||
| 61 | --- a/tools/tiff2pdf.c | ||
| 62 | +++ b/tools/tiff2pdf.c | ||
| 63 | @@ -239,7 +239,7 @@ typedef struct { | ||
| 64 | float tiff_whitechromaticities[2]; | ||
| 65 | float tiff_primarychromaticities[6]; | ||
| 66 | float tiff_referenceblackwhite[2]; | ||
| 67 | - float* tiff_transferfunction[3]; | ||
| 68 | + uint16* tiff_transferfunction[3]; | ||
| 69 | int pdf_image_interpolate; /* 0 (default) : do not interpolate, | ||
| 70 | 1 : interpolate */ | ||
| 71 | uint16 tiff_transferfunctioncount; | ||
| 72 | @@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
| 73 | uint16 pagen=0; | ||
| 74 | uint16 paged=0; | ||
| 75 | uint16 xuint16=0; | ||
| 76 | + uint16 tiff_transferfunctioncount=0; | ||
| 77 | + uint16* tiff_transferfunction[3]; | ||
| 78 | |||
| 79 | directorycount=TIFFNumberOfDirectories(input); | ||
| 80 | if(directorycount > TIFF_DIR_MAX) { | ||
| 81 | @@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
| 82 | } | ||
| 83 | #endif | ||
| 84 | if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, | ||
| 85 | - &(t2p->tiff_transferfunction[0]), | ||
| 86 | - &(t2p->tiff_transferfunction[1]), | ||
| 87 | - &(t2p->tiff_transferfunction[2]))) { | ||
| 88 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
| 89 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
| 90 | - (t2p->tiff_transferfunction[1] != | ||
| 91 | - t2p->tiff_transferfunction[0])) { | ||
| 92 | - t2p->tiff_transferfunctioncount = 3; | ||
| 93 | - t2p->tiff_pages[i].page_extra += 4; | ||
| 94 | - t2p->pdf_xrefcount += 4; | ||
| 95 | - } else { | ||
| 96 | - t2p->tiff_transferfunctioncount = 1; | ||
| 97 | - t2p->tiff_pages[i].page_extra += 2; | ||
| 98 | - t2p->pdf_xrefcount += 2; | ||
| 99 | - } | ||
| 100 | - if(t2p->pdf_minorversion < 2) | ||
| 101 | - t2p->pdf_minorversion = 2; | ||
| 102 | + &(tiff_transferfunction[0]), | ||
| 103 | + &(tiff_transferfunction[1]), | ||
| 104 | + &(tiff_transferfunction[2]))) { | ||
| 105 | + | ||
| 106 | + if((tiff_transferfunction[1] != (uint16*) NULL) && | ||
| 107 | + (tiff_transferfunction[2] != (uint16*) NULL) | ||
| 108 | + ) { | ||
| 109 | + tiff_transferfunctioncount=3; | ||
| 110 | + } else { | ||
| 111 | + tiff_transferfunctioncount=1; | ||
| 112 | + } | ||
| 113 | } else { | ||
| 114 | - t2p->tiff_transferfunctioncount=0; | ||
| 115 | + tiff_transferfunctioncount=0; | ||
| 116 | } | ||
| 117 | + | ||
| 118 | + if (i > 0){ | ||
| 119 | + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ | ||
| 120 | + TIFFError( | ||
| 121 | + TIFF2PDF_MODULE, | ||
| 122 | + "Different transfer function on page %d", | ||
| 123 | + i); | ||
| 124 | + t2p->t2p_error = T2P_ERR_ERROR; | ||
| 125 | + return; | ||
| 126 | + } | ||
| 127 | + } | ||
| 128 | + | ||
| 129 | + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; | ||
| 130 | + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; | ||
| 131 | + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; | ||
| 132 | + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; | ||
| 133 | + if(tiff_transferfunctioncount == 3){ | ||
| 134 | + t2p->tiff_pages[i].page_extra += 4; | ||
| 135 | + t2p->pdf_xrefcount += 4; | ||
| 136 | + if(t2p->pdf_minorversion < 2) | ||
| 137 | + t2p->pdf_minorversion = 2; | ||
| 138 | + } else if (tiff_transferfunctioncount == 1){ | ||
| 139 | + t2p->tiff_pages[i].page_extra += 2; | ||
| 140 | + t2p->pdf_xrefcount += 2; | ||
| 141 | + if(t2p->pdf_minorversion < 2) | ||
| 142 | + t2p->pdf_minorversion = 2; | ||
| 143 | + } | ||
| 144 | + | ||
| 145 | if( TIFFGetField( | ||
| 146 | input, | ||
| 147 | TIFFTAG_ICCPROFILE, | ||
| 148 | @@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ | ||
| 149 | &(t2p->tiff_transferfunction[0]), | ||
| 150 | &(t2p->tiff_transferfunction[1]), | ||
| 151 | &(t2p->tiff_transferfunction[2]))) { | ||
| 152 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
| 153 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
| 154 | - (t2p->tiff_transferfunction[1] != | ||
| 155 | - t2p->tiff_transferfunction[0])) { | ||
| 156 | + if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && | ||
| 157 | + (t2p->tiff_transferfunction[2] != (uint16*) NULL) | ||
| 158 | + ) { | ||
| 159 | t2p->tiff_transferfunctioncount=3; | ||
| 160 | } else { | ||
| 161 | t2p->tiff_transferfunctioncount=1; | ||
| 162 | -- | ||
| 163 | 2.17.0 | ||
| 164 | |||
diff --git a/main/tiff/CVE-2018-10963.patch b/main/tiff/CVE-2018-10963.patch new file mode 100644 index 0000000000..039b7c1a16 --- /dev/null +++ b/main/tiff/CVE-2018-10963.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Even Rouault <even.rouault@spatialys.com> | ||
| 3 | Date: Sat, 12 May 2018 14:24:15 +0200 | ||
| 4 | Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes | ||
| 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 | ||
| 6 | |||
| 7 | --- | ||
| 8 | libtiff/tif_dirwrite.c | 7 +++++-- | ||
| 9 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 10 | |||
| 11 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
| 12 | index c68d6d2..5d0a669 100644 | ||
| 13 | --- a/libtiff/tif_dirwrite.c | ||
| 14 | +++ b/libtiff/tif_dirwrite.c | ||
| 15 | @@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) | ||
| 16 | } | ||
| 17 | break; | ||
| 18 | default: | ||
| 19 | - assert(0); /* we should never get here */ | ||
| 20 | - break; | ||
| 21 | + TIFFErrorExt(tif->tif_clientdata,module, | ||
| 22 | + "Cannot write tag %d (%s)", | ||
| 23 | + TIFFFieldTag(o), | ||
| 24 | + o->field_name ? o->field_name : "unknown"); | ||
| 25 | + goto bad; | ||
| 26 | } | ||
| 27 | } | ||
| 28 | } | ||
| 29 | -- | ||
| 30 | 2.17.0 | ||
| 31 | |||