From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 23 Aug 2017 13:21:41 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
 finding the SubIFD tag by runtime check. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337

Upstream-Status: Backport
[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]

CVE: CVE-2017-13726

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ChangeLog              | 7 +++++++
 libtiff/tif_dirwrite.c | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 6980da8..3e299d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-08-23  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
+	SubIFD tag by runtime check.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+	Reported by team OWL337
+
 2017-07-15  Even Rouault <even.rouault at spatialys.com>
 
 	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 8d6686b..14090ae 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
 			TIFFDirEntry* nb;
 			for (na=0, nb=dir; ; na++, nb++)
 			{
-				assert(na<ndir);
+				if( na == ndir )
+                                {
+                                    TIFFErrorExt(tif->tif_clientdata,module,
+                                                 "Cannot find SubIFD tag");
+                                    goto bad;
+                                }
 				if (nb->tdir_tag==TIFFTAG_SUBIFD)
 					break;
 			}
-- 
2.7.4