Writing IFD8 tags with too large values destroys classic TIFF files.
If a TIFF_IFD8 (custom) tag with a value greater than 2^32 is written into a classic TIFF file, this will corrupt the TIFF file. As an example, TIFFTAG_GLOBALPARAMETERSIFD can be used.
If the value is smaller than 2^32, libtiff correctly writes the tag as TIFF_IFD(13) into a classic TIFF file.
Analysis:
TIFFSetValue() stores the uint64_t value in an internal uint64_t variable.
TIFFWriteDirectorySec() aborts writing with an error, but the first part of the file is already written. This leads to a corrupted file. The error message is:
TIFFWriteDirectoryTagIfdIfd8Array: Attempt to write value larger than 0xFFFFFFFF in Classic TIFF file.
TIFFOpen() then reports the errors:
TIFFFetchDirectory: Sanity check on directory count failed, zero tag directories not supported.
TIFFReadDirectory: Failed to read directory at offset 566.
Almost the same applies to TIFF_LONG8 and TIFF_SLONG8 values, even if the error message is different:
TIFFWriteDirectoryTagCheckedLong8Array: LONG8 not allowed for ClassicTIFF.
Conclusion:
Attempts to write invalid values into the file, which then force the write to be aborted, should be prevented. The check must therefore already be carried out when the value is set (e.g. in TIFFSetValue())!
In addition, for TIFF_LONG8 tags, a TIFF_LONG value should be written into a classic TIFF if the value is in the value range of long (uint32_t). The same should apply to TIFF_SLONG8 tags.
Version: libtiff version 4.4.0
Platform: Windows 10 x64, Visual Studio 2020 with CMake
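
The check proposed in the conclusion, sketched as an added example (this is not libtiff code and not part of the original report). The function name classic_disk_type and the FT_ constants are hypothetical; the numeric type codes are the ones defined by the TIFF and BigTIFF specifications.

```c
#include <stdint.h>
#include <stdio.h>

/* Field type codes from the TIFF / BigTIFF specifications (local names). */
enum { FT_LONG = 4, FT_SLONG = 9, FT_IFD = 13,
       FT_LONG8 = 16, FT_SLONG8 = 17, FT_IFD8 = 18 };

/*
 * Hypothetical set-time check, run before any byte reaches the file.
 * `bits` is the 64-bit value; for FT_SLONG8 it is the two's-complement
 * bit pattern of the signed value.
 * Returns 0 and stores the on-disk type in *disk_type, or -1 if the value
 * cannot be represented in this file flavour (caller rejects the set).
 */
int classic_disk_type(int declared, uint64_t bits, int is_bigtiff, int *disk_type)
{
    if (is_bigtiff) {            /* BigTIFF holds 8-byte types natively */
        *disk_type = declared;
        return 0;
    }
    switch (declared) {
    case FT_LONG8:
    case FT_IFD8:
        if (bits > UINT32_MAX)   /* would not fit a 4-byte classic field */
            return -1;
        *disk_type = (declared == FT_IFD8) ? FT_IFD : FT_LONG;
        return 0;
    case FT_SLONG8:
        /* in int32 range: 0..2^31-1, or sign-extended -2^31..-1 */
        if (bits > 0x7FFFFFFFULL && bits < 0xFFFFFFFF80000000ULL)
            return -1;
        *disk_type = FT_SLONG;
        return 0;
    default:                     /* all other types are unaffected */
        *disk_type = declared;
        return 0;
    }
}

int main(void)
{
    /* Constructed sample values, not taken from a real file. */
    uint64_t samples[] = { 566, 0xFFFFFFFFULL, 0x100000000ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int t = 0;
        int rc = classic_disk_type(FT_IFD8, samples[i], 0, &t);
        printf("IFD8 value %llu -> %s (type %d)\n",
               (unsigned long long)samples[i], rc ? "rejected" : "ok", t);
    }
    return 0;
}
```
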