From a91566b32d107e86c4ea0b10bbcb5ce089005cb7 Mon Sep 17 00:00:00 2001
From: Su Laus
Date: Tue, 13 Aug 2024 09:42:15 +0800
Subject: [PATCH] fix CVE-2024-7006
Reference:https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e
Check return value of _TIFFCreateAnonField().
Fixes #624 (closed)
---
 libtiff/tif_dirinfo.c | 2 +-
 libtiff/tif_dirread.c | 17 ++++++++---------
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index a212d01..755693c 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
 fld = TIFFFindField(tif, tag, dt);
 if (fld == NULL) {
 fld = _TIFFCreateAnonField(tif, tag, dt);
- if (!_TIFFMergeFields(tif, fld, 1))
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
 return NULL;
 }
 
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index ed88e80..4e2b53e 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3734,11 +3734,10 @@ TIFFReadDirectory(TIFF* tif)
 dp->tdir_tag,dp->tdir_tag);
 /* the following knowingly leaks the
 anonymous field structure */
- if (!_TIFFMergeFields(tif,
- _TIFFCreateAnonField(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1)) {
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
 TIFFWarningExt(tif->tif_clientdata,
 module,
 "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
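Review bot: On the `return NULL` path in `_TIFFFindOrRegisterField`, a `fld` that was created successfully but then rejected by `_TIFFMergeFields()` is dropped without being released; the added `fld == NULL` test keeps a NULL from reaching the merge but does not change that. If `_TIFFCreateAnonField()` heap-allocates the field (its body is not visible here), this is a leak on an error path reached while parsing file-controlled tags, and the two `tif_dirread.c` hunks have the same shape. Either release the field when only the merge failed, or record the decision next to the check, e.g. `/* fld is NULL if creation failed; on merge failure the field is intentionally not freed */`. The function's opening and its final return lie outside the hunk, so how callers treat the NULL result cannot be confirmed from here.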
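Review bot: The warning under the new `if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))` in `TIFFReadDirectory` prints the same `Registering anonymous field ... failed` text for both causes, so a log cannot separate a failed `_TIFFCreateAnonField()` (presumably memory exhaustion) from a failed merge when triaging a malformed file. The retained comment `/* the following knowingly leaks the anonymous field structure */` also no longer says which of the two paths it describes; I would reword it to something like `/* fld is NULL when creation failed; the field is not freed if the merge fails */`. The same point applies to the identical change in `TIFFReadCustomDirectory`, which carries no comment at all. The enclosing blocks start and end outside both hunks.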
@@ -4500,10 +4499,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
 TIFFWarningExt(tif->tif_clientdata, module,
 "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
 dp->tdir_tag, dp->tdir_tag);
- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1)) {
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
 TIFFWarningExt(tif->tif_clientdata, module,
 "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
 dp->tdir_tag, dp->tdir_tag);
-- 
2.27.0