commit 9991b31a7c651e7b87a3ccd73b3dc5c67dcfdd60
Author: erouault <erouault>
Date:   Sat Dec 3 15:30:31 2016 +0000

    * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
    limit the return number of inks to SamplesPerPixel, so that code that parses
    ink names doesn't go past the end of the buffer.
    Reported by Agostino Sarubbo.
    Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
    
    
    Reported by Agostino Sarubbo.

diff --git a/ChangeLog b/ChangeLog
index 0d7b12d..fb9fc0e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2016-12-03 Even Rouault <even.rouault at spatialys.com>
 
+	* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
+	limit the return number of inks to SamplesPerPixel, so that code that parses
+	ink names doesn't go past the end of the buffer.
+	Reported by Agostino Sarubbo.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
 	* tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
 	missing.
 	Reported by Agostino Sarubbo.
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index ad21655..2574e74 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
+/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -854,6 +854,32 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
 	if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
 	    return 0;
 	
+        if( tag == TIFFTAG_NUMBEROFINKS )
+        {
+            int i;
+            for (i = 0; i < td->td_customValueCount; i++) {
+                uint16 val;
+                TIFFTagValue *tv = td->td_customValues + i;
+                if (tv->info->field_tag != tag)
+                    continue;
+                val = *(uint16 *)tv->value;
+                /* Truncate to SamplesPerPixel, since the */
+                /* setting code for INKNAMES assume that there are SamplesPerPixel */
+                /* inknames. */
+                /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+                if( val > td->td_samplesperpixel )
+                {
+                    TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+                                   "Truncating NumberOfInks from %u to %u",
+                                   val, td->td_samplesperpixel);
+                    val = td->td_samplesperpixel;
+                }
+                *va_arg(ap, uint16*) = val;
+                return 1;
+            }
+            return 0;
+        }
+
 	/*
 	 * We want to force the custom code to be used for custom
 	 * fields even if the tag happens to match a well known