File tiff-3.8.2-CVE-2012-5581.patch of Package tiff3

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-3.8.2-CVE-2012-5581.patch of Package tiff3

Index: tiff-3.9.5/libtiff/tif_dir.c
===================================================================
--- tiff-3.9.5.orig/libtiff/tif_dir.c
+++ tiff-3.9.5/libtiff/tif_dir.c
@@ -493,32 +493,27 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
 		    status = 0;
 		    goto end;
 		}
-
-		if ((fip->field_passcount
+                 if (fip->field_tag == TIFFTAG_DOTRANGE 
+                     && strcmp(fip->field_name,"DotRange") == 0) {
+                    /* TODO: This is an evil exception and should not have been
+                       handled this way ... likely best if we move it into
+                       the directory structure with an explicit field in 
+                       libtiff 4.1 and assign it a FIELD_ value */
+                    uint16 v[2];
+                    v[0] = (uint16)va_arg(ap, int);
+                    v[1] = (uint16)va_arg(ap, int);
+                    _TIFFmemcpy(tv->value, &v, 4);
+                } else if (fip->field_passcount
 		    || fip->field_writecount == TIFF_VARIABLE
 		    || fip->field_writecount == TIFF_VARIABLE2
 		    || fip->field_writecount == TIFF_SPP
-		    || tv->count > 1)
-		    && fip->field_tag != TIFFTAG_PAGENUMBER
-		    && fip->field_tag != TIFFTAG_HALFTONEHINTS
-		    && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
-		    && fip->field_tag != TIFFTAG_DOTRANGE) {
+		    || tv->count > 1) {
                     _TIFFmemcpy(tv->value, va_arg(ap, void *),
 				tv->count * tv_size);
 		} else {
-		    /*
-		     * XXX: The following loop required to handle
-		     * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
-		     * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
-		     * These tags are actually arrays and should be passed as
-		     * array pointers to TIFFSetField() function, but actually
-		     * passed as a list of separate values. This behaviour
-		     * must be changed in the future!
-		     */
-		    int i;
+		    assert( tv->count == 1 );
 		    char *val = (char *)tv->value;
 
-		    for (i = 0; i < tv->count; i++, val += tv_size) {
 			    switch (fip->field_type) {
 				case TIFF_BYTE:
 				case TIFF_UNDEFINED:
@@ -577,7 +572,6 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
 				    status = 0;
 				    break;
 			    }
-		    }
 		}
 	    }
           }

Places

File tiff-3.8.2-CVE-2012-5581.patch of Package tiff3

Places