Blame SOURCES/libtiff-printdir-width.patch

7c98bb
Make TIFFPrintDirectory cope with both TIFF_VARIABLE and TIFF_VARIABLE2
7c98bb
conventions for field_passcount fields, ie, either 16- or 32-bit counts.
7c98bb
This patch is taken from upstream commits dated 2012-05-23 ("fix crash
7c98bb
with odd 16bit count types for some custom fields") and 2012-12-12 ("Fix
7c98bb
TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory").
7c98bb
7c98bb
This doesn't qualify as a security issue in itself, mainly because
7c98bb
TIFFPrintDirectory is unlikely to be used in any security-exposed
7c98bb
scenarios; but we need to fix it so that our test case for CVE-2012-5581
7c98bb
works on all platforms.
7c98bb
7c98bb
7c98bb
diff -Naur tiff-3.9.4.orig/libtiff/tif_print.c tiff-3.9.4/libtiff/tif_print.c
7c98bb
--- tiff-3.9.4.orig/libtiff/tif_print.c	2010-06-08 14:50:42.000000000 -0400
7c98bb
+++ tiff-3.9.4/libtiff/tif_print.c	2012-12-13 12:17:33.726765771 -0500
7c98bb
@@ -518,8 +518,19 @@
7c98bb
 			continue;
7c98bb
 
7c98bb
 		if(fip->field_passcount) {
7c98bb
-			if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
7c98bb
+			if (fip->field_readcount == TIFF_VARIABLE2 ) {
7c98bb
+				if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
7c98bb
+					continue;
7c98bb
+			} else if (fip->field_readcount == TIFF_VARIABLE ) {
7c98bb
+				uint16 small_value_count;
7c98bb
+				if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
7c98bb
+					continue;
7c98bb
+				value_count = small_value_count;
7c98bb
+			} else {
7c98bb
+				assert (fip->field_readcount == TIFF_VARIABLE
7c98bb
+					|| fip->field_readcount == TIFF_VARIABLE2);
7c98bb
 				continue;
7c98bb
+			} 
7c98bb
 		} else {
7c98bb
 			if (fip->field_readcount == TIFF_VARIABLE
7c98bb
 			    || fip->field_readcount == TIFF_VARIABLE2)