|
 |
0e6869 |
Make TIFFPrintDirectory cope with both TIFF_VARIABLE and TIFF_VARIABLE2
|
|
|
0e6869 |
conventions for field_passcount fields, ie, either 16- or 32-bit counts.
|
|
|
0e6869 |
This patch is taken from upstream commits dated 2012-05-23 ("fix crash
|
|
|
0e6869 |
with odd 16bit count types for some custom fields") and 2012-12-12 ("Fix
|
|
|
0e6869 |
TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory").
|
|
|
0e6869 |
|
|
|
0e6869 |
This doesn't qualify as a security issue in itself, mainly because
|
|
|
0e6869 |
TIFFPrintDirectory is unlikely to be used in any security-exposed
|
|
|
0e6869 |
scenarios; but we need to fix it so that our test case for CVE-2012-5581
|
|
|
0e6869 |
works on all platforms.
|
|
|
0e6869 |
|
|
|
0e6869 |
|
|
|
0e6869 |
diff -Naur tiff-3.9.4.orig/libtiff/tif_print.c tiff-3.9.4/libtiff/tif_print.c
|
|
|
0e6869 |
--- tiff-3.9.4.orig/libtiff/tif_print.c 2010-06-08 14:50:42.000000000 -0400
|
|
|
0e6869 |
+++ tiff-3.9.4/libtiff/tif_print.c 2012-12-13 12:17:33.726765771 -0500
|
|
|
0e6869 |
@@ -518,8 +518,19 @@
|
|
|
0e6869 |
continue;
|
|
|
0e6869 |
|
|
|
0e6869 |
if(fip->field_passcount) {
|
|
|
0e6869 |
- if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
|
|
|
0e6869 |
+ if (fip->field_readcount == TIFF_VARIABLE2 ) {
|
|
|
0e6869 |
+ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
|
|
|
0e6869 |
+ continue;
|
|
|
0e6869 |
+ } else if (fip->field_readcount == TIFF_VARIABLE ) {
|
|
|
0e6869 |
+ uint16 small_value_count;
|
|
|
0e6869 |
+ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
|
|
|
0e6869 |
+ continue;
|
|
|
0e6869 |
+ value_count = small_value_count;
|
|
|
0e6869 |
+ } else {
|
|
|
0e6869 |
+ assert (fip->field_readcount == TIFF_VARIABLE
|
|
|
0e6869 |
+ || fip->field_readcount == TIFF_VARIABLE2);
|
|
|
0e6869 |
continue;
|
|
|
0e6869 |
+ }
|
|
|
0e6869 |
} else {
|
|
|
0e6869 |
if (fip->field_readcount == TIFF_VARIABLE
|
|
|
0e6869 |
|| fip->field_readcount == TIFF_VARIABLE2)
|