Blob Blame History Raw
Teach "tiffinfo -D" to not try to print image data inside an EXIF subdirectory,
because there isn't any.  Back-patched from an upstream 4.0.2 fix.

This is not a security issue in itself (it crashes, but with a simple NULL
pointer dereference).  However, our test case for CVE-2012-5581 tickles this
bug, so it seems easier to fix this than make a new test case.


diff -Naur tiff-3.9.4.orig/tools/tiffinfo.c tiff-3.9.4/tools/tiffinfo.c
--- tiff-3.9.4.orig/tools/tiffinfo.c	2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffinfo.c	2012-12-11 16:33:17.062228558 -0500
@@ -49,7 +49,7 @@
 int	stoponerr = 1;			/* stop on first read error */
 
 static	void usage(void);
-static	void tiffinfo(TIFF*, uint16, long);
+static	void tiffinfo(TIFF*, uint16, long, int);
 
 int
 main(int argc, char* argv[])
@@ -124,19 +124,20 @@
 		if (tif != NULL) {
 			if (dirnum != -1) {
 				if (TIFFSetDirectory(tif, (tdir_t) dirnum))
-					tiffinfo(tif, order, flags);
+					tiffinfo(tif, order, flags, 1);
 			} else if (diroff != 0) {
 				if (TIFFSetSubDirectory(tif, diroff))
-					tiffinfo(tif, order, flags);
+					tiffinfo(tif, order, flags, 1);
 			} else {
 				do {
 					uint32 offset;
 
-					tiffinfo(tif, order, flags);
+					tiffinfo(tif, order, flags, 1);
 					if (TIFFGetField(tif, TIFFTAG_EXIFIFD,
 							 &offset)) {
-						if (TIFFReadEXIFDirectory(tif, offset))
-							tiffinfo(tif, order, flags);
+						if (TIFFReadEXIFDirectory(tif, offset)) {
+							tiffinfo(tif, order, flags, 0);
+						}
 					}
 				} while (TIFFReadDirectory(tif));
 			}
@@ -426,10 +427,10 @@
 }
 
 static void
-tiffinfo(TIFF* tif, uint16 order, long flags)
+tiffinfo(TIFF* tif, uint16 order, long flags, int is_image)
 {
 	TIFFPrintDirectory(tif, stdout, flags);
-	if (!readdata)
+	if (!readdata || !is_image)
 		return;
 	if (rawdata) {
 		if (order) {