Teach "tiffinfo -D" to not try to print image data inside an EXIF subdirectory,
because there isn't any. Back-patched from an upstream 4.0.2 fix.
This is not a security issue in itself (it crashes, but with a simple NULL
pointer dereference). However, our test case for CVE-2012-5581 tickles this
bug, so it seems easier to fix this than make a new test case.
diff -Naur tiff-3.9.4.orig/tools/tiffinfo.c tiff-3.9.4/tools/tiffinfo.c
--- tiff-3.9.4.orig/tools/tiffinfo.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffinfo.c 2012-12-11 16:33:17.062228558 -0500
@@ -49,7 +49,7 @@
int stoponerr = 1; /* stop on first read error */
static void usage(void);
-static void tiffinfo(TIFF*, uint16, long);
+static void tiffinfo(TIFF*, uint16, long, int);
int
main(int argc, char* argv[])
@@ -124,19 +124,20 @@
if (tif != NULL) {
if (dirnum != -1) {
if (TIFFSetDirectory(tif, (tdir_t) dirnum))
- tiffinfo(tif, order, flags);
+ tiffinfo(tif, order, flags, 1);
} else if (diroff != 0) {
if (TIFFSetSubDirectory(tif, diroff))
- tiffinfo(tif, order, flags);
+ tiffinfo(tif, order, flags, 1);
} else {
do {
uint32 offset;
- tiffinfo(tif, order, flags);
+ tiffinfo(tif, order, flags, 1);
if (TIFFGetField(tif, TIFFTAG_EXIFIFD,
&offset)) {
- if (TIFFReadEXIFDirectory(tif, offset))
- tiffinfo(tif, order, flags);
+ if (TIFFReadEXIFDirectory(tif, offset)) {
+ tiffinfo(tif, order, flags, 0);
+ }
}
} while (TIFFReadDirectory(tif));
}
@@ -426,10 +427,10 @@
}
static void
-tiffinfo(TIFF* tif, uint16 order, long flags)
+tiffinfo(TIFF* tif, uint16 order, long flags, int is_image)
{
TIFFPrintDirectory(tif, stdout, flags);
- if (!readdata)
+ if (!readdata || !is_image)
return;
if (rawdata) {
if (order) {