Tree - rpms/libtiff - CentOS Git server

rpms / libtiff

Files

Commit: ccba1e49d43e4700e31275ad4a239b3a4d161f83
Blob Blame History Raw
From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:49:20 +1100
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
 transfer table

The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.

(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
---
 tools/tiff2pdf.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index ef5d6a01..bd23c9e5 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -239,7 +239,7 @@ typedef struct {
 	float tiff_whitechromaticities[2];
 	float tiff_primarychromaticities[6];
 	float tiff_referenceblackwhite[2];
-	float* tiff_transferfunction[3];
+	uint16* tiff_transferfunction[3];
 	int pdf_image_interpolate;	/* 0 (default) : do not interpolate,
 					   1 : interpolate */
 	uint16 tiff_transferfunctioncount;
@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
 	uint16 paged=0;
 	uint16 xuint16=0;
 	uint16 tiff_transferfunctioncount=0;
-	float* tiff_transferfunction[3];
+	uint16* tiff_transferfunction[3];
 
 	directorycount=TIFFNumberOfDirectories(input);
 	if(directorycount > TIFF_DIR_MAX) {
@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
                                  &(tiff_transferfunction[1]),
                                  &(tiff_transferfunction[2]))) {
 
-                        if((tiff_transferfunction[1] != (float*) NULL) &&
-                           (tiff_transferfunction[2] != (float*) NULL)
+                        if((tiff_transferfunction[1] != (uint16*) NULL) &&
+                           (tiff_transferfunction[2] != (uint16*) NULL)
                           ) {
                             tiff_transferfunctioncount=3;
                         } else {
@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
 			 &(t2p->tiff_transferfunction[0]),
 			 &(t2p->tiff_transferfunction[1]),
 			 &(t2p->tiff_transferfunction[2]))) {
-		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-                   (t2p->tiff_transferfunction[2] != (float*) NULL)
+		if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+                   (t2p->tiff_transferfunction[2] != (uint16*) NULL)
                   ) {
 			t2p->tiff_transferfunctioncount=3;
 		} else {
-- 
2.34.1
rpms / libtiff

Source Code

Files
