
Annotation of /updates/1/libtiff/current/SOURCES/tiff-3.9.6-CVE-2012-5581.diff



Revision 327676 - (hide annotations) (download)
Fri Dec 7 00:24:34 2012 UTC (11 years, 4 months ago) by luigiwalser
File size: 13751 byte(s)
add patch from redhat to fix CVE-2012-5581
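--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -493,94 +493,90 @@
 status = 0;
 goto end;
 }
+ if (fip->field_tag == TIFFTAG_DOTRANGE
+ && strcmp(fip->field_name,"DotRange") == 0) {
+ /* TODO: This is an evil exception and should not have been
+ handled this way ... likely best if we move it into
+ the directory structure with an explicit field in
+ libtiff 4.1 and assign it a FIELD_ value */
+ uint16 v[2];
+ v[0] = (uint16)va_arg(ap, int);
+ v[1] = (uint16)va_arg(ap, int);
+ _TIFFmemcpy(tv->value, &v, 4);
+ }
+
+ else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+ || tv->count > 1) {
 
- if ((fip->field_passcount
- || fip->field_writecount == TIFF_VARIABLE
- || fip->field_writecount == TIFF_VARIABLE2
- || fip->field_writecount == TIFF_SPP
- || tv->count > 1)
- && fip->field_tag != TIFFTAG_PAGENUMBER
- && fip->field_tag != TIFFTAG_HALFTONEHINTS
- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
- && fip->field_tag != TIFFTAG_DOTRANGE) {
 _TIFFmemcpy(tv->value, va_arg(ap, void *),
 tv->count * tv_size);
 } else {
- /*
- * XXX: The following loop required to handle
- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
- * These tags are actually arrays and should be passed as
- * array pointers to TIFFSetField() function, but actually
- * passed as a list of separate values. This behaviour
- * must be changed in the future!
- */
- int i;
+ assert( tv->count == 1 );
 char *val = (char *)tv->value;
-
- for (i = 0; i < tv->count; i++, val += tv_size) {
- switch (fip->field_type) {
- case TIFF_BYTE:
- case TIFF_UNDEFINED:
- {
- uint8 v = (uint8)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SBYTE:
- {
- int8 v = (int8)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SHORT:
- {
- uint16 v = (uint16)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SSHORT:
- {
- int16 v = (int16)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_LONG:
- case TIFF_IFD:
- {
- uint32 v = va_arg(ap, uint32);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SLONG:
- {
- int32 v = va_arg(ap, int32);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_RATIONAL:
- case TIFF_SRATIONAL:
- case TIFF_FLOAT:
- {
- float v = (float)va_arg(ap, double);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_DOUBLE:
- {
- double v = va_arg(ap, double);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- default:
- _TIFFmemset(val, 0, tv_size);
- status = 0;
- break;
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+ {
+ uint8 v = (uint8)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SBYTE:
+ {
+ int8 v = (int8)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SHORT:
+ {
+ uint16 v = (uint16)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SSHORT:
+ {
+ int16 v = (int16)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_LONG:
+ case TIFF_IFD:
+ {
+ uint32 v = va_arg(ap, uint32);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SLONG:
+ {
+ int32 v = va_arg(ap, int32);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_RATIONAL:
+ case TIFF_SRATIONAL:
+ case TIFF_FLOAT:
+ {
+ float v = (float)va_arg(ap, double);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_DOUBLE:
+ {
+ double v = va_arg(ap, double);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ default:
+ _TIFFmemset(val, 0, tv_size);
+ status = 0;
+ break;
 }
 }
 }
 }
- }
 }
 if (status) {
 TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
@@ -868,75 +864,76 @@
 *va_arg(ap, uint16*) = (uint16)tv->count;
 *va_arg(ap, void **) = tv->value;
 ret_val = 1;
+ } else if (fip->field_tag == TIFFTAG_DOTRANGE
+ && strcmp(fip->field_name,"DotRange") == 0) {
+ /* TODO: This is an evil exception and should not have been
+ handled this way ... likely best if we move it into
+ the directory structure with an explicit field in
+ libtiff 4.1 and assign it a FIELD_ value */
+ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
+ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
+ ret_val = 1;
 } else {
- if ((fip->field_type == TIFF_ASCII
+ if (fip->field_type == TIFF_ASCII
 || fip->field_readcount == TIFF_VARIABLE
 || fip->field_readcount == TIFF_VARIABLE2
 || fip->field_readcount == TIFF_SPP
- || tv->count > 1)
- && fip->field_tag != TIFFTAG_PAGENUMBER
- && fip->field_tag != TIFFTAG_HALFTONEHINTS
- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
- && fip->field_tag != TIFFTAG_DOTRANGE) {
+ || tv->count > 1) {
 *va_arg(ap, void **) = tv->value;
 ret_val = 1;
 } else {
- int j;
 char *val = (char *)tv->value;
-
- for (j = 0; j < tv->count;
- j++, val += _TIFFDataSize(tv->info->field_type)) {
- switch (fip->field_type) {
- case TIFF_BYTE:
- case TIFF_UNDEFINED:
- *va_arg(ap, uint8*) =
- *(uint8 *)val;
- ret_val = 1;
- break;
- case TIFF_SBYTE:
- *va_arg(ap, int8*) =
- *(int8 *)val;
- ret_val = 1;
- break;
- case TIFF_SHORT:
- *va_arg(ap, uint16*) =
- *(uint16 *)val;
- ret_val = 1;
- break;
- case TIFF_SSHORT:
- *va_arg(ap, int16*) =
- *(int16 *)val;
- ret_val = 1;
- break;
- case TIFF_LONG:
- case TIFF_IFD:
- *va_arg(ap, uint32*) =
- *(uint32 *)val;
- ret_val = 1;
- break;
- case TIFF_SLONG:
- *va_arg(ap, int32*) =
- *(int32 *)val;
- ret_val = 1;
- break;
- case TIFF_RATIONAL:
- case TIFF_SRATIONAL:
- case TIFF_FLOAT:
- *va_arg(ap, float*) =
- *(float *)val;
- ret_val = 1;
- break;
- case TIFF_DOUBLE:
- *va_arg(ap, double*) =
- *(double *)val;
- ret_val = 1;
- break;
- default:
- ret_val = 0;
- break;
- }
- }
- }
+ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+ *va_arg(ap, uint8*) =
+ *(uint8 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SBYTE:
+ *va_arg(ap, int8*) =
+ *(int8 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SHORT:
+ *va_arg(ap, uint16*) =
+ *(uint16 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SSHORT:
+ *va_arg(ap, int16*) =
+ *(int16 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_LONG:
+ case TIFF_IFD:
+ *va_arg(ap, uint32*) =
+ *(uint32 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SLONG:
+ *va_arg(ap, int32*) =
+ *(int32 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_RATIONAL:
+ case TIFF_SRATIONAL:
+ case TIFF_FLOAT:
+ *va_arg(ap, float*) =
+ *(float *)val;
+ ret_val = 1;
+ break;
+ case TIFF_DOUBLE:
+ *va_arg(ap, double*) =
+ *(double *)val;
+ ret_val = 1;
+ break;
+ default:
+ ret_val = 0;
+ break;
+ }
+ }
 }
 break;
 }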
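Review bot: Both new DotRange branches assume `tv->value` holds two `uint16` values without checking `tv->count`: the setter in the first hunk copies a hard-coded 4 bytes with `_TIFFmemcpy(tv->value, &v, 4);` and the getter in the second hunk reads `((uint16 *)tv->value)[1]`. The allocation of `tv->value` and any count validation lie outside the visible hunks, so this may already be guaranteed, but a local guard would make the fix self-contained: in the setter, `if (tv->count != 2) { status = 0; goto end; }` before the copy (following the `status = 0; goto end;` pattern at the top of that hunk, and with `sizeof(v)` in place of `4`), and in the getter, leaving `ret_val` at 0 when the count is not 2. The two `assert( tv->count == 1 );` checks disappear in NDEBUG builds, so they document the invariant rather than enforce it; in the first hunk the assert also precedes the declaration `char *val`, which pre-C99 compilers reject. Both enclosing functions start and end outside the hunks.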
