
Contents of /updates/1/libtiff/current/SOURCES/tiff-3.9.6-CVE-2012-5581.diff



Revision 327676 - (show annotations) (download)
Fri Dec 7 00:24:34 2012 UTC (8 years, 7 months ago) by luigiwalser
File size: 13751 byte(s)
add patch from redhat to fix CVE-2012-5581
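--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -493,94 +493,90 @@
 status = 0;
 goto end;
 }
+ if (fip->field_tag == TIFFTAG_DOTRANGE
+ && strcmp(fip->field_name,"DotRange") == 0) {
+ /* TODO: This is an evil exception and should not have been
+ handled this way ... likely best if we move it into
+ the directory structure with an explicit field in
+ libtiff 4.1 and assign it a FIELD_ value */
+ uint16 v[2];
+ v[0] = (uint16)va_arg(ap, int);
+ v[1] = (uint16)va_arg(ap, int);
+ _TIFFmemcpy(tv->value, &v, 4);
+ }
+
+ else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+ || tv->count > 1) {
 
- if ((fip->field_passcount
- || fip->field_writecount == TIFF_VARIABLE
- || fip->field_writecount == TIFF_VARIABLE2
- || fip->field_writecount == TIFF_SPP
- || tv->count > 1)
- && fip->field_tag != TIFFTAG_PAGENUMBER
- && fip->field_tag != TIFFTAG_HALFTONEHINTS
- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
- && fip->field_tag != TIFFTAG_DOTRANGE) {
 _TIFFmemcpy(tv->value, va_arg(ap, void *),
 tv->count * tv_size);
 } else {
- /*
- * XXX: The following loop required to handle
- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
- * These tags are actually arrays and should be passed as
- * array pointers to TIFFSetField() function, but actually
- * passed as a list of separate values. This behaviour
- * must be changed in the future!
- */
- int i;
+ assert( tv->count == 1 );
 char *val = (char *)tv->value;
-
- for (i = 0; i < tv->count; i++, val += tv_size) {
- switch (fip->field_type) {
- case TIFF_BYTE:
- case TIFF_UNDEFINED:
- {
- uint8 v = (uint8)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SBYTE:
- {
- int8 v = (int8)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SHORT:
- {
- uint16 v = (uint16)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SSHORT:
- {
- int16 v = (int16)va_arg(ap, int);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_LONG:
- case TIFF_IFD:
- {
- uint32 v = va_arg(ap, uint32);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_SLONG:
- {
- int32 v = va_arg(ap, int32);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_RATIONAL:
- case TIFF_SRATIONAL:
- case TIFF_FLOAT:
- {
- float v = (float)va_arg(ap, double);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- case TIFF_DOUBLE:
- {
- double v = va_arg(ap, double);
- _TIFFmemcpy(val, &v, tv_size);
- }
- break;
- default:
- _TIFFmemset(val, 0, tv_size);
- status = 0;
- break;
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+ {
+ uint8 v = (uint8)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SBYTE:
+ {
+ int8 v = (int8)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SHORT:
+ {
+ uint16 v = (uint16)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SSHORT:
+ {
+ int16 v = (int16)va_arg(ap, int);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_LONG:
+ case TIFF_IFD:
+ {
+ uint32 v = va_arg(ap, uint32);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_SLONG:
+ {
+ int32 v = va_arg(ap, int32);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_RATIONAL:
+ case TIFF_SRATIONAL:
+ case TIFF_FLOAT:
+ {
+ float v = (float)va_arg(ap, double);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ case TIFF_DOUBLE:
+ {
+ double v = va_arg(ap, double);
+ _TIFFmemcpy(val, &v, tv_size);
+ }
+ break;
+ default:
+ _TIFFmemset(val, 0, tv_size);
+ status = 0;
+ break;
 }
 }
 }
 }
- }
 }
 if (status) {
 TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
@@ -868,75 +864,76 @@
 *va_arg(ap, uint16*) = (uint16)tv->count;
 *va_arg(ap, void **) = tv->value;
 ret_val = 1;
+ } else if (fip->field_tag == TIFFTAG_DOTRANGE
+ && strcmp(fip->field_name,"DotRange") == 0) {
+ /* TODO: This is an evil exception and should not have been
+ handled this way ... likely best if we move it into
+ the directory structure with an explicit field in
+ libtiff 4.1 and assign it a FIELD_ value */
+ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
+ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
+ ret_val = 1;
 } else {
- if ((fip->field_type == TIFF_ASCII
+ if (fip->field_type == TIFF_ASCII
 || fip->field_readcount == TIFF_VARIABLE
 || fip->field_readcount == TIFF_VARIABLE2
 || fip->field_readcount == TIFF_SPP
- || tv->count > 1)
- && fip->field_tag != TIFFTAG_PAGENUMBER
- && fip->field_tag != TIFFTAG_HALFTONEHINTS
- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
- && fip->field_tag != TIFFTAG_DOTRANGE) {
+ || tv->count > 1) {
 *va_arg(ap, void **) = tv->value;
 ret_val = 1;
 } else {
- int j;
 char *val = (char *)tv->value;
-
- for (j = 0; j < tv->count;
- j++, val += _TIFFDataSize(tv->info->field_type)) {
- switch (fip->field_type) {
- case TIFF_BYTE:
- case TIFF_UNDEFINED:
- *va_arg(ap, uint8*) =
- *(uint8 *)val;
- ret_val = 1;
- break;
- case TIFF_SBYTE:
- *va_arg(ap, int8*) =
- *(int8 *)val;
- ret_val = 1;
- break;
- case TIFF_SHORT:
- *va_arg(ap, uint16*) =
- *(uint16 *)val;
- ret_val = 1;
- break;
- case TIFF_SSHORT:
- *va_arg(ap, int16*) =
- *(int16 *)val;
- ret_val = 1;
- break;
- case TIFF_LONG:
- case TIFF_IFD:
- *va_arg(ap, uint32*) =
- *(uint32 *)val;
- ret_val = 1;
- break;
- case TIFF_SLONG:
- *va_arg(ap, int32*) =
- *(int32 *)val;
- ret_val = 1;
- break;
- case TIFF_RATIONAL:
- case TIFF_SRATIONAL:
- case TIFF_FLOAT:
- *va_arg(ap, float*) =
- *(float *)val;
- ret_val = 1;
- break;
- case TIFF_DOUBLE:
- *va_arg(ap, double*) =
- *(double *)val;
- ret_val = 1;
- break;
- default:
- ret_val = 0;
- break;
- }
- }
- }
+ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+ *va_arg(ap, uint8*) =
+ *(uint8 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SBYTE:
+ *va_arg(ap, int8*) =
+ *(int8 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SHORT:
+ *va_arg(ap, uint16*) =
+ *(uint16 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SSHORT:
+ *va_arg(ap, int16*) =
+ *(int16 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_LONG:
+ case TIFF_IFD:
+ *va_arg(ap, uint32*) =
+ *(uint32 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_SLONG:
+ *va_arg(ap, int32*) =
+ *(int32 *)val;
+ ret_val = 1;
+ break;
+ case TIFF_RATIONAL:
+ case TIFF_SRATIONAL:
+ case TIFF_FLOAT:
+ *va_arg(ap, float*) =
+ *(float *)val;
+ ret_val = 1;
+ break;
+ case TIFF_DOUBLE:
+ *va_arg(ap, double*) =
+ *(double *)val;
+ ret_val = 1;
+ break;
+ default:
+ ret_val = 0;
+ break;
+ }
+ }
 }
 break;
 }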
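Review bot: The new DotRange branch in the first hunk writes a hard-coded 4 bytes with `_TIFFmemcpy(tv->value, &v, 4);`, and the matching branch in the second hunk reads `((uint16 *)tv->value)[1]`, but neither checks that the stored value really holds two uint16 entries. The allocation of `tv->value` and the assignment of `tv->count` are outside both hunks, so if the count can ever differ from 2 on these paths, the copy and the read run past the buffer. The only guard the patch adds is `assert( tv->count == 1 )` in the scalar branches, which is compiled out under NDEBUG and therefore enforces nothing in release builds. I would make the invariant a runtime check in the set path, `if (tv->count != 2) { status = 0; goto end; }` followed by `_TIFFmemcpy(tv->value, v, sizeof(v));`, and add an equivalent count test that leaves `ret_val` at 0 in the get path. Whether `goto end` releases `tv->value` correctly needs confirming against the rest of the function, which is not visible here.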
