File tiff-3.8.2-CVE-2012-5581.patch of Package tiff3
Index: tiff-3.9.5/libtiff/tif_dir.c
===================================================================
--- tiff-3.9.5.orig/libtiff/tif_dir.c
+++ tiff-3.9.5/libtiff/tif_dir.c
@@ -493,32 +493,27 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
status = 0;
goto end;
}
-
- if ((fip->field_passcount
+ if (fip->field_tag == TIFFTAG_DOTRANGE
+ && strcmp(fip->field_name,"DotRange") == 0) {
+ /* TODO: This is an evil exception and should not have been
+ handled this way ... likely best if we move it into
+ the directory structure with an explicit field in
+ libtiff 4.1 and assign it a FIELD_ value */
+ uint16 v[2];
+ v[0] = (uint16)va_arg(ap, int);
+ v[1] = (uint16)va_arg(ap, int);
+ _TIFFmemcpy(tv->value, &v, 4);
+ } else if (fip->field_passcount
|| fip->field_writecount == TIFF_VARIABLE
|| fip->field_writecount == TIFF_VARIABLE2
|| fip->field_writecount == TIFF_SPP
- || tv->count > 1)
- && fip->field_tag != TIFFTAG_PAGENUMBER
- && fip->field_tag != TIFFTAG_HALFTONEHINTS
- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
- && fip->field_tag != TIFFTAG_DOTRANGE) {
+ || tv->count > 1) {
_TIFFmemcpy(tv->value, va_arg(ap, void *),
tv->count * tv_size);
} else {
- /*
- * XXX: The following loop required to handle
- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
- * These tags are actually arrays and should be passed as
- * array pointers to TIFFSetField() function, but actually
- * passed as a list of separate values. This behaviour
- * must be changed in the future!
- */
- int i;
+ assert( tv->count == 1 );
char *val = (char *)tv->value;
- for (i = 0; i < tv->count; i++, val += tv_size) {
switch (fip->field_type) {
case TIFF_BYTE:
case TIFF_UNDEFINED:
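Review bot: The new DotRange branch copies a hard-coded 4 bytes into `tv->value` with `_TIFFmemcpy(tv->value, &v, 4);`, but nothing in the hunk ties that size to the buffer, which is allocated outside the visible lines. If `tv->count * tv_size` could ever be smaller than 4 for a field registered under this tag and name, the copy would write past the allocation. I would write `_TIFFmemcpy(tv->value, v, sizeof(v));` and add a runtime check that the buffer holds at least `sizeof(v)` bytes before copying. Separately, `assert( tv->count == 1 );` is compiled out under NDEBUG, so it documents the single-value assumption but does not enforce it in release builds. It also precedes the declaration of `val`, which is a declaration after a statement; declaring `char *val = (char *)tv->value;` first keeps the block valid for C89 compilers. The body of `_TIFFVSetField` starts and ends outside this hunk, so the allocation and count setup could not be checked here.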
@@ -577,7 +572,6 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
status = 0;
break;
}
- }
}
}
}