Sophie: libtiff-3.8.2-13.2mdv2009.1 src

libtiff-3.8.2-13.2mdv2009.1.src.rpm

Make tiffdump more paranoid about checking the count field of a directory
entry.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218


diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tiff-3.9.4.orig/tools/tiffdump.c	2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffdump.c	2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
 # include <io.h>
 #endif
 
+#include "tiffiop.h"
 #include "tiffio.h"
 
 #ifndef O_BINARY
@@ -317,7 +318,7 @@
 			printf(">\n");
 			continue;
 		}
-		space = dp->tdir_count * datawidth[dp->tdir_type];
+		space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
 		if (space <= 0) {
 			printf(">\n");
 			Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
 	w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
 	cc = dir->tdir_count * w;
 	if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
-	    && read(fd, cp, cc) != -1) {
+	    && read(fd, cp, cc) == cc) {
 		if (swabflag) {
 			switch (dir->tdir_type) {
 			case TIFF_SHORT: