main/tiff: fix CVE-2012-5581

fixes #1561
author: Natanael Copa <ncopa@alpinelinux.org> 2013-01-17 15:22:03 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-01-17 15:30:11 +0000
commit: eda2e96a21e8586530375f6ef00d01bff0a8519b (patch)
tree: a5c2fdefbf9a8448f838d9d819211e9fe439bfb5
parent: 9e3c4c8431fcb4ee6175eefef0db3aefad7b7e4f (diff)
download: alpine_aports-eda2e96a21e8586530375f6ef00d01bff0a8519b.tar.bz2
alpine_aports-eda2e96a21e8586530375f6ef00d01bff0a8519b.tar.xz
alpine_aports-eda2e96a21e8586530375f6ef00d01bff0a8519b.zip
2 files changed, 249 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index ad02acb4c1..67f7143932 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
 pkgver=3.9.7
-pkgrel=0
+pkgrel=1
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -14,6 +14,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
        CVE-2012-4447.patch
        CVE-2012-4564.patch
+        CVE-2012-5581.patch
        "
        
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -52,4 +53,5 @@ tools() {
 md5sums="626102f448ba441d42e3212538ad67d2  tiff-3.9.7.tar.gz
 f85847db8d4cf8d9564f0f9af5bb060a  CVE-2012-4447.patch
-e7b151b4a5acc8eb4b4428a98d6aa779  CVE-2012-4564.patch"
+e7b151b4a5acc8eb4b4428a98d6aa779  CVE-2012-4564.patch
+072dc152f5acc1ff1195fdf03e67ee52  CVE-2012-5581.patch"
diff --git a/main/tiff/CVE-2012-5581.patch b/main/tiff/CVE-2012-5581.patch
new file mode 100644
index 0000000000..a6bdca1370
--- /dev/null
+++ b/main/tiff/CVE-2012-5581.patch
@@ -0,0 +1,245 @@
+Fix unsafe handling of DotRange and related tags.  Back-port of upstream
+patch for CVE-2012-5581.  (Note: I have not pushed this into upstream CVS
+for the 3.9 branch, because I'm not entirely convinced that it won't create
+application compatibility issues --- tgl)
+diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
+--- tiff-3.9.7.orig/libtiff/tif_dir.c   2012-09-22 10:48:09.000000000 -0400
+++ tiff-3.9.7/libtiff/tif_dir.c        2012-12-13 13:39:20.448864070 -0500
+@@ -494,32 +494,28 @@
+                    goto end;
+                }
+ 
+-               if ((fip->field_passcount
+               if (fip->field_tag == TIFFTAG_DOTRANGE 
+                   && strcmp(fip->field_name,"DotRange") == 0) {
+                       /* TODO: This is an evil exception and should not have been
+                          handled this way ... likely best if we move it into
+                          the directory structure with an explicit field in 
+                          libtiff 4.1 and assign it a FIELD_ value */
+                       uint16 v[2];
+                       v[0] = (uint16)va_arg(ap, int);
+                       v[1] = (uint16)va_arg(ap, int);
+                       _TIFFmemcpy(tv->value, v, 4);
+               }
+               else if (fip->field_passcount
+                    || fip->field_writecount == TIFF_VARIABLE
+                    || fip->field_writecount == TIFF_VARIABLE2
+                    || fip->field_writecount == TIFF_SPP
+-                   || tv->count > 1)
+-                   && fip->field_tag != TIFFTAG_PAGENUMBER
+-                   && fip->field_tag != TIFFTAG_HALFTONEHINTS
+-                   && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+-                   && fip->field_tag != TIFFTAG_DOTRANGE
+-                   && fip->field_tag != TIFFTAG_WHITELEVEL) {
+                   || tv->count > 1) {
+                     _TIFFmemcpy(tv->value, va_arg(ap, void *),
+                                tv->count * tv_size);
+                } else {
+-                   /*
+-                    * XXX: The following loop required to handle
+-                    * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
+-                    * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
+-                    * These tags are actually arrays and should be passed as
+-                    * array pointers to TIFFSetField() function, but actually
+-                    * passed as a list of separate values. This behaviour
+-                    * must be changed in the future!
+-                    */
+-                   int i;
+                    char *val = (char *)tv->value;
+ 
+-                   for (i = 0; i < tv->count; i++, val += tv_size) {
+                   assert( tv->count == 1 );
+                            switch (fip->field_type) {
+                                case TIFF_BYTE:
+                                case TIFF_UNDEFINED:
+@@ -578,7 +574,6 @@
+                                    status = 0;
+                                    break;
+                            }
+-                   }
+                }
+            }
+           }
+@@ -869,24 +864,27 @@
+                                *va_arg(ap, uint16*) = (uint16)tv->count;
+                        *va_arg(ap, void **) = tv->value;
+                        ret_val = 1;
+-                } else {
+-                       if ((fip->field_type == TIFF_ASCII
+               } else if (fip->field_tag == TIFFTAG_DOTRANGE
+                          && strcmp(fip->field_name,"DotRange") == 0) {
+                       /* TODO: This is an evil exception and should not have been
+                          handled this way ... likely best if we move it into
+                          the directory structure with an explicit field in 
+                          libtiff 4.1 and assign it a FIELD_ value */
+                       *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
+                       *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
+                       ret_val = 1;
+               } else {
+                       if (fip->field_type == TIFF_ASCII
+                            || fip->field_readcount == TIFF_VARIABLE
+                            || fip->field_readcount == TIFF_VARIABLE2
+                            || fip->field_readcount == TIFF_SPP
+-                           || tv->count > 1)
+-                           && fip->field_tag != TIFFTAG_PAGENUMBER
+-                           && fip->field_tag != TIFFTAG_HALFTONEHINTS
+-                           && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+-                           && fip->field_tag != TIFFTAG_DOTRANGE) {
+                           || tv->count > 1) {
+                                *va_arg(ap, void **) = tv->value;
+                                ret_val = 1;
+                        } else {
+-                           int j;
+                            char *val = (char *)tv->value;
+ 
+-                           for (j = 0; j < tv->count;
+-                                j++, val += _TIFFDataSize(tv->info->field_type)) {
+                           assert( tv->count == 1 );
+                                switch (fip->field_type) {
+                                        case TIFF_BYTE:
+                                        case TIFF_UNDEFINED:
+@@ -936,7 +934,6 @@
+                                                ret_val = 0;
+                                                break;
+                                }
+-                           }
+                        }
+                 }
+                break;
+diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
+--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
+++ tiff-3.9.7/libtiff/tif_print.c      2012-12-13 13:42:12.773478278 -0500
+@@ -112,16 +112,22 @@
+ }
+ 
+ static int
+-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
+_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
+                      uint32 value_count, void *raw_data)
+ {
+        TIFFDirectory *td = &tif->tif_dir;
+ 
+       /* do not try to pretty print auto-defined fields */
+       if (strncmp(fip->field_name,"Tag ", 4) == 0) {
+               return 0;
+       }
+
+        switch (tag)
+        {
+                case TIFFTAG_INKSET:
+-                       fprintf(fd, "  Ink Set: ");
+-                       switch (*((uint16*)raw_data)) {
+                       if (value_count == 2 && fip->field_type == TIFF_SHORT) {
+                               fprintf(fd, "  Ink Set: ");
+                               switch (*((uint16*)raw_data)) {
+                                case INKSET_CMYK:
+                                        fprintf(fd, "CMYK\n");
+                                        break;
+@@ -130,11 +136,18 @@
+                                                *((uint16*)raw_data),
+                                                *((uint16*)raw_data));
+                                        break;
+                               }
+                               return 1;
+                        }
+-                       return 1;
+                       return 0;
+
+                case TIFFTAG_WHITEPOINT:
+-                       fprintf(fd, "  White Point: %g-%g\n",
+-                               ((float *)raw_data)[0], ((float *)raw_data)[1]);                        return 1;
+                       if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
+                               fprintf(fd, "  White Point: %g-%g\n",
+                                       ((float *)raw_data)[0], ((float *)raw_data)[1]);                        return 1;
+                       }
+                       return 0;
+
+                case TIFFTAG_REFERENCEBLACKWHITE:
+                {
+                        uint16 i;
+@@ -174,10 +187,13 @@
+                                (unsigned long) value_count);
+                        return 1;
+                case TIFFTAG_STONITS:
+-                       fprintf(fd,
+-                               "  Sample to Nits conversion factor: %.4e\n",
+-                               *((double*)raw_data));
+-                       return 1;
+                       if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
+                               fprintf(fd,
+                                       "  Sample to Nits conversion factor: %.4e\n",
+                                       *((double*)raw_data));
+                               return 1;
+                       }
+                       return 0;
+         }
+ 
+        return 0;
+@@ -524,44 +540,28 @@
+                                value_count = td->td_samplesperpixel;
+                        else
+                                value_count = fip->field_readcount;
+-                       if ((fip->field_type == TIFF_ASCII
+                       if (fip->field_tag == TIFFTAG_DOTRANGE
+                           && strcmp(fip->field_name,"DotRange") == 0) {
+                               /* TODO: This is an evil exception and should not have been
+                                  handled this way ... likely best if we move it into
+                                  the directory structure with an explicit field in 
+                                  libtiff 4.1 and assign it a FIELD_ value */
+                               static uint16 dotrange[2];
+                               raw_data = dotrange;
+                               TIFFGetField(tif, tag, dotrange+0, dotrange+1);
+                       } else if (fip->field_type == TIFF_ASCII
+                             || fip->field_readcount == TIFF_VARIABLE
+                             || fip->field_readcount == TIFF_VARIABLE2
+                             || fip->field_readcount == TIFF_SPP
+-                            || value_count > 1)
+-                           && fip->field_tag != TIFFTAG_PAGENUMBER
+-                           && fip->field_tag != TIFFTAG_HALFTONEHINTS
+-                           && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+-                           && fip->field_tag != TIFFTAG_DOTRANGE) {
+                            || value_count > 1) {
+                                if(TIFFGetField(tif, tag, &raw_data) != 1)
+                                        continue;
+-                       } else if (fip->field_tag != TIFFTAG_PAGENUMBER
+-                                  && fip->field_tag != TIFFTAG_HALFTONEHINTS
+-                                  && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+-                                  && fip->field_tag != TIFFTAG_DOTRANGE) {
+-                               raw_data = _TIFFmalloc(
+-                                       _TIFFDataSize(fip->field_type)
+-                                       * value_count);
+-                               mem_alloc = 1;
+-                               if(TIFFGetField(tif, tag, raw_data) != 1) {
+-                                       _TIFFfree(raw_data);
+-                                       continue;
+-                               }
+                        } else {
+-                               /* 
+-                                * XXX: Should be fixed and removed, see the
+-                                * notes related to TIFFTAG_PAGENUMBER,
+-                                * TIFFTAG_HALFTONEHINTS,
+-                                * TIFFTAG_YCBCRSUBSAMPLING and
+-                                * TIFFTAG_DOTRANGE tags in tif_dir.c. */
+-                               char *tmp;
+                                raw_data = _TIFFmalloc(
+                                        _TIFFDataSize(fip->field_type)
+                                        * value_count);
+-                               tmp = raw_data;
+                                mem_alloc = 1;
+-                               if(TIFFGetField(tif, tag, tmp,
+-                               tmp + _TIFFDataSize(fip->field_type)) != 1) {
+                               if(TIFFGetField(tif, tag, raw_data) != 1) {
+                                        _TIFFfree(raw_data);
+                                        continue;
+                                }
+@@ -574,7 +574,7 @@
+                 * _TIFFPrettyPrintField() fall down and print it as any other
+                 * tag.
+                 */
+-               if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
+               if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
+                        if(mem_alloc)
+                                _TIFFfree(raw_data);
+                        continue;
author	Natanael Copa <ncopa@alpinelinux.org>	2013-01-17 15:22:03 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-01-17 15:30:11 +0000
commit	eda2e96a21e8586530375f6ef00d01bff0a8519b (patch)
tree	a5c2fdefbf9a8448f838d9d819211e9fe439bfb5
parent	9e3c4c8431fcb4ee6175eefef0db3aefad7b7e4f (diff)
download	alpine_aports-eda2e96a21e8586530375f6ef00d01bff0a8519b.tar.bz2 alpine_aports-eda2e96a21e8586530375f6ef00d01bff0a8519b.tar.xz alpine_aports-eda2e96a21e8586530375f6ef00d01bff0a8519b.zip

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index ad02acb4c1..67f7143932 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Michael Mason <ms13sp@gmail.com>	2	# Maintainer: Michael Mason <ms13sp@gmail.com>
3	pkgname=tiff	3	pkgname=tiff
4	pkgver=3.9.7	4	pkgver=3.9.7
5	pkgrel=0	5	pkgrel=1
6	pkgdesc="Provides support for the Tag Image File Format or TIFF"	6	pkgdesc="Provides support for the Tag Image File Format or TIFF"
7	url="http://www.libtiff.org/"	7	url="http://www.libtiff.org/"
8	arch="all"	8	arch="all"
@@ -14,6 +14,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
14	source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz	14	source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
15	CVE-2012-4447.patch	15	CVE-2012-4447.patch
16	CVE-2012-4564.patch	16	CVE-2012-4564.patch
		17	CVE-2012-5581.patch
17	"	18	"
18		19
19	_builddir="$srcdir"/$pkgname-$pkgver	20	_builddir="$srcdir"/$pkgname-$pkgver
@@ -52,4 +53,5 @@ tools() {
52		53
53	md5sums="626102f448ba441d42e3212538ad67d2 tiff-3.9.7.tar.gz	54	md5sums="626102f448ba441d42e3212538ad67d2 tiff-3.9.7.tar.gz
54	f85847db8d4cf8d9564f0f9af5bb060a CVE-2012-4447.patch	55	f85847db8d4cf8d9564f0f9af5bb060a CVE-2012-4447.patch
55	e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch"	56	e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch
		57	072dc152f5acc1ff1195fdf03e67ee52 CVE-2012-5581.patch"


diff --git a/main/tiff/CVE-2012-5581.patch b/main/tiff/CVE-2012-5581.patch new file mode 100644 index 0000000000..a6bdca1370 --- /dev/null +++ b/main/tiff/CVE-2012-5581.patch
@@ -0,0 +1,245 @@
		1	Fix unsafe handling of DotRange and related tags. Back-port of upstream
		2	patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
		3	for the 3.9 branch, because I'm not entirely convinced that it won't create
		4	application compatibility issues --- tgl)
		5
		6
		7	diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
		8	--- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
		9	+++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
		10	@@ -494,32 +494,28 @@
		11	goto end;
		12	}
		13
		14	- if ((fip->field_passcount
		15	+ if (fip->field_tag == TIFFTAG_DOTRANGE
		16	+ && strcmp(fip->field_name,"DotRange") == 0) {
		17	+ /* TODO: This is an evil exception and should not have been
		18	+ handled this way ... likely best if we move it into
		19	+ the directory structure with an explicit field in
		20	+ libtiff 4.1 and assign it a FIELD_ value */
		21	+ uint16 v[2];
		22	+ v[0] = (uint16)va_arg(ap, int);
		23	+ v[1] = (uint16)va_arg(ap, int);
		24	+ _TIFFmemcpy(tv->value, v, 4);
		25	+ }
		26	+ else if (fip->field_passcount
		27	\|\| fip->field_writecount == TIFF_VARIABLE
		28	\|\| fip->field_writecount == TIFF_VARIABLE2
		29	\|\| fip->field_writecount == TIFF_SPP
		30	- \|\| tv->count > 1)
		31	- && fip->field_tag != TIFFTAG_PAGENUMBER
		32	- && fip->field_tag != TIFFTAG_HALFTONEHINTS
		33	- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
		34	- && fip->field_tag != TIFFTAG_DOTRANGE
		35	- && fip->field_tag != TIFFTAG_WHITELEVEL) {
		36	+ \|\| tv->count > 1) {
		37	_TIFFmemcpy(tv->value, va_arg(ap, void *),
		38	tv->count * tv_size);
		39	} else {
		40	- /*
		41	- * XXX: The following loop required to handle
		42	- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
		43	- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
		44	- * These tags are actually arrays and should be passed as
		45	- * array pointers to TIFFSetField() function, but actually
		46	- * passed as a list of separate values. This behaviour
		47	- * must be changed in the future!
		48	- */
		49	- int i;
		50	char val = (char )tv->value;
		51
		52	- for (i = 0; i < tv->count; i++, val += tv_size) {
		53	+ assert( tv->count == 1 );
		54	switch (fip->field_type) {
		55	case TIFF_BYTE:
		56	case TIFF_UNDEFINED:
		57	@@ -578,7 +574,6 @@
		58	status = 0;
		59	break;
		60	}
		61	- }
		62	}
		63	}
		64	}
		65	@@ -869,24 +864,27 @@
		66	va_arg(ap, uint16) = (uint16)tv->count;
		67	va_arg(ap, void *) = tv->value;
		68	ret_val = 1;
		69	- } else {
		70	- if ((fip->field_type == TIFF_ASCII
		71	+ } else if (fip->field_tag == TIFFTAG_DOTRANGE
		72	+ && strcmp(fip->field_name,"DotRange") == 0) {
		73	+ /* TODO: This is an evil exception and should not have been
		74	+ handled this way ... likely best if we move it into
		75	+ the directory structure with an explicit field in
		76	+ libtiff 4.1 and assign it a FIELD_ value */
		77	+ va_arg(ap, uint16) = ((uint16 *)tv->value)[0];
		78	+ va_arg(ap, uint16) = ((uint16 *)tv->value)[1];
		79	+ ret_val = 1;
		80	+ } else {
		81	+ if (fip->field_type == TIFF_ASCII
		82	\|\| fip->field_readcount == TIFF_VARIABLE
		83	\|\| fip->field_readcount == TIFF_VARIABLE2
		84	\|\| fip->field_readcount == TIFF_SPP
		85	- \|\| tv->count > 1)
		86	- && fip->field_tag != TIFFTAG_PAGENUMBER
		87	- && fip->field_tag != TIFFTAG_HALFTONEHINTS
		88	- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
		89	- && fip->field_tag != TIFFTAG_DOTRANGE) {
		90	+ \|\| tv->count > 1) {
		91	va_arg(ap, void *) = tv->value;
		92	ret_val = 1;
		93	} else {
		94	- int j;
		95	char val = (char )tv->value;
		96
		97	- for (j = 0; j < tv->count;
		98	- j++, val += _TIFFDataSize(tv->info->field_type)) {
		99	+ assert( tv->count == 1 );
		100	switch (fip->field_type) {
		101	case TIFF_BYTE:
		102	case TIFF_UNDEFINED:
		103	@@ -936,7 +934,6 @@
		104	ret_val = 0;
		105	break;
		106	}
		107	- }
		108	}
		109	}
		110	break;
		111	diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
		112	--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
		113	+++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
		114	@@ -112,16 +112,22 @@
		115	}
		116
		117	static int
		118	-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
		119	+_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo fip, FILE fd, ttag_t tag,
		120	uint32 value_count, void *raw_data)
		121	{
		122	TIFFDirectory *td = &tif->tif_dir;
		123
		124	+ /* do not try to pretty print auto-defined fields */
		125	+ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
		126	+ return 0;
		127	+ }
		128	+
		129	switch (tag)
		130	{
		131	case TIFFTAG_INKSET:
		132	- fprintf(fd, " Ink Set: ");
		133	- switch (((uint16)raw_data)) {
		134	+ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
		135	+ fprintf(fd, " Ink Set: ");
		136	+ switch (((uint16)raw_data)) {
		137	case INKSET_CMYK:
		138	fprintf(fd, "CMYK\n");
		139	break;
		140	@@ -130,11 +136,18 @@
		141	((uint16)raw_data),
		142	((uint16)raw_data));
		143	break;
		144	+ }
		145	+ return 1;
		146	}
		147	- return 1;
		148	+ return 0;
		149	+
		150	case TIFFTAG_WHITEPOINT:
		151	- fprintf(fd, " White Point: %g-%g\n",
		152	- ((float )raw_data)[0], ((float )raw_data)[1]); return 1;
		153	+ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
		154	+ fprintf(fd, " White Point: %g-%g\n",
		155	+ ((float )raw_data)[0], ((float )raw_data)[1]); return 1;
		156	+ }
		157	+ return 0;
		158	+
		159	case TIFFTAG_REFERENCEBLACKWHITE:
		160	{
		161	uint16 i;
		162	@@ -174,10 +187,13 @@
		163	(unsigned long) value_count);
		164	return 1;
		165	case TIFFTAG_STONITS:
		166	- fprintf(fd,
		167	- " Sample to Nits conversion factor: %.4e\n",
		168	- ((double)raw_data));
		169	- return 1;
		170	+ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
		171	+ fprintf(fd,
		172	+ " Sample to Nits conversion factor: %.4e\n",
		173	+ ((double)raw_data));
		174	+ return 1;
		175	+ }
		176	+ return 0;
		177	}
		178
		179	return 0;
		180	@@ -524,44 +540,28 @@
		181	value_count = td->td_samplesperpixel;
		182	else
		183	value_count = fip->field_readcount;
		184	- if ((fip->field_type == TIFF_ASCII
		185	+ if (fip->field_tag == TIFFTAG_DOTRANGE
		186	+ && strcmp(fip->field_name,"DotRange") == 0) {
		187	+ /* TODO: This is an evil exception and should not have been
		188	+ handled this way ... likely best if we move it into
		189	+ the directory structure with an explicit field in
		190	+ libtiff 4.1 and assign it a FIELD_ value */
		191	+ static uint16 dotrange[2];
		192	+ raw_data = dotrange;
		193	+ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
		194	+ } else if (fip->field_type == TIFF_ASCII
		195	\|\| fip->field_readcount == TIFF_VARIABLE
		196	\|\| fip->field_readcount == TIFF_VARIABLE2
		197	\|\| fip->field_readcount == TIFF_SPP
		198	- \|\| value_count > 1)
		199	- && fip->field_tag != TIFFTAG_PAGENUMBER
		200	- && fip->field_tag != TIFFTAG_HALFTONEHINTS
		201	- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
		202	- && fip->field_tag != TIFFTAG_DOTRANGE) {
		203	+ \|\| value_count > 1) {
		204	if(TIFFGetField(tif, tag, &raw_data) != 1)
		205	continue;
		206	- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
		207	- && fip->field_tag != TIFFTAG_HALFTONEHINTS
		208	- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
		209	- && fip->field_tag != TIFFTAG_DOTRANGE) {
		210	- raw_data = _TIFFmalloc(
		211	- _TIFFDataSize(fip->field_type)
		212	- * value_count);
		213	- mem_alloc = 1;
		214	- if(TIFFGetField(tif, tag, raw_data) != 1) {
		215	- _TIFFfree(raw_data);
		216	- continue;
		217	- }
		218	} else {
		219	- /*
		220	- * XXX: Should be fixed and removed, see the
		221	- * notes related to TIFFTAG_PAGENUMBER,
		222	- * TIFFTAG_HALFTONEHINTS,
		223	- * TIFFTAG_YCBCRSUBSAMPLING and
		224	- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
		225	- char *tmp;
		226	raw_data = _TIFFmalloc(
		227	_TIFFDataSize(fip->field_type)
		228	* value_count);
		229	- tmp = raw_data;
		230	mem_alloc = 1;
		231	- if(TIFFGetField(tif, tag, tmp,
		232	- tmp + _TIFFDataSize(fip->field_type)) != 1) {
		233	+ if(TIFFGetField(tif, tag, raw_data) != 1) {
		234	_TIFFfree(raw_data);
		235	continue;
		236	}
		237	@@ -574,7 +574,7 @@
		238	* _TIFFPrettyPrintField() fall down and print it as any other
		239	* tag.
		240	*/
		241	- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
		242	+ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
		243	if(mem_alloc)
		244	_TIFFfree(raw_data);
		245	continue;