Upstream patch for bug #601274  (CVE-2010-2065)


diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c
--- tiff-3.8.2.orig/libtiff/tif_read.c	2005-12-21 07:33:56.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_read.c	2010-06-13 16:04:13.000000000 -0400
@@ -525,16 +525,18 @@
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_rawdata = NULL;
 	}
+
 	if (bp) {
 		tif->tif_rawdatasize = size;
 		tif->tif_rawdata = (tidata_t) bp;
 		tif->tif_flags &= ~TIFF_MYBUFFER;
 	} else {
 		tif->tif_rawdatasize = TIFFroundup(size, 1024);
-		tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+		if (tif->tif_rawdatasize > 0)
+			tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
 		tif->tif_flags |= TIFF_MYBUFFER;
 	}
-	if (tif->tif_rawdata == NULL) {
+	if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
 		TIFFErrorExt(tif->tif_clientdata, module,
 		    "%s: No space for data buffer at scanline %ld",
 		    tif->tif_name, (long) tif->tif_row);
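Review bot: The two added size tests disagree: the allocation is guarded by `tif->tif_rawdatasize > 0`, but the failure test rejects only `tif->tif_rawdatasize == 0`. In the `bp` branch `size` is stored unchecked, so if tsize_t is signed (it appears to be in this libtiff version, but the hunk does not show it) a negative `size` with a non-NULL caller buffer passes both tests and is kept as the raw buffer size. Writing the test as `if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize <= 0)) {` would reject that case as well. The skipped `_TIFFmalloc` also depends on `tif_rawdata` already being NULL from the free block above, which deserves a comment such as `/* rounded size wrapped to 0: tif_rawdata stays NULL and is rejected below */`. The function's body starts and ends outside the hunk.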