From e06d40222222d98f6a21a0a60d1491e7126f151c Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Wed, 8 Apr 2020 11:56:34 +0200
Subject: tdf#131969: Fix reading SHORT Orientation value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<http://www.cipa.jp/std/documents/e/DC-008-2012_E.pdf> "CIPA DC- 008-Translation-
2012: Exchangeable image file format for digital still cameras: Exif Version 2.3"
documents that the Orientation tag 0x0112 expects a count of 1 values of type SHORT
(16 bit), and details that values <= 4 bytes are stored in the Value Offset field
always using bytes starting from the left of the field.

This is a regression introduced with 42c0e433aca68c669bc0f55af404b6bae1655fba "Avoid
-fsanitize=misaligned-pointer-use".  That commit had wondered why the original code
had used OSL_SWAPWORD instead of OSL_SWAPDWORD when reading and writing such
orientation values.  It turns out that that original code had happened to work
correctly when processing either little or big endian data on a little endian
machine.  (Though it would have worked incorrectly when processing either little or
big endian data on a big endian machine.)  And with
42c0e433aca68c669bc0f55af404b6bae1655fba, the code worked when processing little
endian data on a little endian machine, but failed when processing big endian data
on a little endian machine, as is the case for tdf#131669 on e.g. x86_64.

(read32 has become unused and is thus removed.)

Change-Id: I7992629048ac44c00ee703c75164f3d094773244
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91881
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Reviewed-by: Tomaž Vajngerl <quikee@gmail.com>
(cherry picked from commit fd5961cb0e2ebc2f5797f76a2b1f9fd52ca4b3ab)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91889
Reviewed-by: Michael Stahl <michael.stahl@cib.de>
---
 vcl/source/filter/jpeg/Exif.cxx | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

(limited to 'vcl')

diff --git a/vcl/source/filter/jpeg/Exif.cxx b/vcl/source/filter/jpeg/Exif.cxx
index 6dd3bd1b2baa..b0f68a4aed40 100644
--- a/vcl/source/filter/jpeg/Exif.cxx
+++ b/vcl/source/filter/jpeg/Exif.cxx
@@ -169,16 +169,6 @@ void write16(sal_uInt16 value, sal_uInt8 (& data)[2], bool littleEndian) {
     }
 }
 
-sal_uInt32 read32(sal_uInt8 const (& data)[4], bool littleEndian) {
-    if (littleEndian) {
-        return data[0] | (sal_uInt32(data[1]) << 8)
-            | (sal_uInt32(data[2]) << 16) | (sal_uInt32(data[3]) << 24);
-    } else {
-        return data[3] | (sal_uInt32(data[2]) << 8)
-            | (sal_uInt32(data[1]) << 16) | (sal_uInt32(data[0]) << 24);
-    }
-}
-
 void write32(sal_uInt32 value, sal_uInt8 (& data)[4], bool littleEndian) {
     if (littleEndian) {
         data[0] = value & 0xFF;
@@ -210,11 +200,13 @@ void Exif::processIFD(sal_uInt8* pExifData, sal_uInt16 aLength, sal_uInt16 aOffs
             {
                 write16(3, ifd->type, littleEndian);
                 write32(1, ifd->count, littleEndian);
-                write32(maOrientation, ifd->offset, littleEndian);
+                write16(
+                    maOrientation, reinterpret_cast<sal_uInt8 (&)[2]>(ifd->offset), littleEndian);
             }
             else
             {
-                sal_uInt32 nIfdOffset = read32(ifd->offset, littleEndian);
+                sal_uInt16 nIfdOffset = read16(
+                    reinterpret_cast<sal_uInt8 (&)[2]>(ifd->offset), littleEndian);
                 maOrientation = convertToOrientation(nIfdOffset);
             }
         }
-- 
cgit