1 diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c 2 index 53c938a89..03c9a81fb 100644 3 --- a/third_party/libtiff/tif_getimage.c 4 +++ b/third_party/libtiff/tif_getimage.c 5 @@ -627,7 +627,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 6 uint32 col, row, y, rowstoread; 7 tmsize_t pos; 8 uint32 tw, th; 9 - unsigned char* buf; 10 + unsigned char* buf = NULL; 11 int32 fromskew, toskew; 12 int64 safeskew; 13 uint32 nrow; 14 @@ -636,13 +636,14 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 15 int32 this_toskew, leftmost_toskew; 16 int32 leftmost_fromskew; 17 uint32 leftmost_tw; 18 + tmsize_t bufsize; 19 20 - buf = (unsigned char*) _TIFFmalloc(TIFFTileSize(tif)); 21 - if (buf == 0) { 22 - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); 23 - return (0); 24 + bufsize = TIFFTileSize(tif); 25 + if (bufsize == 0) { 26 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); 27 + return (0); 28 } 29 - _TIFFmemset(buf, 0, TIFFTileSize(tif)); 30 + 31 TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); 32 TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); 33 34 @@ -691,8 +692,9 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 35 col = img->col_offset; 36 while (tocol < w) 37 { 38 - if (TIFFReadTile(tif, buf, col, 39 - row+img->row_offset, 0, 0)==(tmsize_t)(-1) && img->stoponerr) 40 + if (_TIFFReadTileAndAllocBuffer(tif, (void**) &buf, bufsize, col, 41 + row+img->row_offset, 0, 0)==(tmsize_t)(-1) && 42 + (buf == NULL || img->stoponerr)) 43 { 44 ret = 0; 45 break; 46 @@ -772,11 +774,11 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 47 uint32 col, row, y, rowstoread; 48 tmsize_t pos; 49 uint32 tw, th; 50 - unsigned char* buf; 51 - unsigned char* p0; 52 - unsigned char* p1; 53 - unsigned char* p2; 54 - unsigned char* pa; 55 + unsigned char* buf = NULL; 56 + unsigned char* p0 = NULL; 57 + unsigned char* p1 = NULL; 58 + unsigned char* p2 = NULL; 59 + unsigned char* pa = NULL; 60 tmsize_t tilesize; 61 tmsize_t bufsize; 62 int32 fromskew, toskew; 63 @@ -795,16 +797,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 64 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); 65 return (0); 66 } 67 - buf = (unsigned char*) _TIFFmalloc(bufsize); 68 - if (buf == 0) { 69 - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); 70 - return (0); 71 - } 72 - _TIFFmemset(buf, 0, bufsize); 73 - p0 = buf; 74 - p1 = p0 + tilesize; 75 - p2 = p1 + tilesize; 76 - pa = (alpha?(p2+tilesize):NULL); 77 + 78 TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); 79 TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); 80 81 @@ -824,7 +817,6 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 82 case PHOTOMETRIC_MINISBLACK: 83 case PHOTOMETRIC_PALETTE: 84 colorchannels = 1; 85 - p2 = p1 = p0; 86 break; 87 88 default: 89 @@ -849,7 +841,30 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 90 col = img->col_offset; 91 while (tocol < w) 92 { 93 - if (TIFFReadTile(tif, p0, col, 94 + if( buf == NULL ) 95 + { 96 + if (_TIFFReadTileAndAllocBuffer( 97 + tif, (void**) &buf, bufsize, col, 98 + row+img->row_offset,0,0)==(tmsize_t)(-1) 99 + && (buf == NULL || img->stoponerr)) 100 + { 101 + ret = 0; 102 + break; 103 + } 104 + p0 = buf; 105 + if( colorchannels == 1 ) 106 + { 107 + p2 = p1 = p0; 108 + pa = (alpha?(p0+3*tilesize):NULL); 109 + } 110 + else 111 + { 112 + p1 = p0 + tilesize; 113 + p2 = p1 + tilesize; 114 + pa = (alpha?(p2+tilesize):NULL); 115 + } 116 + } 117 + else if (TIFFReadTile(tif, p0, col, 118 row+img->row_offset,0,0)==(tmsize_t)(-1) && img->stoponerr) 119 { 120 ret = 0; 121 @@ -940,13 +955,14 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 122 tileContigRoutine put = img->put.contig; 123 uint32 row, y, nrow, nrowsub, rowstoread; 124 tmsize_t pos; 125 - unsigned char* buf; 126 + unsigned char* buf = NULL; 127 uint32 rowsperstrip; 128 uint16 subsamplinghor,subsamplingver; 129 uint32 imagewidth = img->width; 130 tmsize_t scanline; 131 int32 fromskew, toskew; 132 int ret = 1, flip; 133 + tmsize_t maxstripsize; 134 135 TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); 136 if( subsamplingver == 0 ) { 137 @@ -954,12 +970,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 138 return (0); 139 } 140 141 - buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); 142 - if (buf == 0) { 143 - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); 144 - return (0); 145 - } 146 - _TIFFmemset(buf, 0, TIFFStripSize(tif)); 147 + maxstripsize = TIFFStripSize(tif); 148 149 flip = setorientation(img); 150 if (flip & FLIP_VERTICALLY) { 151 @@ -981,11 +992,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 152 nrowsub = nrow; 153 if ((nrowsub%subsamplingver)!=0) 154 nrowsub+=subsamplingver-nrowsub%subsamplingver; 155 - if (TIFFReadEncodedStrip(tif, 156 + if (_TIFFReadEncodedStripAndAllocBuffer(tif, 157 TIFFComputeStrip(tif,row+img->row_offset, 0), 158 - buf, 159 + (void**)(&buf), 160 + maxstripsize, 161 ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) 162 - && img->stoponerr) 163 + && (buf == NULL || img->stoponerr)) 164 { 165 ret = 0; 166 break; 167 @@ -1029,8 +1041,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 168 { 169 TIFF* tif = img->tif; 170 tileSeparateRoutine put = img->put.separate; 171 - unsigned char *buf; 172 - unsigned char *p0, *p1, *p2, *pa; 173 + unsigned char *buf = NULL; 174 + unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL; 175 uint32 row, y, nrow, rowstoread; 176 tmsize_t pos; 177 tmsize_t scanline; 178 @@ -1049,15 +1061,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 179 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); 180 return (0); 181 } 182 - p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); 183 - if (buf == 0) { 184 - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); 185 - return (0); 186 - } 187 - _TIFFmemset(buf, 0, bufsize); 188 - p1 = p0 + stripsize; 189 - p2 = p1 + stripsize; 190 - pa = (alpha?(p2+stripsize):NULL); 191 192 flip = setorientation(img); 193 if (flip & FLIP_VERTICALLY) { 194 @@ -1075,7 +1078,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 195 case PHOTOMETRIC_MINISBLACK: 196 case PHOTOMETRIC_PALETTE: 197 colorchannels = 1; 198 - p2 = p1 = p0; 199 break; 200 201 default: 202 @@ -1091,7 +1093,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 203 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; 204 nrow = (row + rowstoread > h ? h - row : rowstoread); 205 offset_row = row + img->row_offset; 206 - if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), 207 + if( buf == NULL ) 208 + { 209 + if (_TIFFReadEncodedStripAndAllocBuffer( 210 + tif, TIFFComputeStrip(tif, offset_row, 0), 211 + (void**) &buf, bufsize, 212 + ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) 213 + && (buf == NULL || img->stoponerr)) 214 + { 215 + ret = 0; 216 + break; 217 + } 218 + p0 = buf; 219 + if( colorchannels == 1 ) 220 + { 221 + p2 = p1 = p0; 222 + pa = (alpha?(p0+3*stripsize):NULL); 223 + } 224 + else 225 + { 226 + p1 = p0 + stripsize; 227 + p2 = p1 + stripsize; 228 + pa = (alpha?(p2+stripsize):NULL); 229 + } 230 + } 231 + else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), 232 p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) 233 && img->stoponerr) 234 { 235 diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c 236 index cc4f5d2f6..ad0a778c0 100644 237 --- a/third_party/libtiff/tif_read.c 238 +++ b/third_party/libtiff/tif_read.c 239 @@ -442,18 +442,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample) 240 } 241 242 /* 243 - * Read a strip of data and decompress the specified 244 - * amount into the user-supplied buffer. 245 + * Calculate the strip size according to the number of 246 + * rows in the strip (check for truncated last strip on any 247 + * of the separations). 248 */ 249 -tmsize_t 250 -TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 251 +static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane) 252 { 253 static const char module[] = "TIFFReadEncodedStrip"; 254 TIFFDirectory *td = &tif->tif_dir; 255 uint32 rowsperstrip; 256 uint32 stripsperplane; 257 uint32 stripinplane; 258 - uint16 plane; 259 uint32 rows; 260 tmsize_t stripsize; 261 if (!TIFFCheckRead(tif,0)) 262 @@ -465,23 +464,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 263 (unsigned long)td->td_nstrips); 264 return((tmsize_t)(-1)); 265 } 266 - /* 267 - * Calculate the strip size according to the number of 268 - * rows in the strip (check for truncated last strip on any 269 - * of the separations). 270 - */ 271 + 272 rowsperstrip=td->td_rowsperstrip; 273 if (rowsperstrip>td->td_imagelength) 274 rowsperstrip=td->td_imagelength; 275 stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); 276 stripinplane=(strip%stripsperplane); 277 - plane=(uint16)(strip/stripsperplane); 278 + if( pplane ) *pplane=(uint16)(strip/stripsperplane); 279 rows=td->td_imagelength-stripinplane*rowsperstrip; 280 if (rows>rowsperstrip) 281 rows=rowsperstrip; 282 stripsize=TIFFVStripSize(tif,rows); 283 if (stripsize==0) 284 return((tmsize_t)(-1)); 285 + return stripsize; 286 +} 287 + 288 +/* 289 + * Read a strip of data and decompress the specified 290 + * amount into the user-supplied buffer. 291 + */ 292 +tmsize_t 293 +TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 294 +{ 295 + static const char module[] = "TIFFReadEncodedStrip"; 296 + TIFFDirectory *td = &tif->tif_dir; 297 + tmsize_t stripsize; 298 + uint16 plane; 299 + 300 + stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); 301 + if (stripsize==((tmsize_t)(-1))) 302 + return((tmsize_t)(-1)); 303 304 /* shortcut to avoid an extra memcpy() */ 305 if( td->td_compression == COMPRESSION_NONE && 306 @@ -510,6 +523,50 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 307 return(stripsize); 308 } 309 310 +/* Variant of TIFFReadEncodedStrip() that does 311 + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has 312 + * suceeded. This avoid excessive memory allocation in case of truncated 313 + * file. 314 + * * calls regular TIFFReadEncodedStrip() if *buf != NULL 315 + */ 316 +tmsize_t 317 +_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, 318 + void **buf, tmsize_t bufsizetoalloc, 319 + tmsize_t size_to_read) 320 +{ 321 + tmsize_t this_stripsize; 322 + uint16 plane; 323 + 324 + if( *buf != NULL ) 325 + { 326 + return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read); 327 + } 328 + 329 + this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); 330 + if (this_stripsize==((tmsize_t)(-1))) 331 + return((tmsize_t)(-1)); 332 + 333 + if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize)) 334 + this_stripsize=size_to_read; 335 + if (!TIFFFillStrip(tif,strip)) 336 + return((tmsize_t)(-1)); 337 + 338 + *buf = _TIFFmalloc(bufsizetoalloc); 339 + if (*buf == NULL) { 340 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); 341 + return((tmsize_t)(-1)); 342 + } 343 + _TIFFmemset(*buf, 0, bufsizetoalloc); 344 + 345 + if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0) 346 + return((tmsize_t)(-1)); 347 + (*tif->tif_postdecode)(tif,*buf,this_stripsize); 348 + return(this_stripsize); 349 + 350 + 351 +} 352 + 353 + 354 static tmsize_t 355 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, 356 const char* module) 357 @@ -939,6 +996,78 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) 358 return ((tmsize_t)(-1)); 359 } 360 361 +/* Variant of TIFFReadTile() that does 362 + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has 363 + * suceeded. This avoid excessive memory allocation in case of truncated 364 + * file. 365 + * * calls regular TIFFReadEncodedTile() if *buf != NULL 366 + */ 367 +tmsize_t 368 +_TIFFReadTileAndAllocBuffer(TIFF* tif, 369 + void **buf, tmsize_t bufsizetoalloc, 370 + uint32 x, uint32 y, uint32 z, uint16 s) 371 +{ 372 + if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s)) 373 + return ((tmsize_t)(-1)); 374 + return (_TIFFReadEncodedTileAndAllocBuffer(tif, 375 + TIFFComputeTile(tif, x, y, z, s), 376 + buf, bufsizetoalloc, 377 + (tmsize_t)(-1))); 378 +} 379 + 380 +/* Variant of TIFFReadEncodedTile() that does 381 + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has 382 + * suceeded. This avoid excessive memory allocation in case of truncated 383 + * file. 384 + * * calls regular TIFFReadEncodedTile() if *buf != NULL 385 + */ 386 +tmsize_t 387 +_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, 388 + void **buf, tmsize_t bufsizetoalloc, 389 + tmsize_t size_to_read) 390 +{ 391 + static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer"; 392 + TIFFDirectory *td = &tif->tif_dir; 393 + tmsize_t tilesize = tif->tif_tilesize; 394 + 395 + if( *buf != NULL ) 396 + { 397 + return TIFFReadEncodedTile(tif, tile, *buf, size_to_read); 398 + } 399 + 400 + if (!TIFFCheckRead(tif, 1)) 401 + return ((tmsize_t)(-1)); 402 + if (tile >= td->td_nstrips) { 403 + TIFFErrorExt(tif->tif_clientdata, module, 404 + "%lu: Tile out of range, max %lu", 405 + (unsigned long) tile, (unsigned long) td->td_nstrips); 406 + return ((tmsize_t)(-1)); 407 + } 408 + 409 + if (!TIFFFillTile(tif,tile)) 410 + return((tmsize_t)(-1)); 411 + 412 + *buf = _TIFFmalloc(bufsizetoalloc); 413 + if (*buf == NULL) { 414 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), 415 + "No space for tile buffer"); 416 + return((tmsize_t)(-1)); 417 + } 418 + _TIFFmemset(*buf, 0, bufsizetoalloc); 419 + 420 + if (size_to_read == (tmsize_t)(-1)) 421 + size_to_read = tilesize; 422 + else if (size_to_read > tilesize) 423 + size_to_read = tilesize; 424 + if( (*tif->tif_decodetile)(tif, 425 + (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) { 426 + (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read); 427 + return (size_to_read); 428 + } else 429 + return ((tmsize_t)(-1)); 430 +} 431 + 432 + 433 static tmsize_t 434 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module) 435 { 436 diff --git a/third_party/libtiff/tiffiop.h b/third_party/libtiff/tiffiop.h 437 index 7e415c750..6fb47de5b 100644 438 --- a/third_party/libtiff/tiffiop.h 439 +++ b/third_party/libtiff/tiffiop.h 440 @@ -364,6 +364,20 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); 441 extern double _TIFFUInt64ToDouble(uint64); 442 extern float _TIFFUInt64ToFloat(uint64); 443 444 +extern tmsize_t 445 +_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, 446 + void **buf, tmsize_t bufsizetoalloc, 447 + tmsize_t size_to_read); 448 +extern tmsize_t 449 +_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, 450 + void **buf, tmsize_t bufsizetoalloc, 451 + tmsize_t size_to_read); 452 +extern tmsize_t 453 +_TIFFReadTileAndAllocBuffer(TIFF* tif, 454 + void **buf, tmsize_t bufsizetoalloc, 455 + uint32 x, uint32 y, uint32 z, uint16 s); 456 + 457 + 458 extern int TIFFInitDumpMode(TIFF*, int); 459 #ifdef PACKBITS_SUPPORT 460 extern int TIFFInitPackBits(TIFF*, int); 461
