summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRyan Harrison <rharrison@chromium.org>2018-04-27 16:08:58 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-27 16:08:58 +0000
commitb1b01de0285c77f16a72736bf6abeb9598743b0a (patch)
tree67d1e46245fb8d690cb6c890407b62f6275b49f3
parent7f41d68152885d9b391fd9cc96d9754969b78369 (diff)
downloadpdfium-b1b01de0285c77f16a72736bf6abeb9598743b0a.tar.xz
Updated libtiff 4.0.8->4.0.9
Applied 0000-build-config.patch Applied 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch Applied 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch Updated and applied 0017-safe_skews_in_gtTileContig.patch Removed 0025-upstream-OOM-gtTileContig.patch, already applied Removed 0026-upstream-null-dereference.patch, already applied Applied 0027-build-config.patch Updated and applied 0028-nstrips-OOM.patch BUG=pdfium:1074 Change-Id: I32510327155213fd6256c5a67fa1be3a54cb975c Reviewed-on: https://pdfium-review.googlesource.com/31550 Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>
-rw-r--r--third_party/libtiff/0017-safe_skews_in_gtTileContig.patch105
-rw-r--r--third_party/libtiff/0025-upstream-OOM-gtTileContig.patch460
-rw-r--r--third_party/libtiff/0026-upstream-null-dereference.patch22
-rw-r--r--third_party/libtiff/0028-nstrips-OOM.patch37
-rw-r--r--third_party/libtiff/tif_aux.c9
-rw-r--r--third_party/libtiff/tif_color.c8
-rw-r--r--third_party/libtiff/tif_dir.c4
-rw-r--r--third_party/libtiff/tif_dir.h3
-rw-r--r--third_party/libtiff/tif_dirinfo.c105
-rw-r--r--third_party/libtiff/tif_dirread.c177
-rw-r--r--third_party/libtiff/tif_dirwrite.c38
-rw-r--r--third_party/libtiff/tif_error.c26
-rw-r--r--third_party/libtiff/tif_fax3.c8
-rw-r--r--third_party/libtiff/tif_getimage.c116
-rw-r--r--third_party/libtiff/tif_jpeg.c194
-rw-r--r--third_party/libtiff/tif_luv.c8
-rw-r--r--third_party/libtiff/tif_lzw.c9
-rw-r--r--third_party/libtiff/tif_pixarlog.c9
-rw-r--r--third_party/libtiff/tif_predict.c9
-rw-r--r--third_party/libtiff/tif_read.c162
-rw-r--r--third_party/libtiff/tif_swab.c24
-rw-r--r--third_party/libtiff/tif_warning.c26
-rw-r--r--third_party/libtiff/tiffconf.h14
-rw-r--r--third_party/libtiff/tiffiop.h15
-rw-r--r--third_party/libtiff/tiffvers.h4
25 files changed, 883 insertions, 709 deletions
diff --git a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
index ad6d33daee..9fc0ed0cc9 100644
--- a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
+++ b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
@@ -1,5 +1,98 @@
+diff --git a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
+index ad6d33dae..e69de29bb 100644
+--- a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
++++ b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
+@@ -1,88 +0,0 @@
+-diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
+-index 84cc1d1a7..82e19164e 100644
+---- a/third_party/libtiff/tif_getimage.c
+-+++ b/third_party/libtiff/tif_getimage.c
+-@@ -31,6 +31,7 @@
+- */
+- #include "tiffiop.h"
+- #include <stdio.h>
+-+#include <limits.h>
+-
+- static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+- static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+-@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+- uint32 tw, th;
+- unsigned char* buf;
+- int32 fromskew, toskew;
+-+ int64 safeskew;
+- uint32 nrow;
+- int ret = 1, flip;
+- uint32 this_tw, tocol;
+-@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+- flip = setorientation(img);
+- if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+-- toskew = -(int32)(tw + w);
+-+ safeskew = 0;
+-+ safeskew -= tw;
+-+ safeskew -= w;
+- }
+- else {
+- y = 0;
+-- toskew = -(int32)(tw - w);
+-+ safeskew = 0;
+-+ safeskew -= tw;
+-+ safeskew +=w;
+- }
+-
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ toskew = safeskew;
+-+
+- /*
+- * Leftmost tile is clipped on left side if col_offset > 0.
+- */
+- leftmost_fromskew = img->col_offset % tw;
+- leftmost_tw = tw - leftmost_fromskew;
+-- leftmost_toskew = toskew + leftmost_fromskew;
+-+ safeskew = toskew;
+-+ safeskew += leftmost_fromskew;
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ leftmost_toskew = safeskew;
+- for (row = 0; row < h; row += nrow)
+- {
+- rowstoread = th - (row + img->row_offset) % th;
+-@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+- /*
+- * Rightmost tile is clipped on right side.
+- */
+-- fromskew = tw - (w - tocol);
+-+ safeskew = tw;
+-+ safeskew -= w;
+-+ safeskew += tocol;
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ fromskew = safeskew;
+- this_tw = tw - fromskew;
+-- this_toskew = toskew + fromskew;
+-+ safeskew = toskew;
+-+ safeskew += fromskew;
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ this_toskew = safeskew;
+- }
+- (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
+- tocol += this_tw;
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
-index 84cc1d1a7..82e19164e 100644
+index fc554ccab..fff3f7fde 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
@@ -10,15 +103,15 @@ index 84cc1d1a7..82e19164e 100644
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
-@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+@@ -628,6 +629,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
uint32 tw, th;
- unsigned char* buf;
+ unsigned char* buf = NULL;
int32 fromskew, toskew;
+ int64 safeskew;
uint32 nrow;
int ret = 1, flip;
uint32 this_tw, tocol;
-@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+@@ -648,19 +650,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
y = h - 1;
@@ -56,10 +149,10 @@ index 84cc1d1a7..82e19164e 100644
+ return (0);
+ }
+ leftmost_toskew = safeskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
-@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+@@ -686,9 +706,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
/*
* Rightmost tile is clipped on right side.
*/
diff --git a/third_party/libtiff/0025-upstream-OOM-gtTileContig.patch b/third_party/libtiff/0025-upstream-OOM-gtTileContig.patch
deleted file mode 100644
index d4d3d7028f..0000000000
--- a/third_party/libtiff/0025-upstream-OOM-gtTileContig.patch
+++ /dev/null
@@ -1,460 +0,0 @@
-diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
-index 53c938a89..03c9a81fb 100644
---- a/third_party/libtiff/tif_getimage.c
-+++ b/third_party/libtiff/tif_getimage.c
-@@ -627,7 +627,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint32 col, row, y, rowstoread;
- tmsize_t pos;
- uint32 tw, th;
-- unsigned char* buf;
-+ unsigned char* buf = NULL;
- int32 fromskew, toskew;
- int64 safeskew;
- uint32 nrow;
-@@ -636,13 +636,14 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- int32 this_toskew, leftmost_toskew;
- int32 leftmost_fromskew;
- uint32 leftmost_tw;
-+ tmsize_t bufsize;
-
-- buf = (unsigned char*) _TIFFmalloc(TIFFTileSize(tif));
-- if (buf == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
-- return (0);
-+ bufsize = TIFFTileSize(tif);
-+ if (bufsize == 0) {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
-+ return (0);
- }
-- _TIFFmemset(buf, 0, TIFFTileSize(tif));
-+
- TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
-
-@@ -691,8 +692,9 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- col = img->col_offset;
- while (tocol < w)
- {
-- if (TIFFReadTile(tif, buf, col,
-- row+img->row_offset, 0, 0)==(tmsize_t)(-1) && img->stoponerr)
-+ if (_TIFFReadTileAndAllocBuffer(tif, (void**) &buf, bufsize, col,
-+ row+img->row_offset, 0, 0)==(tmsize_t)(-1) &&
-+ (buf == NULL || img->stoponerr))
- {
- ret = 0;
- break;
-@@ -772,11 +774,11 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint32 col, row, y, rowstoread;
- tmsize_t pos;
- uint32 tw, th;
-- unsigned char* buf;
-- unsigned char* p0;
-- unsigned char* p1;
-- unsigned char* p2;
-- unsigned char* pa;
-+ unsigned char* buf = NULL;
-+ unsigned char* p0 = NULL;
-+ unsigned char* p1 = NULL;
-+ unsigned char* p2 = NULL;
-+ unsigned char* pa = NULL;
- tmsize_t tilesize;
- tmsize_t bufsize;
- int32 fromskew, toskew;
-@@ -795,16 +797,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
- return (0);
- }
-- buf = (unsigned char*) _TIFFmalloc(bufsize);
-- if (buf == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
-- return (0);
-- }
-- _TIFFmemset(buf, 0, bufsize);
-- p0 = buf;
-- p1 = p0 + tilesize;
-- p2 = p1 + tilesize;
-- pa = (alpha?(p2+tilesize):NULL);
-+
- TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
-
-@@ -824,7 +817,6 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- case PHOTOMETRIC_MINISBLACK:
- case PHOTOMETRIC_PALETTE:
- colorchannels = 1;
-- p2 = p1 = p0;
- break;
-
- default:
-@@ -849,7 +841,30 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- col = img->col_offset;
- while (tocol < w)
- {
-- if (TIFFReadTile(tif, p0, col,
-+ if( buf == NULL )
-+ {
-+ if (_TIFFReadTileAndAllocBuffer(
-+ tif, (void**) &buf, bufsize, col,
-+ row+img->row_offset,0,0)==(tmsize_t)(-1)
-+ && (buf == NULL || img->stoponerr))
-+ {
-+ ret = 0;
-+ break;
-+ }
-+ p0 = buf;
-+ if( colorchannels == 1 )
-+ {
-+ p2 = p1 = p0;
-+ pa = (alpha?(p0+3*tilesize):NULL);
-+ }
-+ else
-+ {
-+ p1 = p0 + tilesize;
-+ p2 = p1 + tilesize;
-+ pa = (alpha?(p2+tilesize):NULL);
-+ }
-+ }
-+ else if (TIFFReadTile(tif, p0, col,
- row+img->row_offset,0,0)==(tmsize_t)(-1) && img->stoponerr)
- {
- ret = 0;
-@@ -940,13 +955,14 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- tileContigRoutine put = img->put.contig;
- uint32 row, y, nrow, nrowsub, rowstoread;
- tmsize_t pos;
-- unsigned char* buf;
-+ unsigned char* buf = NULL;
- uint32 rowsperstrip;
- uint16 subsamplinghor,subsamplingver;
- uint32 imagewidth = img->width;
- tmsize_t scanline;
- int32 fromskew, toskew;
- int ret = 1, flip;
-+ tmsize_t maxstripsize;
-
- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
- if( subsamplingver == 0 ) {
-@@ -954,12 +970,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- return (0);
- }
-
-- buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
-- if (buf == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
-- return (0);
-- }
-- _TIFFmemset(buf, 0, TIFFStripSize(tif));
-+ maxstripsize = TIFFStripSize(tif);
-
- flip = setorientation(img);
- if (flip & FLIP_VERTICALLY) {
-@@ -981,11 +992,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- nrowsub = nrow;
- if ((nrowsub%subsamplingver)!=0)
- nrowsub+=subsamplingver-nrowsub%subsamplingver;
-- if (TIFFReadEncodedStrip(tif,
-+ if (_TIFFReadEncodedStripAndAllocBuffer(tif,
- TIFFComputeStrip(tif,row+img->row_offset, 0),
-- buf,
-+ (void**)(&buf),
-+ maxstripsize,
- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
-- && img->stoponerr)
-+ && (buf == NULL || img->stoponerr))
- {
- ret = 0;
- break;
-@@ -1029,8 +1041,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- {
- TIFF* tif = img->tif;
- tileSeparateRoutine put = img->put.separate;
-- unsigned char *buf;
-- unsigned char *p0, *p1, *p2, *pa;
-+ unsigned char *buf = NULL;
-+ unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL;
- uint32 row, y, nrow, rowstoread;
- tmsize_t pos;
- tmsize_t scanline;
-@@ -1049,15 +1061,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
- return (0);
- }
-- p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
-- if (buf == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
-- return (0);
-- }
-- _TIFFmemset(buf, 0, bufsize);
-- p1 = p0 + stripsize;
-- p2 = p1 + stripsize;
-- pa = (alpha?(p2+stripsize):NULL);
-
- flip = setorientation(img);
- if (flip & FLIP_VERTICALLY) {
-@@ -1075,7 +1078,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- case PHOTOMETRIC_MINISBLACK:
- case PHOTOMETRIC_PALETTE:
- colorchannels = 1;
-- p2 = p1 = p0;
- break;
-
- default:
-@@ -1091,7 +1093,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- nrow = (row + rowstoread > h ? h - row : rowstoread);
- offset_row = row + img->row_offset;
-- if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
-+ if( buf == NULL )
-+ {
-+ if (_TIFFReadEncodedStripAndAllocBuffer(
-+ tif, TIFFComputeStrip(tif, offset_row, 0),
-+ (void**) &buf, bufsize,
-+ ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+ && (buf == NULL || img->stoponerr))
-+ {
-+ ret = 0;
-+ break;
-+ }
-+ p0 = buf;
-+ if( colorchannels == 1 )
-+ {
-+ p2 = p1 = p0;
-+ pa = (alpha?(p0+3*stripsize):NULL);
-+ }
-+ else
-+ {
-+ p1 = p0 + stripsize;
-+ p2 = p1 + stripsize;
-+ pa = (alpha?(p2+stripsize):NULL);
-+ }
-+ }
-+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
- && img->stoponerr)
- {
-diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
-index cc4f5d2f6..ad0a778c0 100644
---- a/third_party/libtiff/tif_read.c
-+++ b/third_party/libtiff/tif_read.c
-@@ -442,18 +442,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)
- }
-
- /*
-- * Read a strip of data and decompress the specified
-- * amount into the user-supplied buffer.
-+ * Calculate the strip size according to the number of
-+ * rows in the strip (check for truncated last strip on any
-+ * of the separations).
- */
--tmsize_t
--TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
-+static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane)
- {
- static const char module[] = "TIFFReadEncodedStrip";
- TIFFDirectory *td = &tif->tif_dir;
- uint32 rowsperstrip;
- uint32 stripsperplane;
- uint32 stripinplane;
-- uint16 plane;
- uint32 rows;
- tmsize_t stripsize;
- if (!TIFFCheckRead(tif,0))
-@@ -465,23 +464,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- (unsigned long)td->td_nstrips);
- return((tmsize_t)(-1));
- }
-- /*
-- * Calculate the strip size according to the number of
-- * rows in the strip (check for truncated last strip on any
-- * of the separations).
-- */
-+
- rowsperstrip=td->td_rowsperstrip;
- if (rowsperstrip>td->td_imagelength)
- rowsperstrip=td->td_imagelength;
- stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
- stripinplane=(strip%stripsperplane);
-- plane=(uint16)(strip/stripsperplane);
-+ if( pplane ) *pplane=(uint16)(strip/stripsperplane);
- rows=td->td_imagelength-stripinplane*rowsperstrip;
- if (rows>rowsperstrip)
- rows=rowsperstrip;
- stripsize=TIFFVStripSize(tif,rows);
- if (stripsize==0)
- return((tmsize_t)(-1));
-+ return stripsize;
-+}
-+
-+/*
-+ * Read a strip of data and decompress the specified
-+ * amount into the user-supplied buffer.
-+ */
-+tmsize_t
-+TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
-+{
-+ static const char module[] = "TIFFReadEncodedStrip";
-+ TIFFDirectory *td = &tif->tif_dir;
-+ tmsize_t stripsize;
-+ uint16 plane;
-+
-+ stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
-+ if (stripsize==((tmsize_t)(-1)))
-+ return((tmsize_t)(-1));
-
- /* shortcut to avoid an extra memcpy() */
- if( td->td_compression == COMPRESSION_NONE &&
-@@ -510,6 +523,50 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- return(stripsize);
- }
-
-+/* Variant of TIFFReadEncodedStrip() that does
-+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has
-+ * suceeded. This avoid excessive memory allocation in case of truncated
-+ * file.
-+ * * calls regular TIFFReadEncodedStrip() if *buf != NULL
-+ */
-+tmsize_t
-+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
-+ void **buf, tmsize_t bufsizetoalloc,
-+ tmsize_t size_to_read)
-+{
-+ tmsize_t this_stripsize;
-+ uint16 plane;
-+
-+ if( *buf != NULL )
-+ {
-+ return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
-+ }
-+
-+ this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
-+ if (this_stripsize==((tmsize_t)(-1)))
-+ return((tmsize_t)(-1));
-+
-+ if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize))
-+ this_stripsize=size_to_read;
-+ if (!TIFFFillStrip(tif,strip))
-+ return((tmsize_t)(-1));
-+
-+ *buf = _TIFFmalloc(bufsizetoalloc);
-+ if (*buf == NULL) {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
-+ return((tmsize_t)(-1));
-+ }
-+ _TIFFmemset(*buf, 0, bufsizetoalloc);
-+
-+ if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0)
-+ return((tmsize_t)(-1));
-+ (*tif->tif_postdecode)(tif,*buf,this_stripsize);
-+ return(this_stripsize);
-+
-+
-+}
-+
-+
- static tmsize_t
- TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
- const char* module)
-@@ -939,6 +996,78 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
- return ((tmsize_t)(-1));
- }
-
-+/* Variant of TIFFReadTile() that does
-+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
-+ * suceeded. This avoid excessive memory allocation in case of truncated
-+ * file.
-+ * * calls regular TIFFReadEncodedTile() if *buf != NULL
-+ */
-+tmsize_t
-+_TIFFReadTileAndAllocBuffer(TIFF* tif,
-+ void **buf, tmsize_t bufsizetoalloc,
-+ uint32 x, uint32 y, uint32 z, uint16 s)
-+{
-+ if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
-+ return ((tmsize_t)(-1));
-+ return (_TIFFReadEncodedTileAndAllocBuffer(tif,
-+ TIFFComputeTile(tif, x, y, z, s),
-+ buf, bufsizetoalloc,
-+ (tmsize_t)(-1)));
-+}
-+
-+/* Variant of TIFFReadEncodedTile() that does
-+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
-+ * suceeded. This avoid excessive memory allocation in case of truncated
-+ * file.
-+ * * calls regular TIFFReadEncodedTile() if *buf != NULL
-+ */
-+tmsize_t
-+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
-+ void **buf, tmsize_t bufsizetoalloc,
-+ tmsize_t size_to_read)
-+{
-+ static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
-+ TIFFDirectory *td = &tif->tif_dir;
-+ tmsize_t tilesize = tif->tif_tilesize;
-+
-+ if( *buf != NULL )
-+ {
-+ return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
-+ }
-+
-+ if (!TIFFCheckRead(tif, 1))
-+ return ((tmsize_t)(-1));
-+ if (tile >= td->td_nstrips) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "%lu: Tile out of range, max %lu",
-+ (unsigned long) tile, (unsigned long) td->td_nstrips);
-+ return ((tmsize_t)(-1));
-+ }
-+
-+ if (!TIFFFillTile(tif,tile))
-+ return((tmsize_t)(-1));
-+
-+ *buf = _TIFFmalloc(bufsizetoalloc);
-+ if (*buf == NULL) {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
-+ "No space for tile buffer");
-+ return((tmsize_t)(-1));
-+ }
-+ _TIFFmemset(*buf, 0, bufsizetoalloc);
-+
-+ if (size_to_read == (tmsize_t)(-1))
-+ size_to_read = tilesize;
-+ else if (size_to_read > tilesize)
-+ size_to_read = tilesize;
-+ if( (*tif->tif_decodetile)(tif,
-+ (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) {
-+ (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read);
-+ return (size_to_read);
-+ } else
-+ return ((tmsize_t)(-1));
-+}
-+
-+
- static tmsize_t
- TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
- {
-diff --git a/third_party/libtiff/tiffiop.h b/third_party/libtiff/tiffiop.h
-index 7e415c750..6fb47de5b 100644
---- a/third_party/libtiff/tiffiop.h
-+++ b/third_party/libtiff/tiffiop.h
-@@ -364,6 +364,20 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
- extern double _TIFFUInt64ToDouble(uint64);
- extern float _TIFFUInt64ToFloat(uint64);
-
-+extern tmsize_t
-+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
-+ void **buf, tmsize_t bufsizetoalloc,
-+ tmsize_t size_to_read);
-+extern tmsize_t
-+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
-+ void **buf, tmsize_t bufsizetoalloc,
-+ tmsize_t size_to_read);
-+extern tmsize_t
-+_TIFFReadTileAndAllocBuffer(TIFF* tif,
-+ void **buf, tmsize_t bufsizetoalloc,
-+ uint32 x, uint32 y, uint32 z, uint16 s);
-+
-+
- extern int TIFFInitDumpMode(TIFF*, int);
- #ifdef PACKBITS_SUPPORT
- extern int TIFFInitPackBits(TIFF*, int);
diff --git a/third_party/libtiff/0026-upstream-null-dereference.patch b/third_party/libtiff/0026-upstream-null-dereference.patch
deleted file mode 100644
index 052645ff8a..0000000000
--- a/third_party/libtiff/0026-upstream-null-dereference.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
-index 03c9a81fb..d37f729c4 100644
---- a/third_party/libtiff/tif_getimage.c
-+++ b/third_party/libtiff/tif_getimage.c
-@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- return (0);
- }
- leftmost_toskew = safeskew;
-- for (row = 0; row < h; row += nrow)
-+ for (row = 0; ret != 0 && row < h; row += nrow)
- {
- rowstoread = th - (row + img->row_offset) % th;
- nrow = (row + rowstoread > h ? h - row : rowstoread);
-@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- leftmost_fromskew = img->col_offset % tw;
- leftmost_tw = tw - leftmost_fromskew;
- leftmost_toskew = toskew + leftmost_fromskew;
-- for (row = 0; row < h; row += nrow)
-+ for (row = 0; ret != 0 && row < h; row += nrow)
- {
- rowstoread = th - (row + img->row_offset) % th;
- nrow = (row + rowstoread > h ? h - row : rowstoread);
diff --git a/third_party/libtiff/0028-nstrips-OOM.patch b/third_party/libtiff/0028-nstrips-OOM.patch
index a6db66ee88..33a4b3df57 100644
--- a/third_party/libtiff/0028-nstrips-OOM.patch
+++ b/third_party/libtiff/0028-nstrips-OOM.patch
@@ -1,5 +1,36 @@
+diff --git a/third_party/libtiff/0028-nstrips-OOM.patch b/third_party/libtiff/0028-nstrips-OOM.patch
+index a6db66ee8..e69de29bb 100644
+--- a/third_party/libtiff/0028-nstrips-OOM.patch
++++ b/third_party/libtiff/0028-nstrips-OOM.patch
+@@ -1,26 +0,0 @@
+-diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+-index 772ebaf7d..ab938eac9 100644
+---- a/third_party/libtiff/tif_dirread.c
+-+++ b/third_party/libtiff/tif_dirread.c
+-@@ -41,6 +41,7 @@
+-
+- #include "tiffiop.h"
+- #include <float.h>
+-+#include <limits.h>
+-
+- #define IGNORE 0 /* tag placeholder used below */
+- #define FAILED_FII ((uint32) -1)
+-@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
+- isTiled(tif) ? "tiles" : "strips");
+- goto bad;
+- }
+-+ if (tif->tif_dir.td_nstrips > INT_MAX) {
+-+ TIFFErrorExt(tif->tif_clientdata, module,
+-+ "Cannot handle %u number of %s",
+-+ tif->tif_dir.td_nstrips,
+-+ isTiled(tif) ? "tiles" : "strips");
+-+ goto bad;
+-+ }
+- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
-index 772ebaf7d..ab938eac9 100644
+index 5e62e8131..521dbf0a4 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -41,6 +41,7 @@
@@ -7,10 +38,10 @@ index 772ebaf7d..ab938eac9 100644
#include "tiffiop.h"
#include <float.h>
+#include <limits.h>
+ #include <stdlib.h>
#define IGNORE 0 /* tag placeholder used below */
- #define FAILED_FII ((uint32) -1)
-@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
+@@ -3743,6 +3744,13 @@ TIFFReadDirectory(TIFF* tif)
isTiled(tif) ? "tiles" : "strips");
goto bad;
}
diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
index 74532c8c6f..b1772f4c96 100644
--- a/third_party/libtiff/tif_aux.c
+++ b/third_party/libtiff/tif_aux.c
@@ -1,4 +1,4 @@
-/* $Id: tif_aux.c,v 1.29 2016-11-11 20:45:53 erouault Exp $ */
+/* $Id: tif_aux.c,v 1.31 2017-11-17 20:21:00 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -359,6 +359,13 @@ _TIFFUInt64ToDouble(uint64 ui64)
}
}
+int _TIFFSeekOK(TIFF* tif, toff_t off)
+{
+ /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2726 */
+ return off <= (~(uint64)0)/2 && TIFFSeekFile(tif,off,SEEK_SET)==off;
+}
+
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
* Local Variables:
diff --git a/third_party/libtiff/tif_color.c b/third_party/libtiff/tif_color.c
index 8b8418c301..71cafcde6c 100644
--- a/third_party/libtiff/tif_color.c
+++ b/third_party/libtiff/tif_color.c
@@ -1,4 +1,4 @@
-/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */
+/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -275,10 +275,10 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite)
for (i = 0, x = -128; i < 256; i++, x++) {
int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
refBlackWhite[5] - 128.0F, 127),
- -128.0F * 64, 128.0F * 64);
+ -128.0F * 32, 128.0F * 32);
int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
refBlackWhite[3] - 128.0F, 127),
- -128.0F * 64, 128.0F * 64);
+ -128.0F * 32, 128.0F * 32);
ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
@@ -286,7 +286,7 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite)
ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
ycbcr->Y_tab[i] =
(int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
- -128.0F * 64, 128.0F * 64);
+ -128.0F * 32, 128.0F * 32);
}
}
diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c
index a88394917a..f00f8080a2 100644
--- a/third_party/libtiff/tif_dir.c
+++ b/third_party/libtiff/tif_dir.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.130 2017-05-17 21:54:05 erouault Exp $ */
+/* $Id: tif_dir.c,v 1.131 2017-07-11 21:38:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -872,6 +872,8 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
TIFFTagValue *tv = td->td_customValues + i;
if (tv->info->field_tag != tag)
continue;
+ if( tv->value == NULL )
+ return 0;
val = *(uint16 *)tv->value;
/* Truncate to SamplesPerPixel, since the */
/* setting code for INKNAMES assume that there are SamplesPerPixel */
diff --git a/third_party/libtiff/tif_dir.h b/third_party/libtiff/tif_dir.h
index 6af5f3dc37..5a38076733 100644
--- a/third_party/libtiff/tif_dir.h
+++ b/third_party/libtiff/tif_dir.h
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -291,6 +291,7 @@ struct _TIFFField {
extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
#if defined(__cplusplus)
}
diff --git a/third_party/libtiff/tif_dirinfo.c b/third_party/libtiff/tif_dirinfo.c
index 23ad002055..4904f540e5 100644
--- a/third_party/libtiff/tif_dirinfo.c
+++ b/third_party/libtiff/tif_dirinfo.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
return 0;
}
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+ /* Filter out non-codec specific tags */
+ switch (tag) {
+ /* Shared tags */
+ case TIFFTAG_PREDICTOR:
+ /* JPEG tags */
+ case TIFFTAG_JPEGTABLES:
+ /* OJPEG tags */
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ /* CCITT* */
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ case TIFFTAG_GROUP3OPTIONS:
+ case TIFFTAG_GROUP4OPTIONS:
+ break;
+ default:
+ return 1;
+ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+ case COMPRESSION_LZW:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PACKBITS:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_THUNDERSCAN:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_NEXT:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_JPEG:
+ if (tag == TIFFTAG_JPEGTABLES)
+ return 1;
+ break;
+ case COMPRESSION_OJPEG:
+ switch (tag) {
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ return 1;
+ }
+ break;
+ case COMPRESSION_CCITTRLE:
+ case COMPRESSION_CCITTRLEW:
+ case COMPRESSION_CCITTFAX3:
+ case COMPRESSION_CCITTFAX4:
+ switch (tag) {
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ return 1;
+ case TIFFTAG_GROUP3OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+ return 1;
+ break;
+ case TIFFTAG_GROUP4OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+ return 1;
+ break;
+ }
+ break;
+ case COMPRESSION_JBIG:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_DEFLATE:
+ case COMPRESSION_ADOBE_DEFLATE:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PIXARLOG:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_SGILOG:
+ case COMPRESSION_SGILOG24:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_LZMA:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+
+ }
+ return 0;
+}
+
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index ab938eac9d..521dbf0a41 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.218 2017-09-09 21:44:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -42,6 +42,7 @@
#include "tiffiop.h"
#include <float.h>
#include <limits.h>
+#include <stdlib.h>
#define IGNORE 0 /* tag placeholder used below */
#define FAILED_FII ((uint32) -1)
@@ -637,6 +638,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* d
err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m);
if (err!=TIFFReadDirEntryErrOk)
return(err);
+ if ((m > FLT_MAX) || (m < FLT_MIN))
+ return(TIFFReadDirEntryErrRange);
*value=(float)m;
return(TIFFReadDirEntryErrOk);
}
@@ -766,13 +769,80 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* di
}
}
-static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)
+
+#define INITIAL_THRESHOLD (1024 * 1024)
+#define THRESHOLD_MULTIPLIER 10
+#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+
+static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(
+ TIFF* tif, uint64 offset, tmsize_t size, void** pdest)
+{
+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
+ tmsize_t threshold = INITIAL_THRESHOLD;
+#endif
+ tmsize_t already_read = 0;
+
+ assert( !isMapped(tif) );
+
+ if (!SeekOK(tif,offset))
+ return(TIFFReadDirEntryErrIo);
+
+ /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
+ /* so as to avoid allocating too much memory in case the file is too */
+ /* short. We could ask for the file size, but this might be */
+ /* expensive with some I/O layers (think of reading a gzipped file) */
+ /* Restrict to 64 bit processes, so as to avoid reallocs() */
+ /* on 32 bit processes where virtual memory is scarce. */
+ while( already_read < size )
+ {
+ void* new_dest;
+ tmsize_t bytes_read;
+ tmsize_t to_read = size - already_read;
+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
+ if( to_read >= threshold && threshold < MAX_THRESHOLD )
+ {
+ to_read = threshold;
+ threshold *= THRESHOLD_MULTIPLIER;
+ }
+#endif
+
+ new_dest = (uint8*) _TIFFrealloc(
+ *pdest, already_read + to_read);
+ if( new_dest == NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Failed to allocate memory for %s "
+ "(%ld elements of %ld bytes each)",
+ "TIFFReadDirEntryArray",
+ (long) 1, (long) (already_read + to_read));
+ return TIFFReadDirEntryErrAlloc;
+ }
+ *pdest = new_dest;
+
+ bytes_read = TIFFReadFile(tif,
+ (char*)*pdest + already_read, to_read);
+ already_read += bytes_read;
+ if (bytes_read != to_read) {
+ return TIFFReadDirEntryErrIo;
+ }
+ }
+ return TIFFReadDirEntryErrOk;
+}
+
+static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
+ TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize,
+ void** value, uint64 maxcount)
{
int typesize;
uint32 datasize;
void* data;
+ uint64 target_count64;
typesize=TIFFDataWidth(direntry->tdir_type);
- if ((direntry->tdir_count==0)||(typesize==0))
+
+ target_count64 = (direntry->tdir_count > maxcount) ?
+ maxcount : direntry->tdir_count;
+
+ if ((target_count64==0)||(typesize==0))
{
*value=0;
return(TIFFReadDirEntryErrOk);
@@ -784,17 +854,30 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
* in either the current data type or the dest data type. This also
* avoids problems with overflow of tmsize_t on 32bit systems.
*/
- if ((uint64)(2147483647/typesize)<direntry->tdir_count)
+ if ((uint64)(2147483647/typesize)<target_count64)
return(TIFFReadDirEntryErrSizesan);
- if ((uint64)(2147483647/desttypesize)<direntry->tdir_count)
+ if ((uint64)(2147483647/desttypesize)<target_count64)
return(TIFFReadDirEntryErrSizesan);
- *count=(uint32)direntry->tdir_count;
+ *count=(uint32)target_count64;
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
- data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
- if (data==0)
- return(TIFFReadDirEntryErrAlloc);
+
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+ return TIFFReadDirEntryErrIo;
+
+ if( !isMapped(tif) &&
+ (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) ||
+ (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) )
+ {
+ data = NULL;
+ }
+ else
+ {
+ data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
+ if (data==0)
+ return(TIFFReadDirEntryErrAlloc);
+ }
if (!(tif->tif_flags&TIFF_BIGTIFF))
{
if (datasize<=4)
@@ -805,7 +888,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
uint32 offset = direntry->tdir_offset.toff_long;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong(&offset);
- err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
+ if( isMapped(tif) )
+ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
+ else
+ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);
if (err!=TIFFReadDirEntryErrOk)
{
_TIFFfree(data);
@@ -823,7 +909,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
uint64 offset = direntry->tdir_offset.toff_long8;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8(&offset);
- err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data);
+ if( isMapped(tif) )
+ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
+ else
+ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);
if (err!=TIFFReadDirEntryErrOk)
{
_TIFFfree(data);
@@ -835,6 +924,12 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
return(TIFFReadDirEntryErrOk);
}
+static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)
+{
+ return TIFFReadDirEntryArrayWithLimit(tif, direntry, count,
+ desttypesize, value, ~((uint64)0));
+}
+
static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8** value)
{
enum TIFFReadDirEntryErr err;
@@ -1864,7 +1959,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEnt
return(TIFFReadDirEntryErrOk);
}
-static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value)
+static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8ArrayWithLimit(
+ TIFF* tif, TIFFDirEntry* direntry, uint64** value, uint64 maxcount)
{
enum TIFFReadDirEntryErr err;
uint32 count;
@@ -1884,7 +1980,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEnt
default:
return(TIFFReadDirEntryErrType);
}
- err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
+ err=TIFFReadDirEntryArrayWithLimit(tif,direntry,&count,8,&origdata,maxcount);
if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
{
*value=0;
@@ -2030,6 +2126,11 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEnt
return(TIFFReadDirEntryErrOk);
}
+static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value)
+{
+ return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value, ~((uint64)0));
+}
+
static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64** value)
{
enum TIFFReadDirEntryErr err;
@@ -2732,7 +2833,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDi
if (direntry->tdir_count<(uint64)tif->tif_dir.td_samplesperpixel)
return(TIFFReadDirEntryErrCount);
err=TIFFReadDirEntryShortArray(tif,direntry,&m);
- if (err!=TIFFReadDirEntryErrOk)
+ if (err!=TIFFReadDirEntryErrOk || m == NULL)
return(err);
na=m;
nb=tif->tif_dir.td_samplesperpixel;
@@ -3581,6 +3682,10 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
dp->tdir_tag=IGNORE;
break;
+ default:
+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+ dp->tdir_tag=IGNORE;
+ break;
}
}
}
@@ -3987,12 +4092,14 @@ TIFFReadDirectory(TIFF* tif)
#define BYTECOUNTLOOKSBAD \
( (tif->tif_dir.td_stripbytecount[0] == 0 && tif->tif_dir.td_stripoffset[0] != 0) || \
(tif->tif_dir.td_compression == COMPRESSION_NONE && \
- tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) || \
+ (tif->tif_dir.td_stripoffset[0] <= TIFFGetFileSize(tif) && \
+ tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0])) || \
(tif->tif_mode == O_RDONLY && \
tif->tif_dir.td_compression == COMPRESSION_NONE && \
tif->tif_dir.td_stripbytecount[0] < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength) )
} else if (tif->tif_dir.td_nstrips == 1
+ && !(tif->tif_flags&TIFF_ISTILED)
&& _TIFFFillStriles(tif)
&& tif->tif_dir.td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
@@ -4370,7 +4477,11 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
}
space+=datasize;
}
- space = filesize - space;
+ if( filesize < space )
+ /* we should perhaps return in error ? */
+ space = filesize;
+ else
+ space = filesize - space;
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
space /= td->td_samplesperpixel;
for (strip = 0; strip < td->td_nstrips; strip++)
@@ -5437,28 +5548,39 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
static const char module[] = "TIFFFetchStripThing";
enum TIFFReadDirEntryErr err;
uint64* data;
- err=TIFFReadDirEntryLong8Array(tif,dir,&data);
+ err=TIFFReadDirEntryLong8ArrayWithLimit(tif,dir,&data,nstrips);
if (err!=TIFFReadDirEntryErrOk)
{
const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
return(0);
}
- if (dir->tdir_count!=(uint64)nstrips)
+ if (dir->tdir_count<(uint64)nstrips)
{
uint64* resizeddata;
+ const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
+ const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
+ uint32 max_nstrips = 1000000;
+ if( pszMax )
+ max_nstrips = (uint32) atoi(pszMax);
+ TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
+ module,
+ fip ? fip->field_name : "unknown tagname",
+ ( nstrips <= max_nstrips ) );
+
+ if( nstrips > max_nstrips )
+ {
+ _TIFFfree(data);
+ return(0);
+ }
+
resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
if (resizeddata==0) {
_TIFFfree(data);
return(0);
}
- if (dir->tdir_count<(uint64)nstrips)
- {
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
- }
- else
- _TIFFmemcpy(resizeddata,data,nstrips*sizeof(uint64));
+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
_TIFFfree(data);
data=resizeddata;
}
@@ -5546,6 +5668,11 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
uint64* newoffsets;
bytecount = td->td_stripbytecount[0];
+ /* On a newly created file, just re-opened to be filled, we */
+ /* don't want strip chop to trigger as it is going to cause issues */
+ /* later ( StripOffsets and StripByteCounts improperly filled) . */
+ if( bytecount == 0 && tif->tif_mode != O_RDONLY )
+ return;
offset = td->td_stripoffset[0];
assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
if ((td->td_photometric == PHOTOMETRIC_YCBCR)&&
diff --git a/third_party/libtiff/tif_dirwrite.c b/third_party/libtiff/tif_dirwrite.c
index f733968513..c68d6d21d6 100644
--- a/third_party/libtiff/tif_dirwrite.c
+++ b/third_party/libtiff/tif_dirwrite.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+/* $Id: tif_dirwrite.c,v 1.89 2017-08-23 13:33:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
TIFFDirEntry* nb;
for (na=0, nb=dir; ; na++, nb++)
{
- assert(na<ndir);
+ if( na == ndir )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,
+ "Cannot find SubIFD tag");
+ goto bad;
+ }
if (nb->tdir_tag==TIFFTAG_SUBIFD)
break;
}
@@ -1944,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
for (p=0; p < tif->tif_dir.td_nsubifd; p++)
{
assert(pa != 0);
- assert(*pa <= 0xFFFFFFFFUL);
+
+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+ if( *pa > 0xFFFFFFFFUL)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+ _TIFFfree(o);
+ return(0);
+ }
*pb++=(uint32)(*pa++);
}
n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
@@ -2111,7 +2123,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
{
uint64 m;
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8(&m);
@@ -2124,7 +2139,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
{
assert(count<0x20000000);
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8Array","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8(value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
@@ -2136,7 +2154,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
{
int64 m;
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8((uint64*)(&m));
@@ -2149,7 +2170,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
{
assert(count<0x20000000);
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8Array","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8((uint64*)value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
diff --git a/third_party/libtiff/tif_error.c b/third_party/libtiff/tif_error.c
index 0bc8b878bd..47516b4f59 100644
--- a/third_party/libtiff/tif_error.c
+++ b/third_party/libtiff/tif_error.c
@@ -1,4 +1,4 @@
-/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_error.c,v 1.5 2010-03-10 18:56:48 bfriesen Exp $ */
+/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_error.c,v 1.6 2017-07-04 12:54:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -51,24 +51,32 @@ void
TIFFError(const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFerrorHandler)
+ if (_TIFFerrorHandler) {
+ va_start(ap, fmt);
(*_TIFFerrorHandler)(module, fmt, ap);
- if (_TIFFerrorHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFerrorHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFerrorHandlerExt)(0, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
void
TIFFErrorExt(thandle_t fd, const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFerrorHandler)
+ if (_TIFFerrorHandler) {
+ va_start(ap, fmt);
(*_TIFFerrorHandler)(module, fmt, ap);
- if (_TIFFerrorHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFerrorHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFerrorHandlerExt)(fd, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
/*
diff --git a/third_party/libtiff/tif_fax3.c b/third_party/libtiff/tif_fax3.c
index 087cedddc1..5fd514118c 100644
--- a/third_party/libtiff/tif_fax3.c
+++ b/third_party/libtiff/tif_fax3.c
@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.c,v 1.80 2017-04-27 19:50:01 erouault Exp $ */
+/* $Id: tif_fax3.c,v 1.81 2017-06-18 10:31:50 erouault Exp $ */
/*
* Copyright (c) 1990-1997 Sam Leffler
@@ -1043,7 +1043,11 @@ Fax3Encode2DRow(TIFF* tif, unsigned char* bp, unsigned char* rp, uint32 bits)
for (;;) {
b2 = finddiff2(rp, b1, bits, PIXEL(rp,b1));
if (b2 >= a1) {
- int32 d = b1 - a1;
+ /* Naive computation triggers -fsanitize=undefined,unsigned-integer-overflow */
+ /* although it is correct unless the difference between both is < 31 bit */
+ /* int32 d = b1 - a1; */
+ int32 d = (b1 >= a1 && b1 - a1 <= 3U) ? (int32)(b1 - a1):
+ (b1 < a1 && a1 - b1 <= 3U) ? -(int32)(a1 - b1) : 0x7FFFFFFF;
if (!(-3 <= d && d <= 3)) { /* horizontal mode */
a2 = finddiff2(bp, a1, bits, PIXEL(bp,a1));
putcode(tif, &horizcode);
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index d37f729c46..fff3f7fdec 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */
+/* $Id: tif_getimage.c,v 1.114 2017-11-17 20:21:00 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -139,7 +139,7 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
/*
* TODO: if at all meaningful and useful, make more complete
* support check here, or better still, refactor to let supporting
- * code decide whether there is support and what meaningfull
+ * code decide whether there is support and what meaningful
* error to return
*/
break;
@@ -417,7 +417,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
/*
* TODO: if at all meaningful and useful, make more complete
* support check here, or better still, refactor to let supporting
- * code decide whether there is support and what meaningfull
+ * code decide whether there is support and what meaningful
* error to return
*/
break;
@@ -962,14 +962,14 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
tmsize_t scanline;
int32 fromskew, toskew;
int ret = 1, flip;
- tmsize_t maxstripsize;
+ tmsize_t maxstripsize;
TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
if( subsamplingver == 0 ) {
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
return (0);
}
-
+
maxstripsize = TIFFStripSize(tif);
flip = setorientation(img);
@@ -995,7 +995,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
if (_TIFFReadEncodedStripAndAllocBuffer(tif,
TIFFComputeStrip(tif,row+img->row_offset, 0),
(void**)(&buf),
- maxstripsize,
+ maxstripsize,
((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
&& (buf == NULL || img->stoponerr))
{
@@ -1273,8 +1273,8 @@ DECLAREContigPutFunc(put8bitcmaptile)
int samplesperpixel = img->samplesperpixel;
(void) y;
- while (h-- > 0) {
- for (x = w; x-- > 0;)
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x)
{
*cp++ = PALmap[*pp][0];
pp += samplesperpixel;
@@ -1293,7 +1293,7 @@ DECLAREContigPutFunc(put4bitcmaptile)
(void) x; (void) y;
fromskew /= 2;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL2(w, bw = PALmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1310,7 +1310,7 @@ DECLAREContigPutFunc(put2bitcmaptile)
(void) x; (void) y;
fromskew /= 4;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL4(w, bw = PALmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1327,7 +1327,7 @@ DECLAREContigPutFunc(put1bitcmaptile)
(void) x; (void) y;
fromskew /= 8;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL8(w, bw = PALmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1344,8 +1344,8 @@ DECLAREContigPutFunc(putgreytile)
uint32** BWmap = img->BWmap;
(void) y;
- while (h-- > 0) {
- for (x = w; x-- > 0;)
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x)
{
*cp++ = BWmap[*pp][0];
pp += samplesperpixel;
@@ -1364,8 +1364,8 @@ DECLAREContigPutFunc(putagreytile)
uint32** BWmap = img->BWmap;
(void) y;
- while (h-- > 0) {
- for (x = w; x-- > 0;)
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x)
{
*cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
pp += samplesperpixel;
@@ -1384,10 +1384,10 @@ DECLAREContigPutFunc(put16bitbwtile)
uint32** BWmap = img->BWmap;
(void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint16 *wp = (uint16 *) pp;
- for (x = w; x-- > 0;)
+ for (x = w; x > 0; --x)
{
/* use high order byte of 16bit value */
@@ -1409,7 +1409,7 @@ DECLAREContigPutFunc(put1bitbwtile)
(void) x; (void) y;
fromskew /= 8;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1426,7 +1426,7 @@ DECLAREContigPutFunc(put2bitbwtile)
(void) x; (void) y;
fromskew /= 4;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL4(w, bw = BWmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1443,7 +1443,7 @@ DECLAREContigPutFunc(put4bitbwtile)
(void) x; (void) y;
fromskew /= 2;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL2(w, bw = BWmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1460,7 +1460,7 @@ DECLAREContigPutFunc(putRGBcontig8bittile)
(void) x; (void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP,
*cp++ = PACK(pp[0], pp[1], pp[2]);
pp += samplesperpixel);
@@ -1479,7 +1479,7 @@ DECLAREContigPutFunc(putRGBAAcontig8bittile)
(void) x; (void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP,
*cp++ = PACK4(pp[0], pp[1], pp[2], pp[3]);
pp += samplesperpixel);
@@ -1497,10 +1497,10 @@ DECLAREContigPutFunc(putRGBUAcontig8bittile)
int samplesperpixel = img->samplesperpixel;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 r, g, b, a;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
a = pp[3];
m = img->UaToAa+((size_t) a<<8);
r = m[pp[0]];
@@ -1523,8 +1523,8 @@ DECLAREContigPutFunc(putRGBcontig16bittile)
uint16 *wp = (uint16 *)pp;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
*cp++ = PACK(img->Bitdepth16To8[wp[0]],
img->Bitdepth16To8[wp[1]],
img->Bitdepth16To8[wp[2]]);
@@ -1545,8 +1545,8 @@ DECLAREContigPutFunc(putRGBAAcontig16bittile)
uint16 *wp = (uint16 *)pp;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
*cp++ = PACK4(img->Bitdepth16To8[wp[0]],
img->Bitdepth16To8[wp[1]],
img->Bitdepth16To8[wp[2]],
@@ -1568,10 +1568,10 @@ DECLAREContigPutFunc(putRGBUAcontig16bittile)
uint16 *wp = (uint16 *)pp;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 r,g,b,a;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
a = img->Bitdepth16To8[wp[3]];
m = img->UaToAa+((size_t) a<<8);
r = m[img->Bitdepth16To8[wp[0]]];
@@ -1597,7 +1597,7 @@ DECLAREContigPutFunc(putRGBcontig8bitCMYKtile)
(void) x; (void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP,
k = 255 - pp[3];
r = (k*(255-pp[0]))/255;
@@ -1623,8 +1623,8 @@ DECLAREContigPutFunc(putRGBcontig8bitCMYKMaptile)
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
k = 255 - pp[3];
r = (k*(255-pp[0]))/255;
g = (k*(255-pp[1]))/255;
@@ -1653,7 +1653,7 @@ static void name(\
DECLARESepPutFunc(putRGBseparate8bittile)
{
(void) img; (void) x; (void) y; (void) a;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP, *cp++ = PACK(*r++, *g++, *b++));
SKEW(r, g, b, fromskew);
cp += toskew;
@@ -1666,7 +1666,7 @@ DECLARESepPutFunc(putRGBseparate8bittile)
DECLARESepPutFunc(putRGBAAseparate8bittile)
{
(void) img; (void) x; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP, *cp++ = PACK4(*r++, *g++, *b++, *a++));
SKEW4(r, g, b, a, fromskew);
cp += toskew;
@@ -1679,9 +1679,9 @@ DECLARESepPutFunc(putRGBAAseparate8bittile)
DECLARESepPutFunc(putCMYKseparate8bittile)
{
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 rv, gv, bv, kv;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
kv = 255 - *a++;
rv = (kv*(255-*r++))/255;
gv = (kv*(255-*g++))/255;
@@ -1699,10 +1699,10 @@ DECLARESepPutFunc(putCMYKseparate8bittile)
DECLARESepPutFunc(putRGBUAseparate8bittile)
{
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 rv, gv, bv, av;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
av = *a++;
m = img->UaToAa+((size_t) av<<8);
rv = m[*r++];
@@ -1724,7 +1724,7 @@ DECLARESepPutFunc(putRGBseparate16bittile)
uint16 *wg = (uint16*) g;
uint16 *wb = (uint16*) b;
(void) img; (void) y; (void) a;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
for (x = 0; x < w; x++)
*cp++ = PACK(img->Bitdepth16To8[*wr++],
img->Bitdepth16To8[*wg++],
@@ -1744,7 +1744,7 @@ DECLARESepPutFunc(putRGBAAseparate16bittile)
uint16 *wb = (uint16*) b;
uint16 *wa = (uint16*) a;
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
for (x = 0; x < w; x++)
*cp++ = PACK4(img->Bitdepth16To8[*wr++],
img->Bitdepth16To8[*wg++],
@@ -1765,10 +1765,10 @@ DECLARESepPutFunc(putRGBUAseparate16bittile)
uint16 *wb = (uint16*) b;
uint16 *wa = (uint16*) a;
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 r2,g2,b2,a2;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
a2 = img->Bitdepth16To8[*wa++];
m = img->UaToAa+((size_t) a2<<8);
r2 = m[img->Bitdepth16To8[*wr++]];
@@ -1790,8 +1790,8 @@ DECLAREContigPutFunc(putcontig8bitCIELab)
uint32 r, g, b;
(void) y;
fromskew *= 3;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
TIFFCIELabToXYZ(img->cielab,
(unsigned char)pp[0],
(signed char)pp[1],
@@ -1904,7 +1904,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
(void) y;
/* adjust fromskew */
- fromskew = (fromskew * 18) / 4;
+ fromskew = (fromskew / 4) * (4*2+2);
if ((h & 3) == 0 && (w & 3) == 0) {
for (; h >= 4; h -= 4) {
x = w>>2;
@@ -2007,7 +2007,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
int32 incr = 2*toskew+w;
(void) y;
- fromskew = (fromskew * 10) / 4;
+ fromskew = (fromskew / 4) * (4*2+2);
if ((w & 3) == 0 && (h & 1) == 0) {
for (; h >= 2; h -= 2) {
x = w>>2;
@@ -2085,7 +2085,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
{
(void) y;
- /* XXX adjust fromskew */
+ fromskew = (fromskew / 4) * (4*1+2);
do {
x = w>>2;
while(x>0) {
@@ -2132,7 +2132,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
uint32* cp2;
int32 incr = 2*toskew+w;
(void) y;
- fromskew = (fromskew / 2) * 6;
+ fromskew = (fromskew / 2) * (2*2+2);
cp2 = cp+w+toskew;
while (h>=2) {
x = w;
@@ -2188,7 +2188,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
{
(void) y;
- fromskew = (fromskew * 4) / 2;
+ fromskew = (fromskew / 2) * (2*1+2);
do {
x = w>>1;
while(x>0) {
@@ -2227,7 +2227,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
uint32* cp2;
int32 incr = 2*toskew+w;
(void) y;
- fromskew = (fromskew / 2) * 4;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
cp2 = cp+w+toskew;
while (h>=2) {
x = w;
@@ -2263,7 +2263,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
DECLAREContigPutFunc(putcontig8bitYCbCr11tile)
{
(void) y;
- fromskew *= 3;
+ fromskew = (fromskew / 1) * (1 * 1 + 2);
do {
x = w; /* was x = w>>1; patched 2000/09/25 warmerda@home.com */
do {
@@ -2287,7 +2287,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile)
(void) y;
(void) a;
/* TODO: naming of input vars is still off, change obfuscating declaration inside define, or resolve obfuscation */
- while (h-- > 0) {
+ for( ; h > 0; --h) {
x = w;
do {
uint32 dr, dg, db;
@@ -2302,7 +2302,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile)
static int isInRefBlackWhiteRange(float f)
{
- return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF;
+ return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
}
static int
@@ -2367,6 +2367,13 @@ initCIELabConversion(TIFFRGBAImage* img)
float *whitePoint;
float refWhite[3];
+ TIFFGetFieldDefaulted(img->tif, TIFFTAG_WHITEPOINT, &whitePoint);
+ if (whitePoint[1] == 0.0f ) {
+ TIFFErrorExt(img->tif->tif_clientdata, module,
+ "Invalid value for WhitePoint tag.");
+ return NULL;
+ }
+
if (!img->cielab) {
img->cielab = (TIFFCIELabToRGB *)
_TIFFmalloc(sizeof(TIFFCIELabToRGB));
@@ -2377,7 +2384,6 @@ initCIELabConversion(TIFFRGBAImage* img)
}
}
- TIFFGetFieldDefaulted(img->tif, TIFFTAG_WHITEPOINT, &whitePoint);
refWhite[1] = 100.0F;
refWhite[0] = whitePoint[0] / whitePoint[1] * refWhite[1];
refWhite[2] = (1.0F - whitePoint[0] - whitePoint[1])
diff --git a/third_party/libtiff/tif_jpeg.c b/third_party/libtiff/tif_jpeg.c
index df06e03fab..19fa87a7e2 100644
--- a/third_party/libtiff/tif_jpeg.c
+++ b/third_party/libtiff/tif_jpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_jpeg.c,v 1.127 2017-01-31 13:02:27 erouault Exp $ */
+/* $Id: tif_jpeg.c,v 1.134 2017-10-17 19:04:47 erouault Exp $ */
/*
* Copyright (c) 1994-1997 Sam Leffler
@@ -27,6 +27,8 @@
#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN
+#include <stdlib.h>
+
#include "tiffiop.h"
#ifdef JPEG_SUPPORT
@@ -47,6 +49,7 @@
int TIFFFillStrip(TIFF* tif, uint32 strip);
int TIFFFillTile(TIFF* tif, uint32 tile);
int TIFFReInitJPEG_12( TIFF *tif, int scheme, int is_encode );
+int TIFFJPEGIsFullStripRequired_12(TIFF* tif);
/* We undefine FAR to avoid conflict with JPEG definition */
@@ -153,6 +156,8 @@ typedef struct {
jpeg_error_mgr err; /* libjpeg error manager */
JMP_BUF exit_jmpbuf; /* for catching libjpeg failures */
+
+ struct jpeg_progress_mgr progress;
/*
* The following two members could be a union, but
* they're small enough that it's not worth the effort.
@@ -183,6 +188,7 @@ typedef struct {
int jpegtablesmode; /* What to put in JPEGTables */
int ycbcrsampling_fetched;
+ int max_allowed_scan_number;
} JPEGState;
#define JState(tif) ((JPEGState*)(tif)->tif_data)
@@ -243,6 +249,33 @@ TIFFjpeg_output_message(j_common_ptr cinfo)
TIFFWarningExt(((JPEGState *) cinfo)->tif->tif_clientdata, "JPEGLib", "%s", buffer);
}
+/* Avoid the risk of denial-of-service on crafted JPEGs with an insane */
+/* number of scans. */
+/* See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */
+static void
+TIFFjpeg_progress_monitor(j_common_ptr cinfo)
+{
+ JPEGState *sp = (JPEGState *) cinfo; /* NB: cinfo assumed first */
+ if (cinfo->is_decompressor)
+ {
+ const int scan_no =
+ ((j_decompress_ptr)cinfo)->input_scan_number;
+ if (scan_no >= sp->max_allowed_scan_number)
+ {
+ TIFFErrorExt(((JPEGState *) cinfo)->tif->tif_clientdata,
+ "TIFFjpeg_progress_monitor",
+ "Scan number %d exceeds maximum scans (%d). This limit "
+ "can be raised through the LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER "
+ "environment variable.",
+ scan_no, sp->max_allowed_scan_number);
+
+ jpeg_abort(cinfo); /* clean up libjpeg state */
+ LONGJMP(sp->exit_jmpbuf, 1); /* return to libtiff caller */
+ }
+ }
+}
+
+
/*
* Interface routines. This layer of routines exists
* primarily to limit side-effects from using setjmp.
@@ -345,8 +378,23 @@ TIFFjpeg_read_header(JPEGState* sp, boolean require_image)
}
static int
+TIFFjpeg_has_multiple_scans(JPEGState* sp)
+{
+ return CALLJPEG(sp, 0, jpeg_has_multiple_scans(&sp->cinfo.d));
+}
+
+static int
TIFFjpeg_start_decompress(JPEGState* sp)
{
+ const char* sz_max_allowed_scan_number;
+ /* progress monitor */
+ sp->cinfo.d.progress = &sp->progress;
+ sp->progress.progress_monitor = TIFFjpeg_progress_monitor;
+ sp->max_allowed_scan_number = 100;
+ sz_max_allowed_scan_number = getenv("LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER");
+ if( sz_max_allowed_scan_number )
+ sp->max_allowed_scan_number = atoi(sz_max_allowed_scan_number);
+
return CALLVJPEG(sp, jpeg_start_decompress(&sp->cinfo.d));
}
@@ -597,9 +645,8 @@ std_term_source(j_decompress_ptr cinfo)
}
static void
-TIFFjpeg_data_src(JPEGState* sp, TIFF* tif)
+TIFFjpeg_data_src(JPEGState* sp)
{
- (void) tif;
sp->cinfo.d.src = &sp->src;
sp->src.init_source = std_init_source;
sp->src.fill_input_buffer = std_fill_input_buffer;
@@ -625,9 +672,9 @@ tables_init_source(j_decompress_ptr cinfo)
}
static void
-TIFFjpeg_tables_src(JPEGState* sp, TIFF* tif)
+TIFFjpeg_tables_src(JPEGState* sp)
{
- TIFFjpeg_data_src(sp, tif);
+ TIFFjpeg_data_src(sp);
sp->src.init_source = tables_init_source;
}
@@ -984,7 +1031,7 @@ JPEGSetupDecode(TIFF* tif)
/* Read JPEGTables if it is present */
if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) {
- TIFFjpeg_tables_src(sp, tif);
+ TIFFjpeg_tables_src(sp);
if(TIFFjpeg_read_header(sp,FALSE) != JPEG_HEADER_TABLES_ONLY) {
TIFFErrorExt(tif->tif_clientdata, "JPEGSetupDecode", "Bogus JPEGTables field");
return (0);
@@ -1006,11 +1053,47 @@ JPEGSetupDecode(TIFF* tif)
}
/* Set up for reading normal data */
- TIFFjpeg_data_src(sp, tif);
+ TIFFjpeg_data_src(sp);
tif->tif_postdecode = _TIFFNoPostDecode; /* override byte swapping */
return (1);
}
+/* Returns 1 if the full strip should be read, even when doing scanline per */
+/* scanline decoding. This happens when the JPEG stream uses multiple scans. */
+/* Currently only called in CHUNKY_STRIP_READ_SUPPORT mode through */
+/* scanline interface. */
+/* Only reads tif->tif_dir.td_bitspersample, tif->tif_rawdata and */
+/* tif->tif_rawcc members. */
+/* Can be called independently of the usual setup/predecode/decode states */
+int TIFFJPEGIsFullStripRequired(TIFF* tif)
+{
+ int ret;
+ JPEGState state;
+
+#if defined(JPEG_DUAL_MODE_8_12) && !defined(TIFFJPEGIsFullStripRequired)
+ if( tif->tif_dir.td_bitspersample == 12 )
+ return TIFFJPEGIsFullStripRequired_12( tif );
+#endif
+
+ memset(&state, 0, sizeof(JPEGState));
+ state.tif = tif;
+
+ TIFFjpeg_create_decompress(&state);
+
+ TIFFjpeg_data_src(&state);
+
+ if (TIFFjpeg_read_header(&state, TRUE) != JPEG_HEADER_OK)
+ {
+ TIFFjpeg_destroy(&state);
+ return (0);
+ }
+ ret = TIFFjpeg_has_multiple_scans(&state);
+
+ TIFFjpeg_destroy(&state);
+
+ return ret;
+}
+
/*
* Set up for decoding a strip or tile.
*/
@@ -1051,13 +1134,13 @@ JPEGPreDecode(TIFF* tif, uint16 s)
/*
* Check image parameters and set decompression parameters.
*/
- segment_width = td->td_imagewidth;
- segment_height = td->td_imagelength - tif->tif_row;
if (isTiled(tif)) {
segment_width = td->td_tilewidth;
segment_height = td->td_tilelength;
sp->bytesperline = TIFFTileRowSize(tif);
} else {
+ segment_width = td->td_imagewidth;
+ segment_height = td->td_imagelength - tif->tif_row;
if (segment_height > td->td_rowsperstrip)
segment_height = td->td_rowsperstrip;
sp->bytesperline = TIFFScanlineSize(tif);
@@ -1078,9 +1161,23 @@ JPEGPreDecode(TIFF* tif, uint16 s)
segment_width, segment_height,
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
- }
- if (sp->cinfo.d.image_width > segment_width ||
- sp->cinfo.d.image_height > segment_height) {
+ }
+ if( sp->cinfo.d.image_width == segment_width &&
+ sp->cinfo.d.image_height > segment_height &&
+ tif->tif_row + segment_height == td->td_imagelength &&
+ !isTiled(tif) ) {
+ /* Some files have a last strip, that should be truncated, */
+ /* but their JPEG codestream has still the maximum strip */
+ /* height. Warn about this as this is non compliant, but */
+ /* we can safely recover from that. */
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "JPEG strip size exceeds expected dimensions,"
+ " expected %dx%d, got %dx%d",
+ segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ }
+ else if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
/*
* This case could be dangerous, if the strip or tile size has
* been reported as less than the amount of data jpeg will
@@ -1113,6 +1210,47 @@ JPEGPreDecode(TIFF* tif, uint16 s)
return (0);
}
#endif
+
+ /* In some cases, libjpeg needs to allocate a lot of memory */
+ /* http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */
+ if( TIFFjpeg_has_multiple_scans(sp) )
+ {
+ /* In this case libjpeg will need to allocate memory or backing */
+ /* store for all coefficients */
+ /* See call to jinit_d_coef_controller() from master_selection() */
+ /* in libjpeg */
+ toff_t nRequiredMemory = (toff_t)sp->cinfo.d.image_width *
+ sp->cinfo.d.image_height *
+ sp->cinfo.d.num_components *
+ ((td->td_bitspersample+7)/8);
+ /* BLOCK_SMOOTHING_SUPPORTED is generally defined, so we need */
+ /* to replicate the logic of jinit_d_coef_controller() */
+ if( sp->cinfo.d.progressive_mode )
+ nRequiredMemory *= 3;
+
+#ifndef TIFF_LIBJPEG_LARGEST_MEM_ALLOC
+#define TIFF_LIBJPEG_LARGEST_MEM_ALLOC (100 * 1024 * 1024)
+#endif
+
+ if( nRequiredMemory > TIFF_LIBJPEG_LARGEST_MEM_ALLOC &&
+ getenv("LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC") == NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Reading this strip would require libjpeg to allocate "
+ "at least %u bytes. "
+ "This is disabled since above the %u threshold. "
+ "You may override this restriction by defining the "
+ "LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, "
+ "or recompile libtiff by defining the "
+ "TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro to a value greater "
+ "than %u",
+ (unsigned)nRequiredMemory,
+ (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC,
+ (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC);
+ return (0);
+ }
+ }
+
if (td->td_planarconfig == PLANARCONFIG_CONTIG) {
/* Component 0 should have expected sampling factors */
if (sp->cinfo.d.comp_info[0].h_samp_factor != sp->h_sampling ||
@@ -1374,10 +1512,18 @@ JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
JPEGState *sp = JState(tif);
tmsize_t nrows;
+ TIFFDirectory *td = &tif->tif_dir;
(void) s;
+ nrows = sp->cinfo.d.image_height;
+ /* For last strip, limit number of rows to its truncated height */
+ /* even if the codestream height is larger (which is not compliant, */
+ /* but that we tolerate) */
+ if( (uint32)nrows > td->td_imagelength - tif->tif_row && !isTiled(tif) )
+ nrows = td->td_imagelength - tif->tif_row;
+
/* data is expected to be read in multiples of a scanline */
- if ( (nrows = sp->cinfo.d.image_height) != 0 ) {
+ if ( nrows != 0 ) {
/* Cb,Cr both have sampling factors 1, so this is correct */
JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
@@ -2318,12 +2464,22 @@ static int JPEGInitializeLibJPEG( TIFF * tif, int decompress )
#ifndef TIFF_JPEG_MAX_MEMORY_TO_USE
#define TIFF_JPEG_MAX_MEMORY_TO_USE (10 * 1024 * 1024)
#endif
- /* Increase the max memory usable. This helps when creating files */
- /* with "big" tile, without using libjpeg temporary files. */
- /* For example a 512x512 tile with 3 bands */
- /* requires 1.5 MB which is above libjpeg 1MB default */
- if( sp->cinfo.c.mem->max_memory_to_use < TIFF_JPEG_MAX_MEMORY_TO_USE )
- sp->cinfo.c.mem->max_memory_to_use = TIFF_JPEG_MAX_MEMORY_TO_USE;
+ /* libjpeg turbo 1.5.2 honours max_memory_to_use, but has no backing */
+ /* store implementation, so better not set max_memory_to_use ourselves. */
+ /* See https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162 */
+ if( sp->cinfo.c.mem->max_memory_to_use > 0 )
+ {
+ /* This is to address bug related in ticket GDAL #1795. */
+ if (getenv("JPEGMEM") == NULL)
+ {
+ /* Increase the max memory usable. This helps when creating files */
+ /* with "big" tile, without using libjpeg temporary files. */
+ /* For example a 512x512 tile with 3 bands */
+ /* requires 1.5 MB which is above libjpeg 1MB default */
+ if( sp->cinfo.c.mem->max_memory_to_use < TIFF_JPEG_MAX_MEMORY_TO_USE )
+ sp->cinfo.c.mem->max_memory_to_use = TIFF_JPEG_MAX_MEMORY_TO_USE;
+ }
+ }
}
sp->cinfo_initialized = TRUE;
diff --git a/third_party/libtiff/tif_luv.c b/third_party/libtiff/tif_luv.c
index 59d0a74cc6..4b25244bff 100644
--- a/third_party/libtiff/tif_luv.c
+++ b/third_party/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.47 2017-05-14 10:17:27 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.49 2017-07-24 12:47:30 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -1314,7 +1314,7 @@ LogL16InitState(TIFF* tif)
}
if( isTiled(tif) )
sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else if( td->td_rowsperstrip != (uint32)-1 )
+ else if( td->td_rowsperstrip < td->td_imagelength )
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
else
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
@@ -1416,8 +1416,10 @@ LogLuvInitState(TIFF* tif)
}
if( isTiled(tif) )
sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else
+ else if( td->td_rowsperstrip < td->td_imagelength )
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
+ else
+ sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
diff --git a/third_party/libtiff/tif_lzw.c b/third_party/libtiff/tif_lzw.c
index 5f1acf83da..bc8f9c84a6 100644
--- a/third_party/libtiff/tif_lzw.c
+++ b/third_party/libtiff/tif_lzw.c
@@ -1,4 +1,4 @@
-/* $Id: tif_lzw.c,v 1.55 2017-05-17 09:38:58 erouault Exp $ */
+/* $Id: tif_lzw.c,v 1.57 2017-07-11 10:54:29 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -275,7 +275,8 @@ LZWPreDecode(TIFF* tif, uint16 s)
/*
* Check for old bit-reversed codes.
*/
- if (tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) {
+ if (tif->tif_rawcc >= 2 &&
+ tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) {
#ifdef LZW_COMPAT
if (!sp->dec_decode) {
TIFFWarningExt(tif->tif_clientdata, module,
@@ -655,6 +656,9 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
}
bp = (unsigned char *)tif->tif_rawcp;
+#ifdef LZW_CHECKEOS
+ sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3);
+#endif
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -764,6 +768,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
}
}
+ tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8*) bp;
sp->lzw_nbits = (unsigned short)nbits;
sp->lzw_nextdata = nextdata;
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index f2263950e1..979858da9c 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.53 2017-05-17 09:53:06 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -673,6 +673,7 @@ PixarLogSetupDecode(TIFF* tif)
TIFFDirectory *td = &tif->tif_dir;
PixarLogState* sp = DecoderState(tif);
tmsize_t tbuf_size;
+ uint32 strip_height;
assert(sp != NULL);
@@ -682,6 +683,10 @@ PixarLogSetupDecode(TIFF* tif)
if( (sp->state & PLSTATE_INIT) != 0 )
return 1;
+ strip_height = td->td_rowsperstrip;
+ if( strip_height > td->td_imagelength )
+ strip_height = td->td_imagelength;
+
/* Make sure no byte swapping happens on the data
* after decompression. */
tif->tif_postdecode = _TIFFNoPostDecode;
@@ -691,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif)
sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
+ strip_height), sizeof(uint16));
/* add one more stride in case input ends mid-stride */
tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
index 7a60a39edf..9ae1f57a65 100644
--- a/third_party/libtiff/tif_predict.c
+++ b/third_party/libtiff/tif_predict.c
@@ -1,4 +1,4 @@
-/* $Id: tif_predict.c,v 1.43 2017-05-10 15:21:16 erouault Exp $ */
+/* $Id: tif_predict.c,v 1.44 2017-06-18 10:31:50 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -277,6 +277,7 @@ PredictorSetupEncode(TIFF* tif)
/* - when storing into the byte stream, we explicitly mask with 0xff so */
/* as to make icc -check=conversions happy (not necessary by the standard) */
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -344,6 +345,7 @@ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
return horAcc16(tif, cp0, cc);
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -378,6 +380,7 @@ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
return horAcc32(tif, cp0, cc);
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -503,6 +506,7 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
return 0;
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -556,6 +560,7 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
return 1;
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -595,6 +600,7 @@ swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
return 1;
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -637,6 +643,7 @@ swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
/*
* Floating point predictor differencing routine.
*/
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
{
diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index ad0a778c0f..2ba985a749 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.59 2017-05-13 15:34:06 erouault Exp $ */
+/* $Id: tif_read.c,v 1.66 2017-11-17 20:21:00 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -262,6 +262,7 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ;
tif->tif_rawdataloaded = unused_data + to_read;
+ tif->tif_rawcc = tif->tif_rawdataloaded;
tif->tif_rawcp = tif->tif_rawdata;
if (!isFillOrder(tif, td->td_fillorder) &&
@@ -275,10 +276,28 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
** restart the decoder.
*/
if( restart )
- return TIFFStartStrip(tif, strip);
+ {
+
+#ifdef JPEG_SUPPORT
+ /* A bit messy since breaks the codec abstraction. Ultimately */
+ /* there should be a function pointer for that, but it seems */
+ /* only JPEG is affected. */
+ /* For JPEG, if there are multiple scans (can generally be known */
+ /* with the read_ahead used), we need to read the whole strip */
+ if( tif->tif_dir.td_compression==COMPRESSION_JPEG &&
+ (uint64)tif->tif_rawcc < td->td_stripbytecount[strip] )
+ {
+ if( TIFFJPEGIsFullStripRequired(tif) )
+ {
+ return TIFFFillStrip(tif, strip);
+ }
+ }
+#endif
+
+ return TIFFStartStrip(tif, strip);
+ }
else
{
- tif->tif_rawcc = tif->tif_rawdataloaded;
return 1;
}
}
@@ -477,7 +496,7 @@ static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16
stripsize=TIFFVStripSize(tif,rows);
if (stripsize==0)
return((tmsize_t)(-1));
- return stripsize;
+ return stripsize;
}
/*
@@ -487,14 +506,14 @@ static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16
tmsize_t
TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
{
- static const char module[] = "TIFFReadEncodedStrip";
- TIFFDirectory *td = &tif->tif_dir;
- tmsize_t stripsize;
- uint16 plane;
+ static const char module[] = "TIFFReadEncodedStrip";
+ TIFFDirectory *td = &tif->tif_dir;
+ tmsize_t stripsize;
+ uint16 plane;
- stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
- if (stripsize==((tmsize_t)(-1)))
- return((tmsize_t)(-1));
+ stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
+ if (stripsize==((tmsize_t)(-1)))
+ return((tmsize_t)(-1));
/* shortcut to avoid an extra memcpy() */
if( td->td_compression == COMPRESSION_NONE &&
@@ -525,7 +544,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
/* Variant of TIFFReadEncodedStrip() that does
* * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has
- * suceeded. This avoid excessive memory allocation in case of truncated
+ * succeeded. This avoid excessive memory allocation in case of truncated
* file.
* * calls regular TIFFReadEncodedStrip() if *buf != NULL
*/
@@ -566,7 +585,6 @@ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
}
-
static tmsize_t
TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
const char* module)
@@ -798,26 +816,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
}
}
- if (isMapped(tif) &&
- (isFillOrder(tif, td->td_fillorder)
- || (tif->tif_flags & TIFF_NOBITREV))) {
- /*
- * The image is mapped into memory and we either don't
- * need to flip bits or the compression routine is
- * going to handle this operation itself. In this
- * case, avoid copying the raw data and instead just
- * reference the data from the memory mapped file
- * image. This assumes that the decompression
- * routines do not modify the contents of the raw data
- * buffer (if they try to, the application will get a
- * fault since the file is mapped read-only).
- */
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
- _TIFFfree(tif->tif_rawdata);
- tif->tif_rawdata = NULL;
- tif->tif_rawdatasize = 0;
- }
- tif->tif_flags &= ~TIFF_MYBUFFER;
+ if (isMapped(tif)) {
/*
* We must check for overflow, potentially causing
* an OOB read. Instead of simple
@@ -854,6 +853,28 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
tif->tif_curstrip = NOSTRIP;
return (0);
}
+ }
+
+ if (isMapped(tif) &&
+ (isFillOrder(tif, td->td_fillorder)
+ || (tif->tif_flags & TIFF_NOBITREV))) {
+ /*
+ * The image is mapped into memory and we either don't
+ * need to flip bits or the compression routine is
+ * going to handle this operation itself. In this
+ * case, avoid copying the raw data and instead just
+ * reference the data from the memory mapped file
+ * image. This assumes that the decompression
+ * routines do not modify the contents of the raw data
+ * buffer (if they try to, the application will get a
+ * fault since the file is mapped read-only).
+ */
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ }
+ tif->tif_flags &= ~TIFF_MYBUFFER;
tif->tif_rawdatasize = (tmsize_t)bytecount;
tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip];
tif->tif_rawdataoff = 0;
@@ -998,7 +1019,7 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
/* Variant of TIFFReadTile() that does
* * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
- * suceeded. This avoid excessive memory allocation in case of truncated
+ * succeeded. This avoid excessive memory allocation in case of truncated
* file.
* * calls regular TIFFReadEncodedTile() if *buf != NULL
*/
@@ -1017,7 +1038,7 @@ _TIFFReadTileAndAllocBuffer(TIFF* tif,
/* Variant of TIFFReadEncodedTile() that does
* * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
- * suceeded. This avoid excessive memory allocation in case of truncated
+ * succeeded. This avoid excessive memory allocation in case of truncated
* file.
* * calls regular TIFFReadEncodedTile() if *buf != NULL
*/
@@ -1067,7 +1088,6 @@ _TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
return ((tmsize_t)(-1));
}
-
static tmsize_t
TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
{
@@ -1210,6 +1230,56 @@ TIFFFillTile(TIFF* tif, uint32 tile)
#endif
return (0);
}
+
+ /* To avoid excessive memory allocations: */
+ /* Byte count should normally not be larger than a number of */
+ /* times the uncompressed size plus some margin */
+ if( bytecount > 1024 * 1024 )
+ {
+ /* 10 and 4096 are just values that could be adjusted. */
+ /* Hopefully they are safe enough for all codecs */
+ tmsize_t stripsize = TIFFTileSize(tif);
+ if( stripsize != 0 &&
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+ if( (int64)newbytecount >= 0 )
+ {
+#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Too large tile byte count %I64u, tile %lu. Limiting to %I64u",
+ (unsigned __int64) bytecount,
+ (unsigned long) tile,
+ (unsigned __int64) newbytecount);
+#else
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too large tile byte count %llu, tile %lu. Limiting to %llu",
+ (unsigned long long) bytecount,
+ (unsigned long) tile,
+ (unsigned long long) newbytecount);
+#endif
+ bytecount = newbytecount;
+ }
+ }
+ }
+
+ if (isMapped(tif)) {
+ /*
+ * We must check for overflow, potentially causing
+ * an OOB read. Instead of simple
+ *
+ * td->td_stripoffset[tile]+bytecount > tif->tif_size
+ *
+ * comparison (which can overflow) we do the following
+ * two comparisons:
+ */
+ if (bytecount > (uint64)tif->tif_size ||
+ td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
+ tif->tif_curtile = NOTILE;
+ return (0);
+ }
+ }
+
if (isMapped(tif) &&
(isFillOrder(tif, td->td_fillorder)
|| (tif->tif_flags & TIFF_NOBITREV))) {
@@ -1230,20 +1300,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
tif->tif_rawdatasize = 0;
}
tif->tif_flags &= ~TIFF_MYBUFFER;
- /*
- * We must check for overflow, potentially causing
- * an OOB read. Instead of simple
- *
- * td->td_stripoffset[tile]+bytecount > tif->tif_size
- *
- * comparison (which can overflow) we do the following
- * two comparisons:
- */
- if (bytecount > (uint64)tif->tif_size ||
- td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
- tif->tif_curtile = NOTILE;
- return (0);
- }
+
tif->tif_rawdatasize = (tmsize_t)bytecount;
tif->tif_rawdata =
tif->tif_base + (tmsize_t)td->td_stripoffset[tile];
@@ -1442,7 +1499,10 @@ TIFFStartTile(TIFF* tif, uint32 tile)
else
{
tif->tif_rawcp = tif->tif_rawdata;
- tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
+ if( tif->tif_rawdataloaded > 0 )
+ tif->tif_rawcc = tif->tif_rawdataloaded;
+ else
+ tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
}
return ((*tif->tif_predecode)(tif,
(uint16)(tile/td->td_stripsperimage)));
diff --git a/third_party/libtiff/tif_swab.c b/third_party/libtiff/tif_swab.c
index 211dc576eb..4b2e5f16d7 100644
--- a/third_party/libtiff/tif_swab.c
+++ b/third_party/libtiff/tif_swab.c
@@ -1,4 +1,4 @@
-/* $Id: tif_swab.c,v 1.14 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_swab.c,v 1.15 2017-06-08 16:39:50 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -31,7 +31,7 @@
*/
#include "tiffiop.h"
-#ifndef TIFFSwabShort
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabShort)
void
TIFFSwabShort(uint16* wp)
{
@@ -42,7 +42,7 @@ TIFFSwabShort(uint16* wp)
}
#endif
-#ifndef TIFFSwabLong
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabLong)
void
TIFFSwabLong(uint32* lp)
{
@@ -54,7 +54,7 @@ TIFFSwabLong(uint32* lp)
}
#endif
-#ifndef TIFFSwabLong8
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabLong8)
void
TIFFSwabLong8(uint64* lp)
{
@@ -68,7 +68,7 @@ TIFFSwabLong8(uint64* lp)
}
#endif
-#ifndef TIFFSwabArrayOfShort
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfShort)
void
TIFFSwabArrayOfShort(register uint16* wp, tmsize_t n)
{
@@ -84,7 +84,7 @@ TIFFSwabArrayOfShort(register uint16* wp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabArrayOfTriples
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfTriples)
void
TIFFSwabArrayOfTriples(register uint8* tp, tmsize_t n)
{
@@ -100,7 +100,7 @@ TIFFSwabArrayOfTriples(register uint8* tp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabArrayOfLong
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfLong)
void
TIFFSwabArrayOfLong(register uint32* lp, tmsize_t n)
{
@@ -117,7 +117,7 @@ TIFFSwabArrayOfLong(register uint32* lp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabArrayOfLong8
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfLong8)
void
TIFFSwabArrayOfLong8(register uint64* lp, tmsize_t n)
{
@@ -136,7 +136,7 @@ TIFFSwabArrayOfLong8(register uint64* lp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabFloat
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabFloat)
void
TIFFSwabFloat(float* fp)
{
@@ -148,7 +148,7 @@ TIFFSwabFloat(float* fp)
}
#endif
-#ifndef TIFFSwabArrayOfFloat
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfFloat)
void
TIFFSwabArrayOfFloat(register float* fp, tmsize_t n)
{
@@ -165,7 +165,7 @@ TIFFSwabArrayOfFloat(register float* fp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabDouble
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabDouble)
void
TIFFSwabDouble(double *dp)
{
@@ -179,7 +179,7 @@ TIFFSwabDouble(double *dp)
}
#endif
-#ifndef TIFFSwabArrayOfDouble
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfDouble)
void
TIFFSwabArrayOfDouble(double* dp, tmsize_t n)
{
diff --git a/third_party/libtiff/tif_warning.c b/third_party/libtiff/tif_warning.c
index 423b636e6e..dc79f14455 100644
--- a/third_party/libtiff/tif_warning.c
+++ b/third_party/libtiff/tif_warning.c
@@ -1,4 +1,4 @@
-/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_warning.c,v 1.3 2010-03-10 18:56:49 bfriesen Exp $ */
+/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_warning.c,v 1.4 2017-07-04 12:54:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -51,24 +51,32 @@ void
TIFFWarning(const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFwarningHandler)
+ if (_TIFFwarningHandler) {
+ va_start(ap, fmt);
(*_TIFFwarningHandler)(module, fmt, ap);
- if (_TIFFwarningHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFwarningHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFwarningHandlerExt)(0, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
void
TIFFWarningExt(thandle_t fd, const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFwarningHandler)
+ if (_TIFFwarningHandler) {
+ va_start(ap, fmt);
(*_TIFFwarningHandler)(module, fmt, ap);
- if (_TIFFwarningHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFwarningHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFwarningHandlerExt)(fd, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
diff --git a/third_party/libtiff/tiffconf.h b/third_party/libtiff/tiffconf.h
index 50e458faf4..e527083844 100644
--- a/third_party/libtiff/tiffconf.h
+++ b/third_party/libtiff/tiffconf.h
@@ -10,7 +10,7 @@
#include "core/fxcrt/fx_system.h"
//NOTE: The tiff codec requires an ANSI C compiler environment for building and
-// presumes an ANSI C environment for use.
+// presumes an ANSI C environment for use.
# define HAVE_SYS_TYPES_H 1
# define HAVE_FCNTL_H 1
@@ -80,7 +80,7 @@
/* Unsigned 32-bit type formatter */
#define TIFF_UINT32_FORMAT "%u"
-#ifdef _MSC_VER // windows
+#ifdef _MSC_VER // windows
/* Signed 64-bit type formatter */
#define TIFF_INT64_FORMAT "%I64d"
@@ -94,9 +94,9 @@
/* Unsigned 64-bit type */
#define TIFF_UINT64_T unsigned __int64
-#else // linux/unix
+#else // linux/unix
-#if 0 //_FX_CPU_ == _FX_X64_ // linux/unix 64
+#if 0 //_FX_CPU_ == _FX_X64_ // linux/unix 64
/* Signed 64-bit type formatter */
#define TIFF_INT64_FORMAT "%ld"
@@ -107,7 +107,7 @@
/* Signed 64-bit type */
#define TIFF_INT64_T signed long
-#else // linux/unix 32
+#else // linux/unix 32
/* Signed 64-bit type formatter */
#define TIFF_INT64_FORMAT "%lld"
@@ -118,7 +118,7 @@
/* Signed 64-bit type */
#define TIFF_INT64_T signed long long
-#endif // end _FX_CPU_
+#endif // end _FX_CPU_
/* Unsigned 64-bit type */
#define TIFF_UINT64_T unsigned long long
@@ -201,7 +201,7 @@
/* Support Old JPEG compresson (read contrib/ojpeg/README first! Compilation
fails with unpatched IJG JPEG library) */
-#define OJPEG_SUPPORT 1
+#define OJPEG_SUPPORT 1
/* Support Macintosh PackBits algorithm */
#define PACKBITS_SUPPORT 1
diff --git a/third_party/libtiff/tiffiop.h b/third_party/libtiff/tiffiop.h
index 6fb47de5b2..f381666f16 100644
--- a/third_party/libtiff/tiffiop.h
+++ b/third_party/libtiff/tiffiop.h
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
+/* $Id: tiffiop.h,v 1.95 2017-09-07 14:02:52 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -237,8 +237,7 @@ struct tiff {
(TIFFReadFile((tif),(buf),(size))==(size))
#endif
#ifndef SeekOK
-#define SeekOK(tif, off) \
- (TIFFSeekFile((tif),(off),SEEK_SET)==(off))
+#define SeekOK(tif, off) _TIFFSeekOK(tif, off)
#endif
#ifndef WriteOK
#define WriteOK(tif, buf, size) \
@@ -314,6 +313,13 @@ typedef size_t TIFFIOSize_t;
#define _TIFF_off_t off_t
#endif
+#if __clang_major__ >= 4 || (__clang_major__ == 3 && __clang_minor__ >= 8)
+#define TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow")))
+#else
+#define TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
+#endif
+
+
#if defined(__cplusplus)
extern "C" {
#endif
@@ -376,7 +382,7 @@ extern tmsize_t
_TIFFReadTileAndAllocBuffer(TIFF* tif,
void **buf, tmsize_t bufsizetoalloc,
uint32 x, uint32 y, uint32 z, uint16 s);
-
+extern int _TIFFSeekOK(TIFF* tif, toff_t off);
extern int TIFFInitDumpMode(TIFF*, int);
#ifdef PACKBITS_SUPPORT
@@ -400,6 +406,7 @@ extern int TIFFInitOJPEG(TIFF*, int);
#endif
#ifdef JPEG_SUPPORT
extern int TIFFInitJPEG(TIFF*, int);
+extern int TIFFJPEGIsFullStripRequired(TIFF*);
#endif
#ifdef JBIG_SUPPORT
extern int TIFFInitJBIG(TIFF*, int);
diff --git a/third_party/libtiff/tiffvers.h b/third_party/libtiff/tiffvers.h
index 890e433d8a..7c415740f6 100644
--- a/third_party/libtiff/tiffvers.h
+++ b/third_party/libtiff/tiffvers.h
@@ -1,4 +1,4 @@
-#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.8\nCopyright (c) 1988-1996 Sam Leffler\nCopyright (c) 1991-1996 Silicon Graphics, Inc."
+#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.9\nCopyright (c) 1988-1996 Sam Leffler\nCopyright (c) 1991-1996 Silicon Graphics, Inc."
/*
* This define can be used in code that requires
* compilation-related definitions specific to a
@@ -6,4 +6,4 @@
* version checking should be done based on the
* string returned by TIFFGetVersion.
*/
-#define TIFFLIB_VERSION 20170521
+#define TIFFLIB_VERSION 20171118