From b1b01de0285c77f16a72736bf6abeb9598743b0a Mon Sep 17 00:00:00 2001 From: Ryan Harrison Date: Fri, 27 Apr 2018 16:08:58 +0000 Subject: Updated libtiff 4.0.8->4.0.9 Applied 0000-build-config.patch Applied 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch Applied 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch Updated and applied 0017-safe_skews_in_gtTileContig.patch Removed 0025-upstream-OOM-gtTileContig.patch, already applied Removed 0026-upstream-null-dereference.patch, already applied Applied 0027-build-config.patch Updated and applied 0028-nstrips-OOM.patch BUG=pdfium:1074 Change-Id: I32510327155213fd6256c5a67fa1be3a54cb975c Reviewed-on: https://pdfium-review.googlesource.com/31550 Reviewed-by: Henrique Nakashima Commit-Queue: Ryan Harrison --- third_party/libtiff/tif_jpeg.c | 194 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 175 insertions(+), 19 deletions(-) (limited to 'third_party/libtiff/tif_jpeg.c') diff --git a/third_party/libtiff/tif_jpeg.c b/third_party/libtiff/tif_jpeg.c index df06e03fab..19fa87a7e2 100644 --- a/third_party/libtiff/tif_jpeg.c +++ b/third_party/libtiff/tif_jpeg.c @@ -1,4 +1,4 @@ -/* $Id: tif_jpeg.c,v 1.127 2017-01-31 13:02:27 erouault Exp $ */ +/* $Id: tif_jpeg.c,v 1.134 2017-10-17 19:04:47 erouault Exp $ */ /* * Copyright (c) 1994-1997 Sam Leffler @@ -27,6 +27,8 @@ #define WIN32_LEAN_AND_MEAN #define VC_EXTRALEAN +#include + #include "tiffiop.h" #ifdef JPEG_SUPPORT @@ -47,6 +49,7 @@ int TIFFFillStrip(TIFF* tif, uint32 strip); int TIFFFillTile(TIFF* tif, uint32 tile); int TIFFReInitJPEG_12( TIFF *tif, int scheme, int is_encode ); +int TIFFJPEGIsFullStripRequired_12(TIFF* tif); /* We undefine FAR to avoid conflict with JPEG definition */ @@ -153,6 +156,8 @@ typedef struct { jpeg_error_mgr err; /* libjpeg error manager */ JMP_BUF exit_jmpbuf; /* for catching libjpeg failures */ + + struct jpeg_progress_mgr progress; /* * The following two members could be a union, but * they're small enough that it's not worth the effort. @@ -183,6 +188,7 @@ typedef struct { int jpegtablesmode; /* What to put in JPEGTables */ int ycbcrsampling_fetched; + int max_allowed_scan_number; } JPEGState; #define JState(tif) ((JPEGState*)(tif)->tif_data) @@ -243,6 +249,33 @@ TIFFjpeg_output_message(j_common_ptr cinfo) TIFFWarningExt(((JPEGState *) cinfo)->tif->tif_clientdata, "JPEGLib", "%s", buffer); } +/* Avoid the risk of denial-of-service on crafted JPEGs with an insane */ +/* number of scans. */ +/* See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */ +static void +TIFFjpeg_progress_monitor(j_common_ptr cinfo) +{ + JPEGState *sp = (JPEGState *) cinfo; /* NB: cinfo assumed first */ + if (cinfo->is_decompressor) + { + const int scan_no = + ((j_decompress_ptr)cinfo)->input_scan_number; + if (scan_no >= sp->max_allowed_scan_number) + { + TIFFErrorExt(((JPEGState *) cinfo)->tif->tif_clientdata, + "TIFFjpeg_progress_monitor", + "Scan number %d exceeds maximum scans (%d). This limit " + "can be raised through the LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER " + "environment variable.", + scan_no, sp->max_allowed_scan_number); + + jpeg_abort(cinfo); /* clean up libjpeg state */ + LONGJMP(sp->exit_jmpbuf, 1); /* return to libtiff caller */ + } + } +} + + /* * Interface routines. This layer of routines exists * primarily to limit side-effects from using setjmp. @@ -344,9 +377,24 @@ TIFFjpeg_read_header(JPEGState* sp, boolean require_image) return CALLJPEG(sp, -1, jpeg_read_header(&sp->cinfo.d, require_image)); } +static int +TIFFjpeg_has_multiple_scans(JPEGState* sp) +{ + return CALLJPEG(sp, 0, jpeg_has_multiple_scans(&sp->cinfo.d)); +} + static int TIFFjpeg_start_decompress(JPEGState* sp) { + const char* sz_max_allowed_scan_number; + /* progress monitor */ + sp->cinfo.d.progress = &sp->progress; + sp->progress.progress_monitor = TIFFjpeg_progress_monitor; + sp->max_allowed_scan_number = 100; + sz_max_allowed_scan_number = getenv("LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER"); + if( sz_max_allowed_scan_number ) + sp->max_allowed_scan_number = atoi(sz_max_allowed_scan_number); + return CALLVJPEG(sp, jpeg_start_decompress(&sp->cinfo.d)); } @@ -597,9 +645,8 @@ std_term_source(j_decompress_ptr cinfo) } static void -TIFFjpeg_data_src(JPEGState* sp, TIFF* tif) +TIFFjpeg_data_src(JPEGState* sp) { - (void) tif; sp->cinfo.d.src = &sp->src; sp->src.init_source = std_init_source; sp->src.fill_input_buffer = std_fill_input_buffer; @@ -625,9 +672,9 @@ tables_init_source(j_decompress_ptr cinfo) } static void -TIFFjpeg_tables_src(JPEGState* sp, TIFF* tif) +TIFFjpeg_tables_src(JPEGState* sp) { - TIFFjpeg_data_src(sp, tif); + TIFFjpeg_data_src(sp); sp->src.init_source = tables_init_source; } @@ -984,7 +1031,7 @@ JPEGSetupDecode(TIFF* tif) /* Read JPEGTables if it is present */ if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) { - TIFFjpeg_tables_src(sp, tif); + TIFFjpeg_tables_src(sp); if(TIFFjpeg_read_header(sp,FALSE) != JPEG_HEADER_TABLES_ONLY) { TIFFErrorExt(tif->tif_clientdata, "JPEGSetupDecode", "Bogus JPEGTables field"); return (0); @@ -1006,11 +1053,47 @@ JPEGSetupDecode(TIFF* tif) } /* Set up for reading normal data */ - TIFFjpeg_data_src(sp, tif); + TIFFjpeg_data_src(sp); tif->tif_postdecode = _TIFFNoPostDecode; /* override byte swapping */ return (1); } +/* Returns 1 if the full strip should be read, even when doing scanline per */ +/* scanline decoding. This happens when the JPEG stream uses multiple scans. */ +/* Currently only called in CHUNKY_STRIP_READ_SUPPORT mode through */ +/* scanline interface. */ +/* Only reads tif->tif_dir.td_bitspersample, tif->tif_rawdata and */ +/* tif->tif_rawcc members. */ +/* Can be called independently of the usual setup/predecode/decode states */ +int TIFFJPEGIsFullStripRequired(TIFF* tif) +{ + int ret; + JPEGState state; + +#if defined(JPEG_DUAL_MODE_8_12) && !defined(TIFFJPEGIsFullStripRequired) + if( tif->tif_dir.td_bitspersample == 12 ) + return TIFFJPEGIsFullStripRequired_12( tif ); +#endif + + memset(&state, 0, sizeof(JPEGState)); + state.tif = tif; + + TIFFjpeg_create_decompress(&state); + + TIFFjpeg_data_src(&state); + + if (TIFFjpeg_read_header(&state, TRUE) != JPEG_HEADER_OK) + { + TIFFjpeg_destroy(&state); + return (0); + } + ret = TIFFjpeg_has_multiple_scans(&state); + + TIFFjpeg_destroy(&state); + + return ret; +} + /* * Set up for decoding a strip or tile. */ @@ -1051,13 +1134,13 @@ JPEGPreDecode(TIFF* tif, uint16 s) /* * Check image parameters and set decompression parameters. */ - segment_width = td->td_imagewidth; - segment_height = td->td_imagelength - tif->tif_row; if (isTiled(tif)) { segment_width = td->td_tilewidth; segment_height = td->td_tilelength; sp->bytesperline = TIFFTileRowSize(tif); } else { + segment_width = td->td_imagewidth; + segment_height = td->td_imagelength - tif->tif_row; if (segment_height > td->td_rowsperstrip) segment_height = td->td_rowsperstrip; sp->bytesperline = TIFFScanlineSize(tif); @@ -1078,9 +1161,23 @@ JPEGPreDecode(TIFF* tif, uint16 s) segment_width, segment_height, sp->cinfo.d.image_width, sp->cinfo.d.image_height); - } - if (sp->cinfo.d.image_width > segment_width || - sp->cinfo.d.image_height > segment_height) { + } + if( sp->cinfo.d.image_width == segment_width && + sp->cinfo.d.image_height > segment_height && + tif->tif_row + segment_height == td->td_imagelength && + !isTiled(tif) ) { + /* Some files have a last strip, that should be truncated, */ + /* but their JPEG codestream has still the maximum strip */ + /* height. Warn about this as this is non compliant, but */ + /* we can safely recover from that. */ + TIFFWarningExt(tif->tif_clientdata, module, + "JPEG strip size exceeds expected dimensions," + " expected %dx%d, got %dx%d", + segment_width, segment_height, + sp->cinfo.d.image_width, sp->cinfo.d.image_height); + } + else if (sp->cinfo.d.image_width > segment_width || + sp->cinfo.d.image_height > segment_height) { /* * This case could be dangerous, if the strip or tile size has * been reported as less than the amount of data jpeg will @@ -1113,6 +1210,47 @@ JPEGPreDecode(TIFF* tif, uint16 s) return (0); } #endif + + /* In some cases, libjpeg needs to allocate a lot of memory */ + /* http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */ + if( TIFFjpeg_has_multiple_scans(sp) ) + { + /* In this case libjpeg will need to allocate memory or backing */ + /* store for all coefficients */ + /* See call to jinit_d_coef_controller() from master_selection() */ + /* in libjpeg */ + toff_t nRequiredMemory = (toff_t)sp->cinfo.d.image_width * + sp->cinfo.d.image_height * + sp->cinfo.d.num_components * + ((td->td_bitspersample+7)/8); + /* BLOCK_SMOOTHING_SUPPORTED is generally defined, so we need */ + /* to replicate the logic of jinit_d_coef_controller() */ + if( sp->cinfo.d.progressive_mode ) + nRequiredMemory *= 3; + +#ifndef TIFF_LIBJPEG_LARGEST_MEM_ALLOC +#define TIFF_LIBJPEG_LARGEST_MEM_ALLOC (100 * 1024 * 1024) +#endif + + if( nRequiredMemory > TIFF_LIBJPEG_LARGEST_MEM_ALLOC && + getenv("LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC") == NULL ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Reading this strip would require libjpeg to allocate " + "at least %u bytes. " + "This is disabled since above the %u threshold. " + "You may override this restriction by defining the " + "LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, " + "or recompile libtiff by defining the " + "TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro to a value greater " + "than %u", + (unsigned)nRequiredMemory, + (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC, + (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC); + return (0); + } + } + if (td->td_planarconfig == PLANARCONFIG_CONTIG) { /* Component 0 should have expected sampling factors */ if (sp->cinfo.d.comp_info[0].h_samp_factor != sp->h_sampling || @@ -1374,10 +1512,18 @@ JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) { JPEGState *sp = JState(tif); tmsize_t nrows; + TIFFDirectory *td = &tif->tif_dir; (void) s; + nrows = sp->cinfo.d.image_height; + /* For last strip, limit number of rows to its truncated height */ + /* even if the codestream height is larger (which is not compliant, */ + /* but that we tolerate) */ + if( (uint32)nrows > td->td_imagelength - tif->tif_row && !isTiled(tif) ) + nrows = td->td_imagelength - tif->tif_row; + /* data is expected to be read in multiples of a scanline */ - if ( (nrows = sp->cinfo.d.image_height) != 0 ) { + if ( nrows != 0 ) { /* Cb,Cr both have sampling factors 1, so this is correct */ JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; @@ -2318,12 +2464,22 @@ static int JPEGInitializeLibJPEG( TIFF * tif, int decompress ) #ifndef TIFF_JPEG_MAX_MEMORY_TO_USE #define TIFF_JPEG_MAX_MEMORY_TO_USE (10 * 1024 * 1024) #endif - /* Increase the max memory usable. This helps when creating files */ - /* with "big" tile, without using libjpeg temporary files. */ - /* For example a 512x512 tile with 3 bands */ - /* requires 1.5 MB which is above libjpeg 1MB default */ - if( sp->cinfo.c.mem->max_memory_to_use < TIFF_JPEG_MAX_MEMORY_TO_USE ) - sp->cinfo.c.mem->max_memory_to_use = TIFF_JPEG_MAX_MEMORY_TO_USE; + /* libjpeg turbo 1.5.2 honours max_memory_to_use, but has no backing */ + /* store implementation, so better not set max_memory_to_use ourselves. */ + /* See https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162 */ + if( sp->cinfo.c.mem->max_memory_to_use > 0 ) + { + /* This is to address bug related in ticket GDAL #1795. */ + if (getenv("JPEGMEM") == NULL) + { + /* Increase the max memory usable. This helps when creating files */ + /* with "big" tile, without using libjpeg temporary files. */ + /* For example a 512x512 tile with 3 bands */ + /* requires 1.5 MB which is above libjpeg 1MB default */ + if( sp->cinfo.c.mem->max_memory_to_use < TIFF_JPEG_MAX_MEMORY_TO_USE ) + sp->cinfo.c.mem->max_memory_to_use = TIFF_JPEG_MAX_MEMORY_TO_USE; + } + } } sp->cinfo_initialized = TRUE; -- cgit v1.2.3