summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLiang Qi <liang.qi@qt.io>2017-10-30 08:44:39 +0100
committerLiang Qi <liang.qi@qt.io>2017-10-30 09:07:52 +0100
commite5c4a6f82b83a1bf27380c071e822d5303642824 (patch)
tree5f16389c799eba64ea581ac63ee9d6b4da8bb3c1
parent36fdeb50941e3e2b0c4cd1b3343c3e337534357d (diff)
parentfeca51d8c714781378cecc99122035348e0459bb (diff)
Merge remote-tracking branch 'origin/5.9' into 5.10v5.10.0-beta4
Conflicts: .qmake.conf Change-Id: I84737121b8915a6c358ad92246984749e2719bed
-rw-r--r--dist/changes-5.6.326
-rw-r--r--dist/changes-5.9.224
-rw-r--r--src/3rdparty/libtiff/ChangeLog824
-rw-r--r--src/3rdparty/libtiff/RELEASE-DATE2
-rw-r--r--src/3rdparty/libtiff/TODO2
-rw-r--r--src/3rdparty/libtiff/VERSION2
-rw-r--r--src/3rdparty/libtiff/libtiff/SConstruct2
-rw-r--r--src/3rdparty/libtiff/libtiff/libtiff.def2
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_aux.c9
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_color.c40
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_config.h2
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dir.c50
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dir.h3
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dirinfo.c105
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dirread.c237
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_dirwrite.c137
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_error.c26
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_fax3.c77
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_fax3.h6
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_getimage.c317
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_jbig.c3
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_jpeg.c199
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_jpeg_12.c1
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_luv.c51
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_lzw.c40
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_ojpeg.c25
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_open.c6
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_packbits.c12
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_pixarlog.c67
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_predict.c25
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_print.c10
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_read.c625
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_strip.c11
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_swab.c24
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_unix.c10
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_warning.c26
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_win32.c10
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_write.c32
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_zip.c8
-rw-r--r--src/3rdparty/libtiff/libtiff/tiffio.h5
-rw-r--r--src/3rdparty/libtiff/libtiff/tiffiop.h31
-rw-r--r--src/3rdparty/libtiff/libtiff/tiffvers.h4
-rw-r--r--src/3rdparty/libtiff/port/dummy.c2
-rw-r--r--src/3rdparty/libtiff/port/lfind.c2
-rw-r--r--src/3rdparty/libtiff/port/strtoul.c2
-rw-r--r--src/3rdparty/libtiff/qt_attribution.json2
-rw-r--r--src/imageformats/doc/src/qtimageformats.qdoc10
-rw-r--r--src/plugins/imageformats/tga/qtgafile.cpp4
-rw-r--r--src/plugins/imageformats/webp/qwebphandler.cpp2
49 files changed, 2668 insertions, 474 deletions
diff --git a/dist/changes-5.6.3 b/dist/changes-5.6.3
new file mode 100644
index 0000000..87807cd
--- /dev/null
+++ b/dist/changes-5.6.3
@@ -0,0 +1,26 @@
+Qt 5.6.3 is a bug-fix release. It maintains both forward and backward
+compatibility (source and binary) with Qt 5.6.0.
+
+For more details, refer to the online documentation included in this
+distribution. The documentation is also available online:
+
+ http://doc.qt.io/qt-5/index.html
+
+The Qt version 5.6 series is binary compatible with the 5.5.x series.
+Applications compiled for 5.5 will continue to run with 5.6.
+
+Some of the changes listed in this file include issue tracking numbers
+corresponding to tasks in the Qt Bug Tracker:
+
+ https://bugreports.qt.io/
+
+Each of these identifiers can be entered in the bug tracker to obtain more
+information about a particular change.
+
+****************************************************************************
+* Important Behavior Changes *
+****************************************************************************
+
+ - For security reasons, the DDS handler will no longer be built by
+ default. Users who still want this handler can build it from the
+ source project.
diff --git a/dist/changes-5.9.2 b/dist/changes-5.9.2
new file mode 100644
index 0000000..918c4e5
--- /dev/null
+++ b/dist/changes-5.9.2
@@ -0,0 +1,24 @@
+Qt 5.9.2 is a bug-fix release. It maintains both forward and backward
+compatibility (source and binary) with Qt 5.9.0.
+
+For more details, refer to the online documentation included in this
+distribution. The documentation is also available online:
+
+http://doc.qt.io/qt-5/index.html
+
+The Qt version 5.9 series is binary compatible with the 5.8.x series.
+Applications compiled for 5.8 will continue to run with 5.9.
+
+Some of the changes listed in this file include issue tracking numbers
+corresponding to tasks in the Qt Bug Tracker:
+
+https://bugreports.qt.io/
+
+Each of these identifiers can be entered in the bug tracker to obtain more
+information about a particular change.
+
+****************************************************************************
+* Qt 5.9.2 Changes *
+****************************************************************************
+
+ - Minor bugfixes for animated webp images.
diff --git a/src/3rdparty/libtiff/ChangeLog b/src/3rdparty/libtiff/ChangeLog
index 9b9d397..e15feec 100644
--- a/src/3rdparty/libtiff/ChangeLog
+++ b/src/3rdparty/libtiff/ChangeLog
@@ -1,3 +1,825 @@
+2017-10-10 Even Rouault <even.rouault at spatialys.com>
+
+ * nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use
+ /MDd runtime in debug mode.
+
+2017-10-01 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffset.c: fix setting a single value for the ExtraSamples tag
+ (and other tags with variable number of values).
+ So 'tiffset -s ExtraSamples 1 X'. This only worked
+ when setting 2 or more values, but not just one.
+
+2017-09-29 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735
+
+2017-09-09 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: add NULL check to avoid likely false positive
+ null-pointer dereference warning by CLang Static Analyzer.
+
+2017-09-07 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a _TIFFSeekoK()
+ function that checks if the offset is not bigger than INT64_MAX, so as
+ to avoid a -1 error return code of TIFFSeekFile() to match a required
+ seek to UINT64_MAX/-1.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
+ Adapted from proposal by Nicolas Ruff.
+
+2017-08-29 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed
+ file if the codestream height is larger than the truncated height of the
+ strip. Emit a warning in this situation since this is non compliant.
+
+2017-08-28 Even Rouault <even.rouault at spatialys.com>
+
+ * test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
+ to fix "make distcheck". Patch by Roger Leigh
+
+2017-08-23 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
+ on uint32 when selecting the value of SubIFD tag by runtime check
+ (in TIFFWriteDirectoryTagSubifd()).
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
+ Reported by team OWL337
+
+2017-08-23 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the
+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+ Reported by team OWL337
+
+2017-07-24 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: further reduce memory requirements for temporary
+ buffer when RowsPerStrip >= image_length in LogLuvInitState() and
+ LogL16InitState().
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700
+ Credit to OSS Fuzz
+
+2017-07-24 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped
+ pixel number is not a multiple of the horizontal subsampling, and
+ also in some other cases. Impact putcontig8bitYCbCr44tile,
+ putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile,
+ putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered
+ by Agostino Sarubbo)
+ and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit
+ to OSS Fuzz)
+
+2017-07-24 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate():
+ properly break from loops on error when stoponerr is set, instead
+ of going on iterating on row based loop.
+
+2017-07-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
+ allocation when RowsPerStrip tag is missing.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
+ Credit to OSS-Fuzz
+
+2017-07-15 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: add protection against excessive memory
+ allocation attempts in TIFFReadDirEntryArray() on short files.
+ Effective for mmap'ed case. And non-mmap'ed case, but restricted
+ to 64bit builds.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
+
+2017-07-15 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
+ arrays that hold StripOffsets/StripByteCounts, when they are smaller
+ than the expected number of striles, up to 1 million striles, and
+ error out beyond. Can be tweaked by setting the environment variable
+ LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
+ This partially goes against a change added on 2002-12-17 to accept
+ those arrays of wrong sizes, but is needed to avoid denial of services.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
+ Credit to OSS Fuzz
+
+2017-07-15 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile().
+ Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
+ in the isMapped() case, so as to avoid excessive memory allocation
+ when we need a temporary buffer but the file is truncated.
+
+2017-07-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+ mode on PlanarConfig=Contig input images.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
+ Reported by team OWL337
+
+2017-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c: avoid potential null pointer dereference in
+ _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
+
+2017-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW
+ strips. Crashing issue only on memory mapped files, where the strip
+ offset is the last byte of the file, and the file size is a multiple
+ of one page size on the CPU architecture (typically 4096). Credit
+ to myself :-)
+
+2017-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files
+ to test old-style LZW decompression
+ * test/common.sh, Makefile.am, CMakeList.txt: updated with above
+
+2017-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes)
+
+2017-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW
+ compressed files.
+
+2017-07-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
+ when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
+ Credit to OSS Fuzz
+
+2017-07-04 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedTileAndAllocBuffer()
+ and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and
+ TIFFReadTile() that allocates the decoded buffer only after a first
+ successful TIFFFillTile(). This avoids excessive memory allocation
+ on corrupted files.
+ * libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
+ Credit to OSS Fuzz.
+
+2017-07-04 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_error.c, tif_warning.c: correctly use va_list when both
+ an old-style and new-style warning/error handlers are installed.
+ Patch by Paavo Helde (sent on the mailing list)
+
+2017-07-02 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
+ tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
+ This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
+ limiting the number of bytes read. But it could probably have been hit
+ too in CHUNKY_STRIP_READ_SUPPORT mode previously ?
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
+ Credit to OSS Fuzz
+
+2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * man: update documentation regarding SubIFD tag and
+ TIFFSetSubDirectory() data type.
+ Patch by Eric Piel
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671
+
+2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+ functions associated with LONG8/SLONG8 data type, replace assertion that
+ the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
+ Reported by team OWL337
+
+2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()
+ function, variant of TIFFReadEncodedStrip() that allocates the
+ decoded buffer only after a first successful TIFFFillStrip(). This avoids
+ excessive memory allocation on corrupted files.
+ * libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .
+ Credit to OSS Fuzz
+
+2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
+ of bytes read in case td_stripbytecount[strip] is bigger than
+ reasonable, so as to avoid excessive memory allocation (similarly to
+ what was done for TIFFFileStrip() on 2017-05-10)
+
+2017-06-29 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c,
+ libtiff/tif_read.c: make TIFFReadScanline() works in
+ CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
+ Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
+ environment variable the maximum number of scans allowed. Defaults to
+ 100.
+
+2017-06-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
+ double value can fit in a float before casting. Patch by Nicolas RUFF
+
+2017-06-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
+ Reported by team OWL337
+
+2017-06-24 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
+ memory allocation is above 100 MB. libjpeg in case of multiple scans,
+ which is allowed even in baseline JPEG, if components are spread over several
+ scans and not interleavedin a single one, needs to allocate memory (or
+ backing store) for the whole strip/tile.
+ See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
+ This limitation may be overriden by setting the
+ LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling
+ libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
+
+2017-06-24 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive
+ CPU consumption on progressive JPEGs with a huge number of scans.
+ See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
+ Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG
+ was added.
+
+2017-06-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to
+ disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow
+ * libtiff/tif_predict.c: decorate legitimate functions where unsigned int
+ overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
+ * libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()
+ and BYTECOUNTLOOKSBAD when file is too short.
+ * libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
+ * libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could
+ potentially be a bug with huge rows.
+ * libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
+
+2017-06-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items
+ read in StripOffsets/StripByteCounts tags to the number of strips to avoid
+ excessive memory allocation.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215
+ Credit to OSS Fuzz
+
+2017-06-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in
+ ChopUpSingleUncompressedStrip() regarding update of newly single-strip
+ uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
+ the condition bytecount==0 used to trigger an early exit/disabling of
+ strip chop. Re-introduce that in update mode. Otherwise this cause
+ later incorrect setting for the value of StripByCounts/StripOffsets.
+ ( https://trac.osgeo.org/gdal/ticket/6924 )
+
+2017-06-10 Even Rouault <even.rouault at spatialys.com>
+
+ * .appveyor.yml, .travis.yml, build/travis-ci: apply patches
+ 0001-ci-Travis-script-improvements.patch and
+ 0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh
+ (sent to mailing list)
+
+2017-06-08 Even Rouault <even.rouault at spatialys.com>
+
+ * .travis.yml, build/travis-ci: new files from
+ 0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by
+ Roger Leigh (sent to mailing list on 2017-06-08)
+ This patch adds support for the Travis-CI service.
+
+ * .appveyor.yml: new file from
+ 0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing
+ list on 2017-06-08)
+ This patch adds a .appveyor.yml file to the top-level. This allows
+ one to opt in to having a branch built on Windows with Cygwin,
+ MinGW and MSVC automatically when a branch is pushed to GitHub,
+ GitLab, BitBucket or any other supported git hosting service.
+
+ * CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply
+ patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger
+ Leigh (sent to mailing list on 2017-06-08)
+ This patch makes the CMake build system support running the tests
+ with MinGW or Cygwin.
+
+2017-06-08 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do
+ the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols
+ of its internal libtiff copy.
+
+2017-06-01 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+ to behave differently depending on whether the codec is enabled or not, and
+ thus can avoid stack based buffer overflows in a number of TIFF utilities
+ such as tiffsplit, tiffcmp, thumbnail, etc.
+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+ Fixes:
+ http://bugzilla.maptools.org/show_bug.cgi?id=2580
+ http://bugzilla.maptools.org/show_bug.cgi?id=2693
+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+ http://bugzilla.maptools.org/show_bug.cgi?id=2441
+ http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+2017-05-29 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
+ refBlackWhite coefficients values. To avoid invalid float->int32 conversion
+ (when refBlackWhite[0] == 2147483648.f)
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
+ Credit to OSS Fuzz
+
+2017-05-29 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
+ int32 overflow in TIFFYCbCrtoRGB().
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
+ Credit to OSS Fuzz
+
+2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * configure.ac: libtiff 4.0.8 released.
+
+ * html/v4.0.8.html: Add description of changes targeting the 4.0.8
+ release.
+
+2017-05-20 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
+ refBlackWhite coefficients values. To avoid invalid float->int32 conversion.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
+ Credit to OSS Fuzz
+
+2017-05-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero
+ to avoid division by zero.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
+ Credit to OSS Fuzz
+
+2017-05-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to
+ float.
+ Credit to Google Autofuzz project
+
+2017-05-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
+ luma and refBlackWhite coefficients (just check they are not NaN for now),
+ to avoid potential float to int overflows.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
+ Credit to OSS Fuzz
+
+2017-05-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
+ next_in and tif_rawcc with avail_in at beginning and end of function,
+ similarly to what is done in LZWDecode(). Likely needed so that it
+ works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
+ mode. But untested...
+
+2017-05-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
+ and update tif_rawcc at end of LZWDecode(). This is needed to properly
+ work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
+ mode.
+
+2017-05-14 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
+ allocation when RowsPerStrip tag is missing.
+ Credit to OSS-Fuzz (locally run, on GDAL)
+
+2017-05-14 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
+ Credit to OSS-Fuzz
+
+2017-05-13 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
+ overflows in multiply_ms() and add_ms().
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
+ Credit to OSS-Fuzz
+
+2017-05-13 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_color.c: avoid potential int32 overflow in
+ TIFFYCbCrToRGBInit()
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
+ Credit to OSS-Fuzz
+
+2017-05-13 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
+ mode with tif_rawdataloaded when calling TIFFStartStrip() or
+ TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
+ when bytecount > tif_rawdatasize.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
+ Credit to OSS-Fuzz
+
+2017-05-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillStripPartial():
+ avoid excessive memory allocation in case of shorten files.
+ Only effective on 64 bit builds.
+ Credit to OSS-Fuzz (locally run, on GDAL)
+
+2017-05-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
+ avoid potential integer overflows with read_ahead in
+ CHUNKY_STRIP_READ_SUPPORT mode. Should
+ especially occur on 32 bit platforms.
+
+2017-05-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
+ avoid excessive memory allocation in case of shorten files.
+ Only effective on 64 bit builds and non-mapped cases.
+ Credit to OSS-Fuzz (locally run, on GDAL)
+
+2017-05-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
+ leak when the underlying codec (ZIP, PixarLog) succeeds its
+ setupdecode() method, but PredictorSetup fails.
+ Credit to OSS-Fuzz (locally run, on GDAL)
+
+2017-05-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
+ of bytes read in case td_stripbytecount[strip] is bigger than
+ reasonable, so as to avoid excessive memory allocation.
+
+2017-04-28 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2bw.c: close TIFF handle in error code path.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
+
+2017-04-27 Even Rouault <even.rouault at spatialys.com>
+
+ * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
+ Patch by Alan Coopersmith + complement by myself.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
+ * tools/fax2tiff.c: emit appropriate message if the input file is
+ empty. Patch by Alan Coopersmith.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
+
+2017-04-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: fix potential memory leak in
+ OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
+ and OJPEGReadHeaderInfoSecTablesAcTable
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
+
+2017-04-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
+ mode (ie default) when there is both a StripOffsets and
+ TileOffsets tag, or a StripByteCounts and TileByteCounts
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
+ * tools/tiff2ps.c: call TIFFClose() in error code paths.
+
+2017-02-25 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
+ -Wimplicit-fallthrough warnings.
+
+2017-02-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c: fix memory leak in error code path of
+ PixarLogSetupDecode(). Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
+
+2017-02-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the
+ code bit-width after flushing the remaining code and before emitting
+ the EOI code.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
+
+2017-01-31 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the
+ YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
+ the I/O amount when te tag is present (especially on cloud hosted files).
+
+2017-01-14 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/raw2tiff.c: avoid integer division by zero.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
+
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
+ OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
+ when read fails.
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
+ functions instead of -1 when TIFFFlushData1() fails.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
+
+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+ initialize tif_rawdata.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+ avoid UndefinedBehaviorSanitizer warning.
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
+ addition in TIFFReadRawStrip1() in isMapped() case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
+ undefined behaviour caused by invalid shift exponent.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
+ of double to other data types to avoid undefined behaviour if the output range
+ isn't big enough to hold the input value.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: avoid division by floating point 0 in
+ TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
+ and return 0 in that case (instead of infinity as before presumably)
+ Apparently some sanitizers do not like those divisions by zero.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
+ assertion by runtime check to error out if passed value is strictly
+ negative.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
+
+ * tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
+ caused double free.
+ Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: avoid integer division by zero in
+ JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
+
+2017-01-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: increase libjpeg max memory usable to
+ 10 MB instead of libjpeg 1MB default. This helps when creating files
+ with "big" tile, without using libjpeg temporary files.
+ Related to https://trac.osgeo.org/gdal/ticket/6757
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid potential heap-based overflow in
+ t2p_readwrite_pdf_image_tile().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid potential invalid memory read in
+ t2p_writeproc.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
+ unspecified behaviour.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
+
+2016-12-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix potential memory leaks in error code
+ path of TIFFRGBAImageBegin().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
+
+2016-12-18 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
+ on a paletted image. Note: this fix errors out before the overflow
+ happens. There could probably be a better fix.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
+
+2016-12-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt()
+ and TIFFReadRGBATileExt() variants of the functions without ext, with
+ an extra argument to control the stop_on_error behaviour.
+
+2016-12-17 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
+ and PSDataColorContig). Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2634.
+
+2016-12-13 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
+ Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
+ the binary. It happens that the Hylafax software uses the tables that
+ follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
+ TIFFFaxBlackTable), although they are not in a public libtiff header.
+ Raised by Lee Howard.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
+
+2016-12-04 Even Rouault <even.rouault at spatialys.com>
+
+ * html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html
+ from installed pages since the corresponding utilities are no longer
+ installed. Reported by Havard Eidnes
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_write.c: fix misleading indentation as warned by GCC.
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
+ buffer overflow.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
+ missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man
+ pages since the corresponding utilities are no longer installed.
+ Reported by Havard Eidnes
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
+ limit the return number of inks to SamplesPerPixel, so that code that parses
+ ink names doesn't go past the end of the buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
+ missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
+ no StripByteCount tag.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+ readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
+ that the output buffer is correctly incremented to avoid write outside bounds.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
+ OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
+ instead of a logic based on the total size of data. Which is faulty is
+ the total size of data is not sufficient to fill the whole image, and thus
+ results in reading outside of the StripByCounts/StripOffsets arrays when
+ using TIFFReadScanline().
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+ the above change is a better fix that makes it unnecessary.
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+ overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
+ The fix for LUV has not been tested, but suffers from the same kind
+ of issue of PixarLog.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
+ can cause various issues, such as buffer overflows in the library.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+ TIFFReadEncodedStrip() that caused an integer division by zero.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+2016-11-20 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to
+ fix cppcheck clarifyCalculation warnings
+ * libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned
+ vs signed formatting (cppcheck invalidPrintfArgType_uint warnings)
+
+2016-11-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
+ passing client data for Win32 builds using tif_win32.c
+ (USE_WIN32_FILEIO defined) for file I/O. Patch was provided via
+ email on November 20, 2016.
+
2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.7 released.
@@ -85,7 +907,7 @@
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 (CVE-2016-9532)
2016-11-10 Even Rouault <even.rouault at spatialys.com>
diff --git a/src/3rdparty/libtiff/RELEASE-DATE b/src/3rdparty/libtiff/RELEASE-DATE
index fb9e3f6..301f356 100644
--- a/src/3rdparty/libtiff/RELEASE-DATE
+++ b/src/3rdparty/libtiff/RELEASE-DATE
@@ -1 +1 @@
-20161119
+20170521
diff --git a/src/3rdparty/libtiff/TODO b/src/3rdparty/libtiff/TODO
index 2ff8627..121d93d 100644
--- a/src/3rdparty/libtiff/TODO
+++ b/src/3rdparty/libtiff/TODO
@@ -1,4 +1,4 @@
-# $Header: /cvs/libtiff/TODO,v 1.6 2002/10/10 05:28:43 warmerda Exp $
+# $Header: /cvs/maptools/cvsroot/libtiff/TODO,v 1.6 2002-10-10 05:28:43 warmerda Exp $
o gif2tiff segaulting on selected images
o tiffcmp read data by strip/tile instead of scanline
diff --git a/src/3rdparty/libtiff/VERSION b/src/3rdparty/libtiff/VERSION
index 43beb40..a2cec7a 100644
--- a/src/3rdparty/libtiff/VERSION
+++ b/src/3rdparty/libtiff/VERSION
@@ -1 +1 @@
-4.0.7
+4.0.8
diff --git a/src/3rdparty/libtiff/libtiff/SConstruct b/src/3rdparty/libtiff/libtiff/SConstruct
index cb6a7cc..dc00c8c 100644
--- a/src/3rdparty/libtiff/libtiff/SConstruct
+++ b/src/3rdparty/libtiff/libtiff/SConstruct
@@ -1,4 +1,4 @@
-# $Id: SConstruct,v 1.4 2007/02/24 15:03:50 dron Exp $
+# $Id: SConstruct,v 1.4 2007-02-24 15:03:50 dron Exp $
# Tag Image File Format (TIFF) Software
#
diff --git a/src/3rdparty/libtiff/libtiff/libtiff.def b/src/3rdparty/libtiff/libtiff/libtiff.def
index acf8609..341c719 100644
--- a/src/3rdparty/libtiff/libtiff/libtiff.def
+++ b/src/3rdparty/libtiff/libtiff/libtiff.def
@@ -85,7 +85,9 @@ EXPORTS TIFFAccessTagMethods
TIFFReadRGBAImage
TIFFReadRGBAImageOriented
TIFFReadRGBAStrip
+ TIFFReadRGBAStripExt
TIFFReadRGBATile
+ TIFFReadRGBATileExt
TIFFReadRawStrip
TIFFReadRawTile
TIFFReadScanline
diff --git a/src/3rdparty/libtiff/libtiff/tif_aux.c b/src/3rdparty/libtiff/libtiff/tif_aux.c
index 3d35ba9..7f6721b 100644
--- a/src/3rdparty/libtiff/libtiff/tif_aux.c
+++ b/src/3rdparty/libtiff/libtiff/tif_aux.c
@@ -1,4 +1,4 @@
-/* $Id: tif_aux.c,v 1.29 2016-11-11 20:45:53 erouault Exp $ */
+/* $Id: tif_aux.c,v 1.30 2017-09-07 14:02:52 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -359,6 +359,13 @@ _TIFFUInt64ToDouble(uint64 ui64)
}
}
+int _TIFFSeekOK(TIFF* tif, toff_t off)
+{
+ /* Huge offsets, expecially -1 / UINT64_MAX, can cause issues */
+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2726 */
+ return off <= (~(uint64)0)/2 && TIFFSeekFile(tif,off,SEEK_SET)==off;
+}
+
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
* Local Variables:
diff --git a/src/3rdparty/libtiff/libtiff/tif_color.c b/src/3rdparty/libtiff/libtiff/tif_color.c
index 89194c2..71cafcd 100644
--- a/src/3rdparty/libtiff/libtiff/tif_color.c
+++ b/src/3rdparty/libtiff/libtiff/tif_color.c
@@ -1,4 +1,4 @@
-/* $Id: tif_color.c,v 1.22 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -199,6 +199,23 @@ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
*b = CLAMP(i, 0, 255);
}
+/* Clamp function for sanitization purposes. Normally clamping should not */
+/* occur for well behaved chroma and refBlackWhite coefficients */
+static float CLAMPw(float v, float vmin, float vmax)
+{
+ if( v < vmin )
+ {
+ /* printf("%f clamped to %f\n", v, vmin); */
+ return vmin;
+ }
+ if( v > vmax )
+ {
+ /* printf("%f clamped to %f\n", v, vmax); */
+ return vmax;
+ }
+ return v;
+}
+
/*
* Initialize the YCbCr->RGB conversion tables. The conversion
* is done according to the 6.0 spec:
@@ -238,10 +255,10 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite)
ycbcr->Cb_g_tab = ycbcr->Cr_g_tab + 256;
ycbcr->Y_tab = ycbcr->Cb_g_tab + 256;
- { float f1 = 2-2*LumaRed; int32 D1 = FIX(f1);
- float f2 = LumaRed*f1/LumaGreen; int32 D2 = -FIX(f2);
- float f3 = 2-2*LumaBlue; int32 D3 = FIX(f3);
- float f4 = LumaBlue*f3/LumaGreen; int32 D4 = -FIX(f4);
+ { float f1 = 2-2*LumaRed; int32 D1 = FIX(CLAMP(f1,0.0F,2.0F));
+ float f2 = LumaRed*f1/LumaGreen; int32 D2 = -FIX(CLAMP(f2,0.0F,2.0F));
+ float f3 = 2-2*LumaBlue; int32 D3 = FIX(CLAMP(f3,0.0F,2.0F));
+ float f4 = LumaBlue*f3/LumaGreen; int32 D4 = -FIX(CLAMP(f4,0.0F,2.0F));
int x;
#undef LumaBlue
@@ -256,17 +273,20 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite)
* constructing tables indexed by the raw pixel data.
*/
for (i = 0, x = -128; i < 256; i++, x++) {
- int32 Cr = (int32)Code2V(x, refBlackWhite[4] - 128.0F,
- refBlackWhite[5] - 128.0F, 127);
- int32 Cb = (int32)Code2V(x, refBlackWhite[2] - 128.0F,
- refBlackWhite[3] - 128.0F, 127);
+ int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
+ refBlackWhite[5] - 128.0F, 127),
+ -128.0F * 32, 128.0F * 32);
+ int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
+ refBlackWhite[3] - 128.0F, 127),
+ -128.0F * 32, 128.0F * 32);
ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
ycbcr->Cr_g_tab[i] = D2*Cr;
ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
ycbcr->Y_tab[i] =
- (int32)Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255);
+ (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
+ -128.0F * 32, 128.0F * 32);
}
}
diff --git a/src/3rdparty/libtiff/libtiff/tif_config.h b/src/3rdparty/libtiff/libtiff/tif_config.h
index b0618df..2924a34 100644
--- a/src/3rdparty/libtiff/libtiff/tif_config.h
+++ b/src/3rdparty/libtiff/libtiff/tif_config.h
@@ -266,7 +266,7 @@
/* #undef PACKAGE_URL */
/* Define to the version of this package. */
-#define PACKAGE_VERSION "4.0.6"
+#define PACKAGE_VERSION "4.0.8"
/* Support Macintosh PackBits algorithm */
/* #undef PACKBITS_SUPPORT */
diff --git a/src/3rdparty/libtiff/libtiff/tif_dir.c b/src/3rdparty/libtiff/libtiff/tif_dir.c
index ad21655..f00f808 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dir.c
+++ b/src/3rdparty/libtiff/libtiff/tif_dir.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
+/* $Id: tif_dir.c,v 1.131 2017-07-11 21:38:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -31,6 +31,7 @@
* (and also some miscellaneous stuff)
*/
#include "tiffiop.h"
+#include <float.h>
/*
* These are used in the backwards compatibility code...
@@ -154,6 +155,15 @@ bad:
return (0);
}
+static float TIFFClampDoubleToFloat( double val )
+{
+ if( val > FLT_MAX )
+ return FLT_MAX;
+ if( val < -FLT_MAX )
+ return -FLT_MAX;
+ return (float)val;
+}
+
static int
_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
{
@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
dblval = va_arg(ap, double);
if( dblval < 0 )
goto badvaluedouble;
- td->td_xresolution = (float) dblval;
+ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
if( dblval < 0 )
goto badvaluedouble;
- td->td_yresolution = (float) dblval;
+ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
td->td_planarconfig = (uint16) v;
break;
case TIFFTAG_XPOSITION:
- td->td_xposition = (float) va_arg(ap, double);
+ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_YPOSITION:
- td->td_yposition = (float) va_arg(ap, double);
+ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_RESOLUTIONUNIT:
v = (uint16) va_arg(ap, uint16_vap);
@@ -676,7 +686,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
case TIFF_SRATIONAL:
case TIFF_FLOAT:
{
- float v2 = (float)va_arg(ap, double);
+ float v2 = TIFFClampDoubleToFloat(va_arg(ap, double));
_TIFFmemcpy(val, &v2, tv_size);
}
break;
@@ -854,6 +864,34 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
return 0;
+ if( tag == TIFFTAG_NUMBEROFINKS )
+ {
+ int i;
+ for (i = 0; i < td->td_customValueCount; i++) {
+ uint16 val;
+ TIFFTagValue *tv = td->td_customValues + i;
+ if (tv->info->field_tag != tag)
+ continue;
+ if( tv->value == NULL )
+ return 0;
+ val = *(uint16 *)tv->value;
+ /* Truncate to SamplesPerPixel, since the */
+ /* setting code for INKNAMES assume that there are SamplesPerPixel */
+ /* inknames. */
+ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+ if( val > td->td_samplesperpixel )
+ {
+ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+ "Truncating NumberOfInks from %u to %u",
+ val, td->td_samplesperpixel);
+ val = td->td_samplesperpixel;
+ }
+ *va_arg(ap, uint16*) = val;
+ return 1;
+ }
+ return 0;
+ }
+
/*
* We want to force the custom code to be used for custom
* fields even if the tag happens to match a well known
diff --git a/src/3rdparty/libtiff/libtiff/tif_dir.h b/src/3rdparty/libtiff/libtiff/tif_dir.h
index 6af5f3d..5a38076 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dir.h
+++ b/src/3rdparty/libtiff/libtiff/tif_dir.h
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -291,6 +291,7 @@ struct _TIFFField {
extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
#if defined(__cplusplus)
}
diff --git a/src/3rdparty/libtiff/libtiff/tif_dirinfo.c b/src/3rdparty/libtiff/libtiff/tif_dirinfo.c
index 23ad002..4904f54 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dirinfo.c
+++ b/src/3rdparty/libtiff/libtiff/tif_dirinfo.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
return 0;
}
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+ /* Filter out non-codec specific tags */
+ switch (tag) {
+ /* Shared tags */
+ case TIFFTAG_PREDICTOR:
+ /* JPEG tags */
+ case TIFFTAG_JPEGTABLES:
+ /* OJPEG tags */
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ /* CCITT* */
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ case TIFFTAG_GROUP3OPTIONS:
+ case TIFFTAG_GROUP4OPTIONS:
+ break;
+ default:
+ return 1;
+ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+ case COMPRESSION_LZW:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PACKBITS:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_THUNDERSCAN:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_NEXT:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_JPEG:
+ if (tag == TIFFTAG_JPEGTABLES)
+ return 1;
+ break;
+ case COMPRESSION_OJPEG:
+ switch (tag) {
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ return 1;
+ }
+ break;
+ case COMPRESSION_CCITTRLE:
+ case COMPRESSION_CCITTRLEW:
+ case COMPRESSION_CCITTFAX3:
+ case COMPRESSION_CCITTFAX4:
+ switch (tag) {
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ return 1;
+ case TIFFTAG_GROUP3OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+ return 1;
+ break;
+ case TIFFTAG_GROUP4OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+ return 1;
+ break;
+ }
+ break;
+ case COMPRESSION_JBIG:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_DEFLATE:
+ case COMPRESSION_ADOBE_DEFLATE:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PIXARLOG:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_SGILOG:
+ case COMPRESSION_SGILOG24:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_LZMA:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+
+ }
+ return 0;
+}
+
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
diff --git a/src/3rdparty/libtiff/libtiff/tif_dirread.c b/src/3rdparty/libtiff/libtiff/tif_dirread.c
index 01070f2..5e62e81 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dirread.c
+++ b/src/3rdparty/libtiff/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.218 2017-09-09 21:44:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -40,6 +40,8 @@
*/
#include "tiffiop.h"
+#include <float.h>
+#include <stdlib.h>
#define IGNORE 0 /* tag placeholder used below */
#define FAILED_FII ((uint32) -1)
@@ -635,6 +637,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* d
err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m);
if (err!=TIFFReadDirEntryErrOk)
return(err);
+ if ((m > FLT_MAX) || (m < FLT_MIN))
+ return(TIFFReadDirEntryErrRange);
*value=(float)m;
return(TIFFReadDirEntryErrOk);
}
@@ -764,13 +768,80 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* di
}
}
-static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)
+
+#define INITIAL_THRESHOLD (1024 * 1024)
+#define THRESHOLD_MULTIPLIER 10
+#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+
+static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(
+ TIFF* tif, uint64 offset, tmsize_t size, void** pdest)
+{
+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
+ tmsize_t threshold = INITIAL_THRESHOLD;
+#endif
+ tmsize_t already_read = 0;
+
+ assert( !isMapped(tif) );
+
+ if (!SeekOK(tif,offset))
+ return(TIFFReadDirEntryErrIo);
+
+ /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
+ /* so as to avoid allocating too much memory in case the file is too */
+ /* short. We could ask for the file size, but this might be */
+ /* expensive with some I/O layers (think of reading a gzipped file) */
+ /* Restrict to 64 bit processes, so as to avoid reallocs() */
+ /* on 32 bit processes where virtual memory is scarce. */
+ while( already_read < size )
+ {
+ void* new_dest;
+ tmsize_t bytes_read;
+ tmsize_t to_read = size - already_read;
+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
+ if( to_read >= threshold && threshold < MAX_THRESHOLD )
+ {
+ to_read = threshold;
+ threshold *= THRESHOLD_MULTIPLIER;
+ }
+#endif
+
+ new_dest = (uint8*) _TIFFrealloc(
+ *pdest, already_read + to_read);
+ if( new_dest == NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Failed to allocate memory for %s "
+ "(%ld elements of %ld bytes each)",
+ "TIFFReadDirEntryArray",
+ (long) 1, (long) (already_read + to_read));
+ return TIFFReadDirEntryErrAlloc;
+ }
+ *pdest = new_dest;
+
+ bytes_read = TIFFReadFile(tif,
+ (char*)*pdest + already_read, to_read);
+ already_read += bytes_read;
+ if (bytes_read != to_read) {
+ return TIFFReadDirEntryErrIo;
+ }
+ }
+ return TIFFReadDirEntryErrOk;
+}
+
+static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
+ TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize,
+ void** value, uint64 maxcount)
{
int typesize;
uint32 datasize;
void* data;
+ uint64 target_count64;
typesize=TIFFDataWidth(direntry->tdir_type);
- if ((direntry->tdir_count==0)||(typesize==0))
+
+ target_count64 = (direntry->tdir_count > maxcount) ?
+ maxcount : direntry->tdir_count;
+
+ if ((target_count64==0)||(typesize==0))
{
*value=0;
return(TIFFReadDirEntryErrOk);
@@ -782,17 +853,30 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
* in either the current data type or the dest data type. This also
* avoids problems with overflow of tmsize_t on 32bit systems.
*/
- if ((uint64)(2147483647/typesize)<direntry->tdir_count)
+ if ((uint64)(2147483647/typesize)<target_count64)
return(TIFFReadDirEntryErrSizesan);
- if ((uint64)(2147483647/desttypesize)<direntry->tdir_count)
+ if ((uint64)(2147483647/desttypesize)<target_count64)
return(TIFFReadDirEntryErrSizesan);
- *count=(uint32)direntry->tdir_count;
+ *count=(uint32)target_count64;
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
- data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
- if (data==0)
- return(TIFFReadDirEntryErrAlloc);
+
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+ return TIFFReadDirEntryErrIo;
+
+ if( !isMapped(tif) &&
+ (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) ||
+ (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) )
+ {
+ data = NULL;
+ }
+ else
+ {
+ data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
+ if (data==0)
+ return(TIFFReadDirEntryErrAlloc);
+ }
if (!(tif->tif_flags&TIFF_BIGTIFF))
{
if (datasize<=4)
@@ -803,7 +887,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
uint32 offset = direntry->tdir_offset.toff_long;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong(&offset);
- err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
+ if( isMapped(tif) )
+ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
+ else
+ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);
if (err!=TIFFReadDirEntryErrOk)
{
_TIFFfree(data);
@@ -821,7 +908,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
uint64 offset = direntry->tdir_offset.toff_long8;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8(&offset);
- err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data);
+ if( isMapped(tif) )
+ err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
+ else
+ err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);
if (err!=TIFFReadDirEntryErrOk)
{
_TIFFfree(data);
@@ -833,6 +923,12 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d
return(TIFFReadDirEntryErrOk);
}
+static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)
+{
+ return TIFFReadDirEntryArrayWithLimit(tif, direntry, count,
+ desttypesize, value, ~((uint64)0));
+}
+
static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8** value)
{
enum TIFFReadDirEntryErr err;
@@ -1862,7 +1958,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEnt
return(TIFFReadDirEntryErrOk);
}
-static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value)
+static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8ArrayWithLimit(
+ TIFF* tif, TIFFDirEntry* direntry, uint64** value, uint64 maxcount)
{
enum TIFFReadDirEntryErr err;
uint32 count;
@@ -1882,7 +1979,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEnt
default:
return(TIFFReadDirEntryErrType);
}
- err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
+ err=TIFFReadDirEntryArrayWithLimit(tif,direntry,&count,8,&origdata,maxcount);
if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
{
*value=0;
@@ -2028,6 +2125,11 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEnt
return(TIFFReadDirEntryErrOk);
}
+static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value)
+{
+ return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value, ~((uint64)0));
+}
+
static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64** value)
{
enum TIFFReadDirEntryErr err;
@@ -2406,7 +2508,14 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEnt
ma=(double*)origdata;
mb=data;
for (n=0; n<count; n++)
- *mb++=(float)(*ma++);
+ {
+ double val = *ma++;
+ if( val > FLT_MAX )
+ val = FLT_MAX;
+ else if( val < -FLT_MAX )
+ val = -FLT_MAX;
+ *mb++=(float)val;
+ }
}
break;
}
@@ -2723,7 +2832,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDi
if (direntry->tdir_count<(uint64)tif->tif_dir.td_samplesperpixel)
return(TIFFReadDirEntryErrCount);
err=TIFFReadDirEntryShortArray(tif,direntry,&m);
- if (err!=TIFFReadDirEntryErrOk)
+ if (err!=TIFFReadDirEntryErrOk || m == NULL)
return(err);
na=m;
nb=tif->tif_dir.td_samplesperpixel;
@@ -2872,7 +2981,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD
m.l = direntry->tdir_offset.toff_long8;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong(m.i,2);
- if (m.i[0]==0)
+ /* Not completely sure what we should do when m.i[1]==0, but some */
+ /* sanitizers do not like division by 0.0: */
+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
+ if (m.i[0]==0 || m.i[1]==0)
*value=0.0;
else
*value=(double)m.i[0]/(double)m.i[1];
@@ -2900,7 +3012,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF
m.l=direntry->tdir_offset.toff_long8;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong(m.i,2);
- if ((int32)m.i[0]==0)
+ /* Not completely sure what we should do when m.i[1]==0, but some */
+ /* sanitizers do not like division by 0.0: */
+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
+ if ((int32)m.i[0]==0 || m.i[1]==0)
*value=0.0;
else
*value=(double)((int32)m.i[0])/(double)m.i[1];
@@ -3566,6 +3681,10 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
dp->tdir_tag=IGNORE;
break;
+ default:
+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+ dp->tdir_tag=IGNORE;
+ break;
}
}
}
@@ -3724,6 +3843,14 @@ TIFFReadDirectory(TIFF* tif)
_TIFFmemcpy( &(tif->tif_dir.td_stripoffset_entry),
dp, sizeof(TIFFDirEntry) );
#else
+ if( tif->tif_dir.td_stripoffset != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "tif->tif_dir.td_stripoffset is "
+ "already allocated. Likely duplicated "
+ "StripOffsets/TileOffsets tag");
+ goto bad;
+ }
if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripoffset))
goto bad;
#endif
@@ -3734,7 +3861,15 @@ TIFFReadDirectory(TIFF* tif)
_TIFFmemcpy( &(tif->tif_dir.td_stripbytecount_entry),
dp, sizeof(TIFFDirEntry) );
#else
- if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount))
+ if( tif->tif_dir.td_stripbytecount != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "tif->tif_dir.td_stripbytecount is "
+ "already allocated. Likely duplicated "
+ "StripByteCounts/TileByteCounts tag");
+ goto bad;
+ }
+ if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount))
goto bad;
#endif
break;
@@ -3949,12 +4084,14 @@ TIFFReadDirectory(TIFF* tif)
#define BYTECOUNTLOOKSBAD \
( (tif->tif_dir.td_stripbytecount[0] == 0 && tif->tif_dir.td_stripoffset[0] != 0) || \
(tif->tif_dir.td_compression == COMPRESSION_NONE && \
- tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) || \
+ (tif->tif_dir.td_stripoffset[0] <= TIFFGetFileSize(tif) && \
+ tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0])) || \
(tif->tif_mode == O_RDONLY && \
tif->tif_dir.td_compression == COMPRESSION_NONE && \
tif->tif_dir.td_stripbytecount[0] < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength) )
} else if (tif->tif_dir.td_nstrips == 1
+ && !(tif->tif_flags&TIFF_ISTILED)
&& _TIFFFillStriles(tif)
&& tif->tif_dir.td_stripoffset[0] != 0
&& BYTECOUNTLOOKSBAD) {
@@ -4332,7 +4469,11 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
}
space+=datasize;
}
- space = filesize - space;
+ if( filesize < space )
+ /* we should perhaps return in error ? */
+ space = filesize;
+ else
+ space = filesize - space;
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
space /= td->td_samplesperpixel;
for (strip = 0; strip < td->td_nstrips; strip++)
@@ -5399,28 +5540,39 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
static const char module[] = "TIFFFetchStripThing";
enum TIFFReadDirEntryErr err;
uint64* data;
- err=TIFFReadDirEntryLong8Array(tif,dir,&data);
+ err=TIFFReadDirEntryLong8ArrayWithLimit(tif,dir,&data,nstrips);
if (err!=TIFFReadDirEntryErrOk)
{
const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
return(0);
}
- if (dir->tdir_count!=(uint64)nstrips)
+ if (dir->tdir_count<(uint64)nstrips)
{
uint64* resizeddata;
+ const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
+ const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
+ uint32 max_nstrips = 1000000;
+ if( pszMax )
+ max_nstrips = (uint32) atoi(pszMax);
+ TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
+ module,
+ fip ? fip->field_name : "unknown tagname",
+ ( nstrips <= max_nstrips ) );
+
+ if( nstrips > max_nstrips )
+ {
+ _TIFFfree(data);
+ return(0);
+ }
+
resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
if (resizeddata==0) {
_TIFFfree(data);
return(0);
}
- if (dir->tdir_count<(uint64)nstrips)
- {
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
- }
- else
- _TIFFmemcpy(resizeddata,data,nstrips*sizeof(uint64));
+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
_TIFFfree(data);
data=resizeddata;
}
@@ -5502,13 +5654,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
uint64 rowblockbytes;
uint64 stripbytes;
uint32 strip;
- uint64 nstrips64;
- uint32 nstrips32;
+ uint32 nstrips;
uint32 rowsperstrip;
uint64* newcounts;
uint64* newoffsets;
bytecount = td->td_stripbytecount[0];
+ /* On a newly created file, just re-opened to be filled, we */
+ /* don't want strip chop to trigger as it is going to cause issues */
+ /* later ( StripOffsets and StripByteCounts improperly filled) . */
+ if( bytecount == 0 && tif->tif_mode != O_RDONLY )
+ return;
offset = td->td_stripoffset[0];
assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
if ((td->td_photometric == PHOTOMETRIC_YCBCR)&&
@@ -5534,18 +5690,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
return;
/*
- * never increase the number of strips in an image
+ * never increase the number of rows per strip
*/
if (rowsperstrip >= td->td_rowsperstrip)
return;
- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
- return;
- nstrips32 = (uint32)nstrips64;
+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+ if( nstrips == 0 )
+ return;
- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripOffsets\" array");
if (newcounts == NULL || newoffsets == NULL) {
/*
@@ -5562,18 +5717,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
* Fill the strip information arrays with new bytecounts and offsets
* that reflect the broken-up format.
*/
- for (strip = 0; strip < nstrips32; strip++) {
+ for (strip = 0; strip < nstrips; strip++) {
if (stripbytes > bytecount)
stripbytes = bytecount;
newcounts[strip] = stripbytes;
- newoffsets[strip] = offset;
+ newoffsets[strip] = stripbytes ? offset : 0;
offset += stripbytes;
bytecount -= stripbytes;
}
/*
* Replace old single strip info with multi-strip info.
*/
- td->td_stripsperimage = td->td_nstrips = nstrips32;
+ td->td_stripsperimage = td->td_nstrips = nstrips;
TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
_TIFFfree(td->td_stripbytecount);
diff --git a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c
index d34f6f6..c68d6d2 100644
--- a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c
+++ b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
+/* $Id: tif_dirwrite.c,v 1.89 2017-08-23 13:33:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -30,6 +30,7 @@
* Directory Write Support Routines.
*/
#include "tiffiop.h"
+#include <float.h>
#ifdef HAVE_IEEEFP
#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
@@ -820,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
TIFFDirEntry* nb;
for (na=0, nb=dir; ; na++, nb++)
{
- assert(na<ndir);
+ if( na == ndir )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,
+ "Cannot find SubIFD tag");
+ goto bad;
+ }
if (nb->tdir_tag==TIFFTAG_SUBIFD)
break;
}
@@ -939,6 +945,69 @@ bad:
return(0);
}
+static float TIFFClampDoubleToFloat( double val )
+{
+ if( val > FLT_MAX )
+ return FLT_MAX;
+ if( val < -FLT_MAX )
+ return -FLT_MAX;
+ return (float)val;
+}
+
+static int8 TIFFClampDoubleToInt8( double val )
+{
+ if( val > 127 )
+ return 127;
+ if( val < -128 || val != val )
+ return -128;
+ return (int8)val;
+}
+
+static int16 TIFFClampDoubleToInt16( double val )
+{
+ if( val > 32767 )
+ return 32767;
+ if( val < -32768 || val != val )
+ return -32768;
+ return (int16)val;
+}
+
+static int32 TIFFClampDoubleToInt32( double val )
+{
+ if( val > 0x7FFFFFFF )
+ return 0x7FFFFFFF;
+ if( val < -0x7FFFFFFF-1 || val != val )
+ return -0x7FFFFFFF-1;
+ return (int32)val;
+}
+
+static uint8 TIFFClampDoubleToUInt8( double val )
+{
+ if( val < 0 )
+ return 0;
+ if( val > 255 || val != val )
+ return 255;
+ return (uint8)val;
+}
+
+static uint16 TIFFClampDoubleToUInt16( double val )
+{
+ if( val < 0 )
+ return 0;
+ if( val > 65535 || val != val )
+ return 65535;
+ return (uint16)val;
+}
+
+static uint32 TIFFClampDoubleToUInt32( double val )
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32)val;
+}
+
static int
TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
{
@@ -959,7 +1028,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
if (tif->tif_dir.td_bitspersample<=32)
{
for (i = 0; i < count; ++i)
- ((float*)conv)[i] = (float)value[i];
+ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
}
else
@@ -971,19 +1040,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
if (tif->tif_dir.td_bitspersample<=8)
{
for (i = 0; i < count; ++i)
- ((int8*)conv)[i] = (int8)value[i];
+ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
}
else if (tif->tif_dir.td_bitspersample<=16)
{
for (i = 0; i < count; ++i)
- ((int16*)conv)[i] = (int16)value[i];
+ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
}
else
{
for (i = 0; i < count; ++i)
- ((int32*)conv)[i] = (int32)value[i];
+ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
}
break;
@@ -991,19 +1060,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
if (tif->tif_dir.td_bitspersample<=8)
{
for (i = 0; i < count; ++i)
- ((uint8*)conv)[i] = (uint8)value[i];
+ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
}
else if (tif->tif_dir.td_bitspersample<=16)
{
for (i = 0; i < count; ++i)
- ((uint16*)conv)[i] = (uint16)value[i];
+ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
}
else
{
for (i = 0; i < count; ++i)
- ((uint32*)conv)[i] = (uint32)value[i];
+ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
}
break;
@@ -1880,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
for (p=0; p < tif->tif_dir.td_nsubifd; p++)
{
assert(pa != 0);
- assert(*pa <= 0xFFFFFFFFUL);
+
+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+ if( *pa > 0xFFFFFFFFUL)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+ _TIFFfree(o);
+ return(0);
+ }
*pb++=(uint32)(*pa++);
}
n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
@@ -2047,7 +2123,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
{
uint64 m;
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8(&m);
@@ -2060,7 +2139,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
{
assert(count<0x20000000);
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8Array","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8(value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
@@ -2072,7 +2154,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
{
int64 m;
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8((uint64*)(&m));
@@ -2085,7 +2170,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
{
assert(count<0x20000000);
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8Array","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8((uint64*)value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
@@ -2094,15 +2182,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
static int
TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
{
+ static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
uint32 m[2];
- assert(value>=0.0);
assert(sizeof(uint32)==4);
- if (value<=0.0)
+ if( value < 0 )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
+ return 0;
+ }
+ else if( value != value )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
+ return 0;
+ }
+ else if (value==0.0)
{
m[0]=0;
m[1]=1;
}
- else if (value==(double)(uint32)value)
+ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
{
m[0]=(uint32)value;
m[1]=1;
@@ -2143,12 +2241,13 @@ TIFFWriteDirectoryTagCheckedRationalArray(TIFF* tif, uint32* ndir, TIFFDirEntry*
}
for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
{
- if (*na<=0.0)
+ if (*na<=0.0 || *na != *na)
{
nb[0]=0;
nb[1]=1;
}
- else if (*na==(float)(uint32)(*na))
+ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
+ *na==(float)(uint32)(*na))
{
nb[0]=(uint32)(*na);
nb[1]=1;
diff --git a/src/3rdparty/libtiff/libtiff/tif_error.c b/src/3rdparty/libtiff/libtiff/tif_error.c
index 0bc8b87..47516b4 100644
--- a/src/3rdparty/libtiff/libtiff/tif_error.c
+++ b/src/3rdparty/libtiff/libtiff/tif_error.c
@@ -1,4 +1,4 @@
-/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_error.c,v 1.5 2010-03-10 18:56:48 bfriesen Exp $ */
+/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_error.c,v 1.6 2017-07-04 12:54:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -51,24 +51,32 @@ void
TIFFError(const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFerrorHandler)
+ if (_TIFFerrorHandler) {
+ va_start(ap, fmt);
(*_TIFFerrorHandler)(module, fmt, ap);
- if (_TIFFerrorHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFerrorHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFerrorHandlerExt)(0, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
void
TIFFErrorExt(thandle_t fd, const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFerrorHandler)
+ if (_TIFFerrorHandler) {
+ va_start(ap, fmt);
(*_TIFFerrorHandler)(module, fmt, ap);
- if (_TIFFerrorHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFerrorHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFerrorHandlerExt)(fd, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
/*
diff --git a/src/3rdparty/libtiff/libtiff/tif_fax3.c b/src/3rdparty/libtiff/libtiff/tif_fax3.c
index 16bb4d3..5fd5141 100644
--- a/src/3rdparty/libtiff/libtiff/tif_fax3.c
+++ b/src/3rdparty/libtiff/libtiff/tif_fax3.c
@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.c,v 1.78 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_fax3.c,v 1.81 2017-06-18 10:31:50 erouault Exp $ */
/*
* Copyright (c) 1990-1997 Sam Leffler
@@ -329,34 +329,64 @@ Fax3Decode2D(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
#if SIZEOF_UNSIGNED_LONG == 8
# define FILL(n, cp) \
switch (n) { \
- case 15:(cp)[14] = 0xff; case 14:(cp)[13] = 0xff; case 13: (cp)[12] = 0xff;\
- case 12:(cp)[11] = 0xff; case 11:(cp)[10] = 0xff; case 10: (cp)[9] = 0xff;\
- case 9: (cp)[8] = 0xff; case 8: (cp)[7] = 0xff; case 7: (cp)[6] = 0xff;\
- case 6: (cp)[5] = 0xff; case 5: (cp)[4] = 0xff; case 4: (cp)[3] = 0xff;\
- case 3: (cp)[2] = 0xff; case 2: (cp)[1] = 0xff; \
- case 1: (cp)[0] = 0xff; (cp) += (n); case 0: ; \
+ case 15:(cp)[14] = 0xff; /*-fallthrough*/ \
+ case 14:(cp)[13] = 0xff; /*-fallthrough*/ \
+ case 13:(cp)[12] = 0xff; /*-fallthrough*/ \
+ case 12:(cp)[11] = 0xff; /*-fallthrough*/ \
+ case 11:(cp)[10] = 0xff; /*-fallthrough*/ \
+ case 10: (cp)[9] = 0xff; /*-fallthrough*/ \
+ case 9: (cp)[8] = 0xff; /*-fallthrough*/ \
+ case 8: (cp)[7] = 0xff; /*-fallthrough*/ \
+ case 7: (cp)[6] = 0xff; /*-fallthrough*/ \
+ case 6: (cp)[5] = 0xff; /*-fallthrough*/ \
+ case 5: (cp)[4] = 0xff; /*-fallthrough*/ \
+ case 4: (cp)[3] = 0xff; /*-fallthrough*/ \
+ case 3: (cp)[2] = 0xff; /*-fallthrough*/ \
+ case 2: (cp)[1] = 0xff; /*-fallthrough*/ \
+ case 1: (cp)[0] = 0xff; (cp) += (n); /*-fallthrough*/ \
+ case 0: ; \
}
# define ZERO(n, cp) \
switch (n) { \
- case 15:(cp)[14] = 0; case 14:(cp)[13] = 0; case 13: (cp)[12] = 0; \
- case 12:(cp)[11] = 0; case 11:(cp)[10] = 0; case 10: (cp)[9] = 0; \
- case 9: (cp)[8] = 0; case 8: (cp)[7] = 0; case 7: (cp)[6] = 0; \
- case 6: (cp)[5] = 0; case 5: (cp)[4] = 0; case 4: (cp)[3] = 0; \
- case 3: (cp)[2] = 0; case 2: (cp)[1] = 0; \
- case 1: (cp)[0] = 0; (cp) += (n); case 0: ; \
+ case 15:(cp)[14] = 0; /*-fallthrough*/ \
+ case 14:(cp)[13] = 0; /*-fallthrough*/ \
+ case 13:(cp)[12] = 0; /*-fallthrough*/ \
+ case 12:(cp)[11] = 0; /*-fallthrough*/ \
+ case 11:(cp)[10] = 0; /*-fallthrough*/ \
+ case 10: (cp)[9] = 0; /*-fallthrough*/ \
+ case 9: (cp)[8] = 0; /*-fallthrough*/ \
+ case 8: (cp)[7] = 0; /*-fallthrough*/ \
+ case 7: (cp)[6] = 0; /*-fallthrough*/ \
+ case 6: (cp)[5] = 0; /*-fallthrough*/ \
+ case 5: (cp)[4] = 0; /*-fallthrough*/ \
+ case 4: (cp)[3] = 0; /*-fallthrough*/ \
+ case 3: (cp)[2] = 0; /*-fallthrough*/ \
+ case 2: (cp)[1] = 0; /*-fallthrough*/ \
+ case 1: (cp)[0] = 0; (cp) += (n); /*-fallthrough*/ \
+ case 0: ; \
}
#else
# define FILL(n, cp) \
switch (n) { \
- case 7: (cp)[6] = 0xff; case 6: (cp)[5] = 0xff; case 5: (cp)[4] = 0xff; \
- case 4: (cp)[3] = 0xff; case 3: (cp)[2] = 0xff; case 2: (cp)[1] = 0xff; \
- case 1: (cp)[0] = 0xff; (cp) += (n); case 0: ; \
+ case 7: (cp)[6] = 0xff; /*-fallthrough*/ \
+ case 6: (cp)[5] = 0xff; /*-fallthrough*/ \
+ case 5: (cp)[4] = 0xff; /*-fallthrough*/ \
+ case 4: (cp)[3] = 0xff; /*-fallthrough*/ \
+ case 3: (cp)[2] = 0xff; /*-fallthrough*/ \
+ case 2: (cp)[1] = 0xff; /*-fallthrough*/ \
+ case 1: (cp)[0] = 0xff; (cp) += (n); /*-fallthrough*/ \
+ case 0: ; \
}
# define ZERO(n, cp) \
switch (n) { \
- case 7: (cp)[6] = 0; case 6: (cp)[5] = 0; case 5: (cp)[4] = 0; \
- case 4: (cp)[3] = 0; case 3: (cp)[2] = 0; case 2: (cp)[1] = 0; \
- case 1: (cp)[0] = 0; (cp) += (n); case 0: ; \
+ case 7: (cp)[6] = 0; /*-fallthrough*/ \
+ case 6: (cp)[5] = 0; /*-fallthrough*/ \
+ case 5: (cp)[4] = 0; /*-fallthrough*/ \
+ case 4: (cp)[3] = 0; /*-fallthrough*/ \
+ case 3: (cp)[2] = 0; /*-fallthrough*/ \
+ case 2: (cp)[1] = 0; /*-fallthrough*/ \
+ case 1: (cp)[0] = 0; (cp) += (n); /*-fallthrough*/ \
+ case 0: ; \
}
#endif
@@ -1013,7 +1043,11 @@ Fax3Encode2DRow(TIFF* tif, unsigned char* bp, unsigned char* rp, uint32 bits)
for (;;) {
b2 = finddiff2(rp, b1, bits, PIXEL(rp,b1));
if (b2 >= a1) {
- int32 d = b1 - a1;
+ /* Naive computation triggers -fsanitize=undefined,unsigned-integer-overflow */
+ /* although it is correct unless the difference between both is < 31 bit */
+ /* int32 d = b1 - a1; */
+ int32 d = (b1 >= a1 && b1 - a1 <= 3U) ? (int32)(b1 - a1):
+ (b1 < a1 && a1 - b1 <= 3U) ? -(int32)(a1 - b1) : 0x7FFFFFFF;
if (!(-3 <= d && d <= 3)) { /* horizontal mode */
a2 = finddiff2(bp, a1, bits, PIXEL(bp,a1));
putcode(tif, &horizcode);
@@ -1099,7 +1133,7 @@ Fax3PostEncode(TIFF* tif)
static void
Fax3Close(TIFF* tif)
{
- if ((Fax3State(tif)->mode & FAXMODE_NORTC) == 0) {
+ if ((Fax3State(tif)->mode & FAXMODE_NORTC) == 0 && tif->tif_rawcp) {
Fax3CodecState* sp = EncoderState(tif);
unsigned int code = EOL;
unsigned int length = 12;
@@ -1321,6 +1355,7 @@ InitCCITTFax3(TIFF* tif)
"No space for state block");
return (0);
}
+ _TIFFmemset(tif->tif_data, 0, sizeof (Fax3CodecState));
sp = Fax3State(tif);
sp->rw_mode = tif->tif_mode;
diff --git a/src/3rdparty/libtiff/libtiff/tif_fax3.h b/src/3rdparty/libtiff/libtiff/tif_fax3.h
index e0b2ca6..8a43505 100644
--- a/src/3rdparty/libtiff/libtiff/tif_fax3.h
+++ b/src/3rdparty/libtiff/libtiff/tif_fax3.h
@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.h,v 1.11 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tif_fax3.h,v 1.13 2016-12-14 18:36:27 faxguy Exp $ */
/*
* Copyright (c) 1990-1997 Sam Leffler
@@ -81,10 +81,12 @@ extern void _TIFFFax3fillruns(unsigned char*, uint32*, uint32*, uint32);
#define S_MakeUp 11
#define S_EOL 12
+/* WARNING: do not change the layout of this structure as the HylaFAX software */
+/* really depends on it. See http://bugzilla.maptools.org/show_bug.cgi?id=2636 */
typedef struct { /* state table entry */
unsigned char State; /* see above */
unsigned char Width; /* width of code in bits */
- uint16 Param; /* unsigned 16-bit run length in bits */
+ uint32 Param; /* unsigned 32-bit run length in bits (holds on 16 bit actually, but cannot be changed. See above warning) */
} TIFFFaxTabEnt;
extern const TIFFFaxTabEnt TIFFFaxMainTable[];
diff --git a/src/3rdparty/libtiff/libtiff/tif_getimage.c b/src/3rdparty/libtiff/libtiff/tif_getimage.c
index 0f5e932..c51c889 100644
--- a/src/3rdparty/libtiff/libtiff/tif_getimage.c
+++ b/src/3rdparty/libtiff/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.98 2016-11-18 02:47:45 bfriesen Exp $ */
+/* $Id: tif_getimage.c,v 1.112 2017-07-24 10:34:14 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -283,6 +283,13 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
img->redcmap = NULL;
img->greencmap = NULL;
img->bluecmap = NULL;
+ img->Map = NULL;
+ img->BWmap = NULL;
+ img->PALmap = NULL;
+ img->ycbcr = NULL;
+ img->cielab = NULL;
+ img->UaToAa = NULL;
+ img->Bitdepth16To8 = NULL;
img->req_orientation = ORIENTATION_BOTLEFT; /* It is the default */
img->tif = tif;
@@ -468,13 +475,6 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
photoTag, img->photometric);
goto fail_return;
}
- img->Map = NULL;
- img->BWmap = NULL;
- img->PALmap = NULL;
- img->ycbcr = NULL;
- img->cielab = NULL;
- img->UaToAa = NULL;
- img->Bitdepth16To8 = NULL;
TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &img->width);
TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &img->height);
TIFFGetFieldDefaulted(tif, TIFFTAG_ORIENTATION, &img->orientation);
@@ -494,10 +494,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
return 1;
fail_return:
- _TIFFfree( img->redcmap );
- _TIFFfree( img->greencmap );
- _TIFFfree( img->bluecmap );
- img->redcmap = img->greencmap = img->bluecmap = NULL;
+ TIFFRGBAImageEnd( img );
return 0;
}
@@ -629,7 +626,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
uint32 col, row, y, rowstoread;
tmsize_t pos;
uint32 tw, th;
- unsigned char* buf;
+ unsigned char* buf = NULL;
int32 fromskew, toskew;
uint32 nrow;
int ret = 1, flip;
@@ -637,13 +634,14 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
int32 this_toskew, leftmost_toskew;
int32 leftmost_fromskew;
uint32 leftmost_tw;
+ tmsize_t bufsize;
- buf = (unsigned char*) _TIFFmalloc(TIFFTileSize(tif));
- if (buf == 0) {
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
- return (0);
+ bufsize = TIFFTileSize(tif);
+ if (bufsize == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
+ return (0);
}
- _TIFFmemset(buf, 0, TIFFTileSize(tif));
+
TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
@@ -663,7 +661,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
leftmost_fromskew = img->col_offset % tw;
leftmost_tw = tw - leftmost_fromskew;
leftmost_toskew = toskew + leftmost_fromskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
nrow = (row + rowstoread > h ? h - row : rowstoread);
@@ -674,8 +672,9 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
col = img->col_offset;
while (tocol < w)
{
- if (TIFFReadTile(tif, buf, col,
- row+img->row_offset, 0, 0)==(tmsize_t)(-1) && img->stoponerr)
+ if (_TIFFReadTileAndAllocBuffer(tif, (void**) &buf, bufsize, col,
+ row+img->row_offset, 0, 0)==(tmsize_t)(-1) &&
+ (buf == NULL || img->stoponerr))
{
ret = 0;
break;
@@ -702,7 +701,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
this_toskew = toskew;
}
- y += (flip & FLIP_VERTICALLY ? -(int32) nrow : (int32) nrow);
+ y += ((flip & FLIP_VERTICALLY) ? -(int32) nrow : (int32) nrow);
}
_TIFFfree(buf);
@@ -740,11 +739,11 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
uint32 col, row, y, rowstoread;
tmsize_t pos;
uint32 tw, th;
- unsigned char* buf;
- unsigned char* p0;
- unsigned char* p1;
- unsigned char* p2;
- unsigned char* pa;
+ unsigned char* buf = NULL;
+ unsigned char* p0 = NULL;
+ unsigned char* p1 = NULL;
+ unsigned char* p2 = NULL;
+ unsigned char* pa = NULL;
tmsize_t tilesize;
tmsize_t bufsize;
int32 fromskew, toskew;
@@ -763,16 +762,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
return (0);
}
- buf = (unsigned char*) _TIFFmalloc(bufsize);
- if (buf == 0) {
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
- return (0);
- }
- _TIFFmemset(buf, 0, bufsize);
- p0 = buf;
- p1 = p0 + tilesize;
- p2 = p1 + tilesize;
- pa = (alpha?(p2+tilesize):NULL);
+
TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
@@ -792,7 +782,6 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
case PHOTOMETRIC_MINISBLACK:
case PHOTOMETRIC_PALETTE:
colorchannels = 1;
- p2 = p1 = p0;
break;
default:
@@ -806,7 +795,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
leftmost_fromskew = img->col_offset % tw;
leftmost_tw = tw - leftmost_fromskew;
leftmost_toskew = toskew + leftmost_fromskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
nrow = (row + rowstoread > h ? h - row : rowstoread);
@@ -817,7 +806,30 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
col = img->col_offset;
while (tocol < w)
{
- if (TIFFReadTile(tif, p0, col,
+ if( buf == NULL )
+ {
+ if (_TIFFReadTileAndAllocBuffer(
+ tif, (void**) &buf, bufsize, col,
+ row+img->row_offset,0,0)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+ break;
+ }
+ p0 = buf;
+ if( colorchannels == 1 )
+ {
+ p2 = p1 = p0;
+ pa = (alpha?(p0+3*tilesize):NULL);
+ }
+ else
+ {
+ p1 = p0 + tilesize;
+ p2 = p1 + tilesize;
+ pa = (alpha?(p2+tilesize):NULL);
+ }
+ }
+ else if (TIFFReadTile(tif, p0, col,
row+img->row_offset,0,0)==(tmsize_t)(-1) && img->stoponerr)
{
ret = 0;
@@ -871,7 +883,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
this_toskew = toskew;
}
- y += (flip & FLIP_VERTICALLY ?-(int32) nrow : (int32) nrow);
+ y += ((flip & FLIP_VERTICALLY) ?-(int32) nrow : (int32) nrow);
}
if (flip & FLIP_HORIZONTALLY) {
@@ -908,26 +920,22 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
tileContigRoutine put = img->put.contig;
uint32 row, y, nrow, nrowsub, rowstoread;
tmsize_t pos;
- unsigned char* buf;
+ unsigned char* buf = NULL;
uint32 rowsperstrip;
uint16 subsamplinghor,subsamplingver;
uint32 imagewidth = img->width;
tmsize_t scanline;
int32 fromskew, toskew;
int ret = 1, flip;
+ tmsize_t maxstripsize;
TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
if( subsamplingver == 0 ) {
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
return (0);
}
-
- buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
- if (buf == 0) {
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
- return (0);
- }
- _TIFFmemset(buf, 0, TIFFStripSize(tif));
+
+ maxstripsize = TIFFStripSize(tif);
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
@@ -949,11 +957,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
nrowsub = nrow;
if ((nrowsub%subsamplingver)!=0)
nrowsub+=subsamplingver-nrowsub%subsamplingver;
- if (TIFFReadEncodedStrip(tif,
+ if (_TIFFReadEncodedStripAndAllocBuffer(tif,
TIFFComputeStrip(tif,row+img->row_offset, 0),
- buf,
+ (void**)(&buf),
+ maxstripsize,
((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
- && img->stoponerr)
+ && (buf == NULL || img->stoponerr))
{
ret = 0;
break;
@@ -962,7 +971,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
pos = ((row + img->row_offset) % rowsperstrip) * scanline + \
((tmsize_t) img->col_offset * img->samplesperpixel);
(*put)(img, raster+y*w, 0, y, w, nrow, fromskew, toskew, buf + pos);
- y += (flip & FLIP_VERTICALLY ? -(int32) nrow : (int32) nrow);
+ y += ((flip & FLIP_VERTICALLY) ? -(int32) nrow : (int32) nrow);
}
if (flip & FLIP_HORIZONTALLY) {
@@ -997,8 +1006,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
{
TIFF* tif = img->tif;
tileSeparateRoutine put = img->put.separate;
- unsigned char *buf;
- unsigned char *p0, *p1, *p2, *pa;
+ unsigned char *buf = NULL;
+ unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL;
uint32 row, y, nrow, rowstoread;
tmsize_t pos;
tmsize_t scanline;
@@ -1017,15 +1026,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
return (0);
}
- p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
- if (buf == 0) {
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
- return (0);
- }
- _TIFFmemset(buf, 0, bufsize);
- p1 = p0 + stripsize;
- p2 = p1 + stripsize;
- pa = (alpha?(p2+stripsize):NULL);
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
@@ -1043,7 +1043,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
case PHOTOMETRIC_MINISBLACK:
case PHOTOMETRIC_PALETTE:
colorchannels = 1;
- p2 = p1 = p0;
break;
default:
@@ -1059,7 +1058,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
nrow = (row + rowstoread > h ? h - row : rowstoread);
offset_row = row + img->row_offset;
- if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
+ if( buf == NULL )
+ {
+ if (_TIFFReadEncodedStripAndAllocBuffer(
+ tif, TIFFComputeStrip(tif, offset_row, 0),
+ (void**) &buf, bufsize,
+ ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+ break;
+ }
+ p0 = buf;
+ if( colorchannels == 1 )
+ {
+ p2 = p1 = p0;
+ pa = (alpha?(p0+3*stripsize):NULL);
+ }
+ else
+ {
+ p1 = p0 + stripsize;
+ p2 = p1 + stripsize;
+ pa = (alpha?(p2+stripsize):NULL);
+ }
+ }
+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
&& img->stoponerr)
{
@@ -1097,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
((tmsize_t) img->col_offset * img->samplesperpixel);
(*put)(img, raster+y*w, 0, y, w, nrow, fromskew, toskew, p0 + pos, p1 + pos,
p2 + pos, (alpha?(pa+pos):NULL));
- y += (flip & FLIP_VERTICALLY ? -(int32) nrow : (int32) nrow);
+ y += ((flip & FLIP_VERTICALLY) ? -(int32) nrow : (int32) nrow);
}
if (flip & FLIP_HORIZONTALLY) {
@@ -1136,11 +1159,15 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
#define REPEAT2(op) op; op
#define CASE8(x,op) \
switch (x) { \
- case 7: op; case 6: op; case 5: op; \
- case 4: op; case 3: op; case 2: op; \
+ case 7: op; /*-fallthrough*/ \
+ case 6: op; /*-fallthrough*/ \
+ case 5: op; /*-fallthrough*/ \
+ case 4: op; /*-fallthrough*/ \
+ case 3: op; /*-fallthrough*/ \
+ case 2: op; /*-fallthrough*/ \
case 1: op; \
}
-#define CASE4(x,op) switch (x) { case 3: op; case 2: op; case 1: op; }
+#define CASE4(x,op) switch (x) { case 3: op; /*-fallthrough*/ case 2: op; /*-fallthrough*/ case 1: op; }
#define NOP
#define UNROLL8(w, op1, op2) { \
@@ -1211,8 +1238,8 @@ DECLAREContigPutFunc(put8bitcmaptile)
int samplesperpixel = img->samplesperpixel;
(void) y;
- while (h-- > 0) {
- for (x = w; x-- > 0;)
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x)
{
*cp++ = PALmap[*pp][0];
pp += samplesperpixel;
@@ -1231,7 +1258,7 @@ DECLAREContigPutFunc(put4bitcmaptile)
(void) x; (void) y;
fromskew /= 2;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL2(w, bw = PALmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1248,7 +1275,7 @@ DECLAREContigPutFunc(put2bitcmaptile)
(void) x; (void) y;
fromskew /= 4;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL4(w, bw = PALmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1265,7 +1292,7 @@ DECLAREContigPutFunc(put1bitcmaptile)
(void) x; (void) y;
fromskew /= 8;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL8(w, bw = PALmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1282,8 +1309,8 @@ DECLAREContigPutFunc(putgreytile)
uint32** BWmap = img->BWmap;
(void) y;
- while (h-- > 0) {
- for (x = w; x-- > 0;)
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x)
{
*cp++ = BWmap[*pp][0];
pp += samplesperpixel;
@@ -1302,10 +1329,10 @@ DECLAREContigPutFunc(putagreytile)
uint32** BWmap = img->BWmap;
(void) y;
- while (h-- > 0) {
- for (x = w; x-- > 0;)
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x)
{
- *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1);
+ *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
pp += samplesperpixel;
}
cp += toskew;
@@ -1322,10 +1349,10 @@ DECLAREContigPutFunc(put16bitbwtile)
uint32** BWmap = img->BWmap;
(void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint16 *wp = (uint16 *) pp;
- for (x = w; x-- > 0;)
+ for (x = w; x > 0; --x)
{
/* use high order byte of 16bit value */
@@ -1347,7 +1374,7 @@ DECLAREContigPutFunc(put1bitbwtile)
(void) x; (void) y;
fromskew /= 8;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1364,7 +1391,7 @@ DECLAREContigPutFunc(put2bitbwtile)
(void) x; (void) y;
fromskew /= 4;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL4(w, bw = BWmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1381,7 +1408,7 @@ DECLAREContigPutFunc(put4bitbwtile)
(void) x; (void) y;
fromskew /= 2;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32* bw;
UNROLL2(w, bw = BWmap[*pp++], *cp++ = *bw++);
cp += toskew;
@@ -1398,7 +1425,7 @@ DECLAREContigPutFunc(putRGBcontig8bittile)
(void) x; (void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP,
*cp++ = PACK(pp[0], pp[1], pp[2]);
pp += samplesperpixel);
@@ -1417,7 +1444,7 @@ DECLAREContigPutFunc(putRGBAAcontig8bittile)
(void) x; (void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP,
*cp++ = PACK4(pp[0], pp[1], pp[2], pp[3]);
pp += samplesperpixel);
@@ -1435,10 +1462,10 @@ DECLAREContigPutFunc(putRGBUAcontig8bittile)
int samplesperpixel = img->samplesperpixel;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 r, g, b, a;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
a = pp[3];
m = img->UaToAa+((size_t) a<<8);
r = m[pp[0]];
@@ -1461,8 +1488,8 @@ DECLAREContigPutFunc(putRGBcontig16bittile)
uint16 *wp = (uint16 *)pp;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
*cp++ = PACK(img->Bitdepth16To8[wp[0]],
img->Bitdepth16To8[wp[1]],
img->Bitdepth16To8[wp[2]]);
@@ -1483,8 +1510,8 @@ DECLAREContigPutFunc(putRGBAAcontig16bittile)
uint16 *wp = (uint16 *)pp;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
*cp++ = PACK4(img->Bitdepth16To8[wp[0]],
img->Bitdepth16To8[wp[1]],
img->Bitdepth16To8[wp[2]],
@@ -1506,10 +1533,10 @@ DECLAREContigPutFunc(putRGBUAcontig16bittile)
uint16 *wp = (uint16 *)pp;
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 r,g,b,a;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
a = img->Bitdepth16To8[wp[3]];
m = img->UaToAa+((size_t) a<<8);
r = m[img->Bitdepth16To8[wp[0]]];
@@ -1535,7 +1562,7 @@ DECLAREContigPutFunc(putRGBcontig8bitCMYKtile)
(void) x; (void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP,
k = 255 - pp[3];
r = (k*(255-pp[0]))/255;
@@ -1561,8 +1588,8 @@ DECLAREContigPutFunc(putRGBcontig8bitCMYKMaptile)
(void) y;
fromskew *= samplesperpixel;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
k = 255 - pp[3];
r = (k*(255-pp[0]))/255;
g = (k*(255-pp[1]))/255;
@@ -1591,7 +1618,7 @@ static void name(\
DECLARESepPutFunc(putRGBseparate8bittile)
{
(void) img; (void) x; (void) y; (void) a;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP, *cp++ = PACK(*r++, *g++, *b++));
SKEW(r, g, b, fromskew);
cp += toskew;
@@ -1604,7 +1631,7 @@ DECLARESepPutFunc(putRGBseparate8bittile)
DECLARESepPutFunc(putRGBAAseparate8bittile)
{
(void) img; (void) x; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
UNROLL8(w, NOP, *cp++ = PACK4(*r++, *g++, *b++, *a++));
SKEW4(r, g, b, a, fromskew);
cp += toskew;
@@ -1617,9 +1644,9 @@ DECLARESepPutFunc(putRGBAAseparate8bittile)
DECLARESepPutFunc(putCMYKseparate8bittile)
{
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 rv, gv, bv, kv;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
kv = 255 - *a++;
rv = (kv*(255-*r++))/255;
gv = (kv*(255-*g++))/255;
@@ -1637,10 +1664,10 @@ DECLARESepPutFunc(putCMYKseparate8bittile)
DECLARESepPutFunc(putRGBUAseparate8bittile)
{
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 rv, gv, bv, av;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
av = *a++;
m = img->UaToAa+((size_t) av<<8);
rv = m[*r++];
@@ -1662,7 +1689,7 @@ DECLARESepPutFunc(putRGBseparate16bittile)
uint16 *wg = (uint16*) g;
uint16 *wb = (uint16*) b;
(void) img; (void) y; (void) a;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
for (x = 0; x < w; x++)
*cp++ = PACK(img->Bitdepth16To8[*wr++],
img->Bitdepth16To8[*wg++],
@@ -1682,7 +1709,7 @@ DECLARESepPutFunc(putRGBAAseparate16bittile)
uint16 *wb = (uint16*) b;
uint16 *wa = (uint16*) a;
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
for (x = 0; x < w; x++)
*cp++ = PACK4(img->Bitdepth16To8[*wr++],
img->Bitdepth16To8[*wg++],
@@ -1703,10 +1730,10 @@ DECLARESepPutFunc(putRGBUAseparate16bittile)
uint16 *wb = (uint16*) b;
uint16 *wa = (uint16*) a;
(void) img; (void) y;
- while (h-- > 0) {
+ for( ; h > 0; --h) {
uint32 r2,g2,b2,a2;
uint8* m;
- for (x = w; x-- > 0;) {
+ for (x = w; x > 0; --x) {
a2 = img->Bitdepth16To8[*wa++];
m = img->UaToAa+((size_t) a2<<8);
r2 = m[img->Bitdepth16To8[*wr++]];
@@ -1728,8 +1755,8 @@ DECLAREContigPutFunc(putcontig8bitCIELab)
uint32 r, g, b;
(void) y;
fromskew *= 3;
- while (h-- > 0) {
- for (x = w; x-- > 0;) {
+ for( ; h > 0; --h) {
+ for (x = w; x > 0; --x) {
TIFFCIELabToXYZ(img->cielab,
(unsigned char)pp[0],
(signed char)pp[1],
@@ -1842,7 +1869,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
(void) y;
/* adjust fromskew */
- fromskew = (fromskew * 18) / 4;
+ fromskew = (fromskew / 4) * (4*2+2);
if ((h & 3) == 0 && (w & 3) == 0) {
for (; h >= 4; h -= 4) {
x = w>>2;
@@ -1945,7 +1972,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
int32 incr = 2*toskew+w;
(void) y;
- fromskew = (fromskew * 10) / 4;
+ fromskew = (fromskew / 4) * (4*2+2);
if ((w & 3) == 0 && (h & 1) == 0) {
for (; h >= 2; h -= 2) {
x = w>>2;
@@ -2023,7 +2050,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
{
(void) y;
- /* XXX adjust fromskew */
+ fromskew = (fromskew / 4) * (4*1+2);
do {
x = w>>2;
while(x>0) {
@@ -2046,9 +2073,9 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
int32 Cr = pp[5];
switch( (w&3) ) {
- case 3: YCbCrtoRGB(cp [2], pp[2]);
- case 2: YCbCrtoRGB(cp [1], pp[1]);
- case 1: YCbCrtoRGB(cp [0], pp[0]);
+ case 3: YCbCrtoRGB(cp [2], pp[2]); /*-fallthrough*/
+ case 2: YCbCrtoRGB(cp [1], pp[1]); /*-fallthrough*/
+ case 1: YCbCrtoRGB(cp [0], pp[0]); /*-fallthrough*/
case 0: break;
}
@@ -2070,7 +2097,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
uint32* cp2;
int32 incr = 2*toskew+w;
(void) y;
- fromskew = (fromskew / 2) * 6;
+ fromskew = (fromskew / 2) * (2*2+2);
cp2 = cp+w+toskew;
while (h>=2) {
x = w;
@@ -2126,7 +2153,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
{
(void) y;
- fromskew = (fromskew * 4) / 2;
+ fromskew = (fromskew / 2) * (2*1+2);
do {
x = w>>1;
while(x>0) {
@@ -2165,7 +2192,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
uint32* cp2;
int32 incr = 2*toskew+w;
(void) y;
- fromskew = (fromskew / 2) * 4;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
cp2 = cp+w+toskew;
while (h>=2) {
x = w;
@@ -2201,7 +2228,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
DECLAREContigPutFunc(putcontig8bitYCbCr11tile)
{
(void) y;
- fromskew *= 3;
+ fromskew = (fromskew / 1) * (1 * 1 + 2);
do {
x = w; /* was x = w>>1; patched 2000/09/25 warmerda@home.com */
do {
@@ -2225,7 +2252,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile)
(void) y;
(void) a;
/* TODO: naming of input vars is still off, change obfuscating declaration inside define, or resolve obfuscation */
- while (h-- > 0) {
+ for( ; h > 0; --h) {
x = w;
do {
uint32 dr, dg, db;
@@ -2238,6 +2265,11 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile)
}
#undef YCbCrtoRGB
+static int isInRefBlackWhiteRange(float f)
+{
+ return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
+}
+
static int
initYCbCrConversion(TIFFRGBAImage* img)
{
@@ -2262,6 +2294,31 @@ initYCbCrConversion(TIFFRGBAImage* img)
TIFFGetFieldDefaulted(img->tif, TIFFTAG_YCBCRCOEFFICIENTS, &luma);
TIFFGetFieldDefaulted(img->tif, TIFFTAG_REFERENCEBLACKWHITE,
&refBlackWhite);
+
+ /* Do some validation to avoid later issues. Detect NaN for now */
+ /* and also if lumaGreen is zero since we divide by it later */
+ if( luma[0] != luma[0] ||
+ luma[1] != luma[1] ||
+ luma[1] == 0.0 ||
+ luma[2] != luma[2] )
+ {
+ TIFFErrorExt(img->tif->tif_clientdata, module,
+ "Invalid values for YCbCrCoefficients tag");
+ return (0);
+ }
+
+ if( !isInRefBlackWhiteRange(refBlackWhite[0]) ||
+ !isInRefBlackWhiteRange(refBlackWhite[1]) ||
+ !isInRefBlackWhiteRange(refBlackWhite[2]) ||
+ !isInRefBlackWhiteRange(refBlackWhite[3]) ||
+ !isInRefBlackWhiteRange(refBlackWhite[4]) ||
+ !isInRefBlackWhiteRange(refBlackWhite[5]) )
+ {
+ TIFFErrorExt(img->tif->tif_clientdata, module,
+ "Invalid values for ReferenceBlackWhite tag");
+ return (0);
+ }
+
if (TIFFYCbCrToRGBInit(img->ycbcr, luma, refBlackWhite) < 0)
return(0);
return (1);
@@ -2816,6 +2873,13 @@ int
TIFFReadRGBAStrip(TIFF* tif, uint32 row, uint32 * raster )
{
+ return TIFFReadRGBAStripExt(tif, row, raster, 0 );
+}
+
+int
+TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
+
+{
char emsg[1024] = "";
TIFFRGBAImage img;
int ok;
@@ -2836,7 +2900,7 @@ TIFFReadRGBAStrip(TIFF* tif, uint32 row, uint32 * raster )
return (0);
}
- if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, 0, emsg)) {
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
img.row_offset = row;
img.col_offset = 0;
@@ -2867,6 +2931,13 @@ int
TIFFReadRGBATile(TIFF* tif, uint32 col, uint32 row, uint32 * raster)
{
+ return TIFFReadRGBATileExt(tif, col, row, raster, 0 );
+}
+
+
+int
+TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop_on_error )
+{
char emsg[1024] = "";
TIFFRGBAImage img;
int ok;
@@ -2901,7 +2972,7 @@ TIFFReadRGBATile(TIFF* tif, uint32 col, uint32 row, uint32 * raster)
*/
if (!TIFFRGBAImageOK(tif, emsg)
- || !TIFFRGBAImageBegin(&img, tif, 0, emsg)) {
+ || !TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
return( 0 );
}
diff --git a/src/3rdparty/libtiff/libtiff/tif_jbig.c b/src/3rdparty/libtiff/libtiff/tif_jbig.c
index 37878f6..7a14dd9 100644
--- a/src/3rdparty/libtiff/libtiff/tif_jbig.c
+++ b/src/3rdparty/libtiff/libtiff/tif_jbig.c
@@ -1,4 +1,4 @@
-/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */
+/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
jbg_strerror(decodeStatus)
#endif
);
+ jbg_dec_free(&decoder);
return 0;
}
diff --git a/src/3rdparty/libtiff/libtiff/tif_jpeg.c b/src/3rdparty/libtiff/libtiff/tif_jpeg.c
index 70b72d8..eed1357 100644
--- a/src/3rdparty/libtiff/libtiff/tif_jpeg.c
+++ b/src/3rdparty/libtiff/libtiff/tif_jpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tif_jpeg.c,v 1.133 2017-08-29 08:08:10 erouault Exp $ */
/*
* Copyright (c) 1994-1997 Sam Leffler
@@ -27,6 +27,8 @@
#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN
+#include <stdlib.h>
+
#include "tiffiop.h"
#ifdef JPEG_SUPPORT
@@ -47,6 +49,7 @@
int TIFFFillStrip(TIFF* tif, uint32 strip);
int TIFFFillTile(TIFF* tif, uint32 tile);
int TIFFReInitJPEG_12( TIFF *tif, int scheme, int is_encode );
+int TIFFJPEGIsFullStripRequired_12(TIFF* tif);
/* We undefine FAR to avoid conflict with JPEG definition */
@@ -145,6 +148,8 @@ typedef struct {
jpeg_error_mgr err; /* libjpeg error manager */
JMP_BUF exit_jmpbuf; /* for catching libjpeg failures */
+
+ struct jpeg_progress_mgr progress;
/*
* The following two members could be a union, but
* they're small enough that it's not worth the effort.
@@ -175,6 +180,7 @@ typedef struct {
int jpegtablesmode; /* What to put in JPEGTables */
int ycbcrsampling_fetched;
+ int max_allowed_scan_number;
} JPEGState;
#define JState(tif) ((JPEGState*)(tif)->tif_data)
@@ -235,6 +241,33 @@ TIFFjpeg_output_message(j_common_ptr cinfo)
TIFFWarningExt(((JPEGState *) cinfo)->tif->tif_clientdata, "JPEGLib", "%s", buffer);
}
+/* Avoid the risk of denial-of-service on crafted JPEGs with an insane */
+/* number of scans. */
+/* See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */
+static void
+TIFFjpeg_progress_monitor(j_common_ptr cinfo)
+{
+ JPEGState *sp = (JPEGState *) cinfo; /* NB: cinfo assumed first */
+ if (cinfo->is_decompressor)
+ {
+ const int scan_no =
+ ((j_decompress_ptr)cinfo)->input_scan_number;
+ if (scan_no >= sp->max_allowed_scan_number)
+ {
+ TIFFErrorExt(((JPEGState *) cinfo)->tif->tif_clientdata,
+ "TIFFjpeg_progress_monitor",
+ "Scan number %d exceeds maximum scans (%d). This limit "
+ "can be raised through the LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER "
+ "environment variable.",
+ scan_no, sp->max_allowed_scan_number);
+
+ jpeg_abort(cinfo); /* clean up libjpeg state */
+ LONGJMP(sp->exit_jmpbuf, 1); /* return to libtiff caller */
+ }
+ }
+}
+
+
/*
* Interface routines. This layer of routines exists
* primarily to limit side-effects from using setjmp.
@@ -337,8 +370,23 @@ TIFFjpeg_read_header(JPEGState* sp, boolean require_image)
}
static int
+TIFFjpeg_has_multiple_scans(JPEGState* sp)
+{
+ return CALLJPEG(sp, 0, jpeg_has_multiple_scans(&sp->cinfo.d));
+}
+
+static int
TIFFjpeg_start_decompress(JPEGState* sp)
{
+ const char* sz_max_allowed_scan_number;
+ /* progress monitor */
+ sp->cinfo.d.progress = &sp->progress;
+ sp->progress.progress_monitor = TIFFjpeg_progress_monitor;
+ sp->max_allowed_scan_number = 100;
+ sz_max_allowed_scan_number = getenv("LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER");
+ if( sz_max_allowed_scan_number )
+ sp->max_allowed_scan_number = atoi(sz_max_allowed_scan_number);
+
return CALLVJPEG(sp, jpeg_start_decompress(&sp->cinfo.d));
}
@@ -589,9 +637,8 @@ std_term_source(j_decompress_ptr cinfo)
}
static void
-TIFFjpeg_data_src(JPEGState* sp, TIFF* tif)
+TIFFjpeg_data_src(JPEGState* sp)
{
- (void) tif;
sp->cinfo.d.src = &sp->src;
sp->src.init_source = std_init_source;
sp->src.fill_input_buffer = std_fill_input_buffer;
@@ -617,9 +664,9 @@ tables_init_source(j_decompress_ptr cinfo)
}
static void
-TIFFjpeg_tables_src(JPEGState* sp, TIFF* tif)
+TIFFjpeg_tables_src(JPEGState* sp)
{
- TIFFjpeg_data_src(sp, tif);
+ TIFFjpeg_data_src(sp);
sp->src.init_source = tables_init_source;
}
@@ -697,9 +744,11 @@ static int
JPEGFixupTags(TIFF* tif)
{
#ifdef CHECK_JPEG_YCBCR_SUBSAMPLING
+ JPEGState* sp = JState(tif);
if ((tif->tif_dir.td_photometric==PHOTOMETRIC_YCBCR)&&
(tif->tif_dir.td_planarconfig==PLANARCONFIG_CONTIG)&&
- (tif->tif_dir.td_samplesperpixel==3))
+ (tif->tif_dir.td_samplesperpixel==3) &&
+ !sp->ycbcrsampling_fetched)
JPEGFixupTagsSubsampling(tif);
#endif
@@ -974,7 +1023,7 @@ JPEGSetupDecode(TIFF* tif)
/* Read JPEGTables if it is present */
if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) {
- TIFFjpeg_tables_src(sp, tif);
+ TIFFjpeg_tables_src(sp);
if(TIFFjpeg_read_header(sp,FALSE) != JPEG_HEADER_TABLES_ONLY) {
TIFFErrorExt(tif->tif_clientdata, "JPEGSetupDecode", "Bogus JPEGTables field");
return (0);
@@ -996,11 +1045,47 @@ JPEGSetupDecode(TIFF* tif)
}
/* Set up for reading normal data */
- TIFFjpeg_data_src(sp, tif);
+ TIFFjpeg_data_src(sp);
tif->tif_postdecode = _TIFFNoPostDecode; /* override byte swapping */
return (1);
}
+/* Returns 1 if the full strip should be read, even when doing scanline per */
+/* scanline decoding. This happens when the JPEG stream uses multiple scans. */
+/* Currently only called in CHUNKY_STRIP_READ_SUPPORT mode through */
+/* scanline interface. */
+/* Only reads tif->tif_dir.td_bitspersample, tif->tif_rawdata and */
+/* tif->tif_rawcc members. */
+/* Can be called independently of the usual setup/predecode/decode states */
+int TIFFJPEGIsFullStripRequired(TIFF* tif)
+{
+ int ret;
+ JPEGState state;
+
+#if defined(JPEG_DUAL_MODE_8_12) && !defined(TIFFJPEGIsFullStripRequired)
+ if( tif->tif_dir.td_bitspersample == 12 )
+ return TIFFJPEGIsFullStripRequired_12( tif );
+#endif
+
+ memset(&state, 0, sizeof(JPEGState));
+ state.tif = tif;
+
+ TIFFjpeg_create_decompress(&state);
+
+ TIFFjpeg_data_src(&state);
+
+ if (TIFFjpeg_read_header(&state, TRUE) != JPEG_HEADER_OK)
+ {
+ TIFFjpeg_destroy(&state);
+ return (0);
+ }
+ ret = TIFFjpeg_has_multiple_scans(&state);
+
+ TIFFjpeg_destroy(&state);
+
+ return ret;
+}
+
/*
* Set up for decoding a strip or tile.
*/
@@ -1041,13 +1126,13 @@ JPEGPreDecode(TIFF* tif, uint16 s)
/*
* Check image parameters and set decompression parameters.
*/
- segment_width = td->td_imagewidth;
- segment_height = td->td_imagelength - tif->tif_row;
if (isTiled(tif)) {
segment_width = td->td_tilewidth;
segment_height = td->td_tilelength;
sp->bytesperline = TIFFTileRowSize(tif);
} else {
+ segment_width = td->td_imagewidth;
+ segment_height = td->td_imagelength - tif->tif_row;
if (segment_height > td->td_rowsperstrip)
segment_height = td->td_rowsperstrip;
sp->bytesperline = TIFFScanlineSize(tif);
@@ -1068,9 +1153,23 @@ JPEGPreDecode(TIFF* tif, uint16 s)
segment_width, segment_height,
sp->cinfo.d.image_width,
sp->cinfo.d.image_height);
- }
- if (sp->cinfo.d.image_width > segment_width ||
- sp->cinfo.d.image_height > segment_height) {
+ }
+ if( sp->cinfo.d.image_width == segment_width &&
+ sp->cinfo.d.image_height > segment_height &&
+ tif->tif_row + segment_height == td->td_imagelength &&
+ !isTiled(tif) ) {
+ /* Some files have a last strip, that should be truncated, */
+ /* but their JPEG codestream has still the maximum strip */
+ /* height. Warn about this as this is non compliant, but */
+ /* we can safely recover from that. */
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "JPEG strip size exceeds expected dimensions,"
+ " expected %dx%d, got %dx%d",
+ segment_width, segment_height,
+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+ }
+ else if (sp->cinfo.d.image_width > segment_width ||
+ sp->cinfo.d.image_height > segment_height) {
/*
* This case could be dangerous, if the strip or tile size has
* been reported as less than the amount of data jpeg will
@@ -1103,6 +1202,47 @@ JPEGPreDecode(TIFF* tif, uint16 s)
return (0);
}
#endif
+
+ /* In some cases, libjpeg needs to allocate a lot of memory */
+ /* http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */
+ if( TIFFjpeg_has_multiple_scans(sp) )
+ {
+ /* In this case libjpeg will need to allocate memory or backing */
+ /* store for all coefficients */
+ /* See call to jinit_d_coef_controller() from master_selection() */
+ /* in libjpeg */
+ toff_t nRequiredMemory = (toff_t)sp->cinfo.d.image_width *
+ sp->cinfo.d.image_height *
+ sp->cinfo.d.num_components *
+ ((td->td_bitspersample+7)/8);
+ /* BLOCK_SMOOTHING_SUPPORTED is generally defined, so we need */
+ /* to replicate the logic of jinit_d_coef_controller() */
+ if( sp->cinfo.d.progressive_mode )
+ nRequiredMemory *= 3;
+
+#ifndef TIFF_LIBJPEG_LARGEST_MEM_ALLOC
+#define TIFF_LIBJPEG_LARGEST_MEM_ALLOC (100 * 1024 * 1024)
+#endif
+
+ if( nRequiredMemory > TIFF_LIBJPEG_LARGEST_MEM_ALLOC &&
+ getenv("LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC") == NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Reading this strip would require libjpeg to allocate "
+ "at least %u bytes. "
+ "This is disabled since above the %u threshold. "
+ "You may override this restriction by defining the "
+ "LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, "
+ "or recompile libtiff by defining the "
+ "TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro to a value greater "
+ "than %u",
+ (unsigned)nRequiredMemory,
+ (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC,
+ (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC);
+ return (0);
+ }
+ }
+
if (td->td_planarconfig == PLANARCONFIG_CONTIG) {
/* Component 0 should have expected sampling factors */
if (sp->cinfo.d.comp_info[0].h_samp_factor != sp->h_sampling ||
@@ -1364,10 +1504,18 @@ JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
JPEGState *sp = JState(tif);
tmsize_t nrows;
+ TIFFDirectory *td = &tif->tif_dir;
(void) s;
+ nrows = sp->cinfo.d.image_height;
+ /* For last strip, limit number of rows to its truncated height */
+ /* even if the codestream height is larger (which is not compliant, */
+ /* but that we tolerate) */
+ if( (uint32)nrows > td->td_imagelength - tif->tif_row && !isTiled(tif) )
+ nrows = td->td_imagelength - tif->tif_row;
+
/* data is expected to be read in multiples of a scanline */
- if ( (nrows = sp->cinfo.d.image_height) != 0 ) {
+ if ( nrows != 0 ) {
/* Cb,Cr both have sampling factors 1, so this is correct */
JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
@@ -1626,6 +1774,20 @@ JPEGSetupEncode(TIFF* tif)
case PHOTOMETRIC_YCBCR:
sp->h_sampling = td->td_ycbcrsubsampling[0];
sp->v_sampling = td->td_ycbcrsubsampling[1];
+ if( sp->h_sampling == 0 || sp->v_sampling == 0 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalig horizontal/vertical sampling value");
+ return (0);
+ }
+ if( td->td_bitspersample > 16 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "BitsPerSample %d not allowed for JPEG",
+ td->td_bitspersample);
+ return (0);
+ }
+
/*
* A ReferenceBlackWhite field *must* be present since the
* default value is inappropriate for YCbCr. Fill in the
@@ -2291,6 +2453,15 @@ static int JPEGInitializeLibJPEG( TIFF * tif, int decompress )
} else {
if (!TIFFjpeg_create_compress(sp))
return (0);
+#ifndef TIFF_JPEG_MAX_MEMORY_TO_USE
+#define TIFF_JPEG_MAX_MEMORY_TO_USE (10 * 1024 * 1024)
+#endif
+ /* Increase the max memory usable. This helps when creating files */
+ /* with "big" tile, without using libjpeg temporary files. */
+ /* For example a 512x512 tile with 3 bands */
+ /* requires 1.5 MB which is above libjpeg 1MB default */
+ if( sp->cinfo.c.mem->max_memory_to_use < TIFF_JPEG_MAX_MEMORY_TO_USE )
+ sp->cinfo.c.mem->max_memory_to_use = TIFF_JPEG_MAX_MEMORY_TO_USE;
}
sp->cinfo_initialized = TRUE;
diff --git a/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c b/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c
index 8499e64..b458c25 100644
--- a/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c
+++ b/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c
@@ -4,6 +4,7 @@
#if defined(JPEG_DUAL_MODE_8_12)
# define TIFFInitJPEG TIFFInitJPEG_12
+# define TIFFJPEGIsFullStripRequired TIFFJPEGIsFullStripRequired_12
int
TIFFInitJPEG_12(TIFF* tif, int scheme);
diff --git a/src/3rdparty/libtiff/libtiff/tif_luv.c b/src/3rdparty/libtiff/libtiff/tif_luv.c
index ca08f30..4b25244 100644
--- a/src/3rdparty/libtiff/libtiff/tif_luv.c
+++ b/src/3rdparty/libtiff/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.49 2017-07-24 12:47:30 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -158,6 +158,7 @@
typedef struct logLuvState LogLuvState;
struct logLuvState {
+ int encoder_state; /* 1 if encoder correctly initialized */
int user_datafmt; /* user data format */
int encode_meth; /* encoding method */
int pixel_size; /* bytes per pixel */
@@ -472,7 +473,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tif->tif_rawcp = op;
tif->tif_rawcc = tif->tif_rawdatasize - occ;
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
occ = tif->tif_rawdatasize - tif->tif_rawcc;
}
@@ -504,7 +505,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tif->tif_rawcp = op;
tif->tif_rawcc = tif->tif_rawdatasize - occ;
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
occ = tif->tif_rawdatasize - tif->tif_rawcc;
}
@@ -564,7 +565,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tif->tif_rawcp = op;
tif->tif_rawcc = tif->tif_rawdatasize - occ;
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
occ = tif->tif_rawdatasize - tif->tif_rawcc;
}
@@ -623,7 +624,7 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tif->tif_rawcp = op;
tif->tif_rawcc = tif->tif_rawdatasize - occ;
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
occ = tif->tif_rawdatasize - tif->tif_rawcc;
}
@@ -655,7 +656,7 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
tif->tif_rawcp = op;
tif->tif_rawcc = tif->tif_rawdatasize - occ;
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
occ = tif->tif_rawdatasize - tif->tif_rawcc;
}
@@ -1263,15 +1264,16 @@ LogL16GuessDataFmt(TIFFDirectory *td)
return (SGILOGDATAFMT_UNKNOWN);
}
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
static int
@@ -1312,8 +1314,10 @@ LogL16InitState(TIFF* tif)
}
if( isTiled(tif) )
sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else
+ else if( td->td_rowsperstrip < td->td_imagelength )
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
+ else
+ sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
if (multiply_ms(sp->tbuflen, sizeof (int16)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (int16))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
@@ -1412,8 +1416,10 @@ LogLuvInitState(TIFF* tif)
}
if( isTiled(tif) )
sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
- else
+ else if( td->td_rowsperstrip < td->td_imagelength )
sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
+ else
+ sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength);
if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
@@ -1552,6 +1558,7 @@ LogLuvSetupEncode(TIFF* tif)
td->td_photometric, "must be either LogLUV or LogL");
break;
}
+ sp->encoder_state = 1;
return (1);
notsupported:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1570,27 @@ notsupported:
static void
LogLuvClose(TIFF* tif)
{
+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;
+ assert(sp != 0);
/*
* For consistency, we always want to write out the same
* bitspersample and sampleformat for our TIFF file,
* regardless of the data format being used by the application.
* Since this routine is called after tags have been set but
* before they have been recorded in the file, we reset them here.
+ * Note: this is really a nasty approach. See PixarLogClose
*/
- td->td_samplesperpixel =
- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
- td->td_bitspersample = 16;
- td->td_sampleformat = SAMPLEFORMAT_INT;
+ if( sp->encoder_state )
+ {
+ /* See PixarLogClose. Might avoid issues with tags whose size depends
+ * on those below, but not completely sure this is enough. */
+ td->td_samplesperpixel =
+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+ td->td_bitspersample = 16;
+ td->td_sampleformat = SAMPLEFORMAT_INT;
+ }
}
static void
diff --git a/src/3rdparty/libtiff/libtiff/tif_lzw.c b/src/3rdparty/libtiff/libtiff/tif_lzw.c
index 240e19c..bc8f9c8 100644
--- a/src/3rdparty/libtiff/libtiff/tif_lzw.c
+++ b/src/3rdparty/libtiff/libtiff/tif_lzw.c
@@ -1,4 +1,4 @@
-/* $Id: tif_lzw.c,v 1.52 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_lzw.c,v 1.57 2017-07-11 10:54:29 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -275,7 +275,8 @@ LZWPreDecode(TIFF* tif, uint16 s)
/*
* Check for old bit-reversed codes.
*/
- if (tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) {
+ if (tif->tif_rawcc >= 2 &&
+ tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) {
#ifdef LZW_COMPAT
if (!sp->dec_decode) {
TIFFWarningExt(tif->tif_clientdata, module,
@@ -318,7 +319,7 @@ LZWPreDecode(TIFF* tif, uint16 s)
sp->dec_restart = 0;
sp->dec_nbitsmask = MAXCODE(BITS_MIN);
#ifdef LZW_CHECKEOS
- sp->dec_bitsleft = ((uint64)tif->tif_rawcc) << 3;
+ sp->dec_bitsleft = 0;
#endif
sp->dec_free_entp = sp->dec_codetab + CODE_FIRST;
/*
@@ -425,6 +426,9 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
}
bp = (unsigned char *)tif->tif_rawcp;
+#ifdef LZW_CHECKEOS
+ sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3);
+#endif
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -549,6 +553,7 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
}
}
+ tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8*) bp;
sp->lzw_nbits = (unsigned short) nbits;
sp->lzw_nextdata = nextdata;
@@ -651,6 +656,9 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
}
bp = (unsigned char *)tif->tif_rawcp;
+#ifdef LZW_CHECKEOS
+ sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3);
+#endif
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -760,6 +768,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
}
}
+ tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8*) bp;
sp->lzw_nbits = (unsigned short)nbits;
sp->lzw_nextdata = nextdata;
@@ -969,7 +978,8 @@ LZWEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
*/
if (op > limit) {
tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata);
- TIFFFlushData1(tif);
+ if( !TIFFFlushData1(tif) )
+ return 0;
op = tif->tif_rawdata;
}
PutNextCode(op, ent);
@@ -1054,12 +1064,32 @@ LZWPostEncode(TIFF* tif)
if (op > sp->enc_rawlimit) {
tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata);
- TIFFFlushData1(tif);
+ if( !TIFFFlushData1(tif) )
+ return 0;
op = tif->tif_rawdata;
}
if (sp->enc_oldcode != (hcode_t) -1) {
+ int free_ent = sp->lzw_free_ent;
+
PutNextCode(op, sp->enc_oldcode);
sp->enc_oldcode = (hcode_t) -1;
+ free_ent ++;
+
+ if (free_ent == CODE_MAX-1) {
+ /* table is full, emit clear code and reset */
+ outcount = 0;
+ PutNextCode(op, CODE_CLEAR);
+ nbits = BITS_MIN;
+ } else {
+ /*
+ * If the next entry is going to be too big for
+ * the code size, then increase it, if possible.
+ */
+ if (free_ent > sp->lzw_maxcode) {
+ nbits++;
+ assert(nbits <= BITS_MAX);
+ }
+ }
}
PutNextCode(op, CODE_EOI);
/* Explicit 0xff masking to make icc -check=conversions happy */
diff --git a/src/3rdparty/libtiff/libtiff/tif_ojpeg.c b/src/3rdparty/libtiff/libtiff/tif_ojpeg.c
index 30a1812..92ed1fa 100644
--- a/src/3rdparty/libtiff/libtiff/tif_ojpeg.c
+++ b/src/3rdparty/libtiff/libtiff/tif_ojpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_ojpeg.c,v 1.69 2017-04-27 17:29:26 erouault Exp $ */
/* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
specification is now totally obsolete and deprecated for new applications and
@@ -244,6 +244,7 @@ typedef enum {
typedef struct {
TIFF* tif;
+ int decoder_ok;
#ifndef LIBJPEG_ENCAP_EXTERNAL
JMP_BUF exit_jmpbuf;
#endif
@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
}
sp->write_curstrile++;
}
+ sp->decoder_ok = 1;
return(1);
}
@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
static int
OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
+ static const char module[]="OJPEGDecode";
OJPEGState* sp=(OJPEGState*)tif->tif_data;
(void)s;
+ if( !sp->decoder_ok )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+ return 0;
+ }
if (sp->libjpeg_jpeg_query_style==0)
{
if (OJPEGDecodeRaw(tif,buf,cc)==0)
@@ -1782,7 +1790,12 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
if (p!=64)
+ {
+ _TIFFfree(ob);
return(0);
+ }
+ if (sp->qtable[m]!=0)
+ _TIFFfree(sp->qtable[m]);
sp->qtable[m]=ob;
sp->sof_tq[m]=m;
}
@@ -1846,7 +1859,12 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
rb[sizeof(uint32)+5+n]=o[n];
p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
if (p!=q)
+ {
+ _TIFFfree(rb);
return(0);
+ }
+ if (sp->dctable[m]!=0)
+ _TIFFfree(sp->dctable[m]);
sp->dctable[m]=rb;
sp->sos_tda[m]=(m<<4);
}
@@ -1910,7 +1928,12 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
rb[sizeof(uint32)+5+n]=o[n];
p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
if (p!=q)
+ {
+ _TIFFfree(rb);
return(0);
+ }
+ if (sp->actable[m]!=0)
+ _TIFFfree(sp->actable[m]);
sp->actable[m]=rb;
sp->sos_tda[m]=(sp->sos_tda[m]|m);
}
diff --git a/src/3rdparty/libtiff/libtiff/tif_open.c b/src/3rdparty/libtiff/libtiff/tif_open.c
index 5c9036e..a7279e1 100644
--- a/src/3rdparty/libtiff/libtiff/tif_open.c
+++ b/src/3rdparty/libtiff/libtiff/tif_open.c
@@ -1,4 +1,4 @@
-/* $Id: tif_open.c,v 1.47 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tif_open.c,v 1.48 2016-11-20 22:29:47 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -279,10 +279,10 @@ TIFFClientOpen(
* Setup header and write.
*/
#ifdef WORDS_BIGENDIAN
- tif->tif_header.common.tiff_magic = tif->tif_flags & TIFF_SWAB
+ tif->tif_header.common.tiff_magic = (tif->tif_flags & TIFF_SWAB)
? TIFF_LITTLEENDIAN : TIFF_BIGENDIAN;
#else
- tif->tif_header.common.tiff_magic = tif->tif_flags & TIFF_SWAB
+ tif->tif_header.common.tiff_magic = (tif->tif_flags & TIFF_SWAB)
? TIFF_BIGENDIAN : TIFF_LITTLEENDIAN;
#endif
if (!(tif->tif_flags&TIFF_BIGTIFF))
diff --git a/src/3rdparty/libtiff/libtiff/tif_packbits.c b/src/3rdparty/libtiff/libtiff/tif_packbits.c
index d2a0165..18904b0 100644
--- a/src/3rdparty/libtiff/libtiff/tif_packbits.c
+++ b/src/3rdparty/libtiff/libtiff/tif_packbits.c
@@ -1,4 +1,4 @@
-/* $Id: tif_packbits.c,v 1.24 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_packbits.c,v 1.26 2017-05-14 02:26:07 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -99,7 +99,7 @@ PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
slop = (long)(op - lastliteral);
tif->tif_rawcc += (tmsize_t)(lastliteral - tif->tif_rawcp);
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
while (slop-- > 0)
*op++ = *lastliteral++;
@@ -107,7 +107,7 @@ PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
} else {
tif->tif_rawcc += (tmsize_t)(op - tif->tif_rawcp);
if (!TIFFFlushData1(tif))
- return (-1);
+ return (0);
op = tif->tif_rawcp;
}
}
@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
(unsigned long) ((tmsize_t)n - occ));
n = (long)occ;
}
+ if( cc == 0 )
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Terminating PackBitsDecode due to lack of data.");
+ break;
+ }
occ -= n;
b = *bp++;
cc--;
diff --git a/src/3rdparty/libtiff/libtiff/tif_pixarlog.c b/src/3rdparty/libtiff/libtiff/tif_pixarlog.c
index f4af2ba..979858d 100644
--- a/src/3rdparty/libtiff/libtiff/tif_pixarlog.c
+++ b/src/3rdparty/libtiff/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -636,29 +636,27 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
return guess;
}
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
static tmsize_t
add_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 + m2;
-
/* if either input is zero, assume overflow already occurred */
if (m1 == 0 || m2 == 0)
- bytes = 0;
- else if (bytes <= m1 || bytes <= m2)
- bytes = 0;
+ return 0;
+ else if (m1 > TIFF_TMSIZE_T_MAX - m2)
+ return 0;
- return bytes;
+ return m1 + m2;
}
static int
@@ -675,9 +673,20 @@ PixarLogSetupDecode(TIFF* tif)
TIFFDirectory *td = &tif->tif_dir;
PixarLogState* sp = DecoderState(tif);
tmsize_t tbuf_size;
+ uint32 strip_height;
assert(sp != NULL);
+ /* This function can possibly be called several times by */
+ /* PredictorSetupDecode() if this function succeeds but */
+ /* PredictorSetup() fails */
+ if( (sp->state & PLSTATE_INIT) != 0 )
+ return 1;
+
+ strip_height = td->td_rowsperstrip;
+ if( strip_height > td->td_imagelength )
+ strip_height = td->td_imagelength;
+
/* Make sure no byte swapping happens on the data
* after decompression. */
tif->tif_postdecode = _TIFFNoPostDecode;
@@ -687,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif)
sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ?
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
+ strip_height), sizeof(uint16));
/* add one more stride in case input ends mid-stride */
tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
@@ -699,6 +708,9 @@ PixarLogSetupDecode(TIFF* tif)
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
TIFFErrorExt(tif->tif_clientdata, module,
"PixarLog compression can't handle bits depth/data format combination (depth: %d)",
td->td_bitspersample);
@@ -706,6 +718,9 @@ PixarLogSetupDecode(TIFF* tif)
}
if (inflateInit(&sp->stream) != Z_OK) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg ? sp->stream.msg : "(null)");
return (0);
} else {
@@ -774,6 +789,10 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
(void) s;
assert(sp != NULL);
+
+ sp->stream.next_in = tif->tif_rawcp;
+ sp->stream.avail_in = (uInt) tif->tif_rawcc;
+
sp->stream.next_out = (unsigned char *) sp->tbuf;
assert(sizeof(sp->stream.avail_out)==4); /* if this assert gets raised,
we need to simplify this code to reflect a ZLib that is likely updated
@@ -819,6 +838,9 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
return (0);
}
+ tif->tif_rawcp = sp->stream.next_in;
+ tif->tif_rawcc = sp->stream.avail_in;
+
up = sp->tbuf;
/* Swap bytes in the data if from a different endian machine. */
if (tif->tif_flags & TIFF_SWAB)
@@ -1233,8 +1255,10 @@ PixarLogPostEncode(TIFF* tif)
static void
PixarLogClose(TIFF* tif)
{
+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;
+ assert(sp != 0);
/* In a really sneaky (and really incorrect, and untruthful, and
* troublesome, and error-prone) maneuver that completely goes against
* the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1267,19 @@ PixarLogClose(TIFF* tif)
* readers that don't know about PixarLog, or how to set
* the PIXARLOGDATFMT pseudo-tag.
*/
- td->td_bitspersample = 8;
- td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+ if (sp->state&PLSTATE_INIT) {
+ /* We test the state to avoid an issue such as in
+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+ * What appends in that case is that the bitspersample is 1 and
+ * a TransferFunction is set. The size of the TransferFunction
+ * depends on 1<<bitspersample. So if we increase it, an access
+ * out of the buffer will happen at directory flushing.
+ * Another option would be to clear those targs.
+ */
+ td->td_bitspersample = 8;
+ td->td_sampleformat = SAMPLEFORMAT_UINT;
+ }
}
static void
diff --git a/src/3rdparty/libtiff/libtiff/tif_predict.c b/src/3rdparty/libtiff/libtiff/tif_predict.c
index 0b185d2..9ae1f57 100644
--- a/src/3rdparty/libtiff/libtiff/tif_predict.c
+++ b/src/3rdparty/libtiff/libtiff/tif_predict.c
@@ -1,4 +1,4 @@
-/* $Id: tif_predict.c,v 1.40 2016-11-04 09:19:13 erouault Exp $ */
+/* $Id: tif_predict.c,v 1.44 2017-06-18 10:31:50 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -117,6 +117,9 @@ PredictorSetupDecode(TIFF* tif)
TIFFPredictorState* sp = PredictorState(tif);
TIFFDirectory* td = &tif->tif_dir;
+ /* Note: when PredictorSetup() fails, the effets of setupdecode() */
+ /* will not be "cancelled" so setupdecode() might be robust to */
+ /* be called several times. */
if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
return 0;
@@ -259,11 +262,12 @@ PredictorSetupEncode(TIFF* tif)
#define REPEAT4(n, op) \
switch (n) { \
- default: { tmsize_t i; for (i = n-4; i > 0; i--) { op; } } \
- case 4: op; \
- case 3: op; \
- case 2: op; \
- case 1: op; \
+ default: { \
+ tmsize_t i; for (i = n-4; i > 0; i--) { op; } } /*-fallthrough*/ \
+ case 4: op; /*-fallthrough*/ \
+ case 3: op; /*-fallthrough*/ \
+ case 2: op; /*-fallthrough*/ \
+ case 1: op; /*-fallthrough*/ \
case 0: ; \
}
@@ -273,6 +277,7 @@ PredictorSetupEncode(TIFF* tif)
/* - when storing into the byte stream, we explicitly mask with 0xff so */
/* as to make icc -check=conversions happy (not necessary by the standard) */
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -340,6 +345,7 @@ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
return horAcc16(tif, cp0, cc);
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -374,6 +380,7 @@ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
return horAcc32(tif, cp0, cc);
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -499,6 +506,7 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
return 0;
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -552,6 +560,7 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
return 1;
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -591,6 +600,7 @@ swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
return 1;
}
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -633,6 +643,7 @@ swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
/*
* Floating point predictor differencing routine.
*/
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static int
fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
{
@@ -797,7 +808,7 @@ PredictorPrintDir(TIFF* tif, FILE* fd, long flags)
case 2: fprintf(fd, "horizontal differencing "); break;
case 3: fprintf(fd, "floating point predictor "); break;
}
- fprintf(fd, "%u (0x%x)\n", sp->predictor, sp->predictor);
+ fprintf(fd, "%d (0x%x)\n", sp->predictor, sp->predictor);
}
if (sp->printdir)
(*sp->printdir)(tif, fd, flags);
diff --git a/src/3rdparty/libtiff/libtiff/tif_print.c b/src/3rdparty/libtiff/libtiff/tif_print.c
index 186f2ee..24d4b98 100644
--- a/src/3rdparty/libtiff/libtiff/tif_print.c
+++ b/src/3rdparty/libtiff/libtiff/tif_print.c
@@ -1,4 +1,4 @@
-/* $Id: tif_print.c,v 1.64 2015-12-06 22:19:56 erouault Exp $ */
+/* $Id: tif_print.c,v 1.65 2016-11-20 22:31:22 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -262,7 +262,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
if (td->td_subfiletype & FILETYPE_MASK)
fprintf(fd, "%stransparency mask", sep);
fprintf(fd, " (%lu = 0x%lx)\n",
- (long) td->td_subfiletype, (long) td->td_subfiletype);
+ (unsigned long) td->td_subfiletype, (long) td->td_subfiletype);
}
if (TIFFFieldSet(tif,FIELD_IMAGEDIMENSIONS)) {
fprintf(fd, " Image Width: %lu Image Length: %lu",
@@ -521,7 +521,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
fprintf(fd, "\n");
n = 1L<<td->td_bitspersample;
for (l = 0; l < n; l++)
- fprintf(fd, " %5lu: %5u %5u %5u\n",
+ fprintf(fd, " %5ld: %5u %5u %5u\n",
l,
td->td_colormap[0][l],
td->td_colormap[1][l],
@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
n = 1L<<td->td_bitspersample;
for (l = 0; l < n; l++) {
uint16 i;
- fprintf(fd, " %2lu: %5u",
+ fprintf(fd, " %2ld: %5u",
l, td->td_transferfunction[0][l]);
for (i = 1; i < td->td_samplesperpixel; i++)
fprintf(fd, " %5u",
@@ -661,7 +661,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
uint32 s;
fprintf(fd, " %lu %s:\n",
- (long) td->td_nstrips,
+ (unsigned long) td->td_nstrips,
isTiled(tif) ? "Tiles" : "Strips");
for (s = 0; s < td->td_nstrips; s++)
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
diff --git a/src/3rdparty/libtiff/libtiff/tif_read.c b/src/3rdparty/libtiff/libtiff/tif_read.c
index 8003592..d5ce837 100644
--- a/src/3rdparty/libtiff/libtiff/tif_read.c
+++ b/src/3rdparty/libtiff/libtiff/tif_read.c
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
+/* $Id: tif_read.c,v 1.65 2017-07-15 12:33:25 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -47,6 +47,121 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
#define NOSTRIP ((uint32)(-1)) /* undefined state */
#define NOTILE ((uint32)(-1)) /* undefined state */
+#define INITIAL_THRESHOLD (1024 * 1024)
+#define THRESHOLD_MULTIPLIER 10
+#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+
+/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
+ * Returns 1 in case of success, 0 otherwise. */
+static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
+ tmsize_t rawdata_offset,
+ int is_strip, uint32 strip_or_tile,
+ const char* module )
+{
+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
+ tmsize_t threshold = INITIAL_THRESHOLD;
+#endif
+ tmsize_t already_read = 0;
+
+ /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
+ /* so as to avoid allocating too much memory in case the file is too */
+ /* short. We could ask for the file size, but this might be */
+ /* expensive with some I/O layers (think of reading a gzipped file) */
+ /* Restrict to 64 bit processes, so as to avoid reallocs() */
+ /* on 32 bit processes where virtual memory is scarce. */
+ while( already_read < size )
+ {
+ tmsize_t bytes_read;
+ tmsize_t to_read = size - already_read;
+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
+ if( to_read >= threshold && threshold < MAX_THRESHOLD &&
+ already_read + to_read + rawdata_offset > tif->tif_rawdatasize )
+ {
+ to_read = threshold;
+ threshold *= THRESHOLD_MULTIPLIER;
+ }
+#endif
+ if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize) {
+ uint8* new_rawdata;
+ assert((tif->tif_flags & TIFF_MYBUFFER) != 0);
+ tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64(
+ (uint64)already_read + to_read + rawdata_offset, 1024);
+ if (tif->tif_rawdatasize==0) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalid buffer size");
+ return 0;
+ }
+ new_rawdata = (uint8*) _TIFFrealloc(
+ tif->tif_rawdata, tif->tif_rawdatasize);
+ if( new_rawdata == 0 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "No space for data buffer at scanline %lu",
+ (unsigned long) tif->tif_row);
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_rawdata = 0;
+ tif->tif_rawdatasize = 0;
+ return 0;
+ }
+ tif->tif_rawdata = new_rawdata;
+ }
+
+ bytes_read = TIFFReadFile(tif,
+ tif->tif_rawdata + rawdata_offset + already_read, to_read);
+ already_read += bytes_read;
+ if (bytes_read != to_read) {
+ memset( tif->tif_rawdata + rawdata_offset + already_read, 0,
+ tif->tif_rawdatasize - rawdata_offset - already_read );
+#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ if( is_strip )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Read error at scanline %lu; got %I64u bytes, "
+ "expected %I64u",
+ (unsigned long) tif->tif_row,
+ (unsigned __int64) already_read,
+ (unsigned __int64) size);
+ }
+ else
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Read error at row %lu, col %lu, tile %lu; "
+ "got %I64u bytes, expected %I64u",
+ (unsigned long) tif->tif_row,
+ (unsigned long) tif->tif_col,
+ (unsigned long) strip_or_tile,
+ (unsigned __int64) already_read,
+ (unsigned __int64) size);
+ }
+#else
+ if( is_strip )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Read error at scanline %lu; got %llu bytes, "
+ "expected %llu",
+ (unsigned long) tif->tif_row,
+ (unsigned long long) already_read,
+ (unsigned long long) size);
+ }
+ else
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Read error at row %lu, col %lu, tile %lu; "
+ "got %llu bytes, expected %llu",
+ (unsigned long) tif->tif_row,
+ (unsigned long) tif->tif_col,
+ (unsigned long) strip_or_tile,
+ (unsigned long long) already_read,
+ (unsigned long long) size);
+ }
+#endif
+ return 0;
+ }
+ }
+ return 1;
+}
+
+
static int
TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
{
@@ -54,7 +169,8 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
register TIFFDirectory *td = &tif->tif_dir;
tmsize_t unused_data;
uint64 read_offset;
- tmsize_t cc, to_read;
+ tmsize_t to_read;
+ tmsize_t read_ahead_mod;
/* tmsize_t bytecountm; */
if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
@@ -67,7 +183,14 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
*/
/* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */
- if (read_ahead*2 > tif->tif_rawdatasize) {
+
+ /* Not completely sure where the * 2 comes from, but probably for */
+ /* an exponentional growth strategy of tif_rawdatasize */
+ if( read_ahead < TIFF_TMSIZE_T_MAX / 2 )
+ read_ahead_mod = read_ahead * 2;
+ else
+ read_ahead_mod = read_ahead;
+ if (read_ahead_mod > tif->tif_rawdatasize) {
assert( restart );
tif->tif_curstrip = NOSTRIP;
@@ -77,8 +200,6 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
(unsigned long) strip);
return (0);
}
- if (!TIFFReadBufferSetup(tif, 0, read_ahead*2))
- return (0);
}
if( restart )
@@ -118,7 +239,10 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
/*
** How much do we want to read?
*/
- to_read = tif->tif_rawdatasize - unused_data;
+ if( read_ahead_mod > tif->tif_rawdatasize )
+ to_read = read_ahead_mod - unused_data;
+ else
+ to_read = tif->tif_rawdatasize - unused_data;
if( (uint64) to_read > td->td_stripbytecount[strip]
- tif->tif_rawdataoff - tif->tif_rawdataloaded )
{
@@ -127,28 +251,18 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
}
assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
- cc = TIFFReadFile(tif, tif->tif_rawdata + unused_data, to_read);
-
- if (cc != to_read) {
-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "Read error at scanline %lu; got %I64u bytes, expected %I64u",
- (unsigned long) tif->tif_row,
- (unsigned __int64) cc,
- (unsigned __int64) to_read);
-#else
- TIFFErrorExt(tif->tif_clientdata, module,
- "Read error at scanline %lu; got %llu bytes, expected %llu",
- (unsigned long) tif->tif_row,
- (unsigned long long) cc,
- (unsigned long long) to_read);
-#endif
+ if( !TIFFReadAndRealloc( tif, to_read, unused_data,
+ 1, /* is_strip */
+ 0, /* strip_or_tile */
+ module) )
+ {
return 0;
}
-
+
tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ;
tif->tif_rawdataloaded = unused_data + to_read;
+ tif->tif_rawcc = tif->tif_rawdataloaded;
tif->tif_rawcp = tif->tif_rawdata;
if (!isFillOrder(tif, td->td_fillorder) &&
@@ -162,9 +276,30 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
** restart the decoder.
*/
if( restart )
- return TIFFStartStrip(tif, strip);
+ {
+
+#ifdef JPEG_SUPPORT
+ /* A bit messy since breaks the codec abstraction. Ultimately */
+ /* there should be a function pointer for that, but it seems */
+ /* only JPEG is affected. */
+ /* For JPEG, if there are multiple scans (can generally be known */
+ /* with the read_ahead used), we need to read the whole strip */
+ if( tif->tif_dir.td_compression==COMPRESSION_JPEG &&
+ (uint64)tif->tif_rawcc < td->td_stripbytecount[strip] )
+ {
+ if( TIFFJPEGIsFullStripRequired(tif) )
+ {
+ return TIFFFillStrip(tif, strip);
+ }
+ }
+#endif
+
+ return TIFFStartStrip(tif, strip);
+ }
else
+ {
return 1;
+ }
}
/*
@@ -219,7 +354,18 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
if( !whole_strip )
{
- read_ahead = tif->tif_scanlinesize * 16 + 5000;
+ /* 16 is for YCbCr mode where we may need to read 16 */
+ /* lines at a time to get a decompressed line, and 5000 */
+ /* is some constant value, for example for JPEG tables */
+ if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
+ tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 )
+ {
+ read_ahead = tif->tif_scanlinesize * 16 + 5000;
+ }
+ else
+ {
+ read_ahead = tif->tif_scanlinesize;
+ }
}
/*
@@ -315,18 +461,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)
}
/*
- * Read a strip of data and decompress the specified
- * amount into the user-supplied buffer.
+ * Calculate the strip size according to the number of
+ * rows in the strip (check for truncated last strip on any
+ * of the separations).
*/
-tmsize_t
-TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane)
{
static const char module[] = "TIFFReadEncodedStrip";
TIFFDirectory *td = &tif->tif_dir;
uint32 rowsperstrip;
uint32 stripsperplane;
uint32 stripinplane;
- uint16 plane;
uint32 rows;
tmsize_t stripsize;
if (!TIFFCheckRead(tif,0))
@@ -338,23 +483,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
(unsigned long)td->td_nstrips);
return((tmsize_t)(-1));
}
- /*
- * Calculate the strip size according to the number of
- * rows in the strip (check for truncated last strip on any
- * of the separations).
- */
+
rowsperstrip=td->td_rowsperstrip;
if (rowsperstrip>td->td_imagelength)
rowsperstrip=td->td_imagelength;
- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
stripinplane=(strip%stripsperplane);
- plane=(uint16)(strip/stripsperplane);
+ if( pplane ) *pplane=(uint16)(strip/stripsperplane);
rows=td->td_imagelength-stripinplane*rowsperstrip;
if (rows>rowsperstrip)
rows=rowsperstrip;
stripsize=TIFFVStripSize(tif,rows);
if (stripsize==0)
return((tmsize_t)(-1));
+ return stripsize;
+}
+
+/*
+ * Read a strip of data and decompress the specified
+ * amount into the user-supplied buffer.
+ */
+tmsize_t
+TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+{
+ static const char module[] = "TIFFReadEncodedStrip";
+ TIFFDirectory *td = &tif->tif_dir;
+ tmsize_t stripsize;
+ uint16 plane;
+
+ stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
+ if (stripsize==((tmsize_t)(-1)))
+ return((tmsize_t)(-1));
/* shortcut to avoid an extra memcpy() */
if( td->td_compression == COMPRESSION_NONE &&
@@ -383,6 +542,49 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
return(stripsize);
}
+/* Variant of TIFFReadEncodedStrip() that does
+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has
+ * suceeded. This avoid excessive memory allocation in case of truncated
+ * file.
+ * * calls regular TIFFReadEncodedStrip() if *buf != NULL
+ */
+tmsize_t
+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
+ void **buf, tmsize_t bufsizetoalloc,
+ tmsize_t size_to_read)
+{
+ tmsize_t this_stripsize;
+ uint16 plane;
+
+ if( *buf != NULL )
+ {
+ return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
+ }
+
+ this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
+ if (this_stripsize==((tmsize_t)(-1)))
+ return((tmsize_t)(-1));
+
+ if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize))
+ this_stripsize=size_to_read;
+ if (!TIFFFillStrip(tif,strip))
+ return((tmsize_t)(-1));
+
+ *buf = _TIFFmalloc(bufsizetoalloc);
+ if (*buf == NULL) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
+ return((tmsize_t)(-1));
+ }
+ _TIFFmemset(*buf, 0, bufsizetoalloc);
+
+ if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0)
+ return((tmsize_t)(-1));
+ (*tif->tif_postdecode)(tif,*buf,this_stripsize);
+ return(this_stripsize);
+
+
+}
+
static tmsize_t
TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
const char* module)
@@ -420,16 +622,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
return ((tmsize_t)(-1));
}
} else {
- tmsize_t ma,mb;
+ tmsize_t ma = 0;
tmsize_t n;
- ma=(tmsize_t)td->td_stripoffset[strip];
- mb=ma+size;
- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
- n=0;
- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
- n=tif->tif_size-ma;
- else
- n=size;
+ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
+ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
+ {
+ n=0;
+ }
+ else if( ma > TIFF_TMSIZE_T_MAX - size )
+ {
+ n=0;
+ }
+ else
+ {
+ tmsize_t mb=ma+size;
+ if (mb>tif->tif_size)
+ n=tif->tif_size-ma;
+ else
+ n=size;
+ }
if (n!=size) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -454,6 +665,43 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
return (size);
}
+static tmsize_t
+TIFFReadRawStripOrTile2(TIFF* tif, uint32 strip_or_tile, int is_strip,
+ tmsize_t size, const char* module)
+{
+ TIFFDirectory *td = &tif->tif_dir;
+
+ assert( !isMapped(tif) );
+ assert((tif->tif_flags&TIFF_NOREADRAW)==0);
+
+ if (!SeekOK(tif, td->td_stripoffset[strip_or_tile])) {
+ if( is_strip )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Seek error at scanline %lu, strip %lu",
+ (unsigned long) tif->tif_row,
+ (unsigned long) strip_or_tile);
+ }
+ else
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Seek error at row %lu, col %lu, tile %lu",
+ (unsigned long) tif->tif_row,
+ (unsigned long) tif->tif_col,
+ (unsigned long) strip_or_tile);
+ }
+ return ((tmsize_t)(-1));
+ }
+
+ if( !TIFFReadAndRealloc( tif, size, 0, is_strip,
+ strip_or_tile, module ) )
+ {
+ return ((tmsize_t)(-1));
+ }
+
+ return (size);
+}
+
/*
* Read a strip of data from the file.
*/
@@ -535,26 +783,40 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
#endif
return (0);
}
- if (isMapped(tif) &&
- (isFillOrder(tif, td->td_fillorder)
- || (tif->tif_flags & TIFF_NOBITREV))) {
- /*
- * The image is mapped into memory and we either don't
- * need to flip bits or the compression routine is
- * going to handle this operation itself. In this
- * case, avoid copying the raw data and instead just
- * reference the data from the memory mapped file
- * image. This assumes that the decompression
- * routines do not modify the contents of the raw data
- * buffer (if they try to, the application will get a
- * fault since the file is mapped read-only).
- */
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
- _TIFFfree(tif->tif_rawdata);
- tif->tif_rawdata = NULL;
- tif->tif_rawdatasize = 0;
+
+ /* To avoid excessive memory allocations: */
+ /* Byte count should normally not be larger than a number of */
+ /* times the uncompressed size plus some margin */
+ if( bytecount > 1024 * 1024 )
+ {
+ /* 10 and 4096 are just values that could be adjusted. */
+ /* Hopefully they are safe enough for all codecs */
+ tmsize_t stripsize = TIFFStripSize(tif);
+ if( stripsize != 0 &&
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+ if( (int64)newbytecount >= 0 )
+ {
+#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Too large strip byte count %I64u, strip %lu. Limiting to %I64u",
+ (unsigned __int64) bytecount,
+ (unsigned long) strip,
+ (unsigned __int64) newbytecount);
+#else
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too large strip byte count %llu, strip %lu. Limiting to %llu",
+ (unsigned long long) bytecount,
+ (unsigned long) strip,
+ (unsigned long long) newbytecount);
+#endif
+ bytecount = newbytecount;
+ }
}
- tif->tif_flags &= ~TIFF_MYBUFFER;
+ }
+
+ if (isMapped(tif)) {
/*
* We must check for overflow, potentially causing
* an OOB read. Instead of simple
@@ -591,6 +853,28 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
tif->tif_curstrip = NOSTRIP;
return (0);
}
+ }
+
+ if (isMapped(tif) &&
+ (isFillOrder(tif, td->td_fillorder)
+ || (tif->tif_flags & TIFF_NOBITREV))) {
+ /*
+ * The image is mapped into memory and we either don't
+ * need to flip bits or the compression routine is
+ * going to handle this operation itself. In this
+ * case, avoid copying the raw data and instead just
+ * reference the data from the memory mapped file
+ * image. This assumes that the decompression
+ * routines do not modify the contents of the raw data
+ * buffer (if they try to, the application will get a
+ * fault since the file is mapped read-only).
+ */
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ }
+ tif->tif_flags &= ~TIFF_MYBUFFER;
tif->tif_rawdatasize = (tmsize_t)bytecount;
tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip];
tif->tif_rawdataoff = 0;
@@ -624,17 +908,36 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
(unsigned long) strip);
return (0);
}
- if (!TIFFReadBufferSetup(tif, 0, bytecountm))
- return (0);
}
if (tif->tif_flags&TIFF_BUFFERMMAP) {
tif->tif_curstrip = NOSTRIP;
- if (!TIFFReadBufferSetup(tif, 0, bytecountm))
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
+ }
+
+ if( isMapped(tif) )
+ {
+ if (bytecountm > tif->tif_rawdatasize &&
+ !TIFFReadBufferSetup(tif, 0, bytecountm))
+ {
+ return (0);
+ }
+ if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata,
+ bytecountm, module) != bytecountm)
+ {
return (0);
+ }
}
- if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata,
- bytecountm, module) != bytecountm)
- return (0);
+ else
+ {
+ if (TIFFReadRawStripOrTile2(tif, strip, 1,
+ bytecountm, module) != bytecountm)
+ {
+ return (0);
+ }
+ }
+
tif->tif_rawdataoff = 0;
tif->tif_rawdataloaded = bytecountm;
@@ -714,6 +1017,77 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
return ((tmsize_t)(-1));
}
+/* Variant of TIFFReadTile() that does
+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
+ * suceeded. This avoid excessive memory allocation in case of truncated
+ * file.
+ * * calls regular TIFFReadEncodedTile() if *buf != NULL
+ */
+tmsize_t
+_TIFFReadTileAndAllocBuffer(TIFF* tif,
+ void **buf, tmsize_t bufsizetoalloc,
+ uint32 x, uint32 y, uint32 z, uint16 s)
+{
+ if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
+ return ((tmsize_t)(-1));
+ return (_TIFFReadEncodedTileAndAllocBuffer(tif,
+ TIFFComputeTile(tif, x, y, z, s),
+ buf, bufsizetoalloc,
+ (tmsize_t)(-1)));
+}
+
+/* Variant of TIFFReadEncodedTile() that does
+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
+ * suceeded. This avoid excessive memory allocation in case of truncated
+ * file.
+ * * calls regular TIFFReadEncodedTile() if *buf != NULL
+ */
+tmsize_t
+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
+ void **buf, tmsize_t bufsizetoalloc,
+ tmsize_t size_to_read)
+{
+ static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
+ TIFFDirectory *td = &tif->tif_dir;
+ tmsize_t tilesize = tif->tif_tilesize;
+
+ if( *buf != NULL )
+ {
+ return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
+ }
+
+ if (!TIFFCheckRead(tif, 1))
+ return ((tmsize_t)(-1));
+ if (tile >= td->td_nstrips) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%lu: Tile out of range, max %lu",
+ (unsigned long) tile, (unsigned long) td->td_nstrips);
+ return ((tmsize_t)(-1));
+ }
+
+ if (!TIFFFillTile(tif,tile))
+ return((tmsize_t)(-1));
+
+ *buf = _TIFFmalloc(bufsizetoalloc);
+ if (*buf == NULL) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "No space for tile buffer");
+ return((tmsize_t)(-1));
+ }
+ _TIFFmemset(*buf, 0, bufsizetoalloc);
+
+ if (size_to_read == (tmsize_t)(-1))
+ size_to_read = tilesize;
+ else if (size_to_read > tilesize)
+ size_to_read = tilesize;
+ if( (*tif->tif_decodetile)(tif,
+ (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) {
+ (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read);
+ return (size_to_read);
+ } else
+ return ((tmsize_t)(-1));
+}
+
static tmsize_t
TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
{
@@ -856,6 +1230,56 @@ TIFFFillTile(TIFF* tif, uint32 tile)
#endif
return (0);
}
+
+ /* To avoid excessive memory allocations: */
+ /* Byte count should normally not be larger than a number of */
+ /* times the uncompressed size plus some margin */
+ if( bytecount > 1024 * 1024 )
+ {
+ /* 10 and 4096 are just values that could be adjusted. */
+ /* Hopefully they are safe enough for all codecs */
+ tmsize_t stripsize = TIFFTileSize(tif);
+ if( stripsize != 0 &&
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+ if( (int64)newbytecount >= 0 )
+ {
+#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Too large tile byte count %I64u, tile %lu. Limiting to %I64u",
+ (unsigned __int64) bytecount,
+ (unsigned long) tile,
+ (unsigned __int64) newbytecount);
+#else
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too large tile byte count %llu, tile %lu. Limiting to %llu",
+ (unsigned long long) bytecount,
+ (unsigned long) tile,
+ (unsigned long long) newbytecount);
+#endif
+ bytecount = newbytecount;
+ }
+ }
+ }
+
+ if (isMapped(tif)) {
+ /*
+ * We must check for overflow, potentially causing
+ * an OOB read. Instead of simple
+ *
+ * td->td_stripoffset[tile]+bytecount > tif->tif_size
+ *
+ * comparison (which can overflow) we do the following
+ * two comparisons:
+ */
+ if (bytecount > (uint64)tif->tif_size ||
+ td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
+ tif->tif_curtile = NOTILE;
+ return (0);
+ }
+ }
+
if (isMapped(tif) &&
(isFillOrder(tif, td->td_fillorder)
|| (tif->tif_flags & TIFF_NOBITREV))) {
@@ -876,20 +1300,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
tif->tif_rawdatasize = 0;
}
tif->tif_flags &= ~TIFF_MYBUFFER;
- /*
- * We must check for overflow, potentially causing
- * an OOB read. Instead of simple
- *
- * td->td_stripoffset[tile]+bytecount > tif->tif_size
- *
- * comparison (which can overflow) we do the following
- * two comparisons:
- */
- if (bytecount > (uint64)tif->tif_size ||
- td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
- tif->tif_curtile = NOTILE;
- return (0);
- }
+
tif->tif_rawdatasize = (tmsize_t)bytecount;
tif->tif_rawdata =
tif->tif_base + (tmsize_t)td->td_stripoffset[tile];
@@ -917,18 +1328,36 @@ TIFFFillTile(TIFF* tif, uint32 tile)
(unsigned long) tile);
return (0);
}
- if (!TIFFReadBufferSetup(tif, 0, bytecountm))
- return (0);
}
if (tif->tif_flags&TIFF_BUFFERMMAP) {
tif->tif_curtile = NOTILE;
- if (!TIFFReadBufferSetup(tif, 0, bytecountm))
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
+ }
+
+ if( isMapped(tif) )
+ {
+ if (bytecountm > tif->tif_rawdatasize &&
+ !TIFFReadBufferSetup(tif, 0, bytecountm))
+ {
+ return (0);
+ }
+ if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata,
+ bytecountm, module) != bytecountm)
+ {
return (0);
+ }
+ }
+ else
+ {
+ if (TIFFReadRawStripOrTile2(tif, tile, 0,
+ bytecountm, module) != bytecountm)
+ {
+ return (0);
+ }
}
- if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata,
- bytecountm, module) != bytecountm)
- return (0);
tif->tif_rawdataoff = 0;
tif->tif_rawdataloaded = bytecountm;
@@ -976,7 +1405,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
"Invalid buffer size");
return (0);
}
- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+ /* Initialize to zero to avoid uninitialized buffers in case of */
+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
tif->tif_flags |= TIFF_MYBUFFER;
}
if (tif->tif_rawdata == NULL) {
@@ -1018,7 +1449,10 @@ TIFFStartStrip(TIFF* tif, uint32 strip)
else
{
tif->tif_rawcp = tif->tif_rawdata;
- tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip];
+ if( tif->tif_rawdataloaded > 0 )
+ tif->tif_rawcc = tif->tif_rawdataloaded;
+ else
+ tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip];
}
return ((*tif->tif_predecode)(tif,
(uint16)(strip / td->td_stripsperimage)));
@@ -1065,7 +1499,10 @@ TIFFStartTile(TIFF* tif, uint32 tile)
else
{
tif->tif_rawcp = tif->tif_rawdata;
- tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
+ if( tif->tif_rawdataloaded > 0 )
+ tif->tif_rawcc = tif->tif_rawdataloaded;
+ else
+ tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
}
return ((*tif->tif_predecode)(tif,
(uint16)(tile/td->td_stripsperimage)));
diff --git a/src/3rdparty/libtiff/libtiff/tif_strip.c b/src/3rdparty/libtiff/libtiff/tif_strip.c
index b6098dd..6e9f2ef 100644
--- a/src/3rdparty/libtiff/libtiff/tif_strip.c
+++ b/src/3rdparty/libtiff/libtiff/tif_strip.c
@@ -1,4 +1,4 @@
-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
+/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
TIFFDirectory *td = &tif->tif_dir;
uint32 nstrips;
- /* If the value was already computed and store in td_nstrips, then return it,
- since ChopUpSingleUncompressedStrip might have altered and resized the
- since the td_stripbytecount and td_stripoffset arrays to the new value
- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
- tif_dirread.c ~line 3612.
- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
- if( td->td_nstrips )
- return td->td_nstrips;
-
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/src/3rdparty/libtiff/libtiff/tif_swab.c b/src/3rdparty/libtiff/libtiff/tif_swab.c
index 211dc57..4b2e5f1 100644
--- a/src/3rdparty/libtiff/libtiff/tif_swab.c
+++ b/src/3rdparty/libtiff/libtiff/tif_swab.c
@@ -1,4 +1,4 @@
-/* $Id: tif_swab.c,v 1.14 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_swab.c,v 1.15 2017-06-08 16:39:50 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -31,7 +31,7 @@
*/
#include "tiffiop.h"
-#ifndef TIFFSwabShort
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabShort)
void
TIFFSwabShort(uint16* wp)
{
@@ -42,7 +42,7 @@ TIFFSwabShort(uint16* wp)
}
#endif
-#ifndef TIFFSwabLong
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabLong)
void
TIFFSwabLong(uint32* lp)
{
@@ -54,7 +54,7 @@ TIFFSwabLong(uint32* lp)
}
#endif
-#ifndef TIFFSwabLong8
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabLong8)
void
TIFFSwabLong8(uint64* lp)
{
@@ -68,7 +68,7 @@ TIFFSwabLong8(uint64* lp)
}
#endif
-#ifndef TIFFSwabArrayOfShort
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfShort)
void
TIFFSwabArrayOfShort(register uint16* wp, tmsize_t n)
{
@@ -84,7 +84,7 @@ TIFFSwabArrayOfShort(register uint16* wp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabArrayOfTriples
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfTriples)
void
TIFFSwabArrayOfTriples(register uint8* tp, tmsize_t n)
{
@@ -100,7 +100,7 @@ TIFFSwabArrayOfTriples(register uint8* tp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabArrayOfLong
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfLong)
void
TIFFSwabArrayOfLong(register uint32* lp, tmsize_t n)
{
@@ -117,7 +117,7 @@ TIFFSwabArrayOfLong(register uint32* lp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabArrayOfLong8
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfLong8)
void
TIFFSwabArrayOfLong8(register uint64* lp, tmsize_t n)
{
@@ -136,7 +136,7 @@ TIFFSwabArrayOfLong8(register uint64* lp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabFloat
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabFloat)
void
TIFFSwabFloat(float* fp)
{
@@ -148,7 +148,7 @@ TIFFSwabFloat(float* fp)
}
#endif
-#ifndef TIFFSwabArrayOfFloat
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfFloat)
void
TIFFSwabArrayOfFloat(register float* fp, tmsize_t n)
{
@@ -165,7 +165,7 @@ TIFFSwabArrayOfFloat(register float* fp, tmsize_t n)
}
#endif
-#ifndef TIFFSwabDouble
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabDouble)
void
TIFFSwabDouble(double *dp)
{
@@ -179,7 +179,7 @@ TIFFSwabDouble(double *dp)
}
#endif
-#ifndef TIFFSwabArrayOfDouble
+#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfDouble)
void
TIFFSwabArrayOfDouble(double* dp, tmsize_t n)
{
diff --git a/src/3rdparty/libtiff/libtiff/tif_unix.c b/src/3rdparty/libtiff/libtiff/tif_unix.c
index 81e9d66..80c437c 100644
--- a/src/3rdparty/libtiff/libtiff/tif_unix.c
+++ b/src/3rdparty/libtiff/libtiff/tif_unix.c
@@ -1,4 +1,4 @@
-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
+/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
return (malloc((size_t) s));
}
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+ if( nmemb == 0 || siz == 0 )
+ return ((void *) NULL);
+
+ return calloc((size_t) nmemb, (size_t)siz);
+}
+
void
_TIFFfree(void* p)
{
diff --git a/src/3rdparty/libtiff/libtiff/tif_warning.c b/src/3rdparty/libtiff/libtiff/tif_warning.c
index 423b636..dc79f14 100644
--- a/src/3rdparty/libtiff/libtiff/tif_warning.c
+++ b/src/3rdparty/libtiff/libtiff/tif_warning.c
@@ -1,4 +1,4 @@
-/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_warning.c,v 1.3 2010-03-10 18:56:49 bfriesen Exp $ */
+/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_warning.c,v 1.4 2017-07-04 12:54:42 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -51,24 +51,32 @@ void
TIFFWarning(const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFwarningHandler)
+ if (_TIFFwarningHandler) {
+ va_start(ap, fmt);
(*_TIFFwarningHandler)(module, fmt, ap);
- if (_TIFFwarningHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFwarningHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFwarningHandlerExt)(0, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
void
TIFFWarningExt(thandle_t fd, const char* module, const char* fmt, ...)
{
va_list ap;
- va_start(ap, fmt);
- if (_TIFFwarningHandler)
+ if (_TIFFwarningHandler) {
+ va_start(ap, fmt);
(*_TIFFwarningHandler)(module, fmt, ap);
- if (_TIFFwarningHandlerExt)
+ va_end(ap);
+ }
+ if (_TIFFwarningHandlerExt) {
+ va_start(ap, fmt);
(*_TIFFwarningHandlerExt)(fd, module, fmt, ap);
- va_end(ap);
+ va_end(ap);
+ }
}
diff --git a/src/3rdparty/libtiff/libtiff/tif_win32.c b/src/3rdparty/libtiff/libtiff/tif_win32.c
index fdc2ee6..ea40163 100644
--- a/src/3rdparty/libtiff/libtiff/tif_win32.c
+++ b/src/3rdparty/libtiff/libtiff/tif_win32.c
@@ -1,4 +1,4 @@
-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
+/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
return (malloc((size_t) s));
}
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+ if( nmemb == 0 || siz == 0 )
+ return ((void *) NULL);
+
+ return calloc((size_t) nmemb, (size_t)siz);
+}
+
void
_TIFFfree(void* p)
{
diff --git a/src/3rdparty/libtiff/libtiff/tif_write.c b/src/3rdparty/libtiff/libtiff/tif_write.c
index 34c4d81..4c216ec 100644
--- a/src/3rdparty/libtiff/libtiff/tif_write.c
+++ b/src/3rdparty/libtiff/libtiff/tif_write.c
@@ -1,4 +1,4 @@
-/* $Id: tif_write.c,v 1.45 2016-09-23 22:12:18 erouault Exp $ */
+/* $Id: tif_write.c,v 1.46 2016-12-03 21:57:44 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -476,22 +476,22 @@ TIFFWriteEncodedTile(TIFF* tif, uint32 tile, void* data, tmsize_t cc)
sample = (uint16)(tile/td->td_stripsperimage);
if (!(*tif->tif_preencode)(tif, sample))
return ((tmsize_t)(-1));
- /* swab if needed - note that source buffer will be altered */
- tif->tif_postdecode( tif, (uint8*) data, cc );
+ /* swab if needed - note that source buffer will be altered */
+ tif->tif_postdecode( tif, (uint8*) data, cc );
- if (!(*tif->tif_encodetile)(tif, (uint8*) data, cc, sample))
- return ((tmsize_t) -1);
- if (!(*tif->tif_postencode)(tif))
- return ((tmsize_t)(-1));
- if (!isFillOrder(tif, td->td_fillorder) &&
- (tif->tif_flags & TIFF_NOBITREV) == 0)
- TIFFReverseBits((uint8*)tif->tif_rawdata, tif->tif_rawcc);
- if (tif->tif_rawcc > 0 && !TIFFAppendToStrip(tif, tile,
- tif->tif_rawdata, tif->tif_rawcc))
- return ((tmsize_t)(-1));
- tif->tif_rawcc = 0;
- tif->tif_rawcp = tif->tif_rawdata;
- return (cc);
+ if (!(*tif->tif_encodetile)(tif, (uint8*) data, cc, sample))
+ return ((tmsize_t) -1);
+ if (!(*tif->tif_postencode)(tif))
+ return ((tmsize_t)(-1));
+ if (!isFillOrder(tif, td->td_fillorder) &&
+ (tif->tif_flags & TIFF_NOBITREV) == 0)
+ TIFFReverseBits((uint8*)tif->tif_rawdata, tif->tif_rawcc);
+ if (tif->tif_rawcc > 0 && !TIFFAppendToStrip(tif, tile,
+ tif->tif_rawdata, tif->tif_rawcc))
+ return ((tmsize_t)(-1));
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
+ return (cc);
}
/*
diff --git a/src/3rdparty/libtiff/libtiff/tif_zip.c b/src/3rdparty/libtiff/libtiff/tif_zip.c
index 8c35aea..42943fb 100644
--- a/src/3rdparty/libtiff/libtiff/tif_zip.c
+++ b/src/3rdparty/libtiff/libtiff/tif_zip.c
@@ -1,4 +1,4 @@
-/* $Id: tif_zip.c,v 1.36 2016-11-12 16:48:28 erouault Exp $ */
+/* $Id: tif_zip.c,v 1.37 2017-05-10 15:21:16 erouault Exp $ */
/*
* Copyright (c) 1995-1997 Sam Leffler
@@ -107,7 +107,11 @@ ZIPSetupDecode(TIFF* tif)
sp->state = 0;
}
- if (inflateInit(&sp->stream) != Z_OK) {
+ /* This function can possibly be called several times by */
+ /* PredictorSetupDecode() if this function succeeds but */
+ /* PredictorSetup() fails */
+ if ((sp->state & ZSTATE_INIT_DECODE) == 0 &&
+ inflateInit(&sp->stream) != Z_OK) {
TIFFErrorExt(tif->tif_clientdata, module, "%s", SAFE_MSG(sp));
return (0);
} else {
diff --git a/src/3rdparty/libtiff/libtiff/tiffio.h b/src/3rdparty/libtiff/libtiff/tiffio.h
index 6a84d80..ef61b5c 100644
--- a/src/3rdparty/libtiff/libtiff/tiffio.h
+++ b/src/3rdparty/libtiff/libtiff/tiffio.h
@@ -1,4 +1,4 @@
-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
*/
extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
extern void* _TIFFrealloc(void* p, tmsize_t s);
extern void _TIFFmemset(void* p, int v, tmsize_t c);
extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
@@ -430,6 +431,8 @@ extern int TIFFReadRGBAImageOriented(TIFF*, uint32, uint32, uint32*, int, int);
extern int TIFFReadRGBAStrip(TIFF*, uint32, uint32 * );
extern int TIFFReadRGBATile(TIFF*, uint32, uint32, uint32 * );
+extern int TIFFReadRGBAStripExt(TIFF*, uint32, uint32 *, int stop_on_error );
+extern int TIFFReadRGBATileExt(TIFF*, uint32, uint32, uint32 *, int stop_on_error );
extern int TIFFRGBAImageOK(TIFF*, char [1024]);
extern int TIFFRGBAImageBegin(TIFFRGBAImage*, TIFF*, int, char [1024]);
extern int TIFFRGBAImageGet(TIFFRGBAImage*, uint32*, uint32, uint32);
diff --git a/src/3rdparty/libtiff/libtiff/tiffiop.h b/src/3rdparty/libtiff/libtiff/tiffiop.h
index 0b4e590..4da486b 100644
--- a/src/3rdparty/libtiff/libtiff/tiffiop.h
+++ b/src/3rdparty/libtiff/libtiff/tiffiop.h
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tiffiop.h,v 1.95 2017-09-07 14:02:52 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -242,8 +242,7 @@ struct tiff {
(TIFFReadFile((tif),(buf),(size))==(size))
#endif
#ifndef SeekOK
-#define SeekOK(tif, off) \
- (TIFFSeekFile((tif),(off),SEEK_SET)==(off))
+#define SeekOK(tif, off) _TIFFSeekOK(tif, off)
#endif
#ifndef WriteOK
#define WriteOK(tif, buf, size) \
@@ -254,6 +253,10 @@ struct tiff {
#define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
#define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
#define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
#define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
@@ -315,6 +318,13 @@ typedef size_t TIFFIOSize_t;
#define _TIFF_off_t off_t
#endif
+#if __clang_major__ >= 4 || (__clang_major__ == 3 && __clang_minor__ >= 8)
+#define TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow")))
+#else
+#define TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
+#endif
+
+
#if defined(__cplusplus)
extern "C" {
#endif
@@ -365,6 +375,20 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
+extern tmsize_t
+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
+ void **buf, tmsize_t bufsizetoalloc,
+ tmsize_t size_to_read);
+extern tmsize_t
+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
+ void **buf, tmsize_t bufsizetoalloc,
+ tmsize_t size_to_read);
+extern tmsize_t
+_TIFFReadTileAndAllocBuffer(TIFF* tif,
+ void **buf, tmsize_t bufsizetoalloc,
+ uint32 x, uint32 y, uint32 z, uint16 s);
+extern int _TIFFSeekOK(TIFF* tif, toff_t off);
+
extern int TIFFInitDumpMode(TIFF*, int);
#ifdef PACKBITS_SUPPORT
extern int TIFFInitPackBits(TIFF*, int);
@@ -387,6 +411,7 @@ extern int TIFFInitOJPEG(TIFF*, int);
#endif
#ifdef JPEG_SUPPORT
extern int TIFFInitJPEG(TIFF*, int);
+extern int TIFFJPEGIsFullStripRequired(TIFF*);
#endif
#ifdef JBIG_SUPPORT
extern int TIFFInitJBIG(TIFF*, int);
diff --git a/src/3rdparty/libtiff/libtiff/tiffvers.h b/src/3rdparty/libtiff/libtiff/tiffvers.h
index fe55c72..890e433 100644
--- a/src/3rdparty/libtiff/libtiff/tiffvers.h
+++ b/src/3rdparty/libtiff/libtiff/tiffvers.h
@@ -1,4 +1,4 @@
-#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.7\nCopyright (c) 1988-1996 Sam Leffler\nCopyright (c) 1991-1996 Silicon Graphics, Inc."
+#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.8\nCopyright (c) 1988-1996 Sam Leffler\nCopyright (c) 1991-1996 Silicon Graphics, Inc."
/*
* This define can be used in code that requires
* compilation-related definitions specific to a
@@ -6,4 +6,4 @@
* version checking should be done based on the
* string returned by TIFFGetVersion.
*/
-#define TIFFLIB_VERSION 20161119
+#define TIFFLIB_VERSION 20170521
diff --git a/src/3rdparty/libtiff/port/dummy.c b/src/3rdparty/libtiff/port/dummy.c
index 46f93bc..923ee7b 100644
--- a/src/3rdparty/libtiff/port/dummy.c
+++ b/src/3rdparty/libtiff/port/dummy.c
@@ -1,4 +1,4 @@
-/* $Id: dummy.c,v 1.3 2007/03/21 14:54:16 dron Exp $ */
+/* $Id: dummy.c,v 1.3 2007-03-21 14:54:16 dron Exp $ */
/*
* Dummy function, just to be ensure that the library always will be created.
diff --git a/src/3rdparty/libtiff/port/lfind.c b/src/3rdparty/libtiff/port/lfind.c
index 64b261c..22d9798 100644
--- a/src/3rdparty/libtiff/port/lfind.c
+++ b/src/3rdparty/libtiff/port/lfind.c
@@ -1,4 +1,4 @@
-/* $Id: lfind.c,v 1.4 2007/01/15 18:40:39 mloskot Exp $ */
+/* $Id: lfind.c,v 1.4 2007-01-15 18:40:39 mloskot Exp $ */
/*
* Copyright (c) 1989, 1993
diff --git a/src/3rdparty/libtiff/port/strtoul.c b/src/3rdparty/libtiff/port/strtoul.c
index f7a9a1a..84ab215 100644
--- a/src/3rdparty/libtiff/port/strtoul.c
+++ b/src/3rdparty/libtiff/port/strtoul.c
@@ -1,4 +1,4 @@
-/* $Id: strtoul.c,v 1.2 2005/07/07 16:34:06 dron Exp $ */
+/* $Id: strtoul.c,v 1.2 2005-07-07 16:34:06 dron Exp $ */
/*
* Copyright (c) 1990, 1993
diff --git a/src/3rdparty/libtiff/qt_attribution.json b/src/3rdparty/libtiff/qt_attribution.json
index e330f93..52b4413 100644
--- a/src/3rdparty/libtiff/qt_attribution.json
+++ b/src/3rdparty/libtiff/qt_attribution.json
@@ -6,7 +6,7 @@
"Description": "",
"Homepage": "http://www.simplesystems.org/libtiff/",
- "Version": "4.0.7",
+ "Version": "4.0.8",
"License": "libtiff License",
"LicenseId": "libtiff",
"LicenseFile": "COPYRIGHT",
diff --git a/src/imageformats/doc/src/qtimageformats.qdoc b/src/imageformats/doc/src/qtimageformats.qdoc
index 2fea934..c161220 100644
--- a/src/imageformats/doc/src/qtimageformats.qdoc
+++ b/src/imageformats/doc/src/qtimageformats.qdoc
@@ -1,7 +1,7 @@
/****************************************************************************
**
-** Copyright (C) 2015 The Qt Company Ltd.
-** Contact: http://www.qt.io/licensing/
+** Copyright (C) 2017 The Qt Company Ltd.
+** Contact: https://www.qt.io/licensing/
**
** This file is part of the documentation of the Qt Image Formats module.
**
@@ -11,8 +11,8 @@
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and The Qt Company. For licensing terms
-** and conditions see http://www.qt.io/terms-conditions. For further
-** information use the contact form at http://www.qt.io/contact-us.
+** and conditions see https://www.qt.io/terms-conditions. For further
+** information use the contact form at https://www.qt.io/contact-us.
**
** GNU Free Documentation License Usage
** Alternatively, this file may be used under the terms of the GNU Free
@@ -20,7 +20,7 @@
** Foundation and appearing in the file included in the packaging of
** this file. Please review the following information to ensure
** the GNU Free Documentation License version 1.3 requirements
-** will be met: http://www.gnu.org/copyleft/fdl.html.
+** will be met: https://www.gnu.org/licenses/fdl-1.3.html.
** $QT_END_LICENSE$
**
****************************************************************************/
diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
index e2f20a7..97510df 100644
--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -45,6 +45,10 @@
struct TgaReader
{
+ Q_DISABLE_COPY(TgaReader)
+
+ TgaReader() = default;
+
virtual ~TgaReader() {}
virtual QRgb operator()(QIODevice *s) const = 0;
};
diff --git a/src/plugins/imageformats/webp/qwebphandler.cpp b/src/plugins/imageformats/webp/qwebphandler.cpp
index f47040a..7bea4d0 100644
--- a/src/plugins/imageformats/webp/qwebphandler.cpp
+++ b/src/plugins/imageformats/webp/qwebphandler.cpp
@@ -295,7 +295,7 @@ void QWebpHandler::setOption(ImageOption option, const QVariant &value)
default:
break;
}
- return QImageIOHandler::setOption(option, value);
+ QImageIOHandler::setOption(option, value);
}
bool QWebpHandler::supportsOption(ImageOption option) const