From 0d42a2e44491980e6803d6aee6c7d2e83acadec4 Mon Sep 17 00:00:00 2001 From: Antti Kokko Date: Mon, 28 Aug 2017 11:39:58 +0300 Subject: Add changes file for Qt 5.6.3 Task-number: QTBUG-62717 Change-Id: If125eec9f76187afcc6722f7b0825745ffe31303 Reviewed-by: Liang Qi --- dist/changes-5.6.3 | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 dist/changes-5.6.3 diff --git a/dist/changes-5.6.3 b/dist/changes-5.6.3 new file mode 100644 index 0000000..87807cd --- /dev/null +++ b/dist/changes-5.6.3 @@ -0,0 +1,26 @@ +Qt 5.6.3 is a bug-fix release. It maintains both forward and backward +compatibility (source and binary) with Qt 5.6.0. + +For more details, refer to the online documentation included in this +distribution. The documentation is also available online: + + http://doc.qt.io/qt-5/index.html + +The Qt version 5.6 series is binary compatible with the 5.5.x series. +Applications compiled for 5.5 will continue to run with 5.6. + +Some of the changes listed in this file include issue tracking numbers +corresponding to tasks in the Qt Bug Tracker: + + https://bugreports.qt.io/ + +Each of these identifiers can be entered in the bug tracker to obtain more +information about a particular change. + +**************************************************************************** +* Important Behavior Changes * +**************************************************************************** + + - For security reasons, the DDS handler will no longer be built by + default. Users who still want this handler can build it from the + source project. -- cgit v1.2.3 From dc6dc3b088d1828ee6d31f92528e0c87272ad4ed Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Fri, 22 Sep 2017 13:28:25 +0200 Subject: Add changes file for Qt 5.9.2 Change-Id: Ic9bf390feceac545e3ab971dff72ff36b00535e0 Reviewed-by: Andy Shaw --- dist/changes-5.9.2 | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 dist/changes-5.9.2 diff --git a/dist/changes-5.9.2 b/dist/changes-5.9.2 new file mode 100644 index 0000000..918c4e5 --- /dev/null +++ b/dist/changes-5.9.2 @@ -0,0 +1,24 @@ +Qt 5.9.2 is a bug-fix release. It maintains both forward and backward +compatibility (source and binary) with Qt 5.9.0. + +For more details, refer to the online documentation included in this +distribution. The documentation is also available online: + +http://doc.qt.io/qt-5/index.html + +The Qt version 5.9 series is binary compatible with the 5.8.x series. +Applications compiled for 5.8 will continue to run with 5.9. + +Some of the changes listed in this file include issue tracking numbers +corresponding to tasks in the Qt Bug Tracker: + +https://bugreports.qt.io/ + +Each of these identifiers can be entered in the bug tracker to obtain more +information about a particular change. + +**************************************************************************** +* Qt 5.9.2 Changes * +**************************************************************************** + + - Minor bugfixes for animated webp images. -- cgit v1.2.3 From fbf08943ac39c0187013c2924e572d06c1372412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Klitzing?= Date: Fri, 6 Oct 2017 13:11:45 +0200 Subject: Avoid returning void expression Change-Id: I32dd4ece07c0ff4ef882fffe69afbe2f4a818a96 Reviewed-by: Eirik Aavitsland --- src/plugins/imageformats/webp/qwebphandler.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/plugins/imageformats/webp/qwebphandler.cpp b/src/plugins/imageformats/webp/qwebphandler.cpp index ce90158..7f7bdd9 100644 --- a/src/plugins/imageformats/webp/qwebphandler.cpp +++ b/src/plugins/imageformats/webp/qwebphandler.cpp @@ -295,7 +295,7 @@ void QWebpHandler::setOption(ImageOption option, const QVariant &value) default: break; } - return QImageIOHandler::setOption(option, value); + QImageIOHandler::setOption(option, value); } bool QWebpHandler::supportsOption(ImageOption option) const -- cgit v1.2.3 From 058fbfed210abce0b74c198f3a69940aadc9d48a Mon Sep 17 00:00:00 2001 From: Oswald Buddenhagen Date: Fri, 6 Oct 2017 18:00:43 +0200 Subject: Bump version Change-Id: Ib87dfcc477d0a0a189e9caf5cb73489b1ad923c2 --- .qmake.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.qmake.conf b/.qmake.conf index 78a277a..2108ac6 100644 --- a/.qmake.conf +++ b/.qmake.conf @@ -1,3 +1,3 @@ load(qt_build_config) -MODULE_VERSION = 5.9.2 +MODULE_VERSION = 5.9.3 -- cgit v1.2.3 From 78dae6abac3909e138848c2a25495d5e893ed65a Mon Sep 17 00:00:00 2001 From: Kai Koehne Date: Thu, 28 Sep 2017 16:21:29 +0200 Subject: Fix outdated FDL license header Change-Id: I1e024810b9c5a9fc32986507d263f8b9727f2315 Reviewed-by: Jani Heikkinen --- src/imageformats/doc/src/qtimageformats.qdoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/imageformats/doc/src/qtimageformats.qdoc b/src/imageformats/doc/src/qtimageformats.qdoc index 2fea934..c161220 100644 --- a/src/imageformats/doc/src/qtimageformats.qdoc +++ b/src/imageformats/doc/src/qtimageformats.qdoc @@ -1,7 +1,7 @@ /**************************************************************************** ** -** Copyright (C) 2015 The Qt Company Ltd. -** Contact: http://www.qt.io/licensing/ +** Copyright (C) 2017 The Qt Company Ltd. +** Contact: https://www.qt.io/licensing/ ** ** This file is part of the documentation of the Qt Image Formats module. ** @@ -11,8 +11,8 @@ ** accordance with the commercial license agreement provided with the ** Software or, alternatively, in accordance with the terms contained in ** a written agreement between you and The Qt Company. For licensing terms -** and conditions see http://www.qt.io/terms-conditions. For further -** information use the contact form at http://www.qt.io/contact-us. +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. ** ** GNU Free Documentation License Usage ** Alternatively, this file may be used under the terms of the GNU Free @@ -20,7 +20,7 @@ ** Foundation and appearing in the file included in the packaging of ** this file. Please review the following information to ensure ** the GNU Free Documentation License version 1.3 requirements -** will be met: http://www.gnu.org/copyleft/fdl.html. +** will be met: https://www.gnu.org/licenses/fdl-1.3.html. ** $QT_END_LICENSE$ ** ****************************************************************************/ -- cgit v1.2.3 From aae637d37ea1e9b362c6f5202a3eda6a0856df75 Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Tue, 17 Oct 2017 15:13:16 +0200 Subject: Update bundled libtiff to version 4.0.8+ This updates the bundled libtiff to release 4.0.8. In addition, since after that release a number of security-related fixes has been added to the upstream CVS repository, this commit comprises the upstream changes of libtiff until 2017-10-10. (Corresponds to commit 46195f7 in the unofficial mirror at github.com/vadz/libtiff.git.) [ChangeLog][Third-Party Code] Bundled libtiff was updated to version 4.0.8+ Change-Id: I9f45387ab48383ef2635d60aeda5c74828f1a6fc Reviewed-by: Liang Qi --- src/3rdparty/libtiff/ChangeLog | 824 +++++++++++++++++++++++++++- src/3rdparty/libtiff/RELEASE-DATE | 2 +- src/3rdparty/libtiff/TODO | 2 +- src/3rdparty/libtiff/VERSION | 2 +- src/3rdparty/libtiff/libtiff/SConstruct | 2 +- src/3rdparty/libtiff/libtiff/libtiff.def | 2 + src/3rdparty/libtiff/libtiff/tif_aux.c | 9 +- src/3rdparty/libtiff/libtiff/tif_color.c | 40 +- src/3rdparty/libtiff/libtiff/tif_config.h | 2 +- src/3rdparty/libtiff/libtiff/tif_dir.c | 50 +- src/3rdparty/libtiff/libtiff/tif_dir.h | 3 +- src/3rdparty/libtiff/libtiff/tif_dirinfo.c | 105 +++- src/3rdparty/libtiff/libtiff/tif_dirread.c | 237 ++++++-- src/3rdparty/libtiff/libtiff/tif_dirwrite.c | 137 ++++- src/3rdparty/libtiff/libtiff/tif_error.c | 26 +- src/3rdparty/libtiff/libtiff/tif_fax3.c | 77 ++- src/3rdparty/libtiff/libtiff/tif_fax3.h | 6 +- src/3rdparty/libtiff/libtiff/tif_getimage.c | 317 ++++++----- src/3rdparty/libtiff/libtiff/tif_jbig.c | 3 +- src/3rdparty/libtiff/libtiff/tif_jpeg.c | 199 ++++++- src/3rdparty/libtiff/libtiff/tif_jpeg_12.c | 1 + src/3rdparty/libtiff/libtiff/tif_luv.c | 51 +- src/3rdparty/libtiff/libtiff/tif_lzw.c | 40 +- src/3rdparty/libtiff/libtiff/tif_ojpeg.c | 25 +- src/3rdparty/libtiff/libtiff/tif_open.c | 6 +- src/3rdparty/libtiff/libtiff/tif_packbits.c | 12 +- src/3rdparty/libtiff/libtiff/tif_pixarlog.c | 67 ++- src/3rdparty/libtiff/libtiff/tif_predict.c | 25 +- src/3rdparty/libtiff/libtiff/tif_print.c | 10 +- src/3rdparty/libtiff/libtiff/tif_read.c | 625 +++++++++++++++++---- src/3rdparty/libtiff/libtiff/tif_strip.c | 11 +- src/3rdparty/libtiff/libtiff/tif_swab.c | 24 +- src/3rdparty/libtiff/libtiff/tif_unix.c | 10 +- src/3rdparty/libtiff/libtiff/tif_warning.c | 26 +- src/3rdparty/libtiff/libtiff/tif_win32.c | 10 +- src/3rdparty/libtiff/libtiff/tif_write.c | 32 +- src/3rdparty/libtiff/libtiff/tif_zip.c | 8 +- src/3rdparty/libtiff/libtiff/tiffio.h | 5 +- src/3rdparty/libtiff/libtiff/tiffiop.h | 31 +- src/3rdparty/libtiff/libtiff/tiffvers.h | 4 +- src/3rdparty/libtiff/port/dummy.c | 2 +- src/3rdparty/libtiff/port/lfind.c | 2 +- src/3rdparty/libtiff/port/strtoul.c | 2 +- src/3rdparty/libtiff/qt_attribution.json | 2 +- 44 files changed, 2608 insertions(+), 468 deletions(-) diff --git a/src/3rdparty/libtiff/ChangeLog b/src/3rdparty/libtiff/ChangeLog index 9b9d397..e15feec 100644 --- a/src/3rdparty/libtiff/ChangeLog +++ b/src/3rdparty/libtiff/ChangeLog @@ -1,3 +1,825 @@ +2017-10-10 Even Rouault + + * nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use + /MDd runtime in debug mode. + +2017-10-01 Even Rouault + + * tools/tiffset.c: fix setting a single value for the ExtraSamples tag + (and other tags with variable number of values). + So 'tiffset -s ExtraSamples 1 X'. This only worked + when setting 2 or more values, but not just one. + +2017-09-29 Even Rouault + + * libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735 + +2017-09-09 Even Rouault + + * libtiff/tif_dirread.c: add NULL check to avoid likely false positive + null-pointer dereference warning by CLang Static Analyzer. + +2017-09-07 Even Rouault + + * libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a _TIFFSeekoK() + function that checks if the offset is not bigger than INT64_MAX, so as + to avoid a -1 error return code of TIFFSeekFile() to match a required + seek to UINT64_MAX/-1. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726 + Adapted from proposal by Nicolas Ruff. + +2017-08-29 Even Rouault + + * libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed + file if the codestream height is larger than the truncated height of the + strip. Emit a warning in this situation since this is non compliant. + +2017-08-28 Even Rouault + + * test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff + to fix "make distcheck". Patch by Roger Leigh + +2017-08-23 Even Rouault + + * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting + on uint32 when selecting the value of SubIFD tag by runtime check + (in TIFFWriteDirectoryTagSubifd()). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 + Reported by team OWL337 + +2017-08-23 Even Rouault + + * libtiff/tif_dirwrite.c: replace assertion related to not finding the + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 + Reported by team OWL337 + +2017-07-24 Even Rouault + + * libtiff/tif_luv.c: further reduce memory requirements for temporary + buffer when RowsPerStrip >= image_length in LogLuvInitState() and + LogL16InitState(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700 + Credit to OSS Fuzz + +2017-07-24 Even Rouault + + * libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped + pixel number is not a multiple of the horizontal subsampling, and + also in some other cases. Impact putcontig8bitYCbCr44tile, + putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile, + putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered + by Agostino Sarubbo) + and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit + to OSS Fuzz) + +2017-07-24 Even Rouault + + * libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate(): + properly break from loops on error when stoponerr is set, instead + of going on iterating on row based loop. + +2017-07-18 Even Rouault + + * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 + Credit to OSS-Fuzz + +2017-07-15 Even Rouault + + * libtiff/tif_read.c: add protection against excessive memory + allocation attempts in TIFFReadDirEntryArray() on short files. + Effective for mmap'ed case. And non-mmap'ed case, but restricted + to 64bit builds. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 + +2017-07-15 Even Rouault + + * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + +2017-07-15 Even Rouault + + * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). + Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 + in the isMapped() case, so as to avoid excessive memory allocation + when we need a temporary buffer but the file is truncated. + +2017-07-15 Even Rouault + + * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" + mode on PlanarConfig=Contig input images. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 + Reported by team OWL337 + +2017-07-11 Even Rouault + + * libtiff/tif_dir.c: avoid potential null pointer dereference in + _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713 + +2017-07-11 Even Rouault + + * libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW + strips. Crashing issue only on memory mapped files, where the strip + offset is the last byte of the file, and the file size is a multiple + of one page size on the CPU architecture (typically 4096). Credit + to myself :-) + +2017-07-11 Even Rouault + + * test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files + to test old-style LZW decompression + * test/common.sh, Makefile.am, CMakeList.txt: updated with above + +2017-07-11 Even Rouault + + * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes) + +2017-07-11 Even Rouault + + * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW + compressed files. + +2017-07-10 Even Rouault + + * libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding + when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554 + Credit to OSS Fuzz + +2017-07-04 Even Rouault + + * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedTileAndAllocBuffer() + and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and + TIFFReadTile() that allocates the decoded buffer only after a first + successful TIFFFillTile(). This avoids excessive memory allocation + on corrupted files. + * libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470 + Credit to OSS Fuzz. + +2017-07-04 Even Rouault + + * libtiff/tif_error.c, tif_warning.c: correctly use va_list when both + an old-style and new-style warning/error handlers are installed. + Patch by Paavo Helde (sent on the mailing list) + +2017-07-02 Even Rouault + + * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to + tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). + This issue was revealed by the change of 2017-06-30 in TIFFFileTile(), + limiting the number of bytes read. But it could probably have been hit + too in CHUNKY_STRIP_READ_SUPPORT mode previously ? + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 + Credit to OSS Fuzz + +2017-06-30 Even Rouault + + * man: update documentation regarding SubIFD tag and + TIFFSetSubDirectory() data type. + Patch by Eric Piel + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671 + +2017-06-30 Even Rouault + + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() + functions associated with LONG8/SLONG8 data type, replace assertion that + the file is BigTIFF, by a non-fatal error. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 + Reported by team OWL337 + +2017-06-30 Even Rouault + + * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() + function, variant of TIFFReadEncodedStrip() that allocates the + decoded buffer only after a first successful TIFFFillStrip(). This avoids + excessive memory allocation on corrupted files. + * libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . + Credit to OSS Fuzz + +2017-06-30 Even Rouault + + * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number + of bytes read in case td_stripbytecount[strip] is bigger than + reasonable, so as to avoid excessive memory allocation (similarly to + what was done for TIFFFileStrip() on 2017-05-10) + +2017-06-29 Even Rouault + + * libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c, + libtiff/tif_read.c: make TIFFReadScanline() works in + CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans. + Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER + environment variable the maximum number of scans allowed. Defaults to + 100. + +2017-06-27 Even Rouault + + * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a + double value can fit in a float before casting. Patch by Nicolas RUFF + +2017-06-26 Even Rouault + + * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 + Reported by team OWL337 + +2017-06-24 Even Rouault + + * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg + memory allocation is above 100 MB. libjpeg in case of multiple scans, + which is allowed even in baseline JPEG, if components are spread over several + scans and not interleavedin a single one, needs to allocate memory (or + backing store) for the whole strip/tile. + See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + This limitation may be overriden by setting the + LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling + libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro. + +2017-06-24 Even Rouault + + * libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive + CPU consumption on progressive JPEGs with a huge number of scans. + See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG + was added. + +2017-06-18 Even Rouault + + * libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to + disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow + * libtiff/tif_predict.c: decorate legitimate functions where unsigned int + overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW + * libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts() + and BYTECOUNTLOOKSBAD when file is too short. + * libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images. + * libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could + potentially be a bug with huge rows. + * libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows. + +2017-06-12 Even Rouault + + * libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items + read in StripOffsets/StripByteCounts tags to the number of strips to avoid + excessive memory allocation. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215 + Credit to OSS Fuzz + +2017-06-12 Even Rouault + + * libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in + ChopUpSingleUncompressedStrip() regarding update of newly single-strip + uncompressed files whose bytecount is 0. Before the change of 2016-12-03, + the condition bytecount==0 used to trigger an early exit/disabling of + strip chop. Re-introduce that in update mode. Otherwise this cause + later incorrect setting for the value of StripByCounts/StripOffsets. + ( https://trac.osgeo.org/gdal/ticket/6924 ) + +2017-06-10 Even Rouault + + * .appveyor.yml, .travis.yml, build/travis-ci: apply patches + 0001-ci-Travis-script-improvements.patch and + 0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh + (sent to mailing list) + +2017-06-08 Even Rouault + + * .travis.yml, build/travis-ci: new files from + 0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by + Roger Leigh (sent to mailing list on 2017-06-08) + This patch adds support for the Travis-CI service. + + * .appveyor.yml: new file from + 0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing + list on 2017-06-08) + This patch adds a .appveyor.yml file to the top-level. This allows + one to opt in to having a branch built on Windows with Cygwin, + MinGW and MSVC automatically when a branch is pushed to GitHub, + GitLab, BitBucket or any other supported git hosting service. + + * CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply + patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger + Leigh (sent to mailing list on 2017-06-08) + This patch makes the CMake build system support running the tests + with MinGW or Cygwin. + +2017-06-08 Even Rouault + + * libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do + the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols + of its internal libtiff copy. + +2017-06-01 Even Rouault + + * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), + and use it in TIFFReadDirectory() so as to ignore fields whose tag is a + codec-specified tag but this codec is not enabled. This avoids TIFFGetField() + to behave differently depending on whether the codec is enabled or not, and + thus can avoid stack based buffer overflows in a number of TIFF utilities + such as tiffsplit, tiffcmp, thumbnail, etc. + Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch + (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. + Fixes: + http://bugzilla.maptools.org/show_bug.cgi?id=2580 + http://bugzilla.maptools.org/show_bug.cgi?id=2693 + http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) + http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) + http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) + http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) + http://bugzilla.maptools.org/show_bug.cgi?id=2441 + http://bugzilla.maptools.org/show_bug.cgi?id=2433 + +2017-05-29 Even Rouault + + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion + (when refBlackWhite[0] == 2147483648.f) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + Credit to OSS Fuzz + +2017-05-29 Even Rouault + + * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid + int32 overflow in TIFFYCbCrtoRGB(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 + Credit to OSS Fuzz + +2017-05-21 Bob Friesenhahn + + * configure.ac: libtiff 4.0.8 released. + + * html/v4.0.8.html: Add description of changes targeting the 4.0.8 + release. + +2017-05-20 Even Rouault + + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 + Credit to OSS Fuzz + +2017-05-18 Even Rouault + + * libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero + to avoid division by zero. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + +2017-05-17 Even Rouault + + * libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to + float. + Credit to Google Autofuzz project + +2017-05-17 Even Rouault + + * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of + luma and refBlackWhite coefficients (just check they are not NaN for now), + to avoid potential float to int overflows. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Credit to OSS Fuzz + +2017-05-17 Even Rouault + + * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with + next_in and tif_rawcc with avail_in at beginning and end of function, + similarly to what is done in LZWDecode(). Likely needed so that it + works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT + mode. But untested... + +2017-05-17 Even Rouault + + * libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(), + and update tif_rawcc at end of LZWDecode(). This is needed to properly + work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT + mode. + +2017-05-14 Even Rouault + + * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-14 Even Rouault + + * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode() + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 + Credit to OSS-Fuzz + +2017-05-13 Even Rouault + + * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 + overflows in multiply_ms() and add_ms(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 + Credit to OSS-Fuzz + +2017-05-13 Even Rouault + + * libtiff/tif_color.c: avoid potential int32 overflow in + TIFFYCbCrToRGBInit() + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 + Credit to OSS-Fuzz + +2017-05-13 Even Rouault + + * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT + mode with tif_rawdataloaded when calling TIFFStartStrip() or + TIFFFillStripPartial(). This avoids reading beyond tif_rawdata + when bytecount > tif_rawdatasize. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. + Credit to OSS-Fuzz + +2017-05-12 Even Rouault + + * libtiff/tif_read.c: TIFFFillStripPartial(): + avoid excessive memory allocation in case of shorten files. + Only effective on 64 bit builds. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-12 Even Rouault + + * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), + avoid potential integer overflows with read_ahead in + CHUNKY_STRIP_READ_SUPPORT mode. Should + especially occur on 32 bit platforms. + +2017-05-10 Even Rouault + + * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): + avoid excessive memory allocation in case of shorten files. + Only effective on 64 bit builds and non-mapped cases. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-10 Even Rouault + + * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory + leak when the underlying codec (ZIP, PixarLog) succeeds its + setupdecode() method, but PredictorSetup fails. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-10 Even Rouault + + * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number + of bytes read in case td_stripbytecount[strip] is bigger than + reasonable, so as to avoid excessive memory allocation. + +2017-04-28 Even Rouault + + * tools/tiff2bw.c: close TIFF handle in error code path. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677 + +2017-04-27 Even Rouault + + * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. + Patch by Alan Coopersmith + complement by myself. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673 + * tools/fax2tiff.c: emit appropriate message if the input file is + empty. Patch by Alan Coopersmith. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672 + +2017-04-27 Even Rouault + + * libtiff/tif_ojpeg.c: fix potential memory leak in + OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable + and OJPEGReadHeaderInfoSecTablesAcTable + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670 + +2017-04-27 Even Rouault + + * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD + mode (ie default) when there is both a StripOffsets and + TileOffsets tag, or a StripByteCounts and TileByteCounts + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689 + * tools/tiff2ps.c: call TIFFClose() in error code paths. + +2017-02-25 Even Rouault + + * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 + -Wimplicit-fallthrough warnings. + +2017-02-18 Even Rouault + + * libtiff/tif_pixarlog.c: fix memory leak in error code path of + PixarLogSetupDecode(). Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665 + +2017-02-18 Even Rouault + + * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the + code bit-width after flushing the remaining code and before emitting + the EOI code. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982 + +2017-01-31 Even Rouault + + * libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the + YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce + the I/O amount when te tag is present (especially on cloud hosted files). + +2017-01-14 Even Rouault + + * tools/raw2tiff.c: avoid integer division by zero. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631 + +2017-01-12 Even Rouault + + * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable + when read fails. + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 + +2017-01-11 Even Rouault + + * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode + functions instead of -1 when TIFFFlushData1() fails. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130 + +2017-01-11 Even Rouault + + * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + +2017-01-11 Even Rouault + + * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() + + * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero + initialize tif_rawdata. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 + +2017-01-11 Even Rouault + + * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to + avoid UndefinedBehaviorSanitizer warning. + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658 + +2017-01-11 Even Rouault + + * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer + addition in TIFFReadRawStrip1() in isMapped() case. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 + +2017-01-11 Even Rouault + + * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid + undefined behaviour caused by invalid shift exponent. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 + +2017-01-11 Even Rouault + + * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings + of double to other data types to avoid undefined behaviour if the output range + isn't big enough to hold the input value. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 + http://bugzilla.maptools.org/show_bug.cgi?id=2642 + http://bugzilla.maptools.org/show_bug.cgi?id=2646 + http://bugzilla.maptools.org/show_bug.cgi?id=2647 + +2017-01-11 Even Rouault + + * libtiff/tif_dirread.c: avoid division by floating point 0 in + TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), + and return 0 in that case (instead of infinity as before presumably) + Apparently some sanitizers do not like those divisions by zero. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 + +2017-01-11 Even Rouault + + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace + assertion by runtime check to error out if passed value is strictly + negative. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535 + + * tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that + caused double free. + Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535 + +2017-01-11 Even Rouault + + * libtiff/tif_jpeg.c: avoid integer division by zero in + JPEGSetupEncode() when horizontal or vertical sampling is set to 0. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 + +2017-01-03 Even Rouault + + * libtiff/tif_jpeg.c: increase libjpeg max memory usable to + 10 MB instead of libjpeg 1MB default. This helps when creating files + with "big" tile, without using libjpeg temporary files. + Related to https://trac.osgeo.org/gdal/ticket/6757 + +2016-12-20 Even Rouault + + * tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 + +2016-12-20 Even Rouault + + * tools/tiff2pdf.c: avoid potential invalid memory read in + t2p_writeproc. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 + +2016-12-20 Even Rouault + + * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger + unspecified behaviour. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638 + +2016-12-18 Even Rouault + + * libtiff/tif_getimage.c: fix potential memory leaks in error code + path of TIFFRGBAImageBegin(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627 + +2016-12-18 Even Rouault + + * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode + on a paletted image. Note: this fix errors out before the overflow + happens. There could probably be a better fix. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635 + +2016-12-17 Even Rouault + + * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt() + and TIFFReadRGBATileExt() variants of the functions without ext, with + an extra argument to control the stop_on_error behaviour. + +2016-12-17 Even Rouault + + * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW + and PSDataColorContig). Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and + http://bugzilla.maptools.org/show_bug.cgi?id=2634. + +2016-12-13 Even Rouault + + * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made + Param member of TIFFFaxTabEnt structure a uint16 to reduce size of + the binary. It happens that the Hylafax software uses the tables that + follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, + TIFFFaxBlackTable), although they are not in a public libtiff header. + Raised by Lee Howard. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636 + +2016-12-04 Even Rouault + + * html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html + from installed pages since the corresponding utilities are no longer + installed. Reported by Havard Eidnes + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606 + +2016-12-03 Even Rouault + + * libtiff/tif_write.c: fix misleading indentation as warned by GCC. + +2016-12-03 Even Rouault + + * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +2016-12-03 Even Rouault + + * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based + buffer overflow. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + +2016-12-03 Even Rouault + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is + missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + +2016-12-03 Even Rouault + + * man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man + pages since the corresponding utilities are no longer installed. + Reported by Havard Eidnes + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606 + +2016-12-03 Even Rouault + + * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, + limit the return number of inks to SamplesPerPixel, so that code that parses + ink names doesn't go past the end of the buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 + +2016-12-03 Even Rouault + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is + missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + +2016-12-03 Even Rouault + + * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has + no StripByteCount tag. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594 + +2016-12-03 Even Rouault + + * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +2016-12-03 Even Rouault + + * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +2016-12-03 Even Rouault + + * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so + that the output buffer is correctly incremented to avoid write outside bounds. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 + +2016-12-03 Even Rouault + + * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in + OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +2016-12-03 Even Rouault + + * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to + instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), + instead of a logic based on the total size of data. Which is faulty is + the total size of data is not sufficient to fill the whole image, and thus + results in reading outside of the StripByCounts/StripOffsets arrays when + using TIFFReadScanline(). + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. + + * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done + for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since + the above change is a better fix that makes it unnecessary. + +2016-12-03 Even Rouault + + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer + overflow on generation of PixarLog / LUV compressed files, with + ColorMap, TransferFunction attached and nasty plays with bitspersample. + The fix for LUV has not been tested, but suffers from the same kind + of issue of PixarLog. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +2016-12-02 Even Rouault + + * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that + can cause various issues, such as buffer overflows in the library. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 + +2016-12-02 Even Rouault + + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by zero. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +2016-11-20 Even Rouault + + * libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to + fix cppcheck clarifyCalculation warnings + * libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned + vs signed formatting (cppcheck invalidPrintfArgType_uint warnings) + +2016-11-20 Bob Friesenhahn + + * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix + passing client data for Win32 builds using tif_win32.c + (USE_WIN32_FILEIO defined) for file I/O. Patch was provided via + email on November 20, 2016. + 2016-11-19 Bob Friesenhahn * libtiff 4.0.7 released. @@ -85,7 +907,7 @@ writeBufferToSeparateStrips(), writeBufferToContigTiles() and writeBufferToSeparateTiles() that could cause heap buffer overflows. Reported by Henri Salo from Nixu Corporation. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 (CVE-2016-9532) 2016-11-10 Even Rouault diff --git a/src/3rdparty/libtiff/RELEASE-DATE b/src/3rdparty/libtiff/RELEASE-DATE index fb9e3f6..301f356 100644 --- a/src/3rdparty/libtiff/RELEASE-DATE +++ b/src/3rdparty/libtiff/RELEASE-DATE @@ -1 +1 @@ -20161119 +20170521 diff --git a/src/3rdparty/libtiff/TODO b/src/3rdparty/libtiff/TODO index 2ff8627..121d93d 100644 --- a/src/3rdparty/libtiff/TODO +++ b/src/3rdparty/libtiff/TODO @@ -1,4 +1,4 @@ -# $Header: /cvs/libtiff/TODO,v 1.6 2002/10/10 05:28:43 warmerda Exp $ +# $Header: /cvs/maptools/cvsroot/libtiff/TODO,v 1.6 2002-10-10 05:28:43 warmerda Exp $ o gif2tiff segaulting on selected images o tiffcmp read data by strip/tile instead of scanline diff --git a/src/3rdparty/libtiff/VERSION b/src/3rdparty/libtiff/VERSION index 43beb40..a2cec7a 100644 --- a/src/3rdparty/libtiff/VERSION +++ b/src/3rdparty/libtiff/VERSION @@ -1 +1 @@ -4.0.7 +4.0.8 diff --git a/src/3rdparty/libtiff/libtiff/SConstruct b/src/3rdparty/libtiff/libtiff/SConstruct index cb6a7cc..dc00c8c 100644 --- a/src/3rdparty/libtiff/libtiff/SConstruct +++ b/src/3rdparty/libtiff/libtiff/SConstruct @@ -1,4 +1,4 @@ -# $Id: SConstruct,v 1.4 2007/02/24 15:03:50 dron Exp $ +# $Id: SConstruct,v 1.4 2007-02-24 15:03:50 dron Exp $ # Tag Image File Format (TIFF) Software # diff --git a/src/3rdparty/libtiff/libtiff/libtiff.def b/src/3rdparty/libtiff/libtiff/libtiff.def index acf8609..341c719 100644 --- a/src/3rdparty/libtiff/libtiff/libtiff.def +++ b/src/3rdparty/libtiff/libtiff/libtiff.def @@ -85,7 +85,9 @@ EXPORTS TIFFAccessTagMethods TIFFReadRGBAImage TIFFReadRGBAImageOriented TIFFReadRGBAStrip + TIFFReadRGBAStripExt TIFFReadRGBATile + TIFFReadRGBATileExt TIFFReadRawStrip TIFFReadRawTile TIFFReadScanline diff --git a/src/3rdparty/libtiff/libtiff/tif_aux.c b/src/3rdparty/libtiff/libtiff/tif_aux.c index 3d35ba9..7f6721b 100644 --- a/src/3rdparty/libtiff/libtiff/tif_aux.c +++ b/src/3rdparty/libtiff/libtiff/tif_aux.c @@ -1,4 +1,4 @@ -/* $Id: tif_aux.c,v 1.29 2016-11-11 20:45:53 erouault Exp $ */ +/* $Id: tif_aux.c,v 1.30 2017-09-07 14:02:52 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -359,6 +359,13 @@ _TIFFUInt64ToDouble(uint64 ui64) } } +int _TIFFSeekOK(TIFF* tif, toff_t off) +{ + /* Huge offsets, expecially -1 / UINT64_MAX, can cause issues */ + /* See http://bugzilla.maptools.org/show_bug.cgi?id=2726 */ + return off <= (~(uint64)0)/2 && TIFFSeekFile(tif,off,SEEK_SET)==off; +} + /* vim: set ts=8 sts=8 sw=8 noet: */ /* * Local Variables: diff --git a/src/3rdparty/libtiff/libtiff/tif_color.c b/src/3rdparty/libtiff/libtiff/tif_color.c index 89194c2..71cafcd 100644 --- a/src/3rdparty/libtiff/libtiff/tif_color.c +++ b/src/3rdparty/libtiff/libtiff/tif_color.c @@ -1,4 +1,4 @@ -/* $Id: tif_color.c,v 1.22 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -199,6 +199,23 @@ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, *b = CLAMP(i, 0, 255); } +/* Clamp function for sanitization purposes. Normally clamping should not */ +/* occur for well behaved chroma and refBlackWhite coefficients */ +static float CLAMPw(float v, float vmin, float vmax) +{ + if( v < vmin ) + { + /* printf("%f clamped to %f\n", v, vmin); */ + return vmin; + } + if( v > vmax ) + { + /* printf("%f clamped to %f\n", v, vmax); */ + return vmax; + } + return v; +} + /* * Initialize the YCbCr->RGB conversion tables. The conversion * is done according to the 6.0 spec: @@ -238,10 +255,10 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite) ycbcr->Cb_g_tab = ycbcr->Cr_g_tab + 256; ycbcr->Y_tab = ycbcr->Cb_g_tab + 256; - { float f1 = 2-2*LumaRed; int32 D1 = FIX(f1); - float f2 = LumaRed*f1/LumaGreen; int32 D2 = -FIX(f2); - float f3 = 2-2*LumaBlue; int32 D3 = FIX(f3); - float f4 = LumaBlue*f3/LumaGreen; int32 D4 = -FIX(f4); + { float f1 = 2-2*LumaRed; int32 D1 = FIX(CLAMP(f1,0.0F,2.0F)); + float f2 = LumaRed*f1/LumaGreen; int32 D2 = -FIX(CLAMP(f2,0.0F,2.0F)); + float f3 = 2-2*LumaBlue; int32 D3 = FIX(CLAMP(f3,0.0F,2.0F)); + float f4 = LumaBlue*f3/LumaGreen; int32 D4 = -FIX(CLAMP(f4,0.0F,2.0F)); int x; #undef LumaBlue @@ -256,17 +273,20 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite) * constructing tables indexed by the raw pixel data. */ for (i = 0, x = -128; i < 256; i++, x++) { - int32 Cr = (int32)Code2V(x, refBlackWhite[4] - 128.0F, - refBlackWhite[5] - 128.0F, 127); - int32 Cb = (int32)Code2V(x, refBlackWhite[2] - 128.0F, - refBlackWhite[3] - 128.0F, 127); + int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F, + refBlackWhite[5] - 128.0F, 127), + -128.0F * 32, 128.0F * 32); + int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F, + refBlackWhite[3] - 128.0F, 127), + -128.0F * 32, 128.0F * 32); ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT); ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT); ycbcr->Cr_g_tab[i] = D2*Cr; ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF; ycbcr->Y_tab[i] = - (int32)Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255); + (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255), + -128.0F * 32, 128.0F * 32); } } diff --git a/src/3rdparty/libtiff/libtiff/tif_config.h b/src/3rdparty/libtiff/libtiff/tif_config.h index b0618df..2924a34 100644 --- a/src/3rdparty/libtiff/libtiff/tif_config.h +++ b/src/3rdparty/libtiff/libtiff/tif_config.h @@ -266,7 +266,7 @@ /* #undef PACKAGE_URL */ /* Define to the version of this package. */ -#define PACKAGE_VERSION "4.0.6" +#define PACKAGE_VERSION "4.0.8" /* Support Macintosh PackBits algorithm */ /* #undef PACKBITS_SUPPORT */ diff --git a/src/3rdparty/libtiff/libtiff/tif_dir.c b/src/3rdparty/libtiff/libtiff/tif_dir.c index ad21655..f00f808 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dir.c +++ b/src/3rdparty/libtiff/libtiff/tif_dir.c @@ -1,4 +1,4 @@ -/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */ +/* $Id: tif_dir.c,v 1.131 2017-07-11 21:38:04 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -31,6 +31,7 @@ * (and also some miscellaneous stuff) */ #include "tiffiop.h" +#include /* * These are used in the backwards compatibility code... @@ -154,6 +155,15 @@ bad: return (0); } +static float TIFFClampDoubleToFloat( double val ) +{ + if( val > FLT_MAX ) + return FLT_MAX; + if( val < -FLT_MAX ) + return -FLT_MAX; + return (float)val; +} + static int _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) { @@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) dblval = va_arg(ap, double); if( dblval < 0 ) goto badvaluedouble; - td->td_xresolution = (float) dblval; + td->td_xresolution = TIFFClampDoubleToFloat( dblval ); break; case TIFFTAG_YRESOLUTION: dblval = va_arg(ap, double); if( dblval < 0 ) goto badvaluedouble; - td->td_yresolution = (float) dblval; + td->td_yresolution = TIFFClampDoubleToFloat( dblval ); break; case TIFFTAG_PLANARCONFIG: v = (uint16) va_arg(ap, uint16_vap); @@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) td->td_planarconfig = (uint16) v; break; case TIFFTAG_XPOSITION: - td->td_xposition = (float) va_arg(ap, double); + td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); break; case TIFFTAG_YPOSITION: - td->td_yposition = (float) va_arg(ap, double); + td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); break; case TIFFTAG_RESOLUTIONUNIT: v = (uint16) va_arg(ap, uint16_vap); @@ -676,7 +686,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) case TIFF_SRATIONAL: case TIFF_FLOAT: { - float v2 = (float)va_arg(ap, double); + float v2 = TIFFClampDoubleToFloat(va_arg(ap, double)); _TIFFmemcpy(val, &v2, tv_size); } break; @@ -854,6 +864,34 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ return 0; + if( tag == TIFFTAG_NUMBEROFINKS ) + { + int i; + for (i = 0; i < td->td_customValueCount; i++) { + uint16 val; + TIFFTagValue *tv = td->td_customValues + i; + if (tv->info->field_tag != tag) + continue; + if( tv->value == NULL ) + return 0; + val = *(uint16 *)tv->value; + /* Truncate to SamplesPerPixel, since the */ + /* setting code for INKNAMES assume that there are SamplesPerPixel */ + /* inknames. */ + /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ + if( val > td->td_samplesperpixel ) + { + TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", + "Truncating NumberOfInks from %u to %u", + val, td->td_samplesperpixel); + val = td->td_samplesperpixel; + } + *va_arg(ap, uint16*) = val; + return 1; + } + return 0; + } + /* * We want to force the custom code to be used for custom * fields even if the tag happens to match a well known diff --git a/src/3rdparty/libtiff/libtiff/tif_dir.h b/src/3rdparty/libtiff/libtiff/tif_dir.h index 6af5f3d..5a38076 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dir.h +++ b/src/3rdparty/libtiff/libtiff/tif_dir.h @@ -1,4 +1,4 @@ -/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */ +/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -291,6 +291,7 @@ struct _TIFFField { extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); +extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); #if defined(__cplusplus) } diff --git a/src/3rdparty/libtiff/libtiff/tif_dirinfo.c b/src/3rdparty/libtiff/libtiff/tif_dirinfo.c index 23ad002..4904f54 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dirinfo.c +++ b/src/3rdparty/libtiff/libtiff/tif_dirinfo.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */ +/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n) return 0; } +int +_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) +{ + /* Filter out non-codec specific tags */ + switch (tag) { + /* Shared tags */ + case TIFFTAG_PREDICTOR: + /* JPEG tags */ + case TIFFTAG_JPEGTABLES: + /* OJPEG tags */ + case TIFFTAG_JPEGIFOFFSET: + case TIFFTAG_JPEGIFBYTECOUNT: + case TIFFTAG_JPEGQTABLES: + case TIFFTAG_JPEGDCTABLES: + case TIFFTAG_JPEGACTABLES: + case TIFFTAG_JPEGPROC: + case TIFFTAG_JPEGRESTARTINTERVAL: + /* CCITT* */ + case TIFFTAG_BADFAXLINES: + case TIFFTAG_CLEANFAXDATA: + case TIFFTAG_CONSECUTIVEBADFAXLINES: + case TIFFTAG_GROUP3OPTIONS: + case TIFFTAG_GROUP4OPTIONS: + break; + default: + return 1; + } + /* Check if codec specific tags are allowed for the current + * compression scheme (codec) */ + switch (tif->tif_dir.td_compression) { + case COMPRESSION_LZW: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + case COMPRESSION_PACKBITS: + /* No codec-specific tags */ + break; + case COMPRESSION_THUNDERSCAN: + /* No codec-specific tags */ + break; + case COMPRESSION_NEXT: + /* No codec-specific tags */ + break; + case COMPRESSION_JPEG: + if (tag == TIFFTAG_JPEGTABLES) + return 1; + break; + case COMPRESSION_OJPEG: + switch (tag) { + case TIFFTAG_JPEGIFOFFSET: + case TIFFTAG_JPEGIFBYTECOUNT: + case TIFFTAG_JPEGQTABLES: + case TIFFTAG_JPEGDCTABLES: + case TIFFTAG_JPEGACTABLES: + case TIFFTAG_JPEGPROC: + case TIFFTAG_JPEGRESTARTINTERVAL: + return 1; + } + break; + case COMPRESSION_CCITTRLE: + case COMPRESSION_CCITTRLEW: + case COMPRESSION_CCITTFAX3: + case COMPRESSION_CCITTFAX4: + switch (tag) { + case TIFFTAG_BADFAXLINES: + case TIFFTAG_CLEANFAXDATA: + case TIFFTAG_CONSECUTIVEBADFAXLINES: + return 1; + case TIFFTAG_GROUP3OPTIONS: + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) + return 1; + break; + case TIFFTAG_GROUP4OPTIONS: + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) + return 1; + break; + } + break; + case COMPRESSION_JBIG: + /* No codec-specific tags */ + break; + case COMPRESSION_DEFLATE: + case COMPRESSION_ADOBE_DEFLATE: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + case COMPRESSION_PIXARLOG: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + case COMPRESSION_SGILOG: + case COMPRESSION_SGILOG24: + /* No codec-specific tags */ + break; + case COMPRESSION_LZMA: + if (tag == TIFFTAG_PREDICTOR) + return 1; + break; + + } + return 0; +} + /* vim: set ts=8 sts=8 sw=8 noet: */ /* diff --git a/src/3rdparty/libtiff/libtiff/tif_dirread.c b/src/3rdparty/libtiff/libtiff/tif_dirread.c index 01070f2..5e62e81 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dirread.c +++ b/src/3rdparty/libtiff/libtiff/tif_dirread.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */ +/* $Id: tif_dirread.c,v 1.218 2017-09-09 21:44:42 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -40,6 +40,8 @@ */ #include "tiffiop.h" +#include +#include #define IGNORE 0 /* tag placeholder used below */ #define FAILED_FII ((uint32) -1) @@ -635,6 +637,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* d err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m); if (err!=TIFFReadDirEntryErrOk) return(err); + if ((m > FLT_MAX) || (m < FLT_MIN)) + return(TIFFReadDirEntryErrRange); *value=(float)m; return(TIFFReadDirEntryErrOk); } @@ -764,13 +768,80 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* di } } -static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value) + +#define INITIAL_THRESHOLD (1024 * 1024) +#define THRESHOLD_MULTIPLIER 10 +#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + +static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc( + TIFF* tif, uint64 offset, tmsize_t size, void** pdest) +{ +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + tmsize_t threshold = INITIAL_THRESHOLD; +#endif + tmsize_t already_read = 0; + + assert( !isMapped(tif) ); + + if (!SeekOK(tif,offset)) + return(TIFFReadDirEntryErrIo); + + /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ + /* so as to avoid allocating too much memory in case the file is too */ + /* short. We could ask for the file size, but this might be */ + /* expensive with some I/O layers (think of reading a gzipped file) */ + /* Restrict to 64 bit processes, so as to avoid reallocs() */ + /* on 32 bit processes where virtual memory is scarce. */ + while( already_read < size ) + { + void* new_dest; + tmsize_t bytes_read; + tmsize_t to_read = size - already_read; +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + if( to_read >= threshold && threshold < MAX_THRESHOLD ) + { + to_read = threshold; + threshold *= THRESHOLD_MULTIPLIER; + } +#endif + + new_dest = (uint8*) _TIFFrealloc( + *pdest, already_read + to_read); + if( new_dest == NULL ) + { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Failed to allocate memory for %s " + "(%ld elements of %ld bytes each)", + "TIFFReadDirEntryArray", + (long) 1, (long) (already_read + to_read)); + return TIFFReadDirEntryErrAlloc; + } + *pdest = new_dest; + + bytes_read = TIFFReadFile(tif, + (char*)*pdest + already_read, to_read); + already_read += bytes_read; + if (bytes_read != to_read) { + return TIFFReadDirEntryErrIo; + } + } + return TIFFReadDirEntryErrOk; +} + +static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit( + TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, + void** value, uint64 maxcount) { int typesize; uint32 datasize; void* data; + uint64 target_count64; typesize=TIFFDataWidth(direntry->tdir_type); - if ((direntry->tdir_count==0)||(typesize==0)) + + target_count64 = (direntry->tdir_count > maxcount) ? + maxcount : direntry->tdir_count; + + if ((target_count64==0)||(typesize==0)) { *value=0; return(TIFFReadDirEntryErrOk); @@ -782,17 +853,30 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d * in either the current data type or the dest data type. This also * avoids problems with overflow of tmsize_t on 32bit systems. */ - if ((uint64)(2147483647/typesize)tdir_count) + if ((uint64)(2147483647/typesize)tdir_count) + if ((uint64)(2147483647/desttypesize)tdir_count; + *count=(uint32)target_count64; datasize=(*count)*typesize; assert((tmsize_t)datasize>0); - data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); - if (data==0) - return(TIFFReadDirEntryErrAlloc); + + if( isMapped(tif) && datasize > (uint32)tif->tif_size ) + return TIFFReadDirEntryErrIo; + + if( !isMapped(tif) && + (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) || + (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) ) + { + data = NULL; + } + else + { + data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); + if (data==0) + return(TIFFReadDirEntryErrAlloc); + } if (!(tif->tif_flags&TIFF_BIGTIFF)) { if (datasize<=4) @@ -803,7 +887,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d uint32 offset = direntry->tdir_offset.toff_long; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong(&offset); - err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + if( isMapped(tif) ) + err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + else + err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); if (err!=TIFFReadDirEntryErrOk) { _TIFFfree(data); @@ -821,7 +908,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d uint64 offset = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8(&offset); - err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data); + if( isMapped(tif) ) + err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + else + err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); if (err!=TIFFReadDirEntryErrOk) { _TIFFfree(data); @@ -833,6 +923,12 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* d return(TIFFReadDirEntryErrOk); } +static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value) +{ + return TIFFReadDirEntryArrayWithLimit(tif, direntry, count, + desttypesize, value, ~((uint64)0)); +} + static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8** value) { enum TIFFReadDirEntryErr err; @@ -1862,7 +1958,8 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEnt return(TIFFReadDirEntryErrOk); } -static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value) +static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8ArrayWithLimit( + TIFF* tif, TIFFDirEntry* direntry, uint64** value, uint64 maxcount) { enum TIFFReadDirEntryErr err; uint32 count; @@ -1882,7 +1979,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEnt default: return(TIFFReadDirEntryErrType); } - err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata); + err=TIFFReadDirEntryArrayWithLimit(tif,direntry,&count,8,&origdata,maxcount); if ((err!=TIFFReadDirEntryErrOk)||(origdata==0)) { *value=0; @@ -2028,6 +2125,11 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEnt return(TIFFReadDirEntryErrOk); } +static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value) +{ + return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value, ~((uint64)0)); +} + static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64** value) { enum TIFFReadDirEntryErr err; @@ -2406,7 +2508,14 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEnt ma=(double*)origdata; mb=data; for (n=0; n FLT_MAX ) + val = FLT_MAX; + else if( val < -FLT_MAX ) + val = -FLT_MAX; + *mb++=(float)val; + } } break; } @@ -2723,7 +2832,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDi if (direntry->tdir_count<(uint64)tif->tif_dir.td_samplesperpixel) return(TIFFReadDirEntryErrCount); err=TIFFReadDirEntryShortArray(tif,direntry,&m); - if (err!=TIFFReadDirEntryErrOk) + if (err!=TIFFReadDirEntryErrOk || m == NULL) return(err); na=m; nb=tif->tif_dir.td_samplesperpixel; @@ -2872,7 +2981,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD m.l = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); - if (m.i[0]==0) + /* Not completely sure what we should do when m.i[1]==0, but some */ + /* sanitizers do not like division by 0.0: */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ + if (m.i[0]==0 || m.i[1]==0) *value=0.0; else *value=(double)m.i[0]/(double)m.i[1]; @@ -2900,7 +3012,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF m.l=direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); - if ((int32)m.i[0]==0) + /* Not completely sure what we should do when m.i[1]==0, but some */ + /* sanitizers do not like division by 0.0: */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ + if ((int32)m.i[0]==0 || m.i[1]==0) *value=0.0; else *value=(double)((int32)m.i[0])/(double)m.i[1]; @@ -3566,6 +3681,10 @@ TIFFReadDirectory(TIFF* tif) goto bad; dp->tdir_tag=IGNORE; break; + default: + if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) + dp->tdir_tag=IGNORE; + break; } } } @@ -3724,6 +3843,14 @@ TIFFReadDirectory(TIFF* tif) _TIFFmemcpy( &(tif->tif_dir.td_stripoffset_entry), dp, sizeof(TIFFDirEntry) ); #else + if( tif->tif_dir.td_stripoffset != NULL ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "tif->tif_dir.td_stripoffset is " + "already allocated. Likely duplicated " + "StripOffsets/TileOffsets tag"); + goto bad; + } if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripoffset)) goto bad; #endif @@ -3734,7 +3861,15 @@ TIFFReadDirectory(TIFF* tif) _TIFFmemcpy( &(tif->tif_dir.td_stripbytecount_entry), dp, sizeof(TIFFDirEntry) ); #else - if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount)) + if( tif->tif_dir.td_stripbytecount != NULL ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "tif->tif_dir.td_stripbytecount is " + "already allocated. Likely duplicated " + "StripByteCounts/TileByteCounts tag"); + goto bad; + } + if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount)) goto bad; #endif break; @@ -3949,12 +4084,14 @@ TIFFReadDirectory(TIFF* tif) #define BYTECOUNTLOOKSBAD \ ( (tif->tif_dir.td_stripbytecount[0] == 0 && tif->tif_dir.td_stripoffset[0] != 0) || \ (tif->tif_dir.td_compression == COMPRESSION_NONE && \ - tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) || \ + (tif->tif_dir.td_stripoffset[0] <= TIFFGetFileSize(tif) && \ + tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0])) || \ (tif->tif_mode == O_RDONLY && \ tif->tif_dir.td_compression == COMPRESSION_NONE && \ tif->tif_dir.td_stripbytecount[0] < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength) ) } else if (tif->tif_dir.td_nstrips == 1 + && !(tif->tif_flags&TIFF_ISTILED) && _TIFFFillStriles(tif) && tif->tif_dir.td_stripoffset[0] != 0 && BYTECOUNTLOOKSBAD) { @@ -4332,7 +4469,11 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount) } space+=datasize; } - space = filesize - space; + if( filesize < space ) + /* we should perhaps return in error ? */ + space = filesize; + else + space = filesize - space; if (td->td_planarconfig == PLANARCONFIG_SEPARATE) space /= td->td_samplesperpixel; for (strip = 0; strip < td->td_nstrips; strip++) @@ -5399,28 +5540,39 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) static const char module[] = "TIFFFetchStripThing"; enum TIFFReadDirEntryErr err; uint64* data; - err=TIFFReadDirEntryLong8Array(tif,dir,&data); + err=TIFFReadDirEntryLong8ArrayWithLimit(tif,dir,&data,nstrips); if (err!=TIFFReadDirEntryErrOk) { const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag); TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0); return(0); } - if (dir->tdir_count!=(uint64)nstrips) + if (dir->tdir_count<(uint64)nstrips) { uint64* resizeddata; + const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag); + const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT"); + uint32 max_nstrips = 1000000; + if( pszMax ) + max_nstrips = (uint32) atoi(pszMax); + TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount, + module, + fip ? fip->field_name : "unknown tagname", + ( nstrips <= max_nstrips ) ); + + if( nstrips > max_nstrips ) + { + _TIFFfree(data); + return(0); + } + resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); if (resizeddata==0) { _TIFFfree(data); return(0); } - if (dir->tdir_count<(uint64)nstrips) - { - _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); - _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); - } - else - _TIFFmemcpy(resizeddata,data,nstrips*sizeof(uint64)); + _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); + _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); _TIFFfree(data); data=resizeddata; } @@ -5502,13 +5654,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) uint64 rowblockbytes; uint64 stripbytes; uint32 strip; - uint64 nstrips64; - uint32 nstrips32; + uint32 nstrips; uint32 rowsperstrip; uint64* newcounts; uint64* newoffsets; bytecount = td->td_stripbytecount[0]; + /* On a newly created file, just re-opened to be filled, we */ + /* don't want strip chop to trigger as it is going to cause issues */ + /* later ( StripOffsets and StripByteCounts improperly filled) . */ + if( bytecount == 0 && tif->tif_mode != O_RDONLY ) + return; offset = td->td_stripoffset[0]; assert(td->td_planarconfig == PLANARCONFIG_CONTIG); if ((td->td_photometric == PHOTOMETRIC_YCBCR)&& @@ -5534,18 +5690,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) return; /* - * never increase the number of strips in an image + * never increase the number of rows per strip */ if (rowsperstrip >= td->td_rowsperstrip) return; - nstrips64 = TIFFhowmany_64(bytecount, stripbytes); - if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ - return; - nstrips32 = (uint32)nstrips64; + nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); + if( nstrips == 0 ) + return; - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripOffsets\" array"); if (newcounts == NULL || newoffsets == NULL) { /* @@ -5562,18 +5717,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) * Fill the strip information arrays with new bytecounts and offsets * that reflect the broken-up format. */ - for (strip = 0; strip < nstrips32; strip++) { + for (strip = 0; strip < nstrips; strip++) { if (stripbytes > bytecount) stripbytes = bytecount; newcounts[strip] = stripbytes; - newoffsets[strip] = offset; + newoffsets[strip] = stripbytes ? offset : 0; offset += stripbytes; bytecount -= stripbytes; } /* * Replace old single strip info with multi-strip info. */ - td->td_stripsperimage = td->td_nstrips = nstrips32; + td->td_stripsperimage = td->td_nstrips = nstrips; TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); _TIFFfree(td->td_stripbytecount); diff --git a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c index d34f6f6..c68d6d2 100644 --- a/src/3rdparty/libtiff/libtiff/tif_dirwrite.c +++ b/src/3rdparty/libtiff/libtiff/tif_dirwrite.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */ +/* $Id: tif_dirwrite.c,v 1.89 2017-08-23 13:33:42 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -30,6 +30,7 @@ * Directory Write Support Routines. */ #include "tiffiop.h" +#include #ifdef HAVE_IEEEFP #define TIFFCvtNativeToIEEEFloat(tif, n, fp) @@ -820,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) TIFFDirEntry* nb; for (na=0, nb=dir; ; na++, nb++) { - assert(natif_clientdata,module, + "Cannot find SubIFD tag"); + goto bad; + } if (nb->tdir_tag==TIFFTAG_SUBIFD) break; } @@ -939,6 +945,69 @@ bad: return(0); } +static float TIFFClampDoubleToFloat( double val ) +{ + if( val > FLT_MAX ) + return FLT_MAX; + if( val < -FLT_MAX ) + return -FLT_MAX; + return (float)val; +} + +static int8 TIFFClampDoubleToInt8( double val ) +{ + if( val > 127 ) + return 127; + if( val < -128 || val != val ) + return -128; + return (int8)val; +} + +static int16 TIFFClampDoubleToInt16( double val ) +{ + if( val > 32767 ) + return 32767; + if( val < -32768 || val != val ) + return -32768; + return (int16)val; +} + +static int32 TIFFClampDoubleToInt32( double val ) +{ + if( val > 0x7FFFFFFF ) + return 0x7FFFFFFF; + if( val < -0x7FFFFFFF-1 || val != val ) + return -0x7FFFFFFF-1; + return (int32)val; +} + +static uint8 TIFFClampDoubleToUInt8( double val ) +{ + if( val < 0 ) + return 0; + if( val > 255 || val != val ) + return 255; + return (uint8)val; +} + +static uint16 TIFFClampDoubleToUInt16( double val ) +{ + if( val < 0 ) + return 0; + if( val > 65535 || val != val ) + return 65535; + return (uint16)val; +} + +static uint32 TIFFClampDoubleToUInt32( double val ) +{ + if( val < 0 ) + return 0; + if( val > 0xFFFFFFFFU || val != val ) + return 0xFFFFFFFFU; + return (uint32)val; +} + static int TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) { @@ -959,7 +1028,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di if (tif->tif_dir.td_bitspersample<=32) { for (i = 0; i < count; ++i) - ((float*)conv)[i] = (float)value[i]; + ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); } else @@ -971,19 +1040,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di if (tif->tif_dir.td_bitspersample<=8) { for (i = 0; i < count; ++i) - ((int8*)conv)[i] = (int8)value[i]; + ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); } else if (tif->tif_dir.td_bitspersample<=16) { for (i = 0; i < count; ++i) - ((int16*)conv)[i] = (int16)value[i]; + ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); } else { for (i = 0; i < count; ++i) - ((int32*)conv)[i] = (int32)value[i]; + ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); } break; @@ -991,19 +1060,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di if (tif->tif_dir.td_bitspersample<=8) { for (i = 0; i < count; ++i) - ((uint8*)conv)[i] = (uint8)value[i]; + ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); } else if (tif->tif_dir.td_bitspersample<=16) { for (i = 0; i < count; ++i) - ((uint16*)conv)[i] = (uint16)value[i]; + ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); } else { for (i = 0; i < count; ++i) - ((uint32*)conv)[i] = (uint32)value[i]; + ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); } break; @@ -1880,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) for (p=0; p < tif->tif_dir.td_nsubifd; p++) { assert(pa != 0); - assert(*pa <= 0xFFFFFFFFUL); + + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ + if( *pa > 0xFFFFFFFFUL) + { + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); + _TIFFfree(o); + return(0); + } *pb++=(uint32)(*pa++); } n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); @@ -2047,7 +2123,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui { uint64 m; assert(sizeof(uint64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); + return(0); + } m=value; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8(&m); @@ -2060,7 +2139,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di { assert(count<0x20000000); assert(sizeof(uint64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8Array","LONG8 not allowed for ClassicTIFF"); + return(0); + } if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong8(value,count); return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); @@ -2072,7 +2154,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u { int64 m; assert(sizeof(int64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8","SLONG8 not allowed for ClassicTIFF"); + return(0); + } m=value; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8((uint64*)(&m)); @@ -2085,7 +2170,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d { assert(count<0x20000000); assert(sizeof(int64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8Array","SLONG8 not allowed for ClassicTIFF"); + return(0); + } if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong8((uint64*)value,count); return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); @@ -2094,15 +2182,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d static int TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value) { + static const char module[] = "TIFFWriteDirectoryTagCheckedRational"; uint32 m[2]; - assert(value>=0.0); assert(sizeof(uint32)==4); - if (value<=0.0) + if( value < 0 ) + { + TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal"); + return 0; + } + else if( value != value ) + { + TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal"); + return 0; + } + else if (value==0.0) { m[0]=0; m[1]=1; } - else if (value==(double)(uint32)value) + else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) { m[0]=(uint32)value; m[1]=1; @@ -2143,12 +2241,13 @@ TIFFWriteDirectoryTagCheckedRationalArray(TIFF* tif, uint32* ndir, TIFFDirEntry* } for (na=value, nb=m, nc=0; nc= 0 && *na <= (float)0xFFFFFFFFU && + *na==(float)(uint32)(*na)) { nb[0]=(uint32)(*na); nb[1]=1; diff --git a/src/3rdparty/libtiff/libtiff/tif_error.c b/src/3rdparty/libtiff/libtiff/tif_error.c index 0bc8b87..47516b4 100644 --- a/src/3rdparty/libtiff/libtiff/tif_error.c +++ b/src/3rdparty/libtiff/libtiff/tif_error.c @@ -1,4 +1,4 @@ -/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_error.c,v 1.5 2010-03-10 18:56:48 bfriesen Exp $ */ +/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_error.c,v 1.6 2017-07-04 12:54:42 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -51,24 +51,32 @@ void TIFFError(const char* module, const char* fmt, ...) { va_list ap; - va_start(ap, fmt); - if (_TIFFerrorHandler) + if (_TIFFerrorHandler) { + va_start(ap, fmt); (*_TIFFerrorHandler)(module, fmt, ap); - if (_TIFFerrorHandlerExt) + va_end(ap); + } + if (_TIFFerrorHandlerExt) { + va_start(ap, fmt); (*_TIFFerrorHandlerExt)(0, module, fmt, ap); - va_end(ap); + va_end(ap); + } } void TIFFErrorExt(thandle_t fd, const char* module, const char* fmt, ...) { va_list ap; - va_start(ap, fmt); - if (_TIFFerrorHandler) + if (_TIFFerrorHandler) { + va_start(ap, fmt); (*_TIFFerrorHandler)(module, fmt, ap); - if (_TIFFerrorHandlerExt) + va_end(ap); + } + if (_TIFFerrorHandlerExt) { + va_start(ap, fmt); (*_TIFFerrorHandlerExt)(fd, module, fmt, ap); - va_end(ap); + va_end(ap); + } } /* diff --git a/src/3rdparty/libtiff/libtiff/tif_fax3.c b/src/3rdparty/libtiff/libtiff/tif_fax3.c index 16bb4d3..5fd5141 100644 --- a/src/3rdparty/libtiff/libtiff/tif_fax3.c +++ b/src/3rdparty/libtiff/libtiff/tif_fax3.c @@ -1,4 +1,4 @@ -/* $Id: tif_fax3.c,v 1.78 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_fax3.c,v 1.81 2017-06-18 10:31:50 erouault Exp $ */ /* * Copyright (c) 1990-1997 Sam Leffler @@ -329,34 +329,64 @@ Fax3Decode2D(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) #if SIZEOF_UNSIGNED_LONG == 8 # define FILL(n, cp) \ switch (n) { \ - case 15:(cp)[14] = 0xff; case 14:(cp)[13] = 0xff; case 13: (cp)[12] = 0xff;\ - case 12:(cp)[11] = 0xff; case 11:(cp)[10] = 0xff; case 10: (cp)[9] = 0xff;\ - case 9: (cp)[8] = 0xff; case 8: (cp)[7] = 0xff; case 7: (cp)[6] = 0xff;\ - case 6: (cp)[5] = 0xff; case 5: (cp)[4] = 0xff; case 4: (cp)[3] = 0xff;\ - case 3: (cp)[2] = 0xff; case 2: (cp)[1] = 0xff; \ - case 1: (cp)[0] = 0xff; (cp) += (n); case 0: ; \ + case 15:(cp)[14] = 0xff; /*-fallthrough*/ \ + case 14:(cp)[13] = 0xff; /*-fallthrough*/ \ + case 13:(cp)[12] = 0xff; /*-fallthrough*/ \ + case 12:(cp)[11] = 0xff; /*-fallthrough*/ \ + case 11:(cp)[10] = 0xff; /*-fallthrough*/ \ + case 10: (cp)[9] = 0xff; /*-fallthrough*/ \ + case 9: (cp)[8] = 0xff; /*-fallthrough*/ \ + case 8: (cp)[7] = 0xff; /*-fallthrough*/ \ + case 7: (cp)[6] = 0xff; /*-fallthrough*/ \ + case 6: (cp)[5] = 0xff; /*-fallthrough*/ \ + case 5: (cp)[4] = 0xff; /*-fallthrough*/ \ + case 4: (cp)[3] = 0xff; /*-fallthrough*/ \ + case 3: (cp)[2] = 0xff; /*-fallthrough*/ \ + case 2: (cp)[1] = 0xff; /*-fallthrough*/ \ + case 1: (cp)[0] = 0xff; (cp) += (n); /*-fallthrough*/ \ + case 0: ; \ } # define ZERO(n, cp) \ switch (n) { \ - case 15:(cp)[14] = 0; case 14:(cp)[13] = 0; case 13: (cp)[12] = 0; \ - case 12:(cp)[11] = 0; case 11:(cp)[10] = 0; case 10: (cp)[9] = 0; \ - case 9: (cp)[8] = 0; case 8: (cp)[7] = 0; case 7: (cp)[6] = 0; \ - case 6: (cp)[5] = 0; case 5: (cp)[4] = 0; case 4: (cp)[3] = 0; \ - case 3: (cp)[2] = 0; case 2: (cp)[1] = 0; \ - case 1: (cp)[0] = 0; (cp) += (n); case 0: ; \ + case 15:(cp)[14] = 0; /*-fallthrough*/ \ + case 14:(cp)[13] = 0; /*-fallthrough*/ \ + case 13:(cp)[12] = 0; /*-fallthrough*/ \ + case 12:(cp)[11] = 0; /*-fallthrough*/ \ + case 11:(cp)[10] = 0; /*-fallthrough*/ \ + case 10: (cp)[9] = 0; /*-fallthrough*/ \ + case 9: (cp)[8] = 0; /*-fallthrough*/ \ + case 8: (cp)[7] = 0; /*-fallthrough*/ \ + case 7: (cp)[6] = 0; /*-fallthrough*/ \ + case 6: (cp)[5] = 0; /*-fallthrough*/ \ + case 5: (cp)[4] = 0; /*-fallthrough*/ \ + case 4: (cp)[3] = 0; /*-fallthrough*/ \ + case 3: (cp)[2] = 0; /*-fallthrough*/ \ + case 2: (cp)[1] = 0; /*-fallthrough*/ \ + case 1: (cp)[0] = 0; (cp) += (n); /*-fallthrough*/ \ + case 0: ; \ } #else # define FILL(n, cp) \ switch (n) { \ - case 7: (cp)[6] = 0xff; case 6: (cp)[5] = 0xff; case 5: (cp)[4] = 0xff; \ - case 4: (cp)[3] = 0xff; case 3: (cp)[2] = 0xff; case 2: (cp)[1] = 0xff; \ - case 1: (cp)[0] = 0xff; (cp) += (n); case 0: ; \ + case 7: (cp)[6] = 0xff; /*-fallthrough*/ \ + case 6: (cp)[5] = 0xff; /*-fallthrough*/ \ + case 5: (cp)[4] = 0xff; /*-fallthrough*/ \ + case 4: (cp)[3] = 0xff; /*-fallthrough*/ \ + case 3: (cp)[2] = 0xff; /*-fallthrough*/ \ + case 2: (cp)[1] = 0xff; /*-fallthrough*/ \ + case 1: (cp)[0] = 0xff; (cp) += (n); /*-fallthrough*/ \ + case 0: ; \ } # define ZERO(n, cp) \ switch (n) { \ - case 7: (cp)[6] = 0; case 6: (cp)[5] = 0; case 5: (cp)[4] = 0; \ - case 4: (cp)[3] = 0; case 3: (cp)[2] = 0; case 2: (cp)[1] = 0; \ - case 1: (cp)[0] = 0; (cp) += (n); case 0: ; \ + case 7: (cp)[6] = 0; /*-fallthrough*/ \ + case 6: (cp)[5] = 0; /*-fallthrough*/ \ + case 5: (cp)[4] = 0; /*-fallthrough*/ \ + case 4: (cp)[3] = 0; /*-fallthrough*/ \ + case 3: (cp)[2] = 0; /*-fallthrough*/ \ + case 2: (cp)[1] = 0; /*-fallthrough*/ \ + case 1: (cp)[0] = 0; (cp) += (n); /*-fallthrough*/ \ + case 0: ; \ } #endif @@ -1013,7 +1043,11 @@ Fax3Encode2DRow(TIFF* tif, unsigned char* bp, unsigned char* rp, uint32 bits) for (;;) { b2 = finddiff2(rp, b1, bits, PIXEL(rp,b1)); if (b2 >= a1) { - int32 d = b1 - a1; + /* Naive computation triggers -fsanitize=undefined,unsigned-integer-overflow */ + /* although it is correct unless the difference between both is < 31 bit */ + /* int32 d = b1 - a1; */ + int32 d = (b1 >= a1 && b1 - a1 <= 3U) ? (int32)(b1 - a1): + (b1 < a1 && a1 - b1 <= 3U) ? -(int32)(a1 - b1) : 0x7FFFFFFF; if (!(-3 <= d && d <= 3)) { /* horizontal mode */ a2 = finddiff2(bp, a1, bits, PIXEL(bp,a1)); putcode(tif, &horizcode); @@ -1099,7 +1133,7 @@ Fax3PostEncode(TIFF* tif) static void Fax3Close(TIFF* tif) { - if ((Fax3State(tif)->mode & FAXMODE_NORTC) == 0) { + if ((Fax3State(tif)->mode & FAXMODE_NORTC) == 0 && tif->tif_rawcp) { Fax3CodecState* sp = EncoderState(tif); unsigned int code = EOL; unsigned int length = 12; @@ -1321,6 +1355,7 @@ InitCCITTFax3(TIFF* tif) "No space for state block"); return (0); } + _TIFFmemset(tif->tif_data, 0, sizeof (Fax3CodecState)); sp = Fax3State(tif); sp->rw_mode = tif->tif_mode; diff --git a/src/3rdparty/libtiff/libtiff/tif_fax3.h b/src/3rdparty/libtiff/libtiff/tif_fax3.h index e0b2ca6..8a43505 100644 --- a/src/3rdparty/libtiff/libtiff/tif_fax3.h +++ b/src/3rdparty/libtiff/libtiff/tif_fax3.h @@ -1,4 +1,4 @@ -/* $Id: tif_fax3.h,v 1.11 2016-01-23 21:20:34 erouault Exp $ */ +/* $Id: tif_fax3.h,v 1.13 2016-12-14 18:36:27 faxguy Exp $ */ /* * Copyright (c) 1990-1997 Sam Leffler @@ -81,10 +81,12 @@ extern void _TIFFFax3fillruns(unsigned char*, uint32*, uint32*, uint32); #define S_MakeUp 11 #define S_EOL 12 +/* WARNING: do not change the layout of this structure as the HylaFAX software */ +/* really depends on it. See http://bugzilla.maptools.org/show_bug.cgi?id=2636 */ typedef struct { /* state table entry */ unsigned char State; /* see above */ unsigned char Width; /* width of code in bits */ - uint16 Param; /* unsigned 16-bit run length in bits */ + uint32 Param; /* unsigned 32-bit run length in bits (holds on 16 bit actually, but cannot be changed. See above warning) */ } TIFFFaxTabEnt; extern const TIFFFaxTabEnt TIFFFaxMainTable[]; diff --git a/src/3rdparty/libtiff/libtiff/tif_getimage.c b/src/3rdparty/libtiff/libtiff/tif_getimage.c index 0f5e932..c51c889 100644 --- a/src/3rdparty/libtiff/libtiff/tif_getimage.c +++ b/src/3rdparty/libtiff/libtiff/tif_getimage.c @@ -1,4 +1,4 @@ -/* $Id: tif_getimage.c,v 1.98 2016-11-18 02:47:45 bfriesen Exp $ */ +/* $Id: tif_getimage.c,v 1.112 2017-07-24 10:34:14 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -283,6 +283,13 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) img->redcmap = NULL; img->greencmap = NULL; img->bluecmap = NULL; + img->Map = NULL; + img->BWmap = NULL; + img->PALmap = NULL; + img->ycbcr = NULL; + img->cielab = NULL; + img->UaToAa = NULL; + img->Bitdepth16To8 = NULL; img->req_orientation = ORIENTATION_BOTLEFT; /* It is the default */ img->tif = tif; @@ -468,13 +475,6 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) photoTag, img->photometric); goto fail_return; } - img->Map = NULL; - img->BWmap = NULL; - img->PALmap = NULL; - img->ycbcr = NULL; - img->cielab = NULL; - img->UaToAa = NULL; - img->Bitdepth16To8 = NULL; TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &img->width); TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &img->height); TIFFGetFieldDefaulted(tif, TIFFTAG_ORIENTATION, &img->orientation); @@ -494,10 +494,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) return 1; fail_return: - _TIFFfree( img->redcmap ); - _TIFFfree( img->greencmap ); - _TIFFfree( img->bluecmap ); - img->redcmap = img->greencmap = img->bluecmap = NULL; + TIFFRGBAImageEnd( img ); return 0; } @@ -629,7 +626,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) uint32 col, row, y, rowstoread; tmsize_t pos; uint32 tw, th; - unsigned char* buf; + unsigned char* buf = NULL; int32 fromskew, toskew; uint32 nrow; int ret = 1, flip; @@ -637,13 +634,14 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) int32 this_toskew, leftmost_toskew; int32 leftmost_fromskew; uint32 leftmost_tw; + tmsize_t bufsize; - buf = (unsigned char*) _TIFFmalloc(TIFFTileSize(tif)); - if (buf == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); - return (0); + bufsize = TIFFTileSize(tif); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); + return (0); } - _TIFFmemset(buf, 0, TIFFTileSize(tif)); + TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); @@ -663,7 +661,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) leftmost_fromskew = img->col_offset % tw; leftmost_tw = tw - leftmost_fromskew; leftmost_toskew = toskew + leftmost_fromskew; - for (row = 0; row < h; row += nrow) + for (row = 0; ret != 0 && row < h; row += nrow) { rowstoread = th - (row + img->row_offset) % th; nrow = (row + rowstoread > h ? h - row : rowstoread); @@ -674,8 +672,9 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) col = img->col_offset; while (tocol < w) { - if (TIFFReadTile(tif, buf, col, - row+img->row_offset, 0, 0)==(tmsize_t)(-1) && img->stoponerr) + if (_TIFFReadTileAndAllocBuffer(tif, (void**) &buf, bufsize, col, + row+img->row_offset, 0, 0)==(tmsize_t)(-1) && + (buf == NULL || img->stoponerr)) { ret = 0; break; @@ -702,7 +701,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) this_toskew = toskew; } - y += (flip & FLIP_VERTICALLY ? -(int32) nrow : (int32) nrow); + y += ((flip & FLIP_VERTICALLY) ? -(int32) nrow : (int32) nrow); } _TIFFfree(buf); @@ -740,11 +739,11 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) uint32 col, row, y, rowstoread; tmsize_t pos; uint32 tw, th; - unsigned char* buf; - unsigned char* p0; - unsigned char* p1; - unsigned char* p2; - unsigned char* pa; + unsigned char* buf = NULL; + unsigned char* p0 = NULL; + unsigned char* p1 = NULL; + unsigned char* p2 = NULL; + unsigned char* pa = NULL; tmsize_t tilesize; tmsize_t bufsize; int32 fromskew, toskew; @@ -763,16 +762,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); return (0); } - buf = (unsigned char*) _TIFFmalloc(bufsize); - if (buf == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); - return (0); - } - _TIFFmemset(buf, 0, bufsize); - p0 = buf; - p1 = p0 + tilesize; - p2 = p1 + tilesize; - pa = (alpha?(p2+tilesize):NULL); + TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); @@ -792,7 +782,6 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) case PHOTOMETRIC_MINISBLACK: case PHOTOMETRIC_PALETTE: colorchannels = 1; - p2 = p1 = p0; break; default: @@ -806,7 +795,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) leftmost_fromskew = img->col_offset % tw; leftmost_tw = tw - leftmost_fromskew; leftmost_toskew = toskew + leftmost_fromskew; - for (row = 0; row < h; row += nrow) + for (row = 0; ret != 0 && row < h; row += nrow) { rowstoread = th - (row + img->row_offset) % th; nrow = (row + rowstoread > h ? h - row : rowstoread); @@ -817,7 +806,30 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) col = img->col_offset; while (tocol < w) { - if (TIFFReadTile(tif, p0, col, + if( buf == NULL ) + { + if (_TIFFReadTileAndAllocBuffer( + tif, (void**) &buf, bufsize, col, + row+img->row_offset,0,0)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; + break; + } + p0 = buf; + if( colorchannels == 1 ) + { + p2 = p1 = p0; + pa = (alpha?(p0+3*tilesize):NULL); + } + else + { + p1 = p0 + tilesize; + p2 = p1 + tilesize; + pa = (alpha?(p2+tilesize):NULL); + } + } + else if (TIFFReadTile(tif, p0, col, row+img->row_offset,0,0)==(tmsize_t)(-1) && img->stoponerr) { ret = 0; @@ -871,7 +883,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) this_toskew = toskew; } - y += (flip & FLIP_VERTICALLY ?-(int32) nrow : (int32) nrow); + y += ((flip & FLIP_VERTICALLY) ?-(int32) nrow : (int32) nrow); } if (flip & FLIP_HORIZONTALLY) { @@ -908,26 +920,22 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) tileContigRoutine put = img->put.contig; uint32 row, y, nrow, nrowsub, rowstoread; tmsize_t pos; - unsigned char* buf; + unsigned char* buf = NULL; uint32 rowsperstrip; uint16 subsamplinghor,subsamplingver; uint32 imagewidth = img->width; tmsize_t scanline; int32 fromskew, toskew; int ret = 1, flip; + tmsize_t maxstripsize; TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); if( subsamplingver == 0 ) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling"); return (0); } - - buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); - if (buf == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); - return (0); - } - _TIFFmemset(buf, 0, TIFFStripSize(tif)); + + maxstripsize = TIFFStripSize(tif); flip = setorientation(img); if (flip & FLIP_VERTICALLY) { @@ -949,11 +957,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) nrowsub = nrow; if ((nrowsub%subsamplingver)!=0) nrowsub+=subsamplingver-nrowsub%subsamplingver; - if (TIFFReadEncodedStrip(tif, + if (_TIFFReadEncodedStripAndAllocBuffer(tif, TIFFComputeStrip(tif,row+img->row_offset, 0), - buf, + (void**)(&buf), + maxstripsize, ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) - && img->stoponerr) + && (buf == NULL || img->stoponerr)) { ret = 0; break; @@ -962,7 +971,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) pos = ((row + img->row_offset) % rowsperstrip) * scanline + \ ((tmsize_t) img->col_offset * img->samplesperpixel); (*put)(img, raster+y*w, 0, y, w, nrow, fromskew, toskew, buf + pos); - y += (flip & FLIP_VERTICALLY ? -(int32) nrow : (int32) nrow); + y += ((flip & FLIP_VERTICALLY) ? -(int32) nrow : (int32) nrow); } if (flip & FLIP_HORIZONTALLY) { @@ -997,8 +1006,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) { TIFF* tif = img->tif; tileSeparateRoutine put = img->put.separate; - unsigned char *buf; - unsigned char *p0, *p1, *p2, *pa; + unsigned char *buf = NULL; + unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL; uint32 row, y, nrow, rowstoread; tmsize_t pos; tmsize_t scanline; @@ -1017,15 +1026,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); return (0); } - p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); - if (buf == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); - return (0); - } - _TIFFmemset(buf, 0, bufsize); - p1 = p0 + stripsize; - p2 = p1 + stripsize; - pa = (alpha?(p2+stripsize):NULL); flip = setorientation(img); if (flip & FLIP_VERTICALLY) { @@ -1043,7 +1043,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) case PHOTOMETRIC_MINISBLACK: case PHOTOMETRIC_PALETTE: colorchannels = 1; - p2 = p1 = p0; break; default: @@ -1059,7 +1058,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; nrow = (row + rowstoread > h ? h - row : rowstoread); offset_row = row + img->row_offset; - if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), + if( buf == NULL ) + { + if (_TIFFReadEncodedStripAndAllocBuffer( + tif, TIFFComputeStrip(tif, offset_row, 0), + (void**) &buf, bufsize, + ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; + break; + } + p0 = buf; + if( colorchannels == 1 ) + { + p2 = p1 = p0; + pa = (alpha?(p0+3*stripsize):NULL); + } + else + { + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); + } + } + else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) && img->stoponerr) { @@ -1097,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) ((tmsize_t) img->col_offset * img->samplesperpixel); (*put)(img, raster+y*w, 0, y, w, nrow, fromskew, toskew, p0 + pos, p1 + pos, p2 + pos, (alpha?(pa+pos):NULL)); - y += (flip & FLIP_VERTICALLY ? -(int32) nrow : (int32) nrow); + y += ((flip & FLIP_VERTICALLY) ? -(int32) nrow : (int32) nrow); } if (flip & FLIP_HORIZONTALLY) { @@ -1136,11 +1159,15 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) #define REPEAT2(op) op; op #define CASE8(x,op) \ switch (x) { \ - case 7: op; case 6: op; case 5: op; \ - case 4: op; case 3: op; case 2: op; \ + case 7: op; /*-fallthrough*/ \ + case 6: op; /*-fallthrough*/ \ + case 5: op; /*-fallthrough*/ \ + case 4: op; /*-fallthrough*/ \ + case 3: op; /*-fallthrough*/ \ + case 2: op; /*-fallthrough*/ \ case 1: op; \ } -#define CASE4(x,op) switch (x) { case 3: op; case 2: op; case 1: op; } +#define CASE4(x,op) switch (x) { case 3: op; /*-fallthrough*/ case 2: op; /*-fallthrough*/ case 1: op; } #define NOP #define UNROLL8(w, op1, op2) { \ @@ -1211,8 +1238,8 @@ DECLAREContigPutFunc(put8bitcmaptile) int samplesperpixel = img->samplesperpixel; (void) y; - while (h-- > 0) { - for (x = w; x-- > 0;) + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { *cp++ = PALmap[*pp][0]; pp += samplesperpixel; @@ -1231,7 +1258,7 @@ DECLAREContigPutFunc(put4bitcmaptile) (void) x; (void) y; fromskew /= 2; - while (h-- > 0) { + for( ; h > 0; --h) { uint32* bw; UNROLL2(w, bw = PALmap[*pp++], *cp++ = *bw++); cp += toskew; @@ -1248,7 +1275,7 @@ DECLAREContigPutFunc(put2bitcmaptile) (void) x; (void) y; fromskew /= 4; - while (h-- > 0) { + for( ; h > 0; --h) { uint32* bw; UNROLL4(w, bw = PALmap[*pp++], *cp++ = *bw++); cp += toskew; @@ -1265,7 +1292,7 @@ DECLAREContigPutFunc(put1bitcmaptile) (void) x; (void) y; fromskew /= 8; - while (h-- > 0) { + for( ; h > 0; --h) { uint32* bw; UNROLL8(w, bw = PALmap[*pp++], *cp++ = *bw++); cp += toskew; @@ -1282,8 +1309,8 @@ DECLAREContigPutFunc(putgreytile) uint32** BWmap = img->BWmap; (void) y; - while (h-- > 0) { - for (x = w; x-- > 0;) + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { *cp++ = BWmap[*pp][0]; pp += samplesperpixel; @@ -1302,10 +1329,10 @@ DECLAREContigPutFunc(putagreytile) uint32** BWmap = img->BWmap; (void) y; - while (h-- > 0) { - for (x = w; x-- > 0;) + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { - *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1); + *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1); pp += samplesperpixel; } cp += toskew; @@ -1322,10 +1349,10 @@ DECLAREContigPutFunc(put16bitbwtile) uint32** BWmap = img->BWmap; (void) y; - while (h-- > 0) { + for( ; h > 0; --h) { uint16 *wp = (uint16 *) pp; - for (x = w; x-- > 0;) + for (x = w; x > 0; --x) { /* use high order byte of 16bit value */ @@ -1347,7 +1374,7 @@ DECLAREContigPutFunc(put1bitbwtile) (void) x; (void) y; fromskew /= 8; - while (h-- > 0) { + for( ; h > 0; --h) { uint32* bw; UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++); cp += toskew; @@ -1364,7 +1391,7 @@ DECLAREContigPutFunc(put2bitbwtile) (void) x; (void) y; fromskew /= 4; - while (h-- > 0) { + for( ; h > 0; --h) { uint32* bw; UNROLL4(w, bw = BWmap[*pp++], *cp++ = *bw++); cp += toskew; @@ -1381,7 +1408,7 @@ DECLAREContigPutFunc(put4bitbwtile) (void) x; (void) y; fromskew /= 2; - while (h-- > 0) { + for( ; h > 0; --h) { uint32* bw; UNROLL2(w, bw = BWmap[*pp++], *cp++ = *bw++); cp += toskew; @@ -1398,7 +1425,7 @@ DECLAREContigPutFunc(putRGBcontig8bittile) (void) x; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { + for( ; h > 0; --h) { UNROLL8(w, NOP, *cp++ = PACK(pp[0], pp[1], pp[2]); pp += samplesperpixel); @@ -1417,7 +1444,7 @@ DECLAREContigPutFunc(putRGBAAcontig8bittile) (void) x; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { + for( ; h > 0; --h) { UNROLL8(w, NOP, *cp++ = PACK4(pp[0], pp[1], pp[2], pp[3]); pp += samplesperpixel); @@ -1435,10 +1462,10 @@ DECLAREContigPutFunc(putRGBUAcontig8bittile) int samplesperpixel = img->samplesperpixel; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { + for( ; h > 0; --h) { uint32 r, g, b, a; uint8* m; - for (x = w; x-- > 0;) { + for (x = w; x > 0; --x) { a = pp[3]; m = img->UaToAa+((size_t) a<<8); r = m[pp[0]]; @@ -1461,8 +1488,8 @@ DECLAREContigPutFunc(putRGBcontig16bittile) uint16 *wp = (uint16 *)pp; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { - for (x = w; x-- > 0;) { + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { *cp++ = PACK(img->Bitdepth16To8[wp[0]], img->Bitdepth16To8[wp[1]], img->Bitdepth16To8[wp[2]]); @@ -1483,8 +1510,8 @@ DECLAREContigPutFunc(putRGBAAcontig16bittile) uint16 *wp = (uint16 *)pp; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { - for (x = w; x-- > 0;) { + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { *cp++ = PACK4(img->Bitdepth16To8[wp[0]], img->Bitdepth16To8[wp[1]], img->Bitdepth16To8[wp[2]], @@ -1506,10 +1533,10 @@ DECLAREContigPutFunc(putRGBUAcontig16bittile) uint16 *wp = (uint16 *)pp; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { + for( ; h > 0; --h) { uint32 r,g,b,a; uint8* m; - for (x = w; x-- > 0;) { + for (x = w; x > 0; --x) { a = img->Bitdepth16To8[wp[3]]; m = img->UaToAa+((size_t) a<<8); r = m[img->Bitdepth16To8[wp[0]]]; @@ -1535,7 +1562,7 @@ DECLAREContigPutFunc(putRGBcontig8bitCMYKtile) (void) x; (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { + for( ; h > 0; --h) { UNROLL8(w, NOP, k = 255 - pp[3]; r = (k*(255-pp[0]))/255; @@ -1561,8 +1588,8 @@ DECLAREContigPutFunc(putRGBcontig8bitCMYKMaptile) (void) y; fromskew *= samplesperpixel; - while (h-- > 0) { - for (x = w; x-- > 0;) { + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { k = 255 - pp[3]; r = (k*(255-pp[0]))/255; g = (k*(255-pp[1]))/255; @@ -1591,7 +1618,7 @@ static void name(\ DECLARESepPutFunc(putRGBseparate8bittile) { (void) img; (void) x; (void) y; (void) a; - while (h-- > 0) { + for( ; h > 0; --h) { UNROLL8(w, NOP, *cp++ = PACK(*r++, *g++, *b++)); SKEW(r, g, b, fromskew); cp += toskew; @@ -1604,7 +1631,7 @@ DECLARESepPutFunc(putRGBseparate8bittile) DECLARESepPutFunc(putRGBAAseparate8bittile) { (void) img; (void) x; (void) y; - while (h-- > 0) { + for( ; h > 0; --h) { UNROLL8(w, NOP, *cp++ = PACK4(*r++, *g++, *b++, *a++)); SKEW4(r, g, b, a, fromskew); cp += toskew; @@ -1617,9 +1644,9 @@ DECLARESepPutFunc(putRGBAAseparate8bittile) DECLARESepPutFunc(putCMYKseparate8bittile) { (void) img; (void) y; - while (h-- > 0) { + for( ; h > 0; --h) { uint32 rv, gv, bv, kv; - for (x = w; x-- > 0;) { + for (x = w; x > 0; --x) { kv = 255 - *a++; rv = (kv*(255-*r++))/255; gv = (kv*(255-*g++))/255; @@ -1637,10 +1664,10 @@ DECLARESepPutFunc(putCMYKseparate8bittile) DECLARESepPutFunc(putRGBUAseparate8bittile) { (void) img; (void) y; - while (h-- > 0) { + for( ; h > 0; --h) { uint32 rv, gv, bv, av; uint8* m; - for (x = w; x-- > 0;) { + for (x = w; x > 0; --x) { av = *a++; m = img->UaToAa+((size_t) av<<8); rv = m[*r++]; @@ -1662,7 +1689,7 @@ DECLARESepPutFunc(putRGBseparate16bittile) uint16 *wg = (uint16*) g; uint16 *wb = (uint16*) b; (void) img; (void) y; (void) a; - while (h-- > 0) { + for( ; h > 0; --h) { for (x = 0; x < w; x++) *cp++ = PACK(img->Bitdepth16To8[*wr++], img->Bitdepth16To8[*wg++], @@ -1682,7 +1709,7 @@ DECLARESepPutFunc(putRGBAAseparate16bittile) uint16 *wb = (uint16*) b; uint16 *wa = (uint16*) a; (void) img; (void) y; - while (h-- > 0) { + for( ; h > 0; --h) { for (x = 0; x < w; x++) *cp++ = PACK4(img->Bitdepth16To8[*wr++], img->Bitdepth16To8[*wg++], @@ -1703,10 +1730,10 @@ DECLARESepPutFunc(putRGBUAseparate16bittile) uint16 *wb = (uint16*) b; uint16 *wa = (uint16*) a; (void) img; (void) y; - while (h-- > 0) { + for( ; h > 0; --h) { uint32 r2,g2,b2,a2; uint8* m; - for (x = w; x-- > 0;) { + for (x = w; x > 0; --x) { a2 = img->Bitdepth16To8[*wa++]; m = img->UaToAa+((size_t) a2<<8); r2 = m[img->Bitdepth16To8[*wr++]]; @@ -1728,8 +1755,8 @@ DECLAREContigPutFunc(putcontig8bitCIELab) uint32 r, g, b; (void) y; fromskew *= 3; - while (h-- > 0) { - for (x = w; x-- > 0;) { + for( ; h > 0; --h) { + for (x = w; x > 0; --x) { TIFFCIELabToXYZ(img->cielab, (unsigned char)pp[0], (signed char)pp[1], @@ -1842,7 +1869,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) (void) y; /* adjust fromskew */ - fromskew = (fromskew * 18) / 4; + fromskew = (fromskew / 4) * (4*2+2); if ((h & 3) == 0 && (w & 3) == 0) { for (; h >= 4; h -= 4) { x = w>>2; @@ -1945,7 +1972,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) int32 incr = 2*toskew+w; (void) y; - fromskew = (fromskew * 10) / 4; + fromskew = (fromskew / 4) * (4*2+2); if ((w & 3) == 0 && (h & 1) == 0) { for (; h >= 2; h -= 2) { x = w>>2; @@ -2023,7 +2050,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) DECLAREContigPutFunc(putcontig8bitYCbCr41tile) { (void) y; - /* XXX adjust fromskew */ + fromskew = (fromskew / 4) * (4*1+2); do { x = w>>2; while(x>0) { @@ -2046,9 +2073,9 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) int32 Cr = pp[5]; switch( (w&3) ) { - case 3: YCbCrtoRGB(cp [2], pp[2]); - case 2: YCbCrtoRGB(cp [1], pp[1]); - case 1: YCbCrtoRGB(cp [0], pp[0]); + case 3: YCbCrtoRGB(cp [2], pp[2]); /*-fallthrough*/ + case 2: YCbCrtoRGB(cp [1], pp[1]); /*-fallthrough*/ + case 1: YCbCrtoRGB(cp [0], pp[0]); /*-fallthrough*/ case 0: break; } @@ -2070,7 +2097,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile) uint32* cp2; int32 incr = 2*toskew+w; (void) y; - fromskew = (fromskew / 2) * 6; + fromskew = (fromskew / 2) * (2*2+2); cp2 = cp+w+toskew; while (h>=2) { x = w; @@ -2126,7 +2153,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile) DECLAREContigPutFunc(putcontig8bitYCbCr21tile) { (void) y; - fromskew = (fromskew * 4) / 2; + fromskew = (fromskew / 2) * (2*1+2); do { x = w>>1; while(x>0) { @@ -2165,7 +2192,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile) uint32* cp2; int32 incr = 2*toskew+w; (void) y; - fromskew = (fromskew / 2) * 4; + fromskew = (fromskew / 1) * (1 * 2 + 2); cp2 = cp+w+toskew; while (h>=2) { x = w; @@ -2201,7 +2228,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile) DECLAREContigPutFunc(putcontig8bitYCbCr11tile) { (void) y; - fromskew *= 3; + fromskew = (fromskew / 1) * (1 * 1 + 2); do { x = w; /* was x = w>>1; patched 2000/09/25 warmerda@home.com */ do { @@ -2225,7 +2252,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile) (void) y; (void) a; /* TODO: naming of input vars is still off, change obfuscating declaration inside define, or resolve obfuscation */ - while (h-- > 0) { + for( ; h > 0; --h) { x = w; do { uint32 dr, dg, db; @@ -2238,6 +2265,11 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile) } #undef YCbCrtoRGB +static int isInRefBlackWhiteRange(float f) +{ + return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF; +} + static int initYCbCrConversion(TIFFRGBAImage* img) { @@ -2262,6 +2294,31 @@ initYCbCrConversion(TIFFRGBAImage* img) TIFFGetFieldDefaulted(img->tif, TIFFTAG_YCBCRCOEFFICIENTS, &luma); TIFFGetFieldDefaulted(img->tif, TIFFTAG_REFERENCEBLACKWHITE, &refBlackWhite); + + /* Do some validation to avoid later issues. Detect NaN for now */ + /* and also if lumaGreen is zero since we divide by it later */ + if( luma[0] != luma[0] || + luma[1] != luma[1] || + luma[1] == 0.0 || + luma[2] != luma[2] ) + { + TIFFErrorExt(img->tif->tif_clientdata, module, + "Invalid values for YCbCrCoefficients tag"); + return (0); + } + + if( !isInRefBlackWhiteRange(refBlackWhite[0]) || + !isInRefBlackWhiteRange(refBlackWhite[1]) || + !isInRefBlackWhiteRange(refBlackWhite[2]) || + !isInRefBlackWhiteRange(refBlackWhite[3]) || + !isInRefBlackWhiteRange(refBlackWhite[4]) || + !isInRefBlackWhiteRange(refBlackWhite[5]) ) + { + TIFFErrorExt(img->tif->tif_clientdata, module, + "Invalid values for ReferenceBlackWhite tag"); + return (0); + } + if (TIFFYCbCrToRGBInit(img->ycbcr, luma, refBlackWhite) < 0) return(0); return (1); @@ -2815,6 +2872,13 @@ BuildMapBitdepth16To8(TIFFRGBAImage* img) int TIFFReadRGBAStrip(TIFF* tif, uint32 row, uint32 * raster ) +{ + return TIFFReadRGBAStripExt(tif, row, raster, 0 ); +} + +int +TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error) + { char emsg[1024] = ""; TIFFRGBAImage img; @@ -2836,7 +2900,7 @@ TIFFReadRGBAStrip(TIFF* tif, uint32 row, uint32 * raster ) return (0); } - if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, 0, emsg)) { + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { img.row_offset = row; img.col_offset = 0; @@ -2866,6 +2930,13 @@ TIFFReadRGBAStrip(TIFF* tif, uint32 row, uint32 * raster ) int TIFFReadRGBATile(TIFF* tif, uint32 col, uint32 row, uint32 * raster) +{ + return TIFFReadRGBATileExt(tif, col, row, raster, 0 ); +} + + +int +TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop_on_error ) { char emsg[1024] = ""; TIFFRGBAImage img; @@ -2901,7 +2972,7 @@ TIFFReadRGBATile(TIFF* tif, uint32 col, uint32 row, uint32 * raster) */ if (!TIFFRGBAImageOK(tif, emsg) - || !TIFFRGBAImageBegin(&img, tif, 0, emsg)) { + || !TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); return( 0 ); } diff --git a/src/3rdparty/libtiff/libtiff/tif_jbig.c b/src/3rdparty/libtiff/libtiff/tif_jbig.c index 37878f6..7a14dd9 100644 --- a/src/3rdparty/libtiff/libtiff/tif_jbig.c +++ b/src/3rdparty/libtiff/libtiff/tif_jbig.c @@ -1,4 +1,4 @@ -/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */ +/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) jbg_strerror(decodeStatus) #endif ); + jbg_dec_free(&decoder); return 0; } diff --git a/src/3rdparty/libtiff/libtiff/tif_jpeg.c b/src/3rdparty/libtiff/libtiff/tif_jpeg.c index 70b72d8..eed1357 100644 --- a/src/3rdparty/libtiff/libtiff/tif_jpeg.c +++ b/src/3rdparty/libtiff/libtiff/tif_jpeg.c @@ -1,4 +1,4 @@ -/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */ +/* $Id: tif_jpeg.c,v 1.133 2017-08-29 08:08:10 erouault Exp $ */ /* * Copyright (c) 1994-1997 Sam Leffler @@ -27,6 +27,8 @@ #define WIN32_LEAN_AND_MEAN #define VC_EXTRALEAN +#include + #include "tiffiop.h" #ifdef JPEG_SUPPORT @@ -47,6 +49,7 @@ int TIFFFillStrip(TIFF* tif, uint32 strip); int TIFFFillTile(TIFF* tif, uint32 tile); int TIFFReInitJPEG_12( TIFF *tif, int scheme, int is_encode ); +int TIFFJPEGIsFullStripRequired_12(TIFF* tif); /* We undefine FAR to avoid conflict with JPEG definition */ @@ -145,6 +148,8 @@ typedef struct { jpeg_error_mgr err; /* libjpeg error manager */ JMP_BUF exit_jmpbuf; /* for catching libjpeg failures */ + + struct jpeg_progress_mgr progress; /* * The following two members could be a union, but * they're small enough that it's not worth the effort. @@ -175,6 +180,7 @@ typedef struct { int jpegtablesmode; /* What to put in JPEGTables */ int ycbcrsampling_fetched; + int max_allowed_scan_number; } JPEGState; #define JState(tif) ((JPEGState*)(tif)->tif_data) @@ -235,6 +241,33 @@ TIFFjpeg_output_message(j_common_ptr cinfo) TIFFWarningExt(((JPEGState *) cinfo)->tif->tif_clientdata, "JPEGLib", "%s", buffer); } +/* Avoid the risk of denial-of-service on crafted JPEGs with an insane */ +/* number of scans. */ +/* See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */ +static void +TIFFjpeg_progress_monitor(j_common_ptr cinfo) +{ + JPEGState *sp = (JPEGState *) cinfo; /* NB: cinfo assumed first */ + if (cinfo->is_decompressor) + { + const int scan_no = + ((j_decompress_ptr)cinfo)->input_scan_number; + if (scan_no >= sp->max_allowed_scan_number) + { + TIFFErrorExt(((JPEGState *) cinfo)->tif->tif_clientdata, + "TIFFjpeg_progress_monitor", + "Scan number %d exceeds maximum scans (%d). This limit " + "can be raised through the LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER " + "environment variable.", + scan_no, sp->max_allowed_scan_number); + + jpeg_abort(cinfo); /* clean up libjpeg state */ + LONGJMP(sp->exit_jmpbuf, 1); /* return to libtiff caller */ + } + } +} + + /* * Interface routines. This layer of routines exists * primarily to limit side-effects from using setjmp. @@ -336,9 +369,24 @@ TIFFjpeg_read_header(JPEGState* sp, boolean require_image) return CALLJPEG(sp, -1, jpeg_read_header(&sp->cinfo.d, require_image)); } +static int +TIFFjpeg_has_multiple_scans(JPEGState* sp) +{ + return CALLJPEG(sp, 0, jpeg_has_multiple_scans(&sp->cinfo.d)); +} + static int TIFFjpeg_start_decompress(JPEGState* sp) { + const char* sz_max_allowed_scan_number; + /* progress monitor */ + sp->cinfo.d.progress = &sp->progress; + sp->progress.progress_monitor = TIFFjpeg_progress_monitor; + sp->max_allowed_scan_number = 100; + sz_max_allowed_scan_number = getenv("LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER"); + if( sz_max_allowed_scan_number ) + sp->max_allowed_scan_number = atoi(sz_max_allowed_scan_number); + return CALLVJPEG(sp, jpeg_start_decompress(&sp->cinfo.d)); } @@ -589,9 +637,8 @@ std_term_source(j_decompress_ptr cinfo) } static void -TIFFjpeg_data_src(JPEGState* sp, TIFF* tif) +TIFFjpeg_data_src(JPEGState* sp) { - (void) tif; sp->cinfo.d.src = &sp->src; sp->src.init_source = std_init_source; sp->src.fill_input_buffer = std_fill_input_buffer; @@ -617,9 +664,9 @@ tables_init_source(j_decompress_ptr cinfo) } static void -TIFFjpeg_tables_src(JPEGState* sp, TIFF* tif) +TIFFjpeg_tables_src(JPEGState* sp) { - TIFFjpeg_data_src(sp, tif); + TIFFjpeg_data_src(sp); sp->src.init_source = tables_init_source; } @@ -697,9 +744,11 @@ static int JPEGFixupTags(TIFF* tif) { #ifdef CHECK_JPEG_YCBCR_SUBSAMPLING + JPEGState* sp = JState(tif); if ((tif->tif_dir.td_photometric==PHOTOMETRIC_YCBCR)&& (tif->tif_dir.td_planarconfig==PLANARCONFIG_CONTIG)&& - (tif->tif_dir.td_samplesperpixel==3)) + (tif->tif_dir.td_samplesperpixel==3) && + !sp->ycbcrsampling_fetched) JPEGFixupTagsSubsampling(tif); #endif @@ -974,7 +1023,7 @@ JPEGSetupDecode(TIFF* tif) /* Read JPEGTables if it is present */ if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) { - TIFFjpeg_tables_src(sp, tif); + TIFFjpeg_tables_src(sp); if(TIFFjpeg_read_header(sp,FALSE) != JPEG_HEADER_TABLES_ONLY) { TIFFErrorExt(tif->tif_clientdata, "JPEGSetupDecode", "Bogus JPEGTables field"); return (0); @@ -996,11 +1045,47 @@ JPEGSetupDecode(TIFF* tif) } /* Set up for reading normal data */ - TIFFjpeg_data_src(sp, tif); + TIFFjpeg_data_src(sp); tif->tif_postdecode = _TIFFNoPostDecode; /* override byte swapping */ return (1); } +/* Returns 1 if the full strip should be read, even when doing scanline per */ +/* scanline decoding. This happens when the JPEG stream uses multiple scans. */ +/* Currently only called in CHUNKY_STRIP_READ_SUPPORT mode through */ +/* scanline interface. */ +/* Only reads tif->tif_dir.td_bitspersample, tif->tif_rawdata and */ +/* tif->tif_rawcc members. */ +/* Can be called independently of the usual setup/predecode/decode states */ +int TIFFJPEGIsFullStripRequired(TIFF* tif) +{ + int ret; + JPEGState state; + +#if defined(JPEG_DUAL_MODE_8_12) && !defined(TIFFJPEGIsFullStripRequired) + if( tif->tif_dir.td_bitspersample == 12 ) + return TIFFJPEGIsFullStripRequired_12( tif ); +#endif + + memset(&state, 0, sizeof(JPEGState)); + state.tif = tif; + + TIFFjpeg_create_decompress(&state); + + TIFFjpeg_data_src(&state); + + if (TIFFjpeg_read_header(&state, TRUE) != JPEG_HEADER_OK) + { + TIFFjpeg_destroy(&state); + return (0); + } + ret = TIFFjpeg_has_multiple_scans(&state); + + TIFFjpeg_destroy(&state); + + return ret; +} + /* * Set up for decoding a strip or tile. */ @@ -1041,13 +1126,13 @@ JPEGPreDecode(TIFF* tif, uint16 s) /* * Check image parameters and set decompression parameters. */ - segment_width = td->td_imagewidth; - segment_height = td->td_imagelength - tif->tif_row; if (isTiled(tif)) { segment_width = td->td_tilewidth; segment_height = td->td_tilelength; sp->bytesperline = TIFFTileRowSize(tif); } else { + segment_width = td->td_imagewidth; + segment_height = td->td_imagelength - tif->tif_row; if (segment_height > td->td_rowsperstrip) segment_height = td->td_rowsperstrip; sp->bytesperline = TIFFScanlineSize(tif); @@ -1068,9 +1153,23 @@ JPEGPreDecode(TIFF* tif, uint16 s) segment_width, segment_height, sp->cinfo.d.image_width, sp->cinfo.d.image_height); - } - if (sp->cinfo.d.image_width > segment_width || - sp->cinfo.d.image_height > segment_height) { + } + if( sp->cinfo.d.image_width == segment_width && + sp->cinfo.d.image_height > segment_height && + tif->tif_row + segment_height == td->td_imagelength && + !isTiled(tif) ) { + /* Some files have a last strip, that should be truncated, */ + /* but their JPEG codestream has still the maximum strip */ + /* height. Warn about this as this is non compliant, but */ + /* we can safely recover from that. */ + TIFFWarningExt(tif->tif_clientdata, module, + "JPEG strip size exceeds expected dimensions," + " expected %dx%d, got %dx%d", + segment_width, segment_height, + sp->cinfo.d.image_width, sp->cinfo.d.image_height); + } + else if (sp->cinfo.d.image_width > segment_width || + sp->cinfo.d.image_height > segment_height) { /* * This case could be dangerous, if the strip or tile size has * been reported as less than the amount of data jpeg will @@ -1103,6 +1202,47 @@ JPEGPreDecode(TIFF* tif, uint16 s) return (0); } #endif + + /* In some cases, libjpeg needs to allocate a lot of memory */ + /* http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf */ + if( TIFFjpeg_has_multiple_scans(sp) ) + { + /* In this case libjpeg will need to allocate memory or backing */ + /* store for all coefficients */ + /* See call to jinit_d_coef_controller() from master_selection() */ + /* in libjpeg */ + toff_t nRequiredMemory = (toff_t)sp->cinfo.d.image_width * + sp->cinfo.d.image_height * + sp->cinfo.d.num_components * + ((td->td_bitspersample+7)/8); + /* BLOCK_SMOOTHING_SUPPORTED is generally defined, so we need */ + /* to replicate the logic of jinit_d_coef_controller() */ + if( sp->cinfo.d.progressive_mode ) + nRequiredMemory *= 3; + +#ifndef TIFF_LIBJPEG_LARGEST_MEM_ALLOC +#define TIFF_LIBJPEG_LARGEST_MEM_ALLOC (100 * 1024 * 1024) +#endif + + if( nRequiredMemory > TIFF_LIBJPEG_LARGEST_MEM_ALLOC && + getenv("LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC") == NULL ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Reading this strip would require libjpeg to allocate " + "at least %u bytes. " + "This is disabled since above the %u threshold. " + "You may override this restriction by defining the " + "LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, " + "or recompile libtiff by defining the " + "TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro to a value greater " + "than %u", + (unsigned)nRequiredMemory, + (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC, + (unsigned)TIFF_LIBJPEG_LARGEST_MEM_ALLOC); + return (0); + } + } + if (td->td_planarconfig == PLANARCONFIG_CONTIG) { /* Component 0 should have expected sampling factors */ if (sp->cinfo.d.comp_info[0].h_samp_factor != sp->h_sampling || @@ -1364,10 +1504,18 @@ JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) { JPEGState *sp = JState(tif); tmsize_t nrows; + TIFFDirectory *td = &tif->tif_dir; (void) s; + nrows = sp->cinfo.d.image_height; + /* For last strip, limit number of rows to its truncated height */ + /* even if the codestream height is larger (which is not compliant, */ + /* but that we tolerate) */ + if( (uint32)nrows > td->td_imagelength - tif->tif_row && !isTiled(tif) ) + nrows = td->td_imagelength - tif->tif_row; + /* data is expected to be read in multiples of a scanline */ - if ( (nrows = sp->cinfo.d.image_height) != 0 ) { + if ( nrows != 0 ) { /* Cb,Cr both have sampling factors 1, so this is correct */ JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width; @@ -1626,6 +1774,20 @@ JPEGSetupEncode(TIFF* tif) case PHOTOMETRIC_YCBCR: sp->h_sampling = td->td_ycbcrsubsampling[0]; sp->v_sampling = td->td_ycbcrsubsampling[1]; + if( sp->h_sampling == 0 || sp->v_sampling == 0 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Invalig horizontal/vertical sampling value"); + return (0); + } + if( td->td_bitspersample > 16 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "BitsPerSample %d not allowed for JPEG", + td->td_bitspersample); + return (0); + } + /* * A ReferenceBlackWhite field *must* be present since the * default value is inappropriate for YCbCr. Fill in the @@ -2291,6 +2453,15 @@ static int JPEGInitializeLibJPEG( TIFF * tif, int decompress ) } else { if (!TIFFjpeg_create_compress(sp)) return (0); +#ifndef TIFF_JPEG_MAX_MEMORY_TO_USE +#define TIFF_JPEG_MAX_MEMORY_TO_USE (10 * 1024 * 1024) +#endif + /* Increase the max memory usable. This helps when creating files */ + /* with "big" tile, without using libjpeg temporary files. */ + /* For example a 512x512 tile with 3 bands */ + /* requires 1.5 MB which is above libjpeg 1MB default */ + if( sp->cinfo.c.mem->max_memory_to_use < TIFF_JPEG_MAX_MEMORY_TO_USE ) + sp->cinfo.c.mem->max_memory_to_use = TIFF_JPEG_MAX_MEMORY_TO_USE; } sp->cinfo_initialized = TRUE; diff --git a/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c b/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c index 8499e64..b458c25 100644 --- a/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c +++ b/src/3rdparty/libtiff/libtiff/tif_jpeg_12.c @@ -4,6 +4,7 @@ #if defined(JPEG_DUAL_MODE_8_12) # define TIFFInitJPEG TIFFInitJPEG_12 +# define TIFFJPEGIsFullStripRequired TIFFJPEGIsFullStripRequired_12 int TIFFInitJPEG_12(TIFF* tif, int scheme); diff --git a/src/3rdparty/libtiff/libtiff/tif_luv.c b/src/3rdparty/libtiff/libtiff/tif_luv.c index ca08f30..4b25244 100644 --- a/src/3rdparty/libtiff/libtiff/tif_luv.c +++ b/src/3rdparty/libtiff/libtiff/tif_luv.c @@ -1,4 +1,4 @@ -/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_luv.c,v 1.49 2017-07-24 12:47:30 erouault Exp $ */ /* * Copyright (c) 1997 Greg Ward Larson @@ -158,6 +158,7 @@ typedef struct logLuvState LogLuvState; struct logLuvState { + int encoder_state; /* 1 if encoder correctly initialized */ int user_datafmt; /* user data format */ int encode_meth; /* encoding method */ int pixel_size; /* bytes per pixel */ @@ -472,7 +473,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tif->tif_rawcp = op; tif->tif_rawcc = tif->tif_rawdatasize - occ; if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; occ = tif->tif_rawdatasize - tif->tif_rawcc; } @@ -504,7 +505,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tif->tif_rawcp = op; tif->tif_rawcc = tif->tif_rawdatasize - occ; if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; occ = tif->tif_rawdatasize - tif->tif_rawcc; } @@ -564,7 +565,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tif->tif_rawcp = op; tif->tif_rawcc = tif->tif_rawdatasize - occ; if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; occ = tif->tif_rawdatasize - tif->tif_rawcc; } @@ -623,7 +624,7 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tif->tif_rawcp = op; tif->tif_rawcc = tif->tif_rawdatasize - occ; if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; occ = tif->tif_rawdatasize - tif->tif_rawcc; } @@ -655,7 +656,7 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tif->tif_rawcp = op; tif->tif_rawcc = tif->tif_rawdatasize - occ; if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; occ = tif->tif_rawdatasize - tif->tif_rawcc; } @@ -1263,15 +1264,16 @@ LogL16GuessDataFmt(TIFFDirectory *td) return (SGILOGDATAFMT_UNKNOWN); } + +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + static tmsize_t multiply_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 * m2; - - if (m1 && bytes / m1 != m2) - bytes = 0; - - return bytes; + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) + return 0; + return m1 * m2; } static int @@ -1312,8 +1314,10 @@ LogL16InitState(TIFF* tif) } if( isTiled(tif) ) sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength); - else + else if( td->td_rowsperstrip < td->td_imagelength ) sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip); + else + sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength); if (multiply_ms(sp->tbuflen, sizeof (int16)) == 0 || (sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (int16))) == NULL) { TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer"); @@ -1412,8 +1416,10 @@ LogLuvInitState(TIFF* tif) } if( isTiled(tif) ) sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength); - else + else if( td->td_rowsperstrip < td->td_imagelength ) sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip); + else + sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_imagelength); if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 || (sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) { TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer"); @@ -1552,6 +1558,7 @@ LogLuvSetupEncode(TIFF* tif) td->td_photometric, "must be either LogLUV or LogL"); break; } + sp->encoder_state = 1; return (1); notsupported: TIFFErrorExt(tif->tif_clientdata, module, @@ -1563,19 +1570,27 @@ notsupported: static void LogLuvClose(TIFF* tif) { + LogLuvState* sp = (LogLuvState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* * For consistency, we always want to write out the same * bitspersample and sampleformat for our TIFF file, * regardless of the data format being used by the application. * Since this routine is called after tags have been set but * before they have been recorded in the file, we reset them here. + * Note: this is really a nasty approach. See PixarLogClose */ - td->td_samplesperpixel = - (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; - td->td_bitspersample = 16; - td->td_sampleformat = SAMPLEFORMAT_INT; + if( sp->encoder_state ) + { + /* See PixarLogClose. Might avoid issues with tags whose size depends + * on those below, but not completely sure this is enough. */ + td->td_samplesperpixel = + (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; + td->td_bitspersample = 16; + td->td_sampleformat = SAMPLEFORMAT_INT; + } } static void diff --git a/src/3rdparty/libtiff/libtiff/tif_lzw.c b/src/3rdparty/libtiff/libtiff/tif_lzw.c index 240e19c..bc8f9c8 100644 --- a/src/3rdparty/libtiff/libtiff/tif_lzw.c +++ b/src/3rdparty/libtiff/libtiff/tif_lzw.c @@ -1,4 +1,4 @@ -/* $Id: tif_lzw.c,v 1.52 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_lzw.c,v 1.57 2017-07-11 10:54:29 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -275,7 +275,8 @@ LZWPreDecode(TIFF* tif, uint16 s) /* * Check for old bit-reversed codes. */ - if (tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) { + if (tif->tif_rawcc >= 2 && + tif->tif_rawdata[0] == 0 && (tif->tif_rawdata[1] & 0x1)) { #ifdef LZW_COMPAT if (!sp->dec_decode) { TIFFWarningExt(tif->tif_clientdata, module, @@ -318,7 +319,7 @@ LZWPreDecode(TIFF* tif, uint16 s) sp->dec_restart = 0; sp->dec_nbitsmask = MAXCODE(BITS_MIN); #ifdef LZW_CHECKEOS - sp->dec_bitsleft = ((uint64)tif->tif_rawcc) << 3; + sp->dec_bitsleft = 0; #endif sp->dec_free_entp = sp->dec_codetab + CODE_FIRST; /* @@ -425,6 +426,9 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) } bp = (unsigned char *)tif->tif_rawcp; +#ifdef LZW_CHECKEOS + sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3); +#endif nbits = sp->lzw_nbits; nextdata = sp->lzw_nextdata; nextbits = sp->lzw_nextbits; @@ -549,6 +553,7 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) } } + tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp ); tif->tif_rawcp = (uint8*) bp; sp->lzw_nbits = (unsigned short) nbits; sp->lzw_nextdata = nextdata; @@ -651,6 +656,9 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) } bp = (unsigned char *)tif->tif_rawcp; +#ifdef LZW_CHECKEOS + sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3); +#endif nbits = sp->lzw_nbits; nextdata = sp->lzw_nextdata; nextbits = sp->lzw_nextbits; @@ -760,6 +768,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) } } + tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp ); tif->tif_rawcp = (uint8*) bp; sp->lzw_nbits = (unsigned short)nbits; sp->lzw_nextdata = nextdata; @@ -969,7 +978,8 @@ LZWEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) */ if (op > limit) { tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata); - TIFFFlushData1(tif); + if( !TIFFFlushData1(tif) ) + return 0; op = tif->tif_rawdata; } PutNextCode(op, ent); @@ -1054,12 +1064,32 @@ LZWPostEncode(TIFF* tif) if (op > sp->enc_rawlimit) { tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata); - TIFFFlushData1(tif); + if( !TIFFFlushData1(tif) ) + return 0; op = tif->tif_rawdata; } if (sp->enc_oldcode != (hcode_t) -1) { + int free_ent = sp->lzw_free_ent; + PutNextCode(op, sp->enc_oldcode); sp->enc_oldcode = (hcode_t) -1; + free_ent ++; + + if (free_ent == CODE_MAX-1) { + /* table is full, emit clear code and reset */ + outcount = 0; + PutNextCode(op, CODE_CLEAR); + nbits = BITS_MIN; + } else { + /* + * If the next entry is going to be too big for + * the code size, then increase it, if possible. + */ + if (free_ent > sp->lzw_maxcode) { + nbits++; + assert(nbits <= BITS_MAX); + } + } } PutNextCode(op, CODE_EOI); /* Explicit 0xff masking to make icc -check=conversions happy */ diff --git a/src/3rdparty/libtiff/libtiff/tif_ojpeg.c b/src/3rdparty/libtiff/libtiff/tif_ojpeg.c index 30a1812..92ed1fa 100644 --- a/src/3rdparty/libtiff/libtiff/tif_ojpeg.c +++ b/src/3rdparty/libtiff/libtiff/tif_ojpeg.c @@ -1,4 +1,4 @@ -/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_ojpeg.c,v 1.69 2017-04-27 17:29:26 erouault Exp $ */ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0 specification is now totally obsolete and deprecated for new applications and @@ -244,6 +244,7 @@ typedef enum { typedef struct { TIFF* tif; + int decoder_ok; #ifndef LIBJPEG_ENCAP_EXTERNAL JMP_BUF exit_jmpbuf; #endif @@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) } sp->write_curstrile++; } + sp->decoder_ok = 1; return(1); } @@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) static int OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) { + static const char module[]="OJPEGDecode"; OJPEGState* sp=(OJPEGState*)tif->tif_data; (void)s; + if( !sp->decoder_ok ) + { + TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); + return 0; + } if (sp->libjpeg_jpeg_query_style==0) { if (OJPEGDecodeRaw(tif,buf,cc)==0) @@ -1782,7 +1790,12 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif) TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); if (p!=64) + { + _TIFFfree(ob); return(0); + } + if (sp->qtable[m]!=0) + _TIFFfree(sp->qtable[m]); sp->qtable[m]=ob; sp->sof_tq[m]=m; } @@ -1846,7 +1859,12 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif) rb[sizeof(uint32)+5+n]=o[n]; p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); if (p!=q) + { + _TIFFfree(rb); return(0); + } + if (sp->dctable[m]!=0) + _TIFFfree(sp->dctable[m]); sp->dctable[m]=rb; sp->sos_tda[m]=(m<<4); } @@ -1910,7 +1928,12 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif) rb[sizeof(uint32)+5+n]=o[n]; p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); if (p!=q) + { + _TIFFfree(rb); return(0); + } + if (sp->actable[m]!=0) + _TIFFfree(sp->actable[m]); sp->actable[m]=rb; sp->sos_tda[m]=(sp->sos_tda[m]|m); } diff --git a/src/3rdparty/libtiff/libtiff/tif_open.c b/src/3rdparty/libtiff/libtiff/tif_open.c index 5c9036e..a7279e1 100644 --- a/src/3rdparty/libtiff/libtiff/tif_open.c +++ b/src/3rdparty/libtiff/libtiff/tif_open.c @@ -1,4 +1,4 @@ -/* $Id: tif_open.c,v 1.47 2016-01-23 21:20:34 erouault Exp $ */ +/* $Id: tif_open.c,v 1.48 2016-11-20 22:29:47 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -279,10 +279,10 @@ TIFFClientOpen( * Setup header and write. */ #ifdef WORDS_BIGENDIAN - tif->tif_header.common.tiff_magic = tif->tif_flags & TIFF_SWAB + tif->tif_header.common.tiff_magic = (tif->tif_flags & TIFF_SWAB) ? TIFF_LITTLEENDIAN : TIFF_BIGENDIAN; #else - tif->tif_header.common.tiff_magic = tif->tif_flags & TIFF_SWAB + tif->tif_header.common.tiff_magic = (tif->tif_flags & TIFF_SWAB) ? TIFF_BIGENDIAN : TIFF_LITTLEENDIAN; #endif if (!(tif->tif_flags&TIFF_BIGTIFF)) diff --git a/src/3rdparty/libtiff/libtiff/tif_packbits.c b/src/3rdparty/libtiff/libtiff/tif_packbits.c index d2a0165..18904b0 100644 --- a/src/3rdparty/libtiff/libtiff/tif_packbits.c +++ b/src/3rdparty/libtiff/libtiff/tif_packbits.c @@ -1,4 +1,4 @@ -/* $Id: tif_packbits.c,v 1.24 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_packbits.c,v 1.26 2017-05-14 02:26:07 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -99,7 +99,7 @@ PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) slop = (long)(op - lastliteral); tif->tif_rawcc += (tmsize_t)(lastliteral - tif->tif_rawcp); if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; while (slop-- > 0) *op++ = *lastliteral++; @@ -107,7 +107,7 @@ PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) } else { tif->tif_rawcc += (tmsize_t)(op - tif->tif_rawcp); if (!TIFFFlushData1(tif)) - return (-1); + return (0); op = tif->tif_rawcp; } } @@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (unsigned long) ((tmsize_t)n - occ)); n = (long)occ; } + if( cc == 0 ) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Terminating PackBitsDecode due to lack of data."); + break; + } occ -= n; b = *bp++; cc--; diff --git a/src/3rdparty/libtiff/libtiff/tif_pixarlog.c b/src/3rdparty/libtiff/libtiff/tif_pixarlog.c index f4af2ba..979858d 100644 --- a/src/3rdparty/libtiff/libtiff/tif_pixarlog.c +++ b/src/3rdparty/libtiff/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */ +/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -636,29 +636,27 @@ PixarLogGuessDataFmt(TIFFDirectory *td) return guess; } +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + static tmsize_t multiply_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 * m2; - - if (m1 && bytes / m1 != m2) - bytes = 0; - - return bytes; + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) + return 0; + return m1 * m2; } static tmsize_t add_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 + m2; - /* if either input is zero, assume overflow already occurred */ if (m1 == 0 || m2 == 0) - bytes = 0; - else if (bytes <= m1 || bytes <= m2) - bytes = 0; + return 0; + else if (m1 > TIFF_TMSIZE_T_MAX - m2) + return 0; - return bytes; + return m1 + m2; } static int @@ -675,9 +673,20 @@ PixarLogSetupDecode(TIFF* tif) TIFFDirectory *td = &tif->tif_dir; PixarLogState* sp = DecoderState(tif); tmsize_t tbuf_size; + uint32 strip_height; assert(sp != NULL); + /* This function can possibly be called several times by */ + /* PredictorSetupDecode() if this function succeeds but */ + /* PredictorSetup() fails */ + if( (sp->state & PLSTATE_INIT) != 0 ) + return 1; + + strip_height = td->td_rowsperstrip; + if( strip_height > td->td_imagelength ) + strip_height = td->td_imagelength; + /* Make sure no byte swapping happens on the data * after decompression. */ tif->tif_postdecode = _TIFFNoPostDecode; @@ -687,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif) sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), - td->td_rowsperstrip), sizeof(uint16)); + strip_height), sizeof(uint16)); /* add one more stride in case input ends mid-stride */ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) @@ -699,6 +708,9 @@ PixarLogSetupDecode(TIFF* tif) if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { + _TIFFfree(sp->tbuf); + sp->tbuf = NULL; + sp->tbuf_size = 0; TIFFErrorExt(tif->tif_clientdata, module, "PixarLog compression can't handle bits depth/data format combination (depth: %d)", td->td_bitspersample); @@ -706,6 +718,9 @@ PixarLogSetupDecode(TIFF* tif) } if (inflateInit(&sp->stream) != Z_OK) { + _TIFFfree(sp->tbuf); + sp->tbuf = NULL; + sp->tbuf_size = 0; TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg ? sp->stream.msg : "(null)"); return (0); } else { @@ -774,6 +789,10 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (void) s; assert(sp != NULL); + + sp->stream.next_in = tif->tif_rawcp; + sp->stream.avail_in = (uInt) tif->tif_rawcc; + sp->stream.next_out = (unsigned char *) sp->tbuf; assert(sizeof(sp->stream.avail_out)==4); /* if this assert gets raised, we need to simplify this code to reflect a ZLib that is likely updated @@ -819,6 +838,9 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) return (0); } + tif->tif_rawcp = sp->stream.next_in; + tif->tif_rawcc = sp->stream.avail_in; + up = sp->tbuf; /* Swap bytes in the data if from a different endian machine. */ if (tif->tif_flags & TIFF_SWAB) @@ -1233,8 +1255,10 @@ PixarLogPostEncode(TIFF* tif) static void PixarLogClose(TIFF* tif) { + PixarLogState* sp = (PixarLogState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* In a really sneaky (and really incorrect, and untruthful, and * troublesome, and error-prone) maneuver that completely goes against * the spirit of TIFF, and breaks TIFF, on close, we covertly @@ -1243,8 +1267,19 @@ PixarLogClose(TIFF* tif) * readers that don't know about PixarLog, or how to set * the PIXARLOGDATFMT pseudo-tag. */ - td->td_bitspersample = 8; - td->td_sampleformat = SAMPLEFORMAT_UINT; + + if (sp->state&PLSTATE_INIT) { + /* We test the state to avoid an issue such as in + * http://bugzilla.maptools.org/show_bug.cgi?id=2604 + * What appends in that case is that the bitspersample is 1 and + * a TransferFunction is set. The size of the TransferFunction + * depends on 1<td_bitspersample = 8; + td->td_sampleformat = SAMPLEFORMAT_UINT; + } } static void diff --git a/src/3rdparty/libtiff/libtiff/tif_predict.c b/src/3rdparty/libtiff/libtiff/tif_predict.c index 0b185d2..9ae1f57 100644 --- a/src/3rdparty/libtiff/libtiff/tif_predict.c +++ b/src/3rdparty/libtiff/libtiff/tif_predict.c @@ -1,4 +1,4 @@ -/* $Id: tif_predict.c,v 1.40 2016-11-04 09:19:13 erouault Exp $ */ +/* $Id: tif_predict.c,v 1.44 2017-06-18 10:31:50 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -117,6 +117,9 @@ PredictorSetupDecode(TIFF* tif) TIFFPredictorState* sp = PredictorState(tif); TIFFDirectory* td = &tif->tif_dir; + /* Note: when PredictorSetup() fails, the effets of setupdecode() */ + /* will not be "cancelled" so setupdecode() might be robust to */ + /* be called several times. */ if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif)) return 0; @@ -259,11 +262,12 @@ PredictorSetupEncode(TIFF* tif) #define REPEAT4(n, op) \ switch (n) { \ - default: { tmsize_t i; for (i = n-4; i > 0; i--) { op; } } \ - case 4: op; \ - case 3: op; \ - case 2: op; \ - case 1: op; \ + default: { \ + tmsize_t i; for (i = n-4; i > 0; i--) { op; } } /*-fallthrough*/ \ + case 4: op; /*-fallthrough*/ \ + case 3: op; /*-fallthrough*/ \ + case 2: op; /*-fallthrough*/ \ + case 1: op; /*-fallthrough*/ \ case 0: ; \ } @@ -273,6 +277,7 @@ PredictorSetupEncode(TIFF* tif) /* - when storing into the byte stream, we explicitly mask with 0xff so */ /* as to make icc -check=conversions happy (not necessary by the standard) */ +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -340,6 +345,7 @@ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) return horAcc16(tif, cp0, cc); } +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -374,6 +380,7 @@ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) return horAcc32(tif, cp0, cc); } +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -499,6 +506,7 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) return 0; } +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -552,6 +560,7 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc) return 1; } +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -591,6 +600,7 @@ swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc) return 1; } +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -633,6 +643,7 @@ swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc) /* * Floating point predictor differencing routine. */ +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc) { @@ -797,7 +808,7 @@ PredictorPrintDir(TIFF* tif, FILE* fd, long flags) case 2: fprintf(fd, "horizontal differencing "); break; case 3: fprintf(fd, "floating point predictor "); break; } - fprintf(fd, "%u (0x%x)\n", sp->predictor, sp->predictor); + fprintf(fd, "%d (0x%x)\n", sp->predictor, sp->predictor); } if (sp->printdir) (*sp->printdir)(tif, fd, flags); diff --git a/src/3rdparty/libtiff/libtiff/tif_print.c b/src/3rdparty/libtiff/libtiff/tif_print.c index 186f2ee..24d4b98 100644 --- a/src/3rdparty/libtiff/libtiff/tif_print.c +++ b/src/3rdparty/libtiff/libtiff/tif_print.c @@ -1,4 +1,4 @@ -/* $Id: tif_print.c,v 1.64 2015-12-06 22:19:56 erouault Exp $ */ +/* $Id: tif_print.c,v 1.65 2016-11-20 22:31:22 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -262,7 +262,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) if (td->td_subfiletype & FILETYPE_MASK) fprintf(fd, "%stransparency mask", sep); fprintf(fd, " (%lu = 0x%lx)\n", - (long) td->td_subfiletype, (long) td->td_subfiletype); + (unsigned long) td->td_subfiletype, (long) td->td_subfiletype); } if (TIFFFieldSet(tif,FIELD_IMAGEDIMENSIONS)) { fprintf(fd, " Image Width: %lu Image Length: %lu", @@ -521,7 +521,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) fprintf(fd, "\n"); n = 1L<td_bitspersample; for (l = 0; l < n; l++) - fprintf(fd, " %5lu: %5u %5u %5u\n", + fprintf(fd, " %5ld: %5u %5u %5u\n", l, td->td_colormap[0][l], td->td_colormap[1][l], @@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) n = 1L<td_bitspersample; for (l = 0; l < n; l++) { uint16 i; - fprintf(fd, " %2lu: %5u", + fprintf(fd, " %2ld: %5u", l, td->td_transferfunction[0][l]); for (i = 1; i < td->td_samplesperpixel; i++) fprintf(fd, " %5u", @@ -661,7 +661,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) uint32 s; fprintf(fd, " %lu %s:\n", - (long) td->td_nstrips, + (unsigned long) td->td_nstrips, isTiled(tif) ? "Tiles" : "Strips"); for (s = 0; s < td->td_nstrips; s++) #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) diff --git a/src/3rdparty/libtiff/libtiff/tif_read.c b/src/3rdparty/libtiff/libtiff/tif_read.c index 8003592..d5ce837 100644 --- a/src/3rdparty/libtiff/libtiff/tif_read.c +++ b/src/3rdparty/libtiff/libtiff/tif_read.c @@ -1,4 +1,4 @@ -/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */ +/* $Id: tif_read.c,v 1.65 2017-07-15 12:33:25 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -47,6 +47,121 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m #define NOSTRIP ((uint32)(-1)) /* undefined state */ #define NOTILE ((uint32)(-1)) /* undefined state */ +#define INITIAL_THRESHOLD (1024 * 1024) +#define THRESHOLD_MULTIPLIER 10 +#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + +/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' + * Returns 1 in case of success, 0 otherwise. */ +static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, + tmsize_t rawdata_offset, + int is_strip, uint32 strip_or_tile, + const char* module ) +{ +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + tmsize_t threshold = INITIAL_THRESHOLD; +#endif + tmsize_t already_read = 0; + + /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ + /* so as to avoid allocating too much memory in case the file is too */ + /* short. We could ask for the file size, but this might be */ + /* expensive with some I/O layers (think of reading a gzipped file) */ + /* Restrict to 64 bit processes, so as to avoid reallocs() */ + /* on 32 bit processes where virtual memory is scarce. */ + while( already_read < size ) + { + tmsize_t bytes_read; + tmsize_t to_read = size - already_read; +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + if( to_read >= threshold && threshold < MAX_THRESHOLD && + already_read + to_read + rawdata_offset > tif->tif_rawdatasize ) + { + to_read = threshold; + threshold *= THRESHOLD_MULTIPLIER; + } +#endif + if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize) { + uint8* new_rawdata; + assert((tif->tif_flags & TIFF_MYBUFFER) != 0); + tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64( + (uint64)already_read + to_read + rawdata_offset, 1024); + if (tif->tif_rawdatasize==0) { + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid buffer size"); + return 0; + } + new_rawdata = (uint8*) _TIFFrealloc( + tif->tif_rawdata, tif->tif_rawdatasize); + if( new_rawdata == 0 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "No space for data buffer at scanline %lu", + (unsigned long) tif->tif_row); + _TIFFfree(tif->tif_rawdata); + tif->tif_rawdata = 0; + tif->tif_rawdatasize = 0; + return 0; + } + tif->tif_rawdata = new_rawdata; + } + + bytes_read = TIFFReadFile(tif, + tif->tif_rawdata + rawdata_offset + already_read, to_read); + already_read += bytes_read; + if (bytes_read != to_read) { + memset( tif->tif_rawdata + rawdata_offset + already_read, 0, + tif->tif_rawdatasize - rawdata_offset - already_read ); +#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + if( is_strip ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Read error at scanline %lu; got %I64u bytes, " + "expected %I64u", + (unsigned long) tif->tif_row, + (unsigned __int64) already_read, + (unsigned __int64) size); + } + else + { + TIFFErrorExt(tif->tif_clientdata, module, + "Read error at row %lu, col %lu, tile %lu; " + "got %I64u bytes, expected %I64u", + (unsigned long) tif->tif_row, + (unsigned long) tif->tif_col, + (unsigned long) strip_or_tile, + (unsigned __int64) already_read, + (unsigned __int64) size); + } +#else + if( is_strip ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Read error at scanline %lu; got %llu bytes, " + "expected %llu", + (unsigned long) tif->tif_row, + (unsigned long long) already_read, + (unsigned long long) size); + } + else + { + TIFFErrorExt(tif->tif_clientdata, module, + "Read error at row %lu, col %lu, tile %lu; " + "got %llu bytes, expected %llu", + (unsigned long) tif->tif_row, + (unsigned long) tif->tif_col, + (unsigned long) strip_or_tile, + (unsigned long long) already_read, + (unsigned long long) size); + } +#endif + return 0; + } + } + return 1; +} + + static int TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) { @@ -54,7 +169,8 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) register TIFFDirectory *td = &tif->tif_dir; tmsize_t unused_data; uint64 read_offset; - tmsize_t cc, to_read; + tmsize_t to_read; + tmsize_t read_ahead_mod; /* tmsize_t bytecountm; */ if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) @@ -67,7 +183,14 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) */ /* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */ - if (read_ahead*2 > tif->tif_rawdatasize) { + + /* Not completely sure where the * 2 comes from, but probably for */ + /* an exponentional growth strategy of tif_rawdatasize */ + if( read_ahead < TIFF_TMSIZE_T_MAX / 2 ) + read_ahead_mod = read_ahead * 2; + else + read_ahead_mod = read_ahead; + if (read_ahead_mod > tif->tif_rawdatasize) { assert( restart ); tif->tif_curstrip = NOSTRIP; @@ -77,8 +200,6 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) (unsigned long) strip); return (0); } - if (!TIFFReadBufferSetup(tif, 0, read_ahead*2)) - return (0); } if( restart ) @@ -118,7 +239,10 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) /* ** How much do we want to read? */ - to_read = tif->tif_rawdatasize - unused_data; + if( read_ahead_mod > tif->tif_rawdatasize ) + to_read = read_ahead_mod - unused_data; + else + to_read = tif->tif_rawdatasize - unused_data; if( (uint64) to_read > td->td_stripbytecount[strip] - tif->tif_rawdataoff - tif->tif_rawdataloaded ) { @@ -127,28 +251,18 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) } assert((tif->tif_flags&TIFF_BUFFERMMAP)==0); - cc = TIFFReadFile(tif, tif->tif_rawdata + unused_data, to_read); - - if (cc != to_read) { -#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, - "Read error at scanline %lu; got %I64u bytes, expected %I64u", - (unsigned long) tif->tif_row, - (unsigned __int64) cc, - (unsigned __int64) to_read); -#else - TIFFErrorExt(tif->tif_clientdata, module, - "Read error at scanline %lu; got %llu bytes, expected %llu", - (unsigned long) tif->tif_row, - (unsigned long long) cc, - (unsigned long long) to_read); -#endif + if( !TIFFReadAndRealloc( tif, to_read, unused_data, + 1, /* is_strip */ + 0, /* strip_or_tile */ + module) ) + { return 0; } - + tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ; tif->tif_rawdataloaded = unused_data + to_read; + tif->tif_rawcc = tif->tif_rawdataloaded; tif->tif_rawcp = tif->tif_rawdata; if (!isFillOrder(tif, td->td_fillorder) && @@ -162,9 +276,30 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) ** restart the decoder. */ if( restart ) - return TIFFStartStrip(tif, strip); + { + +#ifdef JPEG_SUPPORT + /* A bit messy since breaks the codec abstraction. Ultimately */ + /* there should be a function pointer for that, but it seems */ + /* only JPEG is affected. */ + /* For JPEG, if there are multiple scans (can generally be known */ + /* with the read_ahead used), we need to read the whole strip */ + if( tif->tif_dir.td_compression==COMPRESSION_JPEG && + (uint64)tif->tif_rawcc < td->td_stripbytecount[strip] ) + { + if( TIFFJPEGIsFullStripRequired(tif) ) + { + return TIFFFillStrip(tif, strip); + } + } +#endif + + return TIFFStartStrip(tif, strip); + } else + { return 1; + } } /* @@ -219,7 +354,18 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) if( !whole_strip ) { - read_ahead = tif->tif_scanlinesize * 16 + 5000; + /* 16 is for YCbCr mode where we may need to read 16 */ + /* lines at a time to get a decompressed line, and 5000 */ + /* is some constant value, for example for JPEG tables */ + if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 && + tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 ) + { + read_ahead = tif->tif_scanlinesize * 16 + 5000; + } + else + { + read_ahead = tif->tif_scanlinesize; + } } /* @@ -315,18 +461,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample) } /* - * Read a strip of data and decompress the specified - * amount into the user-supplied buffer. + * Calculate the strip size according to the number of + * rows in the strip (check for truncated last strip on any + * of the separations). */ -tmsize_t -TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) +static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane) { static const char module[] = "TIFFReadEncodedStrip"; TIFFDirectory *td = &tif->tif_dir; uint32 rowsperstrip; uint32 stripsperplane; uint32 stripinplane; - uint16 plane; uint32 rows; tmsize_t stripsize; if (!TIFFCheckRead(tif,0)) @@ -338,23 +483,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) (unsigned long)td->td_nstrips); return((tmsize_t)(-1)); } - /* - * Calculate the strip size according to the number of - * rows in the strip (check for truncated last strip on any - * of the separations). - */ + rowsperstrip=td->td_rowsperstrip; if (rowsperstrip>td->td_imagelength) rowsperstrip=td->td_imagelength; - stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); + stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); stripinplane=(strip%stripsperplane); - plane=(uint16)(strip/stripsperplane); + if( pplane ) *pplane=(uint16)(strip/stripsperplane); rows=td->td_imagelength-stripinplane*rowsperstrip; if (rows>rowsperstrip) rows=rowsperstrip; stripsize=TIFFVStripSize(tif,rows); if (stripsize==0) return((tmsize_t)(-1)); + return stripsize; +} + +/* + * Read a strip of data and decompress the specified + * amount into the user-supplied buffer. + */ +tmsize_t +TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) +{ + static const char module[] = "TIFFReadEncodedStrip"; + TIFFDirectory *td = &tif->tif_dir; + tmsize_t stripsize; + uint16 plane; + + stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); + if (stripsize==((tmsize_t)(-1))) + return((tmsize_t)(-1)); /* shortcut to avoid an extra memcpy() */ if( td->td_compression == COMPRESSION_NONE && @@ -383,6 +542,49 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) return(stripsize); } +/* Variant of TIFFReadEncodedStrip() that does + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has + * suceeded. This avoid excessive memory allocation in case of truncated + * file. + * * calls regular TIFFReadEncodedStrip() if *buf != NULL + */ +tmsize_t +_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, + void **buf, tmsize_t bufsizetoalloc, + tmsize_t size_to_read) +{ + tmsize_t this_stripsize; + uint16 plane; + + if( *buf != NULL ) + { + return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read); + } + + this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); + if (this_stripsize==((tmsize_t)(-1))) + return((tmsize_t)(-1)); + + if ((size_to_read!=(tmsize_t)(-1))&&(size_to_readtif_clientdata, TIFFFileName(tif), "No space for strip buffer"); + return((tmsize_t)(-1)); + } + _TIFFmemset(*buf, 0, bufsizetoalloc); + + if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0) + return((tmsize_t)(-1)); + (*tif->tif_postdecode)(tif,*buf,this_stripsize); + return(this_stripsize); + + +} + static tmsize_t TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, const char* module) @@ -420,16 +622,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, return ((tmsize_t)(-1)); } } else { - tmsize_t ma,mb; + tmsize_t ma = 0; tmsize_t n; - ma=(tmsize_t)td->td_stripoffset[strip]; - mb=ma+size; - if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) - n=0; - else if ((mbtif->tif_size)) - n=tif->tif_size-ma; - else - n=size; + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) + { + n=0; + } + else if( ma > TIFF_TMSIZE_T_MAX - size ) + { + n=0; + } + else + { + tmsize_t mb=ma+size; + if (mb>tif->tif_size) + n=tif->tif_size-ma; + else + n=size; + } if (n!=size) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -454,6 +665,43 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, return (size); } +static tmsize_t +TIFFReadRawStripOrTile2(TIFF* tif, uint32 strip_or_tile, int is_strip, + tmsize_t size, const char* module) +{ + TIFFDirectory *td = &tif->tif_dir; + + assert( !isMapped(tif) ); + assert((tif->tif_flags&TIFF_NOREADRAW)==0); + + if (!SeekOK(tif, td->td_stripoffset[strip_or_tile])) { + if( is_strip ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Seek error at scanline %lu, strip %lu", + (unsigned long) tif->tif_row, + (unsigned long) strip_or_tile); + } + else + { + TIFFErrorExt(tif->tif_clientdata, module, + "Seek error at row %lu, col %lu, tile %lu", + (unsigned long) tif->tif_row, + (unsigned long) tif->tif_col, + (unsigned long) strip_or_tile); + } + return ((tmsize_t)(-1)); + } + + if( !TIFFReadAndRealloc( tif, size, 0, is_strip, + strip_or_tile, module ) ) + { + return ((tmsize_t)(-1)); + } + + return (size); +} + /* * Read a strip of data from the file. */ @@ -535,26 +783,40 @@ TIFFFillStrip(TIFF* tif, uint32 strip) #endif return (0); } - if (isMapped(tif) && - (isFillOrder(tif, td->td_fillorder) - || (tif->tif_flags & TIFF_NOBITREV))) { - /* - * The image is mapped into memory and we either don't - * need to flip bits or the compression routine is - * going to handle this operation itself. In this - * case, avoid copying the raw data and instead just - * reference the data from the memory mapped file - * image. This assumes that the decompression - * routines do not modify the contents of the raw data - * buffer (if they try to, the application will get a - * fault since the file is mapped read-only). - */ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) { - _TIFFfree(tif->tif_rawdata); - tif->tif_rawdata = NULL; - tif->tif_rawdatasize = 0; + + /* To avoid excessive memory allocations: */ + /* Byte count should normally not be larger than a number of */ + /* times the uncompressed size plus some margin */ + if( bytecount > 1024 * 1024 ) + { + /* 10 and 4096 are just values that could be adjusted. */ + /* Hopefully they are safe enough for all codecs */ + tmsize_t stripsize = TIFFStripSize(tif); + if( stripsize != 0 && + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; + if( (int64)newbytecount >= 0 ) + { +#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, + "Too large strip byte count %I64u, strip %lu. Limiting to %I64u", + (unsigned __int64) bytecount, + (unsigned long) strip, + (unsigned __int64) newbytecount); +#else + TIFFErrorExt(tif->tif_clientdata, module, + "Too large strip byte count %llu, strip %lu. Limiting to %llu", + (unsigned long long) bytecount, + (unsigned long) strip, + (unsigned long long) newbytecount); +#endif + bytecount = newbytecount; + } } - tif->tif_flags &= ~TIFF_MYBUFFER; + } + + if (isMapped(tif)) { /* * We must check for overflow, potentially causing * an OOB read. Instead of simple @@ -591,6 +853,28 @@ TIFFFillStrip(TIFF* tif, uint32 strip) tif->tif_curstrip = NOSTRIP; return (0); } + } + + if (isMapped(tif) && + (isFillOrder(tif, td->td_fillorder) + || (tif->tif_flags & TIFF_NOBITREV))) { + /* + * The image is mapped into memory and we either don't + * need to flip bits or the compression routine is + * going to handle this operation itself. In this + * case, avoid copying the raw data and instead just + * reference the data from the memory mapped file + * image. This assumes that the decompression + * routines do not modify the contents of the raw data + * buffer (if they try to, the application will get a + * fault since the file is mapped read-only). + */ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) { + _TIFFfree(tif->tif_rawdata); + tif->tif_rawdata = NULL; + tif->tif_rawdatasize = 0; + } + tif->tif_flags &= ~TIFF_MYBUFFER; tif->tif_rawdatasize = (tmsize_t)bytecount; tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip]; tif->tif_rawdataoff = 0; @@ -624,17 +908,36 @@ TIFFFillStrip(TIFF* tif, uint32 strip) (unsigned long) strip); return (0); } - if (!TIFFReadBufferSetup(tif, 0, bytecountm)) - return (0); } if (tif->tif_flags&TIFF_BUFFERMMAP) { tif->tif_curstrip = NOSTRIP; - if (!TIFFReadBufferSetup(tif, 0, bytecountm)) + tif->tif_rawdata = NULL; + tif->tif_rawdatasize = 0; + tif->tif_flags &= ~TIFF_BUFFERMMAP; + } + + if( isMapped(tif) ) + { + if (bytecountm > tif->tif_rawdatasize && + !TIFFReadBufferSetup(tif, 0, bytecountm)) + { + return (0); + } + if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata, + bytecountm, module) != bytecountm) + { return (0); + } } - if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata, - bytecountm, module) != bytecountm) - return (0); + else + { + if (TIFFReadRawStripOrTile2(tif, strip, 1, + bytecountm, module) != bytecountm) + { + return (0); + } + } + tif->tif_rawdataoff = 0; tif->tif_rawdataloaded = bytecountm; @@ -714,6 +1017,77 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) return ((tmsize_t)(-1)); } +/* Variant of TIFFReadTile() that does + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has + * suceeded. This avoid excessive memory allocation in case of truncated + * file. + * * calls regular TIFFReadEncodedTile() if *buf != NULL + */ +tmsize_t +_TIFFReadTileAndAllocBuffer(TIFF* tif, + void **buf, tmsize_t bufsizetoalloc, + uint32 x, uint32 y, uint32 z, uint16 s) +{ + if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s)) + return ((tmsize_t)(-1)); + return (_TIFFReadEncodedTileAndAllocBuffer(tif, + TIFFComputeTile(tif, x, y, z, s), + buf, bufsizetoalloc, + (tmsize_t)(-1))); +} + +/* Variant of TIFFReadEncodedTile() that does + * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has + * suceeded. This avoid excessive memory allocation in case of truncated + * file. + * * calls regular TIFFReadEncodedTile() if *buf != NULL + */ +tmsize_t +_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, + void **buf, tmsize_t bufsizetoalloc, + tmsize_t size_to_read) +{ + static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer"; + TIFFDirectory *td = &tif->tif_dir; + tmsize_t tilesize = tif->tif_tilesize; + + if( *buf != NULL ) + { + return TIFFReadEncodedTile(tif, tile, *buf, size_to_read); + } + + if (!TIFFCheckRead(tif, 1)) + return ((tmsize_t)(-1)); + if (tile >= td->td_nstrips) { + TIFFErrorExt(tif->tif_clientdata, module, + "%lu: Tile out of range, max %lu", + (unsigned long) tile, (unsigned long) td->td_nstrips); + return ((tmsize_t)(-1)); + } + + if (!TIFFFillTile(tif,tile)) + return((tmsize_t)(-1)); + + *buf = _TIFFmalloc(bufsizetoalloc); + if (*buf == NULL) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), + "No space for tile buffer"); + return((tmsize_t)(-1)); + } + _TIFFmemset(*buf, 0, bufsizetoalloc); + + if (size_to_read == (tmsize_t)(-1)) + size_to_read = tilesize; + else if (size_to_read > tilesize) + size_to_read = tilesize; + if( (*tif->tif_decodetile)(tif, + (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) { + (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read); + return (size_to_read); + } else + return ((tmsize_t)(-1)); +} + static tmsize_t TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module) { @@ -856,6 +1230,56 @@ TIFFFillTile(TIFF* tif, uint32 tile) #endif return (0); } + + /* To avoid excessive memory allocations: */ + /* Byte count should normally not be larger than a number of */ + /* times the uncompressed size plus some margin */ + if( bytecount > 1024 * 1024 ) + { + /* 10 and 4096 are just values that could be adjusted. */ + /* Hopefully they are safe enough for all codecs */ + tmsize_t stripsize = TIFFTileSize(tif); + if( stripsize != 0 && + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; + if( (int64)newbytecount >= 0 ) + { +#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, + "Too large tile byte count %I64u, tile %lu. Limiting to %I64u", + (unsigned __int64) bytecount, + (unsigned long) tile, + (unsigned __int64) newbytecount); +#else + TIFFErrorExt(tif->tif_clientdata, module, + "Too large tile byte count %llu, tile %lu. Limiting to %llu", + (unsigned long long) bytecount, + (unsigned long) tile, + (unsigned long long) newbytecount); +#endif + bytecount = newbytecount; + } + } + } + + if (isMapped(tif)) { + /* + * We must check for overflow, potentially causing + * an OOB read. Instead of simple + * + * td->td_stripoffset[tile]+bytecount > tif->tif_size + * + * comparison (which can overflow) we do the following + * two comparisons: + */ + if (bytecount > (uint64)tif->tif_size || + td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) { + tif->tif_curtile = NOTILE; + return (0); + } + } + if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) || (tif->tif_flags & TIFF_NOBITREV))) { @@ -876,20 +1300,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) tif->tif_rawdatasize = 0; } tif->tif_flags &= ~TIFF_MYBUFFER; - /* - * We must check for overflow, potentially causing - * an OOB read. Instead of simple - * - * td->td_stripoffset[tile]+bytecount > tif->tif_size - * - * comparison (which can overflow) we do the following - * two comparisons: - */ - if (bytecount > (uint64)tif->tif_size || - td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) { - tif->tif_curtile = NOTILE; - return (0); - } + tif->tif_rawdatasize = (tmsize_t)bytecount; tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[tile]; @@ -917,18 +1328,36 @@ TIFFFillTile(TIFF* tif, uint32 tile) (unsigned long) tile); return (0); } - if (!TIFFReadBufferSetup(tif, 0, bytecountm)) - return (0); } if (tif->tif_flags&TIFF_BUFFERMMAP) { tif->tif_curtile = NOTILE; - if (!TIFFReadBufferSetup(tif, 0, bytecountm)) + tif->tif_rawdata = NULL; + tif->tif_rawdatasize = 0; + tif->tif_flags &= ~TIFF_BUFFERMMAP; + } + + if( isMapped(tif) ) + { + if (bytecountm > tif->tif_rawdatasize && + !TIFFReadBufferSetup(tif, 0, bytecountm)) + { + return (0); + } + if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata, + bytecountm, module) != bytecountm) + { return (0); + } + } + else + { + if (TIFFReadRawStripOrTile2(tif, tile, 0, + bytecountm, module) != bytecountm) + { + return (0); + } } - if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata, - bytecountm, module) != bytecountm) - return (0); tif->tif_rawdataoff = 0; tif->tif_rawdataloaded = bytecountm; @@ -976,7 +1405,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size) "Invalid buffer size"); return (0); } - tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); + /* Initialize to zero to avoid uninitialized buffers in case of */ + /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ + tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); tif->tif_flags |= TIFF_MYBUFFER; } if (tif->tif_rawdata == NULL) { @@ -1018,7 +1449,10 @@ TIFFStartStrip(TIFF* tif, uint32 strip) else { tif->tif_rawcp = tif->tif_rawdata; - tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip]; + if( tif->tif_rawdataloaded > 0 ) + tif->tif_rawcc = tif->tif_rawdataloaded; + else + tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip]; } return ((*tif->tif_predecode)(tif, (uint16)(strip / td->td_stripsperimage))); @@ -1065,7 +1499,10 @@ TIFFStartTile(TIFF* tif, uint32 tile) else { tif->tif_rawcp = tif->tif_rawdata; - tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile]; + if( tif->tif_rawdataloaded > 0 ) + tif->tif_rawcc = tif->tif_rawdataloaded; + else + tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile]; } return ((*tif->tif_predecode)(tif, (uint16)(tile/td->td_stripsperimage))); diff --git a/src/3rdparty/libtiff/libtiff/tif_strip.c b/src/3rdparty/libtiff/libtiff/tif_strip.c index b6098dd..6e9f2ef 100644 --- a/src/3rdparty/libtiff/libtiff/tif_strip.c +++ b/src/3rdparty/libtiff/libtiff/tif_strip.c @@ -1,4 +1,4 @@ -/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */ +/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) TIFFDirectory *td = &tif->tif_dir; uint32 nstrips; - /* If the value was already computed and store in td_nstrips, then return it, - since ChopUpSingleUncompressedStrip might have altered and resized the - since the td_stripbytecount and td_stripoffset arrays to the new value - after the initial affectation of td_nstrips = TIFFNumberOfStrips() in - tif_dirread.c ~line 3612. - See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ - if( td->td_nstrips ) - return td->td_nstrips; - nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); if (td->td_planarconfig == PLANARCONFIG_SEPARATE) diff --git a/src/3rdparty/libtiff/libtiff/tif_swab.c b/src/3rdparty/libtiff/libtiff/tif_swab.c index 211dc57..4b2e5f1 100644 --- a/src/3rdparty/libtiff/libtiff/tif_swab.c +++ b/src/3rdparty/libtiff/libtiff/tif_swab.c @@ -1,4 +1,4 @@ -/* $Id: tif_swab.c,v 1.14 2016-09-04 21:32:56 erouault Exp $ */ +/* $Id: tif_swab.c,v 1.15 2017-06-08 16:39:50 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -31,7 +31,7 @@ */ #include "tiffiop.h" -#ifndef TIFFSwabShort +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabShort) void TIFFSwabShort(uint16* wp) { @@ -42,7 +42,7 @@ TIFFSwabShort(uint16* wp) } #endif -#ifndef TIFFSwabLong +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabLong) void TIFFSwabLong(uint32* lp) { @@ -54,7 +54,7 @@ TIFFSwabLong(uint32* lp) } #endif -#ifndef TIFFSwabLong8 +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabLong8) void TIFFSwabLong8(uint64* lp) { @@ -68,7 +68,7 @@ TIFFSwabLong8(uint64* lp) } #endif -#ifndef TIFFSwabArrayOfShort +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfShort) void TIFFSwabArrayOfShort(register uint16* wp, tmsize_t n) { @@ -84,7 +84,7 @@ TIFFSwabArrayOfShort(register uint16* wp, tmsize_t n) } #endif -#ifndef TIFFSwabArrayOfTriples +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfTriples) void TIFFSwabArrayOfTriples(register uint8* tp, tmsize_t n) { @@ -100,7 +100,7 @@ TIFFSwabArrayOfTriples(register uint8* tp, tmsize_t n) } #endif -#ifndef TIFFSwabArrayOfLong +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfLong) void TIFFSwabArrayOfLong(register uint32* lp, tmsize_t n) { @@ -117,7 +117,7 @@ TIFFSwabArrayOfLong(register uint32* lp, tmsize_t n) } #endif -#ifndef TIFFSwabArrayOfLong8 +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfLong8) void TIFFSwabArrayOfLong8(register uint64* lp, tmsize_t n) { @@ -136,7 +136,7 @@ TIFFSwabArrayOfLong8(register uint64* lp, tmsize_t n) } #endif -#ifndef TIFFSwabFloat +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabFloat) void TIFFSwabFloat(float* fp) { @@ -148,7 +148,7 @@ TIFFSwabFloat(float* fp) } #endif -#ifndef TIFFSwabArrayOfFloat +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfFloat) void TIFFSwabArrayOfFloat(register float* fp, tmsize_t n) { @@ -165,7 +165,7 @@ TIFFSwabArrayOfFloat(register float* fp, tmsize_t n) } #endif -#ifndef TIFFSwabDouble +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabDouble) void TIFFSwabDouble(double *dp) { @@ -179,7 +179,7 @@ TIFFSwabDouble(double *dp) } #endif -#ifndef TIFFSwabArrayOfDouble +#if defined(DISABLE_CHECK_TIFFSWABMACROS) || !defined(TIFFSwabArrayOfDouble) void TIFFSwabArrayOfDouble(double* dp, tmsize_t n) { diff --git a/src/3rdparty/libtiff/libtiff/tif_unix.c b/src/3rdparty/libtiff/libtiff/tif_unix.c index 81e9d66..80c437c 100644 --- a/src/3rdparty/libtiff/libtiff/tif_unix.c +++ b/src/3rdparty/libtiff/libtiff/tif_unix.c @@ -1,4 +1,4 @@ -/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */ +/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s) return (malloc((size_t) s)); } +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) +{ + if( nmemb == 0 || siz == 0 ) + return ((void *) NULL); + + return calloc((size_t) nmemb, (size_t)siz); +} + void _TIFFfree(void* p) { diff --git a/src/3rdparty/libtiff/libtiff/tif_warning.c b/src/3rdparty/libtiff/libtiff/tif_warning.c index 423b636..dc79f14 100644 --- a/src/3rdparty/libtiff/libtiff/tif_warning.c +++ b/src/3rdparty/libtiff/libtiff/tif_warning.c @@ -1,4 +1,4 @@ -/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_warning.c,v 1.3 2010-03-10 18:56:49 bfriesen Exp $ */ +/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_warning.c,v 1.4 2017-07-04 12:54:42 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -51,24 +51,32 @@ void TIFFWarning(const char* module, const char* fmt, ...) { va_list ap; - va_start(ap, fmt); - if (_TIFFwarningHandler) + if (_TIFFwarningHandler) { + va_start(ap, fmt); (*_TIFFwarningHandler)(module, fmt, ap); - if (_TIFFwarningHandlerExt) + va_end(ap); + } + if (_TIFFwarningHandlerExt) { + va_start(ap, fmt); (*_TIFFwarningHandlerExt)(0, module, fmt, ap); - va_end(ap); + va_end(ap); + } } void TIFFWarningExt(thandle_t fd, const char* module, const char* fmt, ...) { va_list ap; - va_start(ap, fmt); - if (_TIFFwarningHandler) + if (_TIFFwarningHandler) { + va_start(ap, fmt); (*_TIFFwarningHandler)(module, fmt, ap); - if (_TIFFwarningHandlerExt) + va_end(ap); + } + if (_TIFFwarningHandlerExt) { + va_start(ap, fmt); (*_TIFFwarningHandlerExt)(fd, module, fmt, ap); - va_end(ap); + va_end(ap); + } } diff --git a/src/3rdparty/libtiff/libtiff/tif_win32.c b/src/3rdparty/libtiff/libtiff/tif_win32.c index fdc2ee6..ea40163 100644 --- a/src/3rdparty/libtiff/libtiff/tif_win32.c +++ b/src/3rdparty/libtiff/libtiff/tif_win32.c @@ -1,4 +1,4 @@ -/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */ +/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s) return (malloc((size_t) s)); } +void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) +{ + if( nmemb == 0 || siz == 0 ) + return ((void *) NULL); + + return calloc((size_t) nmemb, (size_t)siz); +} + void _TIFFfree(void* p) { diff --git a/src/3rdparty/libtiff/libtiff/tif_write.c b/src/3rdparty/libtiff/libtiff/tif_write.c index 34c4d81..4c216ec 100644 --- a/src/3rdparty/libtiff/libtiff/tif_write.c +++ b/src/3rdparty/libtiff/libtiff/tif_write.c @@ -1,4 +1,4 @@ -/* $Id: tif_write.c,v 1.45 2016-09-23 22:12:18 erouault Exp $ */ +/* $Id: tif_write.c,v 1.46 2016-12-03 21:57:44 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -476,22 +476,22 @@ TIFFWriteEncodedTile(TIFF* tif, uint32 tile, void* data, tmsize_t cc) sample = (uint16)(tile/td->td_stripsperimage); if (!(*tif->tif_preencode)(tif, sample)) return ((tmsize_t)(-1)); - /* swab if needed - note that source buffer will be altered */ - tif->tif_postdecode( tif, (uint8*) data, cc ); + /* swab if needed - note that source buffer will be altered */ + tif->tif_postdecode( tif, (uint8*) data, cc ); - if (!(*tif->tif_encodetile)(tif, (uint8*) data, cc, sample)) - return ((tmsize_t) -1); - if (!(*tif->tif_postencode)(tif)) - return ((tmsize_t)(-1)); - if (!isFillOrder(tif, td->td_fillorder) && - (tif->tif_flags & TIFF_NOBITREV) == 0) - TIFFReverseBits((uint8*)tif->tif_rawdata, tif->tif_rawcc); - if (tif->tif_rawcc > 0 && !TIFFAppendToStrip(tif, tile, - tif->tif_rawdata, tif->tif_rawcc)) - return ((tmsize_t)(-1)); - tif->tif_rawcc = 0; - tif->tif_rawcp = tif->tif_rawdata; - return (cc); + if (!(*tif->tif_encodetile)(tif, (uint8*) data, cc, sample)) + return ((tmsize_t) -1); + if (!(*tif->tif_postencode)(tif)) + return ((tmsize_t)(-1)); + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits((uint8*)tif->tif_rawdata, tif->tif_rawcc); + if (tif->tif_rawcc > 0 && !TIFFAppendToStrip(tif, tile, + tif->tif_rawdata, tif->tif_rawcc)) + return ((tmsize_t)(-1)); + tif->tif_rawcc = 0; + tif->tif_rawcp = tif->tif_rawdata; + return (cc); } /* diff --git a/src/3rdparty/libtiff/libtiff/tif_zip.c b/src/3rdparty/libtiff/libtiff/tif_zip.c index 8c35aea..42943fb 100644 --- a/src/3rdparty/libtiff/libtiff/tif_zip.c +++ b/src/3rdparty/libtiff/libtiff/tif_zip.c @@ -1,4 +1,4 @@ -/* $Id: tif_zip.c,v 1.36 2016-11-12 16:48:28 erouault Exp $ */ +/* $Id: tif_zip.c,v 1.37 2017-05-10 15:21:16 erouault Exp $ */ /* * Copyright (c) 1995-1997 Sam Leffler @@ -107,7 +107,11 @@ ZIPSetupDecode(TIFF* tif) sp->state = 0; } - if (inflateInit(&sp->stream) != Z_OK) { + /* This function can possibly be called several times by */ + /* PredictorSetupDecode() if this function succeeds but */ + /* PredictorSetup() fails */ + if ((sp->state & ZSTATE_INIT_DECODE) == 0 && + inflateInit(&sp->stream) != Z_OK) { TIFFErrorExt(tif->tif_clientdata, module, "%s", SAFE_MSG(sp)); return (0); } else { diff --git a/src/3rdparty/libtiff/libtiff/tiffio.h b/src/3rdparty/libtiff/libtiff/tiffio.h index 6a84d80..ef61b5c 100644 --- a/src/3rdparty/libtiff/libtiff/tiffio.h +++ b/src/3rdparty/libtiff/libtiff/tiffio.h @@ -1,4 +1,4 @@ -/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */ +/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void); */ extern void* _TIFFmalloc(tmsize_t s); +extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); extern void* _TIFFrealloc(void* p, tmsize_t s); extern void _TIFFmemset(void* p, int v, tmsize_t c); extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); @@ -430,6 +431,8 @@ extern int TIFFReadRGBAImageOriented(TIFF*, uint32, uint32, uint32*, int, int); extern int TIFFReadRGBAStrip(TIFF*, uint32, uint32 * ); extern int TIFFReadRGBATile(TIFF*, uint32, uint32, uint32 * ); +extern int TIFFReadRGBAStripExt(TIFF*, uint32, uint32 *, int stop_on_error ); +extern int TIFFReadRGBATileExt(TIFF*, uint32, uint32, uint32 *, int stop_on_error ); extern int TIFFRGBAImageOK(TIFF*, char [1024]); extern int TIFFRGBAImageBegin(TIFFRGBAImage*, TIFF*, int, char [1024]); extern int TIFFRGBAImageGet(TIFFRGBAImage*, uint32*, uint32, uint32); diff --git a/src/3rdparty/libtiff/libtiff/tiffiop.h b/src/3rdparty/libtiff/libtiff/tiffiop.h index 0b4e590..4da486b 100644 --- a/src/3rdparty/libtiff/libtiff/tiffiop.h +++ b/src/3rdparty/libtiff/libtiff/tiffiop.h @@ -1,4 +1,4 @@ -/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */ +/* $Id: tiffiop.h,v 1.95 2017-09-07 14:02:52 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -242,8 +242,7 @@ struct tiff { (TIFFReadFile((tif),(buf),(size))==(size)) #endif #ifndef SeekOK -#define SeekOK(tif, off) \ - (TIFFSeekFile((tif),(off),SEEK_SET)==(off)) +#define SeekOK(tif, off) _TIFFSeekOK(tif, off) #endif #ifndef WriteOK #define WriteOK(tif, buf, size) \ @@ -254,6 +253,10 @@ struct tiff { #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ 0U) +/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ +/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ +#define TIFFhowmany_32_maxuint_compat(x, y) \ + (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) @@ -315,6 +318,13 @@ typedef size_t TIFFIOSize_t; #define _TIFF_off_t off_t #endif +#if __clang_major__ >= 4 || (__clang_major__ == 3 && __clang_minor__ >= 8) +#define TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow"))) +#else +#define TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW +#endif + + #if defined(__cplusplus) extern "C" { #endif @@ -365,6 +375,20 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); extern double _TIFFUInt64ToDouble(uint64); extern float _TIFFUInt64ToFloat(uint64); +extern tmsize_t +_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, + void **buf, tmsize_t bufsizetoalloc, + tmsize_t size_to_read); +extern tmsize_t +_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, + void **buf, tmsize_t bufsizetoalloc, + tmsize_t size_to_read); +extern tmsize_t +_TIFFReadTileAndAllocBuffer(TIFF* tif, + void **buf, tmsize_t bufsizetoalloc, + uint32 x, uint32 y, uint32 z, uint16 s); +extern int _TIFFSeekOK(TIFF* tif, toff_t off); + extern int TIFFInitDumpMode(TIFF*, int); #ifdef PACKBITS_SUPPORT extern int TIFFInitPackBits(TIFF*, int); @@ -387,6 +411,7 @@ extern int TIFFInitOJPEG(TIFF*, int); #endif #ifdef JPEG_SUPPORT extern int TIFFInitJPEG(TIFF*, int); +extern int TIFFJPEGIsFullStripRequired(TIFF*); #endif #ifdef JBIG_SUPPORT extern int TIFFInitJBIG(TIFF*, int); diff --git a/src/3rdparty/libtiff/libtiff/tiffvers.h b/src/3rdparty/libtiff/libtiff/tiffvers.h index fe55c72..890e433 100644 --- a/src/3rdparty/libtiff/libtiff/tiffvers.h +++ b/src/3rdparty/libtiff/libtiff/tiffvers.h @@ -1,4 +1,4 @@ -#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.7\nCopyright (c) 1988-1996 Sam Leffler\nCopyright (c) 1991-1996 Silicon Graphics, Inc." +#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.8\nCopyright (c) 1988-1996 Sam Leffler\nCopyright (c) 1991-1996 Silicon Graphics, Inc." /* * This define can be used in code that requires * compilation-related definitions specific to a @@ -6,4 +6,4 @@ * version checking should be done based on the * string returned by TIFFGetVersion. */ -#define TIFFLIB_VERSION 20161119 +#define TIFFLIB_VERSION 20170521 diff --git a/src/3rdparty/libtiff/port/dummy.c b/src/3rdparty/libtiff/port/dummy.c index 46f93bc..923ee7b 100644 --- a/src/3rdparty/libtiff/port/dummy.c +++ b/src/3rdparty/libtiff/port/dummy.c @@ -1,4 +1,4 @@ -/* $Id: dummy.c,v 1.3 2007/03/21 14:54:16 dron Exp $ */ +/* $Id: dummy.c,v 1.3 2007-03-21 14:54:16 dron Exp $ */ /* * Dummy function, just to be ensure that the library always will be created. diff --git a/src/3rdparty/libtiff/port/lfind.c b/src/3rdparty/libtiff/port/lfind.c index 64b261c..22d9798 100644 --- a/src/3rdparty/libtiff/port/lfind.c +++ b/src/3rdparty/libtiff/port/lfind.c @@ -1,4 +1,4 @@ -/* $Id: lfind.c,v 1.4 2007/01/15 18:40:39 mloskot Exp $ */ +/* $Id: lfind.c,v 1.4 2007-01-15 18:40:39 mloskot Exp $ */ /* * Copyright (c) 1989, 1993 diff --git a/src/3rdparty/libtiff/port/strtoul.c b/src/3rdparty/libtiff/port/strtoul.c index f7a9a1a..84ab215 100644 --- a/src/3rdparty/libtiff/port/strtoul.c +++ b/src/3rdparty/libtiff/port/strtoul.c @@ -1,4 +1,4 @@ -/* $Id: strtoul.c,v 1.2 2005/07/07 16:34:06 dron Exp $ */ +/* $Id: strtoul.c,v 1.2 2005-07-07 16:34:06 dron Exp $ */ /* * Copyright (c) 1990, 1993 diff --git a/src/3rdparty/libtiff/qt_attribution.json b/src/3rdparty/libtiff/qt_attribution.json index e330f93..52b4413 100644 --- a/src/3rdparty/libtiff/qt_attribution.json +++ b/src/3rdparty/libtiff/qt_attribution.json @@ -6,7 +6,7 @@ "Description": "", "Homepage": "http://www.simplesystems.org/libtiff/", - "Version": "4.0.7", + "Version": "4.0.8", "License": "libtiff License", "LicenseId": "libtiff", "LicenseFile": "COPYRIGHT", -- cgit v1.2.3 From feca51d8c714781378cecc99122035348e0459bb Mon Sep 17 00:00:00 2001 From: Friedemann Kleint Date: Thu, 19 Oct 2017 11:16:40 +0200 Subject: TGA: Fix clazy-copyable-polymorphic Change-Id: Iba0631701fbecdd66ffa1d12c57387d76aa65475 Reviewed-by: Eirik Aavitsland --- src/plugins/imageformats/tga/qtgafile.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp index e2f20a7..97510df 100644 --- a/src/plugins/imageformats/tga/qtgafile.cpp +++ b/src/plugins/imageformats/tga/qtgafile.cpp @@ -45,6 +45,10 @@ struct TgaReader { + Q_DISABLE_COPY(TgaReader) + + TgaReader() = default; + virtual ~TgaReader() {} virtual QRgb operator()(QIODevice *s) const = 0; }; -- cgit v1.2.3 From 4d4de2e070178510afb7f160c2594ae7af34f782 Mon Sep 17 00:00:00 2001 From: Antti Kokko Date: Wed, 8 Nov 2017 12:14:07 +0200 Subject: Add changes file for Qt 5.10.0 Change-Id: I8834d6703950d9c105a738e660aaa4399ac8ce4e Reviewed-by: Eirik Aavitsland --- dist/changes-5.10.0 | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 dist/changes-5.10.0 diff --git a/dist/changes-5.10.0 b/dist/changes-5.10.0 new file mode 100644 index 0000000..375a223 --- /dev/null +++ b/dist/changes-5.10.0 @@ -0,0 +1,27 @@ +Qt 5.10 introduces many new features and improvements as well as bugfixes +over the 5.9.x series. For more details, refer to the online documentation +included in this distribution. The documentation is also available online: + +http://doc.qt.io/qt-5/index.html + +The Qt version 5.10 series is binary compatible with the 5.10.x series. +Applications compiled for 5.9 will continue to run with 5.10. + +Some of the changes listed in this file include issue tracking numbers +corresponding to tasks in the Qt Bug Tracker: + +https://bugreports.qt.io/ + +Each of these identifiers can be entered in the bug tracker to obtain more +information about a particular change. + +**************************************************************************** +* Qt 5.10.0 Changes * +**************************************************************************** + + - This release contains only minor code improvements. + +Third-Party Code +---------------- + + - Bundled libtiff was updated to version 4.0.8+ -- cgit v1.2.3