From aae637d37ea1e9b362c6f5202a3eda6a0856df75 Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Tue, 17 Oct 2017 15:13:16 +0200 Subject: Update bundled libtiff to version 4.0.8+ This updates the bundled libtiff to release 4.0.8. In addition, since after that release a number of security-related fixes has been added to the upstream CVS repository, this commit comprises the upstream changes of libtiff until 2017-10-10. (Corresponds to commit 46195f7 in the unofficial mirror at github.com/vadz/libtiff.git.) [ChangeLog][Third-Party Code] Bundled libtiff was updated to version 4.0.8+ Change-Id: I9f45387ab48383ef2635d60aeda5c74828f1a6fc Reviewed-by: Liang Qi --- src/3rdparty/libtiff/libtiff/tif_pixarlog.c | 67 ++++++++++++++++++++++------- 1 file changed, 51 insertions(+), 16 deletions(-) (limited to 'src/3rdparty/libtiff/libtiff/tif_pixarlog.c') diff --git a/src/3rdparty/libtiff/libtiff/tif_pixarlog.c b/src/3rdparty/libtiff/libtiff/tif_pixarlog.c index f4af2ba..979858d 100644 --- a/src/3rdparty/libtiff/libtiff/tif_pixarlog.c +++ b/src/3rdparty/libtiff/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */ +/* $Id: tif_pixarlog.c,v 1.54 2017-07-10 10:40:28 erouault Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -636,29 +636,27 @@ PixarLogGuessDataFmt(TIFFDirectory *td) return guess; } +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + static tmsize_t multiply_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 * m2; - - if (m1 && bytes / m1 != m2) - bytes = 0; - - return bytes; + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) + return 0; + return m1 * m2; } static tmsize_t add_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 + m2; - /* if either input is zero, assume overflow already occurred */ if (m1 == 0 || m2 == 0) - bytes = 0; - else if (bytes <= m1 || bytes <= m2) - bytes = 0; + return 0; + else if (m1 > TIFF_TMSIZE_T_MAX - m2) + return 0; - return bytes; + return m1 + m2; } static int @@ -675,9 +673,20 @@ PixarLogSetupDecode(TIFF* tif) TIFFDirectory *td = &tif->tif_dir; PixarLogState* sp = DecoderState(tif); tmsize_t tbuf_size; + uint32 strip_height; assert(sp != NULL); + /* This function can possibly be called several times by */ + /* PredictorSetupDecode() if this function succeeds but */ + /* PredictorSetup() fails */ + if( (sp->state & PLSTATE_INIT) != 0 ) + return 1; + + strip_height = td->td_rowsperstrip; + if( strip_height > td->td_imagelength ) + strip_height = td->td_imagelength; + /* Make sure no byte swapping happens on the data * after decompression. */ tif->tif_postdecode = _TIFFNoPostDecode; @@ -687,7 +696,7 @@ PixarLogSetupDecode(TIFF* tif) sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), - td->td_rowsperstrip), sizeof(uint16)); + strip_height), sizeof(uint16)); /* add one more stride in case input ends mid-stride */ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) @@ -699,6 +708,9 @@ PixarLogSetupDecode(TIFF* tif) if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { + _TIFFfree(sp->tbuf); + sp->tbuf = NULL; + sp->tbuf_size = 0; TIFFErrorExt(tif->tif_clientdata, module, "PixarLog compression can't handle bits depth/data format combination (depth: %d)", td->td_bitspersample); @@ -706,6 +718,9 @@ PixarLogSetupDecode(TIFF* tif) } if (inflateInit(&sp->stream) != Z_OK) { + _TIFFfree(sp->tbuf); + sp->tbuf = NULL; + sp->tbuf_size = 0; TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg ? sp->stream.msg : "(null)"); return (0); } else { @@ -774,6 +789,10 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (void) s; assert(sp != NULL); + + sp->stream.next_in = tif->tif_rawcp; + sp->stream.avail_in = (uInt) tif->tif_rawcc; + sp->stream.next_out = (unsigned char *) sp->tbuf; assert(sizeof(sp->stream.avail_out)==4); /* if this assert gets raised, we need to simplify this code to reflect a ZLib that is likely updated @@ -819,6 +838,9 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) return (0); } + tif->tif_rawcp = sp->stream.next_in; + tif->tif_rawcc = sp->stream.avail_in; + up = sp->tbuf; /* Swap bytes in the data if from a different endian machine. */ if (tif->tif_flags & TIFF_SWAB) @@ -1233,8 +1255,10 @@ PixarLogPostEncode(TIFF* tif) static void PixarLogClose(TIFF* tif) { + PixarLogState* sp = (PixarLogState*) tif->tif_data; TIFFDirectory *td = &tif->tif_dir; + assert(sp != 0); /* In a really sneaky (and really incorrect, and untruthful, and * troublesome, and error-prone) maneuver that completely goes against * the spirit of TIFF, and breaks TIFF, on close, we covertly @@ -1243,8 +1267,19 @@ PixarLogClose(TIFF* tif) * readers that don't know about PixarLog, or how to set * the PIXARLOGDATFMT pseudo-tag. */ - td->td_bitspersample = 8; - td->td_sampleformat = SAMPLEFORMAT_UINT; + + if (sp->state&PLSTATE_INIT) { + /* We test the state to avoid an issue such as in + * http://bugzilla.maptools.org/show_bug.cgi?id=2604 + * What appends in that case is that the bitspersample is 1 and + * a TransferFunction is set. The size of the TransferFunction + * depends on 1<td_bitspersample = 8; + td->td_sampleformat = SAMPLEFORMAT_UINT; + } } static void -- cgit v1.2.3