1 /*
2 * Copyright (c) 1988-1997 Sam Leffler
3 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4 *
5 * Permission to use, copy, modify, distribute, and sell this software and
6 * its documentation for any purpose is hereby granted without fee, provided
7 * that (i) the above copyright notices and this permission notice appear in
8 * all copies of the software and related documentation, and (ii) the names of
9 * Sam Leffler and Silicon Graphics may not be used in any advertising or
10 * publicity relating to the software without the specific, prior written
11 * permission of Sam Leffler and Silicon Graphics.
12 *
13 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16 *
17 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22 * OF THIS SOFTWARE.
23 */
24
25 /*
26 * TIFF Library.
27 *
28 * Directory Read Support Routines.
29 */
30
31 /* Suggested pending improvements:
32 * - add a field 'field_info' to the TIFFDirEntry structure, and set that with
33 * the pointer to the appropriate TIFFField structure early on in
34 * TIFFReadDirectory, so as to eliminate current possibly repetitive lookup.
35 */
36
37 #include "tiffconf.h"
38 #include "tiffiop.h"
39 #include <float.h>
40 #include <stdlib.h>
41
42 #define FAILED_FII ((uint32_t) -1)
43
44 #ifdef HAVE_IEEEFP
45 # define TIFFCvtIEEEFloatToNative(tif, n, fp)
46 # define TIFFCvtIEEEDoubleToNative(tif, n, dp)
47 #else
48 extern void TIFFCvtIEEEFloatToNative(TIFF*, uint32_t, float*);
49 extern void TIFFCvtIEEEDoubleToNative(TIFF*, uint32_t, double*);
50 #endif
51
52 enum TIFFReadDirEntryErr {
53 TIFFReadDirEntryErrOk = 0,
54 TIFFReadDirEntryErrCount = 1,
55 TIFFReadDirEntryErrType = 2,
56 TIFFReadDirEntryErrIo = 3,
57 TIFFReadDirEntryErrRange = 4,
58 TIFFReadDirEntryErrPsdif = 5,
59 TIFFReadDirEntryErrSizesan = 6,
60 TIFFReadDirEntryErrAlloc = 7,
61 };
62
63 static enum TIFFReadDirEntryErr TIFFReadDirEntryByte(TIFF* tif, TIFFDirEntry* direntry, uint8_t* value);
64 static enum TIFFReadDirEntryErr TIFFReadDirEntryShort(TIFF* tif, TIFFDirEntry* direntry, uint16_t* value);
65 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong(TIFF* tif, TIFFDirEntry* direntry, uint32_t* value);
66 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8(TIFF* tif, TIFFDirEntry* direntry, uint64_t* value);
67 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* direntry, float* value);
68 static enum TIFFReadDirEntryErr TIFFReadDirEntryDouble(TIFF* tif, TIFFDirEntry* direntry, double* value);
69 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* direntry, uint64_t* value);
70
71 static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32_t* count, uint32_t desttypesize, void** value);
72 static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8_t** value);
73 static enum TIFFReadDirEntryErr TIFFReadDirEntrySbyteArray(TIFF* tif, TIFFDirEntry* direntry, int8_t** value);
74 static enum TIFFReadDirEntryErr TIFFReadDirEntryShortArray(TIFF* tif, TIFFDirEntry* direntry, uint16_t** value);
75 static enum TIFFReadDirEntryErr TIFFReadDirEntrySshortArray(TIFF* tif, TIFFDirEntry* direntry, int16_t** value);
76 static enum TIFFReadDirEntryErr TIFFReadDirEntryLongArray(TIFF* tif, TIFFDirEntry* direntry, uint32_t** value);
77 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEntry* direntry, int32_t** value);
78 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64_t** value);
79 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64_t** value);
80 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEntry* direntry, float** value);
81 static enum TIFFReadDirEntryErr TIFFReadDirEntryDoubleArray(TIFF* tif, TIFFDirEntry* direntry, double** value);
82 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8Array(TIFF* tif, TIFFDirEntry* direntry, uint64_t** value);
83
84 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDirEntry* direntry, uint16_t* value);
85 #if 0
86 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleDouble(TIFF* tif, TIFFDirEntry* direntry, double* value);
87 #endif
88
89 static void TIFFReadDirEntryCheckedByte(TIFF* tif, TIFFDirEntry* direntry, uint8_t* value);
90 static void TIFFReadDirEntryCheckedSbyte(TIFF* tif, TIFFDirEntry* direntry, int8_t* value);
91 static void TIFFReadDirEntryCheckedShort(TIFF* tif, TIFFDirEntry* direntry, uint16_t* value);
92 static void TIFFReadDirEntryCheckedSshort(TIFF* tif, TIFFDirEntry* direntry, int16_t* value);
93 static void TIFFReadDirEntryCheckedLong(TIFF* tif, TIFFDirEntry* direntry, uint32_t* value);
94 static void TIFFReadDirEntryCheckedSlong(TIFF* tif, TIFFDirEntry* direntry, int32_t* value);
95 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedLong8(TIFF* tif, TIFFDirEntry* direntry, uint64_t* value);
96 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSlong8(TIFF* tif, TIFFDirEntry* direntry, int64_t* value);
97 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFDirEntry* direntry, double* value);
98 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFFDirEntry* direntry, double* value);
99 static void TIFFReadDirEntryCheckedFloat(TIFF* tif, TIFFDirEntry* direntry, float* value);
100 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedDouble(TIFF* tif, TIFFDirEntry* direntry, double* value);
101
102 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSbyte(int8_t value);
103 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteShort(uint16_t value);
104 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSshort(int16_t value);
105 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong(uint32_t value);
106 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong(int32_t value);
107 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong8(uint64_t value);
108 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong8(int64_t value);
109
110 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value);
111 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value);
112 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value);
113 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value);
114 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value);
115 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value);
116 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value);
117
118 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSbyte(int8_t value);
119 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSshort(int16_t value);
120 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong(uint32_t value);
121 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong(int32_t value);
122 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong8(uint64_t value);
123 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong8(int64_t value);
124
125 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortShort(uint16_t value);
126 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong(uint32_t value);
127 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong(int32_t value);
128 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value);
129 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value);
130
131 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSbyte(int8_t value);
132 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSshort(int16_t value);
133 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSlong(int32_t value);
134 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongLong8(uint64_t value);
135 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSlong8(int64_t value);
136
137 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlongLong(uint32_t value);
138 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value);
139 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value);
140
141 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value);
142 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value);
143 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Slong(int32_t value);
144 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value);
145
146 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value);
147
148 static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF* tif, uint64_t offset, tmsize_t size, void* dest);
149 static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, const char* module, const char* tagname, int recover);
150
151 static void TIFFReadDirectoryCheckOrder(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount);
152 static TIFFDirEntry* TIFFReadDirectoryFindEntry(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount, uint16_t tagid);
153 static void TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16_t tagid, uint32_t* fii);
154
155 static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount);
156 static void MissingRequired(TIFF*, const char*);
157 static int TIFFCheckDirOffset(TIFF* tif, uint64_t diroff);
158 static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32_t);
159 static uint16_t TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, uint64_t* nextdiroff);
160 static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover);
161 static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** lpp);
162 static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
163 static void ChopUpSingleUncompressedStrip(TIFF*);
164 static void TryChopUpUncompressedBigTiff(TIFF*);
165 static uint64_t TIFFReadUInt64(const uint8_t *value);
166 static int _TIFFGetMaxColorChannels(uint16_t photometric);
167
168 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
169
170 typedef union _UInt64Aligned_t
171 {
172 double d;
173 uint64_t l;
174 uint32_t i[2];
175 uint16_t s[4];
176 uint8_t c[8];
177 } UInt64Aligned_t;
178
179 /*
180 Unaligned safe copy of a uint64_t value from an octet array.
181 */
TIFFReadUInt64(const uint8_t * value)182 static uint64_t TIFFReadUInt64(const uint8_t *value)
183 {
184 UInt64Aligned_t result;
185
186 result.c[0]=value[0];
187 result.c[1]=value[1];
188 result.c[2]=value[2];
189 result.c[3]=value[3];
190 result.c[4]=value[4];
191 result.c[5]=value[5];
192 result.c[6]=value[6];
193 result.c[7]=value[7];
194
195 return result.l;
196 }
197
TIFFReadDirEntryByte(TIFF * tif,TIFFDirEntry * direntry,uint8_t * value)198 static enum TIFFReadDirEntryErr TIFFReadDirEntryByte(TIFF* tif, TIFFDirEntry* direntry, uint8_t* value)
199 {
200 enum TIFFReadDirEntryErr err;
201 if (direntry->tdir_count!=1)
202 return(TIFFReadDirEntryErrCount);
203 switch (direntry->tdir_type)
204 {
205 case TIFF_BYTE:
206 case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with field_readcount==1 */
207 TIFFReadDirEntryCheckedByte(tif,direntry,value);
208 return(TIFFReadDirEntryErrOk);
209 case TIFF_SBYTE:
210 {
211 int8_t m;
212 TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
213 err=TIFFReadDirEntryCheckRangeByteSbyte(m);
214 if (err!=TIFFReadDirEntryErrOk)
215 return(err);
216 *value=(uint8_t)m;
217 return(TIFFReadDirEntryErrOk);
218 }
219 case TIFF_SHORT:
220 {
221 uint16_t m;
222 TIFFReadDirEntryCheckedShort(tif,direntry,&m);
223 err=TIFFReadDirEntryCheckRangeByteShort(m);
224 if (err!=TIFFReadDirEntryErrOk)
225 return(err);
226 *value=(uint8_t)m;
227 return(TIFFReadDirEntryErrOk);
228 }
229 case TIFF_SSHORT:
230 {
231 int16_t m;
232 TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
233 err=TIFFReadDirEntryCheckRangeByteSshort(m);
234 if (err!=TIFFReadDirEntryErrOk)
235 return(err);
236 *value=(uint8_t)m;
237 return(TIFFReadDirEntryErrOk);
238 }
239 case TIFF_LONG:
240 {
241 uint32_t m;
242 TIFFReadDirEntryCheckedLong(tif,direntry,&m);
243 err=TIFFReadDirEntryCheckRangeByteLong(m);
244 if (err!=TIFFReadDirEntryErrOk)
245 return(err);
246 *value=(uint8_t)m;
247 return(TIFFReadDirEntryErrOk);
248 }
249 case TIFF_SLONG:
250 {
251 int32_t m;
252 TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
253 err=TIFFReadDirEntryCheckRangeByteSlong(m);
254 if (err!=TIFFReadDirEntryErrOk)
255 return(err);
256 *value=(uint8_t)m;
257 return(TIFFReadDirEntryErrOk);
258 }
259 case TIFF_LONG8:
260 {
261 uint64_t m;
262 err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
263 if (err!=TIFFReadDirEntryErrOk)
264 return(err);
265 err=TIFFReadDirEntryCheckRangeByteLong8(m);
266 if (err!=TIFFReadDirEntryErrOk)
267 return(err);
268 *value=(uint8_t)m;
269 return(TIFFReadDirEntryErrOk);
270 }
271 case TIFF_SLONG8:
272 {
273 int64_t m;
274 err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
275 if (err!=TIFFReadDirEntryErrOk)
276 return(err);
277 err=TIFFReadDirEntryCheckRangeByteSlong8(m);
278 if (err!=TIFFReadDirEntryErrOk)
279 return(err);
280 *value=(uint8_t)m;
281 return(TIFFReadDirEntryErrOk);
282 }
283 default:
284 return(TIFFReadDirEntryErrType);
285 }
286 }
287
TIFFReadDirEntryShort(TIFF * tif,TIFFDirEntry * direntry,uint16_t * value)288 static enum TIFFReadDirEntryErr TIFFReadDirEntryShort(TIFF* tif, TIFFDirEntry* direntry, uint16_t* value)
289 {
290 enum TIFFReadDirEntryErr err;
291 if (direntry->tdir_count!=1)
292 return(TIFFReadDirEntryErrCount);
293 switch (direntry->tdir_type)
294 {
295 case TIFF_BYTE:
296 {
297 uint8_t m;
298 TIFFReadDirEntryCheckedByte(tif,direntry,&m);
299 *value=(uint16_t)m;
300 return(TIFFReadDirEntryErrOk);
301 }
302 case TIFF_SBYTE:
303 {
304 int8_t m;
305 TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
306 err=TIFFReadDirEntryCheckRangeShortSbyte(m);
307 if (err!=TIFFReadDirEntryErrOk)
308 return(err);
309 *value=(uint16_t)m;
310 return(TIFFReadDirEntryErrOk);
311 }
312 case TIFF_SHORT:
313 TIFFReadDirEntryCheckedShort(tif,direntry,value);
314 return(TIFFReadDirEntryErrOk);
315 case TIFF_SSHORT:
316 {
317 int16_t m;
318 TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
319 err=TIFFReadDirEntryCheckRangeShortSshort(m);
320 if (err!=TIFFReadDirEntryErrOk)
321 return(err);
322 *value=(uint16_t)m;
323 return(TIFFReadDirEntryErrOk);
324 }
325 case TIFF_LONG:
326 {
327 uint32_t m;
328 TIFFReadDirEntryCheckedLong(tif,direntry,&m);
329 err=TIFFReadDirEntryCheckRangeShortLong(m);
330 if (err!=TIFFReadDirEntryErrOk)
331 return(err);
332 *value=(uint16_t)m;
333 return(TIFFReadDirEntryErrOk);
334 }
335 case TIFF_SLONG:
336 {
337 int32_t m;
338 TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
339 err=TIFFReadDirEntryCheckRangeShortSlong(m);
340 if (err!=TIFFReadDirEntryErrOk)
341 return(err);
342 *value=(uint16_t)m;
343 return(TIFFReadDirEntryErrOk);
344 }
345 case TIFF_LONG8:
346 {
347 uint64_t m;
348 err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
349 if (err!=TIFFReadDirEntryErrOk)
350 return(err);
351 err=TIFFReadDirEntryCheckRangeShortLong8(m);
352 if (err!=TIFFReadDirEntryErrOk)
353 return(err);
354 *value=(uint16_t)m;
355 return(TIFFReadDirEntryErrOk);
356 }
357 case TIFF_SLONG8:
358 {
359 int64_t m;
360 err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
361 if (err!=TIFFReadDirEntryErrOk)
362 return(err);
363 err=TIFFReadDirEntryCheckRangeShortSlong8(m);
364 if (err!=TIFFReadDirEntryErrOk)
365 return(err);
366 *value=(uint16_t)m;
367 return(TIFFReadDirEntryErrOk);
368 }
369 default:
370 return(TIFFReadDirEntryErrType);
371 }
372 }
373
TIFFReadDirEntryLong(TIFF * tif,TIFFDirEntry * direntry,uint32_t * value)374 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong(TIFF* tif, TIFFDirEntry* direntry, uint32_t* value)
375 {
376 enum TIFFReadDirEntryErr err;
377 if (direntry->tdir_count!=1)
378 return(TIFFReadDirEntryErrCount);
379 switch (direntry->tdir_type)
380 {
381 case TIFF_BYTE:
382 {
383 uint8_t m;
384 TIFFReadDirEntryCheckedByte(tif,direntry,&m);
385 *value=(uint32_t)m;
386 return(TIFFReadDirEntryErrOk);
387 }
388 case TIFF_SBYTE:
389 {
390 int8_t m;
391 TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
392 err=TIFFReadDirEntryCheckRangeLongSbyte(m);
393 if (err!=TIFFReadDirEntryErrOk)
394 return(err);
395 *value=(uint32_t)m;
396 return(TIFFReadDirEntryErrOk);
397 }
398 case TIFF_SHORT:
399 {
400 uint16_t m;
401 TIFFReadDirEntryCheckedShort(tif,direntry,&m);
402 *value=(uint32_t)m;
403 return(TIFFReadDirEntryErrOk);
404 }
405 case TIFF_SSHORT:
406 {
407 int16_t m;
408 TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
409 err=TIFFReadDirEntryCheckRangeLongSshort(m);
410 if (err!=TIFFReadDirEntryErrOk)
411 return(err);
412 *value=(uint32_t)m;
413 return(TIFFReadDirEntryErrOk);
414 }
415 case TIFF_LONG:
416 TIFFReadDirEntryCheckedLong(tif,direntry,value);
417 return(TIFFReadDirEntryErrOk);
418 case TIFF_SLONG:
419 {
420 int32_t m;
421 TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
422 err=TIFFReadDirEntryCheckRangeLongSlong(m);
423 if (err!=TIFFReadDirEntryErrOk)
424 return(err);
425 *value=(uint32_t)m;
426 return(TIFFReadDirEntryErrOk);
427 }
428 case TIFF_LONG8:
429 {
430 uint64_t m;
431 err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
432 if (err!=TIFFReadDirEntryErrOk)
433 return(err);
434 err=TIFFReadDirEntryCheckRangeLongLong8(m);
435 if (err!=TIFFReadDirEntryErrOk)
436 return(err);
437 *value=(uint32_t)m;
438 return(TIFFReadDirEntryErrOk);
439 }
440 case TIFF_SLONG8:
441 {
442 int64_t m;
443 err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
444 if (err!=TIFFReadDirEntryErrOk)
445 return(err);
446 err=TIFFReadDirEntryCheckRangeLongSlong8(m);
447 if (err!=TIFFReadDirEntryErrOk)
448 return(err);
449 *value=(uint32_t)m;
450 return(TIFFReadDirEntryErrOk);
451 }
452 default:
453 return(TIFFReadDirEntryErrType);
454 }
455 }
456
TIFFReadDirEntryLong8(TIFF * tif,TIFFDirEntry * direntry,uint64_t * value)457 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8(TIFF* tif, TIFFDirEntry* direntry, uint64_t* value)
458 {
459 enum TIFFReadDirEntryErr err;
460 if (direntry->tdir_count!=1)
461 return(TIFFReadDirEntryErrCount);
462 switch (direntry->tdir_type)
463 {
464 case TIFF_BYTE:
465 {
466 uint8_t m;
467 TIFFReadDirEntryCheckedByte(tif,direntry,&m);
468 *value=(uint64_t)m;
469 return(TIFFReadDirEntryErrOk);
470 }
471 case TIFF_SBYTE:
472 {
473 int8_t m;
474 TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
475 err=TIFFReadDirEntryCheckRangeLong8Sbyte(m);
476 if (err!=TIFFReadDirEntryErrOk)
477 return(err);
478 *value=(uint64_t)m;
479 return(TIFFReadDirEntryErrOk);
480 }
481 case TIFF_SHORT:
482 {
483 uint16_t m;
484 TIFFReadDirEntryCheckedShort(tif,direntry,&m);
485 *value=(uint64_t)m;
486 return(TIFFReadDirEntryErrOk);
487 }
488 case TIFF_SSHORT:
489 {
490 int16_t m;
491 TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
492 err=TIFFReadDirEntryCheckRangeLong8Sshort(m);
493 if (err!=TIFFReadDirEntryErrOk)
494 return(err);
495 *value=(uint64_t)m;
496 return(TIFFReadDirEntryErrOk);
497 }
498 case TIFF_LONG:
499 {
500 uint32_t m;
501 TIFFReadDirEntryCheckedLong(tif,direntry,&m);
502 *value=(uint64_t)m;
503 return(TIFFReadDirEntryErrOk);
504 }
505 case TIFF_SLONG:
506 {
507 int32_t m;
508 TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
509 err=TIFFReadDirEntryCheckRangeLong8Slong(m);
510 if (err!=TIFFReadDirEntryErrOk)
511 return(err);
512 *value=(uint64_t)m;
513 return(TIFFReadDirEntryErrOk);
514 }
515 case TIFF_LONG8:
516 err=TIFFReadDirEntryCheckedLong8(tif,direntry,value);
517 return(err);
518 case TIFF_SLONG8:
519 {
520 int64_t m;
521 err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
522 if (err!=TIFFReadDirEntryErrOk)
523 return(err);
524 err=TIFFReadDirEntryCheckRangeLong8Slong8(m);
525 if (err!=TIFFReadDirEntryErrOk)
526 return(err);
527 *value=(uint64_t)m;
528 return(TIFFReadDirEntryErrOk);
529 }
530 default:
531 return(TIFFReadDirEntryErrType);
532 }
533 }
534
TIFFReadDirEntryFloat(TIFF * tif,TIFFDirEntry * direntry,float * value)535 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* direntry, float* value)
536 {
537 enum TIFFReadDirEntryErr err;
538 if (direntry->tdir_count!=1)
539 return(TIFFReadDirEntryErrCount);
540 switch (direntry->tdir_type)
541 {
542 case TIFF_BYTE:
543 {
544 uint8_t m;
545 TIFFReadDirEntryCheckedByte(tif,direntry,&m);
546 *value=(float)m;
547 return(TIFFReadDirEntryErrOk);
548 }
549 case TIFF_SBYTE:
550 {
551 int8_t m;
552 TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
553 *value=(float)m;
554 return(TIFFReadDirEntryErrOk);
555 }
556 case TIFF_SHORT:
557 {
558 uint16_t m;
559 TIFFReadDirEntryCheckedShort(tif,direntry,&m);
560 *value=(float)m;
561 return(TIFFReadDirEntryErrOk);
562 }
563 case TIFF_SSHORT:
564 {
565 int16_t m;
566 TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
567 *value=(float)m;
568 return(TIFFReadDirEntryErrOk);
569 }
570 case TIFF_LONG:
571 {
572 uint32_t m;
573 TIFFReadDirEntryCheckedLong(tif,direntry,&m);
574 *value=(float)m;
575 return(TIFFReadDirEntryErrOk);
576 }
577 case TIFF_SLONG:
578 {
579 int32_t m;
580 TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
581 *value=(float)m;
582 return(TIFFReadDirEntryErrOk);
583 }
584 case TIFF_LONG8:
585 {
586 uint64_t m;
587 err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
588 if (err!=TIFFReadDirEntryErrOk)
589 return(err);
590 #if defined(__WIN32__) && (_MSC_VER < 1500)
591 /*
592 * XXX: MSVC 6.0 does not support conversion
593 * of 64-bit integers into floating point
594 * values.
595 */
596 *value = _TIFFUInt64ToFloat(m);
597 #else
598 *value=(float)m;
599 #endif
600 return(TIFFReadDirEntryErrOk);
601 }
602 case TIFF_SLONG8:
603 {
604 int64_t m;
605 err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
606 if (err!=TIFFReadDirEntryErrOk)
607 return(err);
608 *value=(float)m;
609 return(TIFFReadDirEntryErrOk);
610 }
611 case TIFF_RATIONAL:
612 {
613 double m;
614 err=TIFFReadDirEntryCheckedRational(tif,direntry,&m);
615 if (err!=TIFFReadDirEntryErrOk)
616 return(err);
617 *value=(float)m;
618 return(TIFFReadDirEntryErrOk);
619 }
620 case TIFF_SRATIONAL:
621 {
622 double m;
623 err=TIFFReadDirEntryCheckedSrational(tif,direntry,&m);
624 if (err!=TIFFReadDirEntryErrOk)
625 return(err);
626 *value=(float)m;
627 return(TIFFReadDirEntryErrOk);
628 }
629 case TIFF_FLOAT:
630 TIFFReadDirEntryCheckedFloat(tif,direntry,value);
631 return(TIFFReadDirEntryErrOk);
632 case TIFF_DOUBLE:
633 {
634 double m;
635 err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m);
636 if (err!=TIFFReadDirEntryErrOk)
637 return(err);
638 if ((m > FLT_MAX) || (m < -FLT_MAX))
639 return(TIFFReadDirEntryErrRange);
640 *value=(float)m;
641 return(TIFFReadDirEntryErrOk);
642 }
643 default:
644 return(TIFFReadDirEntryErrType);
645 }
646 }
647
TIFFReadDirEntryDouble(TIFF * tif,TIFFDirEntry * direntry,double * value)648 static enum TIFFReadDirEntryErr TIFFReadDirEntryDouble(TIFF* tif, TIFFDirEntry* direntry, double* value)
649 {
650 enum TIFFReadDirEntryErr err;
651 if (direntry->tdir_count!=1)
652 return(TIFFReadDirEntryErrCount);
653 switch (direntry->tdir_type)
654 {
655 case TIFF_BYTE:
656 {
657 uint8_t m;
658 TIFFReadDirEntryCheckedByte(tif,direntry,&m);
659 *value=(double)m;
660 return(TIFFReadDirEntryErrOk);
661 }
662 case TIFF_SBYTE:
663 {
664 int8_t m;
665 TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
666 *value=(double)m;
667 return(TIFFReadDirEntryErrOk);
668 }
669 case TIFF_SHORT:
670 {
671 uint16_t m;
672 TIFFReadDirEntryCheckedShort(tif,direntry,&m);
673 *value=(double)m;
674 return(TIFFReadDirEntryErrOk);
675 }
676 case TIFF_SSHORT:
677 {
678 int16_t m;
679 TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
680 *value=(double)m;
681 return(TIFFReadDirEntryErrOk);
682 }
683 case TIFF_LONG:
684 {
685 uint32_t m;
686 TIFFReadDirEntryCheckedLong(tif,direntry,&m);
687 *value=(double)m;
688 return(TIFFReadDirEntryErrOk);
689 }
690 case TIFF_SLONG:
691 {
692 int32_t m;
693 TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
694 *value=(double)m;
695 return(TIFFReadDirEntryErrOk);
696 }
697 case TIFF_LONG8:
698 {
699 uint64_t m;
700 err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
701 if (err!=TIFFReadDirEntryErrOk)
702 return(err);
703 #if defined(__WIN32__) && (_MSC_VER < 1500)
704 /*
705 * XXX: MSVC 6.0 does not support conversion
706 * of 64-bit integers into floating point
707 * values.
708 */
709 *value = _TIFFUInt64ToDouble(m);
710 #else
711 *value = (double)m;
712 #endif
713 return(TIFFReadDirEntryErrOk);
714 }
715 case TIFF_SLONG8:
716 {
717 int64_t m;
718 err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
719 if (err!=TIFFReadDirEntryErrOk)
720 return(err);
721 *value=(double)m;
722 return(TIFFReadDirEntryErrOk);
723 }
724 case TIFF_RATIONAL:
725 err=TIFFReadDirEntryCheckedRational(tif,direntry,value);
726 return(err);
727 case TIFF_SRATIONAL:
728 err=TIFFReadDirEntryCheckedSrational(tif,direntry,value);
729 return(err);
730 case TIFF_FLOAT:
731 {
732 float m;
733 TIFFReadDirEntryCheckedFloat(tif,direntry,&m);
734 *value=(double)m;
735 return(TIFFReadDirEntryErrOk);
736 }
737 case TIFF_DOUBLE:
738 err=TIFFReadDirEntryCheckedDouble(tif,direntry,value);
739 return(err);
740 default:
741 return(TIFFReadDirEntryErrType);
742 }
743 }
744
TIFFReadDirEntryIfd8(TIFF * tif,TIFFDirEntry * direntry,uint64_t * value)745 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* direntry, uint64_t* value)
746 {
747 enum TIFFReadDirEntryErr err;
748 if (direntry->tdir_count!=1)
749 return(TIFFReadDirEntryErrCount);
750 switch (direntry->tdir_type)
751 {
752 case TIFF_LONG:
753 case TIFF_IFD:
754 {
755 uint32_t m;
756 TIFFReadDirEntryCheckedLong(tif,direntry,&m);
757 *value=(uint64_t)m;
758 return(TIFFReadDirEntryErrOk);
759 }
760 case TIFF_LONG8:
761 case TIFF_IFD8:
762 err=TIFFReadDirEntryCheckedLong8(tif,direntry,value);
763 return(err);
764 default:
765 return(TIFFReadDirEntryErrType);
766 }
767 }
768
769
770 #define INITIAL_THRESHOLD (1024 * 1024)
771 #define THRESHOLD_MULTIPLIER 10
772 #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
773
TIFFReadDirEntryDataAndRealloc(TIFF * tif,uint64_t offset,tmsize_t size,void ** pdest)774 static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(
775 TIFF* tif, uint64_t offset, tmsize_t size, void** pdest)
776 {
777 #if SIZEOF_SIZE_T == 8
778 tmsize_t threshold = INITIAL_THRESHOLD;
779 #endif
780 tmsize_t already_read = 0;
781
782 assert( !isMapped(tif) );
783
784 if (!SeekOK(tif,offset))
785 return(TIFFReadDirEntryErrIo);
786
787 /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
788 /* so as to avoid allocating too much memory in case the file is too */
789 /* short. We could ask for the file size, but this might be */
790 /* expensive with some I/O layers (think of reading a gzipped file) */
791 /* Restrict to 64 bit processes, so as to avoid reallocs() */
792 /* on 32 bit processes where virtual memory is scarce. */
793 while( already_read < size )
794 {
795 void* new_dest;
796 tmsize_t bytes_read;
797 tmsize_t to_read = size - already_read;
798 #if SIZEOF_SIZE_T == 8
799 if( to_read >= threshold && threshold < MAX_THRESHOLD )
800 {
801 to_read = threshold;
802 threshold *= THRESHOLD_MULTIPLIER;
803 }
804 #endif
805
806 new_dest = (uint8_t*) _TIFFrealloc(
807 *pdest, already_read + to_read);
808 if( new_dest == NULL )
809 {
810 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
811 "Failed to allocate memory for %s "
812 "(%"TIFF_SSIZE_FORMAT" elements of %"TIFF_SSIZE_FORMAT" bytes each)",
813 "TIFFReadDirEntryArray",
814 (tmsize_t) 1, already_read + to_read);
815 return TIFFReadDirEntryErrAlloc;
816 }
817 *pdest = new_dest;
818
819 bytes_read = TIFFReadFile(tif,
820 (char*)*pdest + already_read, to_read);
821 already_read += bytes_read;
822 if (bytes_read != to_read) {
823 return TIFFReadDirEntryErrIo;
824 }
825 }
826 return TIFFReadDirEntryErrOk;
827 }
828
TIFFReadDirEntryArrayWithLimit(TIFF * tif,TIFFDirEntry * direntry,uint32_t * count,uint32_t desttypesize,void ** value,uint64_t maxcount)829 static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
830 TIFF* tif, TIFFDirEntry* direntry, uint32_t* count, uint32_t desttypesize,
831 void** value, uint64_t maxcount)
832 {
833 int typesize;
834 uint32_t datasize;
835 void* data;
836 uint64_t target_count64;
837 int original_datasize_clamped;
838 typesize=TIFFDataWidth(direntry->tdir_type);
839
840 target_count64 = (direntry->tdir_count > maxcount) ?
841 maxcount : direntry->tdir_count;
842
843 if ((target_count64==0)||(typesize==0))
844 {
845 *value=0;
846 return(TIFFReadDirEntryErrOk);
847 }
848 (void) desttypesize;
849
850 /* We just want to know if the original tag size is more than 4 bytes
851 * (classic TIFF) or 8 bytes (BigTIFF)
852 */
853 original_datasize_clamped =
854 ((direntry->tdir_count > 10) ? 10 : (int)direntry->tdir_count) * typesize;
855
856 /*
857 * As a sanity check, make sure we have no more than a 2GB tag array
858 * in either the current data type or the dest data type. This also
859 * avoids problems with overflow of tmsize_t on 32bit systems.
860 */
861 if ((uint64_t)(2147483647 / typesize) < target_count64)
862 return(TIFFReadDirEntryErrSizesan);
863 if ((uint64_t)(2147483647 / desttypesize) < target_count64)
864 return(TIFFReadDirEntryErrSizesan);
865
866 *count=(uint32_t)target_count64;
867 datasize=(*count)*typesize;
868 assert((tmsize_t)datasize>0);
869
870 if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
871 return TIFFReadDirEntryErrIo;
872
873 if( !isMapped(tif) &&
874 (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) ||
875 (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) )
876 {
877 data = NULL;
878 }
879 else
880 {
881 data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
882 if (data==0)
883 return(TIFFReadDirEntryErrAlloc);
884 }
885 if (!(tif->tif_flags&TIFF_BIGTIFF))
886 {
887 /* Only the condition on original_datasize_clamped. The second
888 * one is implied, but Coverity Scan cannot see it. */
889 if (original_datasize_clamped<=4 && datasize <= 4 )
890 _TIFFmemcpy(data,&direntry->tdir_offset,datasize);
891 else
892 {
893 enum TIFFReadDirEntryErr err;
894 uint32_t offset = direntry->tdir_offset.toff_long;
895 if (tif->tif_flags&TIFF_SWAB)
896 TIFFSwabLong(&offset);
897 if( isMapped(tif) )
898 err=TIFFReadDirEntryData(tif, (uint64_t)offset, (tmsize_t)datasize, data);
899 else
900 err=TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset, (tmsize_t)datasize, &data);
901 if (err!=TIFFReadDirEntryErrOk)
902 {
903 _TIFFfree(data);
904 return(err);
905 }
906 }
907 }
908 else
909 {
910 /* See above comment for the Classic TIFF case */
911 if (original_datasize_clamped<=8 && datasize <= 8 )
912 _TIFFmemcpy(data,&direntry->tdir_offset,datasize);
913 else
914 {
915 enum TIFFReadDirEntryErr err;
916 uint64_t offset = direntry->tdir_offset.toff_long8;
917 if (tif->tif_flags&TIFF_SWAB)
918 TIFFSwabLong8(&offset);
919 if( isMapped(tif) )
920 err=TIFFReadDirEntryData(tif, (uint64_t)offset, (tmsize_t)datasize, data);
921 else
922 err=TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset, (tmsize_t)datasize, &data);
923 if (err!=TIFFReadDirEntryErrOk)
924 {
925 _TIFFfree(data);
926 return(err);
927 }
928 }
929 }
930 *value=data;
931 return(TIFFReadDirEntryErrOk);
932 }
933
TIFFReadDirEntryArray(TIFF * tif,TIFFDirEntry * direntry,uint32_t * count,uint32_t desttypesize,void ** value)934 static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32_t* count, uint32_t desttypesize, void** value)
935 {
936 return TIFFReadDirEntryArrayWithLimit(tif, direntry, count,
937 desttypesize, value, ~((uint64_t)0));
938 }
939
TIFFReadDirEntryByteArray(TIFF * tif,TIFFDirEntry * direntry,uint8_t ** value)940 static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8_t** value)
941 {
942 enum TIFFReadDirEntryErr err;
943 uint32_t count;
944 void* origdata;
945 uint8_t* data;
946 switch (direntry->tdir_type)
947 {
948 case TIFF_ASCII:
949 case TIFF_UNDEFINED:
950 case TIFF_BYTE:
951 case TIFF_SBYTE:
952 case TIFF_SHORT:
953 case TIFF_SSHORT:
954 case TIFF_LONG:
955 case TIFF_SLONG:
956 case TIFF_LONG8:
957 case TIFF_SLONG8:
958 break;
959 default:
960 return(TIFFReadDirEntryErrType);
961 }
962 err=TIFFReadDirEntryArray(tif,direntry,&count,1,&origdata);
963 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
964 {
965 *value=0;
966 return(err);
967 }
968 switch (direntry->tdir_type)
969 {
970 case TIFF_ASCII:
971 case TIFF_UNDEFINED:
972 case TIFF_BYTE:
973 *value=(uint8_t*)origdata;
974 return(TIFFReadDirEntryErrOk);
975 case TIFF_SBYTE:
976 {
977 int8_t* m;
978 uint32_t n;
979 m=(int8_t*)origdata;
980 for (n=0; n<count; n++)
981 {
982 err=TIFFReadDirEntryCheckRangeByteSbyte(*m);
983 if (err!=TIFFReadDirEntryErrOk)
984 {
985 _TIFFfree(origdata);
986 return(err);
987 }
988 m++;
989 }
990 *value=(uint8_t*)origdata;
991 return(TIFFReadDirEntryErrOk);
992 }
993 }
994 data=(uint8_t*)_TIFFmalloc(count);
995 if (data==0)
996 {
997 _TIFFfree(origdata);
998 return(TIFFReadDirEntryErrAlloc);
999 }
1000 switch (direntry->tdir_type)
1001 {
1002 case TIFF_SHORT:
1003 {
1004 uint16_t* ma;
1005 uint8_t* mb;
1006 uint32_t n;
1007 ma=(uint16_t*)origdata;
1008 mb=data;
1009 for (n=0; n<count; n++)
1010 {
1011 if (tif->tif_flags&TIFF_SWAB)
1012 TIFFSwabShort(ma);
1013 err=TIFFReadDirEntryCheckRangeByteShort(*ma);
1014 if (err!=TIFFReadDirEntryErrOk)
1015 break;
1016 *mb++=(uint8_t)(*ma++);
1017 }
1018 }
1019 break;
1020 case TIFF_SSHORT:
1021 {
1022 int16_t* ma;
1023 uint8_t* mb;
1024 uint32_t n;
1025 ma=(int16_t*)origdata;
1026 mb=data;
1027 for (n=0; n<count; n++)
1028 {
1029 if (tif->tif_flags&TIFF_SWAB)
1030 TIFFSwabShort((uint16_t*)ma);
1031 err=TIFFReadDirEntryCheckRangeByteSshort(*ma);
1032 if (err!=TIFFReadDirEntryErrOk)
1033 break;
1034 *mb++=(uint8_t)(*ma++);
1035 }
1036 }
1037 break;
1038 case TIFF_LONG:
1039 {
1040 uint32_t* ma;
1041 uint8_t* mb;
1042 uint32_t n;
1043 ma=(uint32_t*)origdata;
1044 mb=data;
1045 for (n=0; n<count; n++)
1046 {
1047 if (tif->tif_flags&TIFF_SWAB)
1048 TIFFSwabLong(ma);
1049 err=TIFFReadDirEntryCheckRangeByteLong(*ma);
1050 if (err!=TIFFReadDirEntryErrOk)
1051 break;
1052 *mb++=(uint8_t)(*ma++);
1053 }
1054 }
1055 break;
1056 case TIFF_SLONG:
1057 {
1058 int32_t* ma;
1059 uint8_t* mb;
1060 uint32_t n;
1061 ma=(int32_t*)origdata;
1062 mb=data;
1063 for (n=0; n<count; n++)
1064 {
1065 if (tif->tif_flags&TIFF_SWAB)
1066 TIFFSwabLong((uint32_t*)ma);
1067 err=TIFFReadDirEntryCheckRangeByteSlong(*ma);
1068 if (err!=TIFFReadDirEntryErrOk)
1069 break;
1070 *mb++=(uint8_t)(*ma++);
1071 }
1072 }
1073 break;
1074 case TIFF_LONG8:
1075 {
1076 uint64_t* ma;
1077 uint8_t* mb;
1078 uint32_t n;
1079 ma=(uint64_t*)origdata;
1080 mb=data;
1081 for (n=0; n<count; n++)
1082 {
1083 if (tif->tif_flags&TIFF_SWAB)
1084 TIFFSwabLong8(ma);
1085 err=TIFFReadDirEntryCheckRangeByteLong8(*ma);
1086 if (err!=TIFFReadDirEntryErrOk)
1087 break;
1088 *mb++=(uint8_t)(*ma++);
1089 }
1090 }
1091 break;
1092 case TIFF_SLONG8:
1093 {
1094 int64_t* ma;
1095 uint8_t* mb;
1096 uint32_t n;
1097 ma=(int64_t*)origdata;
1098 mb=data;
1099 for (n=0; n<count; n++)
1100 {
1101 if (tif->tif_flags&TIFF_SWAB)
1102 TIFFSwabLong8((uint64_t*)ma);
1103 err=TIFFReadDirEntryCheckRangeByteSlong8(*ma);
1104 if (err!=TIFFReadDirEntryErrOk)
1105 break;
1106 *mb++=(uint8_t)(*ma++);
1107 }
1108 }
1109 break;
1110 }
1111 _TIFFfree(origdata);
1112 if (err!=TIFFReadDirEntryErrOk)
1113 {
1114 _TIFFfree(data);
1115 return(err);
1116 }
1117 *value=data;
1118 return(TIFFReadDirEntryErrOk);
1119 }
1120
TIFFReadDirEntrySbyteArray(TIFF * tif,TIFFDirEntry * direntry,int8_t ** value)1121 static enum TIFFReadDirEntryErr TIFFReadDirEntrySbyteArray(TIFF* tif, TIFFDirEntry* direntry, int8_t** value)
1122 {
1123 enum TIFFReadDirEntryErr err;
1124 uint32_t count;
1125 void* origdata;
1126 int8_t* data;
1127 switch (direntry->tdir_type)
1128 {
1129 case TIFF_UNDEFINED:
1130 case TIFF_BYTE:
1131 case TIFF_SBYTE:
1132 case TIFF_SHORT:
1133 case TIFF_SSHORT:
1134 case TIFF_LONG:
1135 case TIFF_SLONG:
1136 case TIFF_LONG8:
1137 case TIFF_SLONG8:
1138 break;
1139 default:
1140 return(TIFFReadDirEntryErrType);
1141 }
1142 err=TIFFReadDirEntryArray(tif,direntry,&count,1,&origdata);
1143 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1144 {
1145 *value=0;
1146 return(err);
1147 }
1148 switch (direntry->tdir_type)
1149 {
1150 case TIFF_UNDEFINED:
1151 case TIFF_BYTE:
1152 {
1153 uint8_t* m;
1154 uint32_t n;
1155 m=(uint8_t*)origdata;
1156 for (n=0; n<count; n++)
1157 {
1158 err=TIFFReadDirEntryCheckRangeSbyteByte(*m);
1159 if (err!=TIFFReadDirEntryErrOk)
1160 {
1161 _TIFFfree(origdata);
1162 return(err);
1163 }
1164 m++;
1165 }
1166 *value=(int8_t*)origdata;
1167 return(TIFFReadDirEntryErrOk);
1168 }
1169 case TIFF_SBYTE:
1170 *value=(int8_t*)origdata;
1171 return(TIFFReadDirEntryErrOk);
1172 }
1173 data=(int8_t*)_TIFFmalloc(count);
1174 if (data==0)
1175 {
1176 _TIFFfree(origdata);
1177 return(TIFFReadDirEntryErrAlloc);
1178 }
1179 switch (direntry->tdir_type)
1180 {
1181 case TIFF_SHORT:
1182 {
1183 uint16_t* ma;
1184 int8_t* mb;
1185 uint32_t n;
1186 ma=(uint16_t*)origdata;
1187 mb=data;
1188 for (n=0; n<count; n++)
1189 {
1190 if (tif->tif_flags&TIFF_SWAB)
1191 TIFFSwabShort(ma);
1192 err=TIFFReadDirEntryCheckRangeSbyteShort(*ma);
1193 if (err!=TIFFReadDirEntryErrOk)
1194 break;
1195 *mb++=(int8_t)(*ma++);
1196 }
1197 }
1198 break;
1199 case TIFF_SSHORT:
1200 {
1201 int16_t* ma;
1202 int8_t* mb;
1203 uint32_t n;
1204 ma=(int16_t*)origdata;
1205 mb=data;
1206 for (n=0; n<count; n++)
1207 {
1208 if (tif->tif_flags&TIFF_SWAB)
1209 TIFFSwabShort((uint16_t*)ma);
1210 err=TIFFReadDirEntryCheckRangeSbyteSshort(*ma);
1211 if (err!=TIFFReadDirEntryErrOk)
1212 break;
1213 *mb++=(int8_t)(*ma++);
1214 }
1215 }
1216 break;
1217 case TIFF_LONG:
1218 {
1219 uint32_t* ma;
1220 int8_t* mb;
1221 uint32_t n;
1222 ma=(uint32_t*)origdata;
1223 mb=data;
1224 for (n=0; n<count; n++)
1225 {
1226 if (tif->tif_flags&TIFF_SWAB)
1227 TIFFSwabLong(ma);
1228 err=TIFFReadDirEntryCheckRangeSbyteLong(*ma);
1229 if (err!=TIFFReadDirEntryErrOk)
1230 break;
1231 *mb++=(int8_t)(*ma++);
1232 }
1233 }
1234 break;
1235 case TIFF_SLONG:
1236 {
1237 int32_t* ma;
1238 int8_t* mb;
1239 uint32_t n;
1240 ma=(int32_t*)origdata;
1241 mb=data;
1242 for (n=0; n<count; n++)
1243 {
1244 if (tif->tif_flags&TIFF_SWAB)
1245 TIFFSwabLong((uint32_t*)ma);
1246 err=TIFFReadDirEntryCheckRangeSbyteSlong(*ma);
1247 if (err!=TIFFReadDirEntryErrOk)
1248 break;
1249 *mb++=(int8_t)(*ma++);
1250 }
1251 }
1252 break;
1253 case TIFF_LONG8:
1254 {
1255 uint64_t* ma;
1256 int8_t* mb;
1257 uint32_t n;
1258 ma=(uint64_t*)origdata;
1259 mb=data;
1260 for (n=0; n<count; n++)
1261 {
1262 if (tif->tif_flags&TIFF_SWAB)
1263 TIFFSwabLong8(ma);
1264 err=TIFFReadDirEntryCheckRangeSbyteLong8(*ma);
1265 if (err!=TIFFReadDirEntryErrOk)
1266 break;
1267 *mb++=(int8_t)(*ma++);
1268 }
1269 }
1270 break;
1271 case TIFF_SLONG8:
1272 {
1273 int64_t* ma;
1274 int8_t* mb;
1275 uint32_t n;
1276 ma=(int64_t*)origdata;
1277 mb=data;
1278 for (n=0; n<count; n++)
1279 {
1280 if (tif->tif_flags&TIFF_SWAB)
1281 TIFFSwabLong8((uint64_t*)ma);
1282 err=TIFFReadDirEntryCheckRangeSbyteSlong8(*ma);
1283 if (err!=TIFFReadDirEntryErrOk)
1284 break;
1285 *mb++=(int8_t)(*ma++);
1286 }
1287 }
1288 break;
1289 }
1290 _TIFFfree(origdata);
1291 if (err!=TIFFReadDirEntryErrOk)
1292 {
1293 _TIFFfree(data);
1294 return(err);
1295 }
1296 *value=data;
1297 return(TIFFReadDirEntryErrOk);
1298 }
1299
TIFFReadDirEntryShortArray(TIFF * tif,TIFFDirEntry * direntry,uint16_t ** value)1300 static enum TIFFReadDirEntryErr TIFFReadDirEntryShortArray(TIFF* tif, TIFFDirEntry* direntry, uint16_t** value)
1301 {
1302 enum TIFFReadDirEntryErr err;
1303 uint32_t count;
1304 void* origdata;
1305 uint16_t* data;
1306 switch (direntry->tdir_type)
1307 {
1308 case TIFF_BYTE:
1309 case TIFF_SBYTE:
1310 case TIFF_SHORT:
1311 case TIFF_SSHORT:
1312 case TIFF_LONG:
1313 case TIFF_SLONG:
1314 case TIFF_LONG8:
1315 case TIFF_SLONG8:
1316 break;
1317 default:
1318 return(TIFFReadDirEntryErrType);
1319 }
1320 err=TIFFReadDirEntryArray(tif,direntry,&count,2,&origdata);
1321 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1322 {
1323 *value=0;
1324 return(err);
1325 }
1326 switch (direntry->tdir_type)
1327 {
1328 case TIFF_SHORT:
1329 *value=(uint16_t*)origdata;
1330 if (tif->tif_flags&TIFF_SWAB)
1331 TIFFSwabArrayOfShort(*value,count);
1332 return(TIFFReadDirEntryErrOk);
1333 case TIFF_SSHORT:
1334 {
1335 int16_t* m;
1336 uint32_t n;
1337 m=(int16_t*)origdata;
1338 for (n=0; n<count; n++)
1339 {
1340 if (tif->tif_flags&TIFF_SWAB)
1341 TIFFSwabShort((uint16_t*)m);
1342 err=TIFFReadDirEntryCheckRangeShortSshort(*m);
1343 if (err!=TIFFReadDirEntryErrOk)
1344 {
1345 _TIFFfree(origdata);
1346 return(err);
1347 }
1348 m++;
1349 }
1350 *value=(uint16_t*)origdata;
1351 return(TIFFReadDirEntryErrOk);
1352 }
1353 }
1354 data=(uint16_t*)_TIFFmalloc(count * 2);
1355 if (data==0)
1356 {
1357 _TIFFfree(origdata);
1358 return(TIFFReadDirEntryErrAlloc);
1359 }
1360 switch (direntry->tdir_type)
1361 {
1362 case TIFF_BYTE:
1363 {
1364 uint8_t* ma;
1365 uint16_t* mb;
1366 uint32_t n;
1367 ma=(uint8_t*)origdata;
1368 mb=data;
1369 for (n=0; n<count; n++)
1370 *mb++=(uint16_t)(*ma++);
1371 }
1372 break;
1373 case TIFF_SBYTE:
1374 {
1375 int8_t* ma;
1376 uint16_t* mb;
1377 uint32_t n;
1378 ma=(int8_t*)origdata;
1379 mb=data;
1380 for (n=0; n<count; n++)
1381 {
1382 err=TIFFReadDirEntryCheckRangeShortSbyte(*ma);
1383 if (err!=TIFFReadDirEntryErrOk)
1384 break;
1385 *mb++=(uint16_t)(*ma++);
1386 }
1387 }
1388 break;
1389 case TIFF_LONG:
1390 {
1391 uint32_t* ma;
1392 uint16_t* mb;
1393 uint32_t n;
1394 ma=(uint32_t*)origdata;
1395 mb=data;
1396 for (n=0; n<count; n++)
1397 {
1398 if (tif->tif_flags&TIFF_SWAB)
1399 TIFFSwabLong(ma);
1400 err=TIFFReadDirEntryCheckRangeShortLong(*ma);
1401 if (err!=TIFFReadDirEntryErrOk)
1402 break;
1403 *mb++=(uint16_t)(*ma++);
1404 }
1405 }
1406 break;
1407 case TIFF_SLONG:
1408 {
1409 int32_t* ma;
1410 uint16_t* mb;
1411 uint32_t n;
1412 ma=(int32_t*)origdata;
1413 mb=data;
1414 for (n=0; n<count; n++)
1415 {
1416 if (tif->tif_flags&TIFF_SWAB)
1417 TIFFSwabLong((uint32_t*)ma);
1418 err=TIFFReadDirEntryCheckRangeShortSlong(*ma);
1419 if (err!=TIFFReadDirEntryErrOk)
1420 break;
1421 *mb++=(uint16_t)(*ma++);
1422 }
1423 }
1424 break;
1425 case TIFF_LONG8:
1426 {
1427 uint64_t* ma;
1428 uint16_t* mb;
1429 uint32_t n;
1430 ma=(uint64_t*)origdata;
1431 mb=data;
1432 for (n=0; n<count; n++)
1433 {
1434 if (tif->tif_flags&TIFF_SWAB)
1435 TIFFSwabLong8(ma);
1436 err=TIFFReadDirEntryCheckRangeShortLong8(*ma);
1437 if (err!=TIFFReadDirEntryErrOk)
1438 break;
1439 *mb++=(uint16_t)(*ma++);
1440 }
1441 }
1442 break;
1443 case TIFF_SLONG8:
1444 {
1445 int64_t* ma;
1446 uint16_t* mb;
1447 uint32_t n;
1448 ma=(int64_t*)origdata;
1449 mb=data;
1450 for (n=0; n<count; n++)
1451 {
1452 if (tif->tif_flags&TIFF_SWAB)
1453 TIFFSwabLong8((uint64_t*)ma);
1454 err=TIFFReadDirEntryCheckRangeShortSlong8(*ma);
1455 if (err!=TIFFReadDirEntryErrOk)
1456 break;
1457 *mb++=(uint16_t)(*ma++);
1458 }
1459 }
1460 break;
1461 }
1462 _TIFFfree(origdata);
1463 if (err!=TIFFReadDirEntryErrOk)
1464 {
1465 _TIFFfree(data);
1466 return(err);
1467 }
1468 *value=data;
1469 return(TIFFReadDirEntryErrOk);
1470 }
1471
TIFFReadDirEntrySshortArray(TIFF * tif,TIFFDirEntry * direntry,int16_t ** value)1472 static enum TIFFReadDirEntryErr TIFFReadDirEntrySshortArray(TIFF* tif, TIFFDirEntry* direntry, int16_t** value)
1473 {
1474 enum TIFFReadDirEntryErr err;
1475 uint32_t count;
1476 void* origdata;
1477 int16_t* data;
1478 switch (direntry->tdir_type)
1479 {
1480 case TIFF_BYTE:
1481 case TIFF_SBYTE:
1482 case TIFF_SHORT:
1483 case TIFF_SSHORT:
1484 case TIFF_LONG:
1485 case TIFF_SLONG:
1486 case TIFF_LONG8:
1487 case TIFF_SLONG8:
1488 break;
1489 default:
1490 return(TIFFReadDirEntryErrType);
1491 }
1492 err=TIFFReadDirEntryArray(tif,direntry,&count,2,&origdata);
1493 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1494 {
1495 *value=0;
1496 return(err);
1497 }
1498 switch (direntry->tdir_type)
1499 {
1500 case TIFF_SHORT:
1501 {
1502 uint16_t* m;
1503 uint32_t n;
1504 m=(uint16_t*)origdata;
1505 for (n=0; n<count; n++)
1506 {
1507 if (tif->tif_flags&TIFF_SWAB)
1508 TIFFSwabShort(m);
1509 err=TIFFReadDirEntryCheckRangeSshortShort(*m);
1510 if (err!=TIFFReadDirEntryErrOk)
1511 {
1512 _TIFFfree(origdata);
1513 return(err);
1514 }
1515 m++;
1516 }
1517 *value=(int16_t*)origdata;
1518 return(TIFFReadDirEntryErrOk);
1519 }
1520 case TIFF_SSHORT:
1521 *value=(int16_t*)origdata;
1522 if (tif->tif_flags&TIFF_SWAB)
1523 TIFFSwabArrayOfShort((uint16_t*)(*value), count);
1524 return(TIFFReadDirEntryErrOk);
1525 }
1526 data=(int16_t*)_TIFFmalloc(count * 2);
1527 if (data==0)
1528 {
1529 _TIFFfree(origdata);
1530 return(TIFFReadDirEntryErrAlloc);
1531 }
1532 switch (direntry->tdir_type)
1533 {
1534 case TIFF_BYTE:
1535 {
1536 uint8_t* ma;
1537 int16_t* mb;
1538 uint32_t n;
1539 ma=(uint8_t*)origdata;
1540 mb=data;
1541 for (n=0; n<count; n++)
1542 *mb++=(int16_t)(*ma++);
1543 }
1544 break;
1545 case TIFF_SBYTE:
1546 {
1547 int8_t* ma;
1548 int16_t* mb;
1549 uint32_t n;
1550 ma=(int8_t*)origdata;
1551 mb=data;
1552 for (n=0; n<count; n++)
1553 *mb++=(int16_t)(*ma++);
1554 }
1555 break;
1556 case TIFF_LONG:
1557 {
1558 uint32_t* ma;
1559 int16_t* mb;
1560 uint32_t n;
1561 ma=(uint32_t*)origdata;
1562 mb=data;
1563 for (n=0; n<count; n++)
1564 {
1565 if (tif->tif_flags&TIFF_SWAB)
1566 TIFFSwabLong(ma);
1567 err=TIFFReadDirEntryCheckRangeSshortLong(*ma);
1568 if (err!=TIFFReadDirEntryErrOk)
1569 break;
1570 *mb++=(int16_t)(*ma++);
1571 }
1572 }
1573 break;
1574 case TIFF_SLONG:
1575 {
1576 int32_t* ma;
1577 int16_t* mb;
1578 uint32_t n;
1579 ma=(int32_t*)origdata;
1580 mb=data;
1581 for (n=0; n<count; n++)
1582 {
1583 if (tif->tif_flags&TIFF_SWAB)
1584 TIFFSwabLong((uint32_t*)ma);
1585 err=TIFFReadDirEntryCheckRangeSshortSlong(*ma);
1586 if (err!=TIFFReadDirEntryErrOk)
1587 break;
1588 *mb++=(int16_t)(*ma++);
1589 }
1590 }
1591 break;
1592 case TIFF_LONG8:
1593 {
1594 uint64_t* ma;
1595 int16_t* mb;
1596 uint32_t n;
1597 ma=(uint64_t*)origdata;
1598 mb=data;
1599 for (n=0; n<count; n++)
1600 {
1601 if (tif->tif_flags&TIFF_SWAB)
1602 TIFFSwabLong8(ma);
1603 err=TIFFReadDirEntryCheckRangeSshortLong8(*ma);
1604 if (err!=TIFFReadDirEntryErrOk)
1605 break;
1606 *mb++=(int16_t)(*ma++);
1607 }
1608 }
1609 break;
1610 case TIFF_SLONG8:
1611 {
1612 int64_t* ma;
1613 int16_t* mb;
1614 uint32_t n;
1615 ma=(int64_t*)origdata;
1616 mb=data;
1617 for (n=0; n<count; n++)
1618 {
1619 if (tif->tif_flags&TIFF_SWAB)
1620 TIFFSwabLong8((uint64_t*)ma);
1621 err=TIFFReadDirEntryCheckRangeSshortSlong8(*ma);
1622 if (err!=TIFFReadDirEntryErrOk)
1623 break;
1624 *mb++=(int16_t)(*ma++);
1625 }
1626 }
1627 break;
1628 }
1629 _TIFFfree(origdata);
1630 if (err!=TIFFReadDirEntryErrOk)
1631 {
1632 _TIFFfree(data);
1633 return(err);
1634 }
1635 *value=data;
1636 return(TIFFReadDirEntryErrOk);
1637 }
1638
TIFFReadDirEntryLongArray(TIFF * tif,TIFFDirEntry * direntry,uint32_t ** value)1639 static enum TIFFReadDirEntryErr TIFFReadDirEntryLongArray(TIFF* tif, TIFFDirEntry* direntry, uint32_t** value)
1640 {
1641 enum TIFFReadDirEntryErr err;
1642 uint32_t count;
1643 void* origdata;
1644 uint32_t* data;
1645 switch (direntry->tdir_type)
1646 {
1647 case TIFF_BYTE:
1648 case TIFF_SBYTE:
1649 case TIFF_SHORT:
1650 case TIFF_SSHORT:
1651 case TIFF_LONG:
1652 case TIFF_SLONG:
1653 case TIFF_LONG8:
1654 case TIFF_SLONG8:
1655 break;
1656 default:
1657 return(TIFFReadDirEntryErrType);
1658 }
1659 err=TIFFReadDirEntryArray(tif,direntry,&count,4,&origdata);
1660 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1661 {
1662 *value=0;
1663 return(err);
1664 }
1665 switch (direntry->tdir_type)
1666 {
1667 case TIFF_LONG:
1668 *value=(uint32_t*)origdata;
1669 if (tif->tif_flags&TIFF_SWAB)
1670 TIFFSwabArrayOfLong(*value,count);
1671 return(TIFFReadDirEntryErrOk);
1672 case TIFF_SLONG:
1673 {
1674 int32_t* m;
1675 uint32_t n;
1676 m=(int32_t*)origdata;
1677 for (n=0; n<count; n++)
1678 {
1679 if (tif->tif_flags&TIFF_SWAB)
1680 TIFFSwabLong((uint32_t*)m);
1681 err=TIFFReadDirEntryCheckRangeLongSlong(*m);
1682 if (err!=TIFFReadDirEntryErrOk)
1683 {
1684 _TIFFfree(origdata);
1685 return(err);
1686 }
1687 m++;
1688 }
1689 *value=(uint32_t*)origdata;
1690 return(TIFFReadDirEntryErrOk);
1691 }
1692 }
1693 data=(uint32_t*)_TIFFmalloc(count * 4);
1694 if (data==0)
1695 {
1696 _TIFFfree(origdata);
1697 return(TIFFReadDirEntryErrAlloc);
1698 }
1699 switch (direntry->tdir_type)
1700 {
1701 case TIFF_BYTE:
1702 {
1703 uint8_t* ma;
1704 uint32_t* mb;
1705 uint32_t n;
1706 ma=(uint8_t*)origdata;
1707 mb=data;
1708 for (n=0; n<count; n++)
1709 *mb++=(uint32_t)(*ma++);
1710 }
1711 break;
1712 case TIFF_SBYTE:
1713 {
1714 int8_t* ma;
1715 uint32_t* mb;
1716 uint32_t n;
1717 ma=(int8_t*)origdata;
1718 mb=data;
1719 for (n=0; n<count; n++)
1720 {
1721 err=TIFFReadDirEntryCheckRangeLongSbyte(*ma);
1722 if (err!=TIFFReadDirEntryErrOk)
1723 break;
1724 *mb++=(uint32_t)(*ma++);
1725 }
1726 }
1727 break;
1728 case TIFF_SHORT:
1729 {
1730 uint16_t* ma;
1731 uint32_t* mb;
1732 uint32_t n;
1733 ma=(uint16_t*)origdata;
1734 mb=data;
1735 for (n=0; n<count; n++)
1736 {
1737 if (tif->tif_flags&TIFF_SWAB)
1738 TIFFSwabShort(ma);
1739 *mb++=(uint32_t)(*ma++);
1740 }
1741 }
1742 break;
1743 case TIFF_SSHORT:
1744 {
1745 int16_t* ma;
1746 uint32_t* mb;
1747 uint32_t n;
1748 ma=(int16_t*)origdata;
1749 mb=data;
1750 for (n=0; n<count; n++)
1751 {
1752 if (tif->tif_flags&TIFF_SWAB)
1753 TIFFSwabShort((uint16_t*)ma);
1754 err=TIFFReadDirEntryCheckRangeLongSshort(*ma);
1755 if (err!=TIFFReadDirEntryErrOk)
1756 break;
1757 *mb++=(uint32_t)(*ma++);
1758 }
1759 }
1760 break;
1761 case TIFF_LONG8:
1762 {
1763 uint64_t* ma;
1764 uint32_t* mb;
1765 uint32_t n;
1766 ma=(uint64_t*)origdata;
1767 mb=data;
1768 for (n=0; n<count; n++)
1769 {
1770 if (tif->tif_flags&TIFF_SWAB)
1771 TIFFSwabLong8(ma);
1772 err=TIFFReadDirEntryCheckRangeLongLong8(*ma);
1773 if (err!=TIFFReadDirEntryErrOk)
1774 break;
1775 *mb++=(uint32_t)(*ma++);
1776 }
1777 }
1778 break;
1779 case TIFF_SLONG8:
1780 {
1781 int64_t* ma;
1782 uint32_t* mb;
1783 uint32_t n;
1784 ma=(int64_t*)origdata;
1785 mb=data;
1786 for (n=0; n<count; n++)
1787 {
1788 if (tif->tif_flags&TIFF_SWAB)
1789 TIFFSwabLong8((uint64_t*)ma);
1790 err=TIFFReadDirEntryCheckRangeLongSlong8(*ma);
1791 if (err!=TIFFReadDirEntryErrOk)
1792 break;
1793 *mb++=(uint32_t)(*ma++);
1794 }
1795 }
1796 break;
1797 }
1798 _TIFFfree(origdata);
1799 if (err!=TIFFReadDirEntryErrOk)
1800 {
1801 _TIFFfree(data);
1802 return(err);
1803 }
1804 *value=data;
1805 return(TIFFReadDirEntryErrOk);
1806 }
1807
TIFFReadDirEntrySlongArray(TIFF * tif,TIFFDirEntry * direntry,int32_t ** value)1808 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEntry* direntry, int32_t** value)
1809 {
1810 enum TIFFReadDirEntryErr err;
1811 uint32_t count;
1812 void* origdata;
1813 int32_t* data;
1814 switch (direntry->tdir_type)
1815 {
1816 case TIFF_BYTE:
1817 case TIFF_SBYTE:
1818 case TIFF_SHORT:
1819 case TIFF_SSHORT:
1820 case TIFF_LONG:
1821 case TIFF_SLONG:
1822 case TIFF_LONG8:
1823 case TIFF_SLONG8:
1824 break;
1825 default:
1826 return(TIFFReadDirEntryErrType);
1827 }
1828 err=TIFFReadDirEntryArray(tif,direntry,&count,4,&origdata);
1829 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1830 {
1831 *value=0;
1832 return(err);
1833 }
1834 switch (direntry->tdir_type)
1835 {
1836 case TIFF_LONG:
1837 {
1838 uint32_t* m;
1839 uint32_t n;
1840 m=(uint32_t*)origdata;
1841 for (n=0; n<count; n++)
1842 {
1843 if (tif->tif_flags&TIFF_SWAB)
1844 TIFFSwabLong((uint32_t*)m);
1845 err=TIFFReadDirEntryCheckRangeSlongLong(*m);
1846 if (err!=TIFFReadDirEntryErrOk)
1847 {
1848 _TIFFfree(origdata);
1849 return(err);
1850 }
1851 m++;
1852 }
1853 *value=(int32_t*)origdata;
1854 return(TIFFReadDirEntryErrOk);
1855 }
1856 case TIFF_SLONG:
1857 *value=(int32_t*)origdata;
1858 if (tif->tif_flags&TIFF_SWAB)
1859 TIFFSwabArrayOfLong((uint32_t*)(*value), count);
1860 return(TIFFReadDirEntryErrOk);
1861 }
1862 data=(int32_t*)_TIFFmalloc(count * 4);
1863 if (data==0)
1864 {
1865 _TIFFfree(origdata);
1866 return(TIFFReadDirEntryErrAlloc);
1867 }
1868 switch (direntry->tdir_type)
1869 {
1870 case TIFF_BYTE:
1871 {
1872 uint8_t* ma;
1873 int32_t* mb;
1874 uint32_t n;
1875 ma=(uint8_t*)origdata;
1876 mb=data;
1877 for (n=0; n<count; n++)
1878 *mb++=(int32_t)(*ma++);
1879 }
1880 break;
1881 case TIFF_SBYTE:
1882 {
1883 int8_t* ma;
1884 int32_t* mb;
1885 uint32_t n;
1886 ma=(int8_t*)origdata;
1887 mb=data;
1888 for (n=0; n<count; n++)
1889 *mb++=(int32_t)(*ma++);
1890 }
1891 break;
1892 case TIFF_SHORT:
1893 {
1894 uint16_t* ma;
1895 int32_t* mb;
1896 uint32_t n;
1897 ma=(uint16_t*)origdata;
1898 mb=data;
1899 for (n=0; n<count; n++)
1900 {
1901 if (tif->tif_flags&TIFF_SWAB)
1902 TIFFSwabShort(ma);
1903 *mb++=(int32_t)(*ma++);
1904 }
1905 }
1906 break;
1907 case TIFF_SSHORT:
1908 {
1909 int16_t* ma;
1910 int32_t* mb;
1911 uint32_t n;
1912 ma=(int16_t*)origdata;
1913 mb=data;
1914 for (n=0; n<count; n++)
1915 {
1916 if (tif->tif_flags&TIFF_SWAB)
1917 TIFFSwabShort((uint16_t*)ma);
1918 *mb++=(int32_t)(*ma++);
1919 }
1920 }
1921 break;
1922 case TIFF_LONG8:
1923 {
1924 uint64_t* ma;
1925 int32_t* mb;
1926 uint32_t n;
1927 ma=(uint64_t*)origdata;
1928 mb=data;
1929 for (n=0; n<count; n++)
1930 {
1931 if (tif->tif_flags&TIFF_SWAB)
1932 TIFFSwabLong8(ma);
1933 err=TIFFReadDirEntryCheckRangeSlongLong8(*ma);
1934 if (err!=TIFFReadDirEntryErrOk)
1935 break;
1936 *mb++=(int32_t)(*ma++);
1937 }
1938 }
1939 break;
1940 case TIFF_SLONG8:
1941 {
1942 int64_t* ma;
1943 int32_t* mb;
1944 uint32_t n;
1945 ma=(int64_t*)origdata;
1946 mb=data;
1947 for (n=0; n<count; n++)
1948 {
1949 if (tif->tif_flags&TIFF_SWAB)
1950 TIFFSwabLong8((uint64_t*)ma);
1951 err=TIFFReadDirEntryCheckRangeSlongSlong8(*ma);
1952 if (err!=TIFFReadDirEntryErrOk)
1953 break;
1954 *mb++=(int32_t)(*ma++);
1955 }
1956 }
1957 break;
1958 }
1959 _TIFFfree(origdata);
1960 if (err!=TIFFReadDirEntryErrOk)
1961 {
1962 _TIFFfree(data);
1963 return(err);
1964 }
1965 *value=data;
1966 return(TIFFReadDirEntryErrOk);
1967 }
1968
TIFFReadDirEntryLong8ArrayWithLimit(TIFF * tif,TIFFDirEntry * direntry,uint64_t ** value,uint64_t maxcount)1969 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8ArrayWithLimit(
1970 TIFF* tif, TIFFDirEntry* direntry, uint64_t** value, uint64_t maxcount)
1971 {
1972 enum TIFFReadDirEntryErr err;
1973 uint32_t count;
1974 void* origdata;
1975 uint64_t* data;
1976 switch (direntry->tdir_type)
1977 {
1978 case TIFF_BYTE:
1979 case TIFF_SBYTE:
1980 case TIFF_SHORT:
1981 case TIFF_SSHORT:
1982 case TIFF_LONG:
1983 case TIFF_SLONG:
1984 case TIFF_LONG8:
1985 case TIFF_SLONG8:
1986 break;
1987 default:
1988 return(TIFFReadDirEntryErrType);
1989 }
1990 err=TIFFReadDirEntryArrayWithLimit(tif,direntry,&count,8,&origdata,maxcount);
1991 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1992 {
1993 *value=0;
1994 return(err);
1995 }
1996 switch (direntry->tdir_type)
1997 {
1998 case TIFF_LONG8:
1999 *value=(uint64_t*)origdata;
2000 if (tif->tif_flags&TIFF_SWAB)
2001 TIFFSwabArrayOfLong8(*value,count);
2002 return(TIFFReadDirEntryErrOk);
2003 case TIFF_SLONG8:
2004 {
2005 int64_t* m;
2006 uint32_t n;
2007 m=(int64_t*)origdata;
2008 for (n=0; n<count; n++)
2009 {
2010 if (tif->tif_flags&TIFF_SWAB)
2011 TIFFSwabLong8((uint64_t*)m);
2012 err=TIFFReadDirEntryCheckRangeLong8Slong8(*m);
2013 if (err!=TIFFReadDirEntryErrOk)
2014 {
2015 _TIFFfree(origdata);
2016 return(err);
2017 }
2018 m++;
2019 }
2020 *value=(uint64_t*)origdata;
2021 return(TIFFReadDirEntryErrOk);
2022 }
2023 }
2024 data=(uint64_t*)_TIFFmalloc(count * 8);
2025 if (data==0)
2026 {
2027 _TIFFfree(origdata);
2028 return(TIFFReadDirEntryErrAlloc);
2029 }
2030 switch (direntry->tdir_type)
2031 {
2032 case TIFF_BYTE:
2033 {
2034 uint8_t* ma;
2035 uint64_t* mb;
2036 uint32_t n;
2037 ma=(uint8_t*)origdata;
2038 mb=data;
2039 for (n=0; n<count; n++)
2040 *mb++=(uint64_t)(*ma++);
2041 }
2042 break;
2043 case TIFF_SBYTE:
2044 {
2045 int8_t* ma;
2046 uint64_t* mb;
2047 uint32_t n;
2048 ma=(int8_t*)origdata;
2049 mb=data;
2050 for (n=0; n<count; n++)
2051 {
2052 err=TIFFReadDirEntryCheckRangeLong8Sbyte(*ma);
2053 if (err!=TIFFReadDirEntryErrOk)
2054 break;
2055 *mb++=(uint64_t)(*ma++);
2056 }
2057 }
2058 break;
2059 case TIFF_SHORT:
2060 {
2061 uint16_t* ma;
2062 uint64_t* mb;
2063 uint32_t n;
2064 ma=(uint16_t*)origdata;
2065 mb=data;
2066 for (n=0; n<count; n++)
2067 {
2068 if (tif->tif_flags&TIFF_SWAB)
2069 TIFFSwabShort(ma);
2070 *mb++=(uint64_t)(*ma++);
2071 }
2072 }
2073 break;
2074 case TIFF_SSHORT:
2075 {
2076 int16_t* ma;
2077 uint64_t* mb;
2078 uint32_t n;
2079 ma=(int16_t*)origdata;
2080 mb=data;
2081 for (n=0; n<count; n++)
2082 {
2083 if (tif->tif_flags&TIFF_SWAB)
2084 TIFFSwabShort((uint16_t*)ma);
2085 err=TIFFReadDirEntryCheckRangeLong8Sshort(*ma);
2086 if (err!=TIFFReadDirEntryErrOk)
2087 break;
2088 *mb++=(uint64_t)(*ma++);
2089 }
2090 }
2091 break;
2092 case TIFF_LONG:
2093 {
2094 uint32_t* ma;
2095 uint64_t* mb;
2096 uint32_t n;
2097 ma=(uint32_t*)origdata;
2098 mb=data;
2099 for (n=0; n<count; n++)
2100 {
2101 if (tif->tif_flags&TIFF_SWAB)
2102 TIFFSwabLong(ma);
2103 *mb++=(uint64_t)(*ma++);
2104 }
2105 }
2106 break;
2107 case TIFF_SLONG:
2108 {
2109 int32_t* ma;
2110 uint64_t* mb;
2111 uint32_t n;
2112 ma=(int32_t*)origdata;
2113 mb=data;
2114 for (n=0; n<count; n++)
2115 {
2116 if (tif->tif_flags&TIFF_SWAB)
2117 TIFFSwabLong((uint32_t*)ma);
2118 err=TIFFReadDirEntryCheckRangeLong8Slong(*ma);
2119 if (err!=TIFFReadDirEntryErrOk)
2120 break;
2121 *mb++=(uint64_t)(*ma++);
2122 }
2123 }
2124 break;
2125 }
2126 _TIFFfree(origdata);
2127 if (err!=TIFFReadDirEntryErrOk)
2128 {
2129 _TIFFfree(data);
2130 return(err);
2131 }
2132 *value=data;
2133 return(TIFFReadDirEntryErrOk);
2134 }
2135
TIFFReadDirEntryLong8Array(TIFF * tif,TIFFDirEntry * direntry,uint64_t ** value)2136 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64_t** value)
2137 {
2138 return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value, ~((uint64_t)0));
2139 }
2140
TIFFReadDirEntrySlong8Array(TIFF * tif,TIFFDirEntry * direntry,int64_t ** value)2141 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64_t** value)
2142 {
2143 enum TIFFReadDirEntryErr err;
2144 uint32_t count;
2145 void* origdata;
2146 int64_t* data;
2147 switch (direntry->tdir_type)
2148 {
2149 case TIFF_BYTE:
2150 case TIFF_SBYTE:
2151 case TIFF_SHORT:
2152 case TIFF_SSHORT:
2153 case TIFF_LONG:
2154 case TIFF_SLONG:
2155 case TIFF_LONG8:
2156 case TIFF_SLONG8:
2157 break;
2158 default:
2159 return(TIFFReadDirEntryErrType);
2160 }
2161 err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
2162 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2163 {
2164 *value=0;
2165 return(err);
2166 }
2167 switch (direntry->tdir_type)
2168 {
2169 case TIFF_LONG8:
2170 {
2171 uint64_t* m;
2172 uint32_t n;
2173 m=(uint64_t*)origdata;
2174 for (n=0; n<count; n++)
2175 {
2176 if (tif->tif_flags&TIFF_SWAB)
2177 TIFFSwabLong8(m);
2178 err=TIFFReadDirEntryCheckRangeSlong8Long8(*m);
2179 if (err!=TIFFReadDirEntryErrOk)
2180 {
2181 _TIFFfree(origdata);
2182 return(err);
2183 }
2184 m++;
2185 }
2186 *value=(int64_t*)origdata;
2187 return(TIFFReadDirEntryErrOk);
2188 }
2189 case TIFF_SLONG8:
2190 *value=(int64_t*)origdata;
2191 if (tif->tif_flags&TIFF_SWAB)
2192 TIFFSwabArrayOfLong8((uint64_t*)(*value), count);
2193 return(TIFFReadDirEntryErrOk);
2194 }
2195 data=(int64_t*)_TIFFmalloc(count * 8);
2196 if (data==0)
2197 {
2198 _TIFFfree(origdata);
2199 return(TIFFReadDirEntryErrAlloc);
2200 }
2201 switch (direntry->tdir_type)
2202 {
2203 case TIFF_BYTE:
2204 {
2205 uint8_t* ma;
2206 int64_t* mb;
2207 uint32_t n;
2208 ma=(uint8_t*)origdata;
2209 mb=data;
2210 for (n=0; n<count; n++)
2211 *mb++=(int64_t)(*ma++);
2212 }
2213 break;
2214 case TIFF_SBYTE:
2215 {
2216 int8_t* ma;
2217 int64_t* mb;
2218 uint32_t n;
2219 ma=(int8_t*)origdata;
2220 mb=data;
2221 for (n=0; n<count; n++)
2222 *mb++=(int64_t)(*ma++);
2223 }
2224 break;
2225 case TIFF_SHORT:
2226 {
2227 uint16_t* ma;
2228 int64_t* mb;
2229 uint32_t n;
2230 ma=(uint16_t*)origdata;
2231 mb=data;
2232 for (n=0; n<count; n++)
2233 {
2234 if (tif->tif_flags&TIFF_SWAB)
2235 TIFFSwabShort(ma);
2236 *mb++=(int64_t)(*ma++);
2237 }
2238 }
2239 break;
2240 case TIFF_SSHORT:
2241 {
2242 int16_t* ma;
2243 int64_t* mb;
2244 uint32_t n;
2245 ma=(int16_t*)origdata;
2246 mb=data;
2247 for (n=0; n<count; n++)
2248 {
2249 if (tif->tif_flags&TIFF_SWAB)
2250 TIFFSwabShort((uint16_t*)ma);
2251 *mb++=(int64_t)(*ma++);
2252 }
2253 }
2254 break;
2255 case TIFF_LONG:
2256 {
2257 uint32_t* ma;
2258 int64_t* mb;
2259 uint32_t n;
2260 ma=(uint32_t*)origdata;
2261 mb=data;
2262 for (n=0; n<count; n++)
2263 {
2264 if (tif->tif_flags&TIFF_SWAB)
2265 TIFFSwabLong(ma);
2266 *mb++=(int64_t)(*ma++);
2267 }
2268 }
2269 break;
2270 case TIFF_SLONG:
2271 {
2272 int32_t* ma;
2273 int64_t* mb;
2274 uint32_t n;
2275 ma=(int32_t*)origdata;
2276 mb=data;
2277 for (n=0; n<count; n++)
2278 {
2279 if (tif->tif_flags&TIFF_SWAB)
2280 TIFFSwabLong((uint32_t*)ma);
2281 *mb++=(int64_t)(*ma++);
2282 }
2283 }
2284 break;
2285 }
2286 _TIFFfree(origdata);
2287 *value=data;
2288 return(TIFFReadDirEntryErrOk);
2289 }
2290
TIFFReadDirEntryFloatArray(TIFF * tif,TIFFDirEntry * direntry,float ** value)2291 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEntry* direntry, float** value)
2292 {
2293 enum TIFFReadDirEntryErr err;
2294 uint32_t count;
2295 void* origdata;
2296 float* data;
2297 switch (direntry->tdir_type)
2298 {
2299 case TIFF_BYTE:
2300 case TIFF_SBYTE:
2301 case TIFF_SHORT:
2302 case TIFF_SSHORT:
2303 case TIFF_LONG:
2304 case TIFF_SLONG:
2305 case TIFF_LONG8:
2306 case TIFF_SLONG8:
2307 case TIFF_RATIONAL:
2308 case TIFF_SRATIONAL:
2309 case TIFF_FLOAT:
2310 case TIFF_DOUBLE:
2311 break;
2312 default:
2313 return(TIFFReadDirEntryErrType);
2314 }
2315 err=TIFFReadDirEntryArray(tif,direntry,&count,4,&origdata);
2316 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2317 {
2318 *value=0;
2319 return(err);
2320 }
2321 switch (direntry->tdir_type)
2322 {
2323 case TIFF_FLOAT:
2324 if (tif->tif_flags&TIFF_SWAB)
2325 TIFFSwabArrayOfLong((uint32_t*)origdata, count);
2326 TIFFCvtIEEEDoubleToNative(tif,count,(float*)origdata);
2327 *value=(float*)origdata;
2328 return(TIFFReadDirEntryErrOk);
2329 }
2330 data=(float*)_TIFFmalloc(count*sizeof(float));
2331 if (data==0)
2332 {
2333 _TIFFfree(origdata);
2334 return(TIFFReadDirEntryErrAlloc);
2335 }
2336 switch (direntry->tdir_type)
2337 {
2338 case TIFF_BYTE:
2339 {
2340 uint8_t* ma;
2341 float* mb;
2342 uint32_t n;
2343 ma=(uint8_t*)origdata;
2344 mb=data;
2345 for (n=0; n<count; n++)
2346 *mb++=(float)(*ma++);
2347 }
2348 break;
2349 case TIFF_SBYTE:
2350 {
2351 int8_t* ma;
2352 float* mb;
2353 uint32_t n;
2354 ma=(int8_t*)origdata;
2355 mb=data;
2356 for (n=0; n<count; n++)
2357 *mb++=(float)(*ma++);
2358 }
2359 break;
2360 case TIFF_SHORT:
2361 {
2362 uint16_t* ma;
2363 float* mb;
2364 uint32_t n;
2365 ma=(uint16_t*)origdata;
2366 mb=data;
2367 for (n=0; n<count; n++)
2368 {
2369 if (tif->tif_flags&TIFF_SWAB)
2370 TIFFSwabShort(ma);
2371 *mb++=(float)(*ma++);
2372 }
2373 }
2374 break;
2375 case TIFF_SSHORT:
2376 {
2377 int16_t* ma;
2378 float* mb;
2379 uint32_t n;
2380 ma=(int16_t*)origdata;
2381 mb=data;
2382 for (n=0; n<count; n++)
2383 {
2384 if (tif->tif_flags&TIFF_SWAB)
2385 TIFFSwabShort((uint16_t*)ma);
2386 *mb++=(float)(*ma++);
2387 }
2388 }
2389 break;
2390 case TIFF_LONG:
2391 {
2392 uint32_t* ma;
2393 float* mb;
2394 uint32_t n;
2395 ma=(uint32_t*)origdata;
2396 mb=data;
2397 for (n=0; n<count; n++)
2398 {
2399 if (tif->tif_flags&TIFF_SWAB)
2400 TIFFSwabLong(ma);
2401 *mb++=(float)(*ma++);
2402 }
2403 }
2404 break;
2405 case TIFF_SLONG:
2406 {
2407 int32_t* ma;
2408 float* mb;
2409 uint32_t n;
2410 ma=(int32_t*)origdata;
2411 mb=data;
2412 for (n=0; n<count; n++)
2413 {
2414 if (tif->tif_flags&TIFF_SWAB)
2415 TIFFSwabLong((uint32_t*)ma);
2416 *mb++=(float)(*ma++);
2417 }
2418 }
2419 break;
2420 case TIFF_LONG8:
2421 {
2422 uint64_t* ma;
2423 float* mb;
2424 uint32_t n;
2425 ma=(uint64_t*)origdata;
2426 mb=data;
2427 for (n=0; n<count; n++)
2428 {
2429 if (tif->tif_flags&TIFF_SWAB)
2430 TIFFSwabLong8(ma);
2431 #if defined(__WIN32__) && (_MSC_VER < 1500)
2432 /*
2433 * XXX: MSVC 6.0 does not support
2434 * conversion of 64-bit integers into
2435 * floating point values.
2436 */
2437 *mb++ = _TIFFUInt64ToFloat(*ma++);
2438 #else
2439 *mb++ = (float)(*ma++);
2440 #endif
2441 }
2442 }
2443 break;
2444 case TIFF_SLONG8:
2445 {
2446 int64_t* ma;
2447 float* mb;
2448 uint32_t n;
2449 ma=(int64_t*)origdata;
2450 mb=data;
2451 for (n=0; n<count; n++)
2452 {
2453 if (tif->tif_flags&TIFF_SWAB)
2454 TIFFSwabLong8((uint64_t*)ma);
2455 *mb++=(float)(*ma++);
2456 }
2457 }
2458 break;
2459 case TIFF_RATIONAL:
2460 {
2461 uint32_t* ma;
2462 uint32_t maa;
2463 uint32_t mab;
2464 float* mb;
2465 uint32_t n;
2466 ma=(uint32_t*)origdata;
2467 mb=data;
2468 for (n=0; n<count; n++)
2469 {
2470 if (tif->tif_flags&TIFF_SWAB)
2471 TIFFSwabLong(ma);
2472 maa=*ma++;
2473 if (tif->tif_flags&TIFF_SWAB)
2474 TIFFSwabLong(ma);
2475 mab=*ma++;
2476 if (mab==0)
2477 *mb++=0.0;
2478 else
2479 *mb++=(float)maa/(float)mab;
2480 }
2481 }
2482 break;
2483 case TIFF_SRATIONAL:
2484 {
2485 uint32_t* ma;
2486 int32_t maa;
2487 uint32_t mab;
2488 float* mb;
2489 uint32_t n;
2490 ma=(uint32_t*)origdata;
2491 mb=data;
2492 for (n=0; n<count; n++)
2493 {
2494 if (tif->tif_flags&TIFF_SWAB)
2495 TIFFSwabLong(ma);
2496 maa=*(int32_t*)ma;
2497 ma++;
2498 if (tif->tif_flags&TIFF_SWAB)
2499 TIFFSwabLong(ma);
2500 mab=*ma++;
2501 if (mab==0)
2502 *mb++=0.0;
2503 else
2504 *mb++=(float)maa/(float)mab;
2505 }
2506 }
2507 break;
2508 case TIFF_DOUBLE:
2509 {
2510 double* ma;
2511 float* mb;
2512 uint32_t n;
2513 if (tif->tif_flags&TIFF_SWAB)
2514 TIFFSwabArrayOfLong8((uint64_t*)origdata, count);
2515 TIFFCvtIEEEDoubleToNative(tif,count,(double*)origdata);
2516 ma=(double*)origdata;
2517 mb=data;
2518 for (n=0; n<count; n++)
2519 {
2520 double val = *ma++;
2521 if( val > FLT_MAX )
2522 val = FLT_MAX;
2523 else if( val < -FLT_MAX )
2524 val = -FLT_MAX;
2525 *mb++=(float)val;
2526 }
2527 }
2528 break;
2529 }
2530 _TIFFfree(origdata);
2531 *value=data;
2532 return(TIFFReadDirEntryErrOk);
2533 }
2534
2535 static enum TIFFReadDirEntryErr
TIFFReadDirEntryDoubleArray(TIFF * tif,TIFFDirEntry * direntry,double ** value)2536 TIFFReadDirEntryDoubleArray(TIFF* tif, TIFFDirEntry* direntry, double** value)
2537 {
2538 enum TIFFReadDirEntryErr err;
2539 uint32_t count;
2540 void* origdata;
2541 double* data;
2542 switch (direntry->tdir_type)
2543 {
2544 case TIFF_BYTE:
2545 case TIFF_SBYTE:
2546 case TIFF_SHORT:
2547 case TIFF_SSHORT:
2548 case TIFF_LONG:
2549 case TIFF_SLONG:
2550 case TIFF_LONG8:
2551 case TIFF_SLONG8:
2552 case TIFF_RATIONAL:
2553 case TIFF_SRATIONAL:
2554 case TIFF_FLOAT:
2555 case TIFF_DOUBLE:
2556 break;
2557 default:
2558 return(TIFFReadDirEntryErrType);
2559 }
2560 err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
2561 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2562 {
2563 *value=0;
2564 return(err);
2565 }
2566 switch (direntry->tdir_type)
2567 {
2568 case TIFF_DOUBLE:
2569 if (tif->tif_flags&TIFF_SWAB)
2570 TIFFSwabArrayOfLong8((uint64_t*)origdata, count);
2571 TIFFCvtIEEEDoubleToNative(tif,count,(double*)origdata);
2572 *value=(double*)origdata;
2573 return(TIFFReadDirEntryErrOk);
2574 }
2575 data=(double*)_TIFFmalloc(count*sizeof(double));
2576 if (data==0)
2577 {
2578 _TIFFfree(origdata);
2579 return(TIFFReadDirEntryErrAlloc);
2580 }
2581 switch (direntry->tdir_type)
2582 {
2583 case TIFF_BYTE:
2584 {
2585 uint8_t* ma;
2586 double* mb;
2587 uint32_t n;
2588 ma=(uint8_t*)origdata;
2589 mb=data;
2590 for (n=0; n<count; n++)
2591 *mb++=(double)(*ma++);
2592 }
2593 break;
2594 case TIFF_SBYTE:
2595 {
2596 int8_t* ma;
2597 double* mb;
2598 uint32_t n;
2599 ma=(int8_t*)origdata;
2600 mb=data;
2601 for (n=0; n<count; n++)
2602 *mb++=(double)(*ma++);
2603 }
2604 break;
2605 case TIFF_SHORT:
2606 {
2607 uint16_t* ma;
2608 double* mb;
2609 uint32_t n;
2610 ma=(uint16_t*)origdata;
2611 mb=data;
2612 for (n=0; n<count; n++)
2613 {
2614 if (tif->tif_flags&TIFF_SWAB)
2615 TIFFSwabShort(ma);
2616 *mb++=(double)(*ma++);
2617 }
2618 }
2619 break;
2620 case TIFF_SSHORT:
2621 {
2622 int16_t* ma;
2623 double* mb;
2624 uint32_t n;
2625 ma=(int16_t*)origdata;
2626 mb=data;
2627 for (n=0; n<count; n++)
2628 {
2629 if (tif->tif_flags&TIFF_SWAB)
2630 TIFFSwabShort((uint16_t*)ma);
2631 *mb++=(double)(*ma++);
2632 }
2633 }
2634 break;
2635 case TIFF_LONG:
2636 {
2637 uint32_t* ma;
2638 double* mb;
2639 uint32_t n;
2640 ma=(uint32_t*)origdata;
2641 mb=data;
2642 for (n=0; n<count; n++)
2643 {
2644 if (tif->tif_flags&TIFF_SWAB)
2645 TIFFSwabLong(ma);
2646 *mb++=(double)(*ma++);
2647 }
2648 }
2649 break;
2650 case TIFF_SLONG:
2651 {
2652 int32_t* ma;
2653 double* mb;
2654 uint32_t n;
2655 ma=(int32_t*)origdata;
2656 mb=data;
2657 for (n=0; n<count; n++)
2658 {
2659 if (tif->tif_flags&TIFF_SWAB)
2660 TIFFSwabLong((uint32_t*)ma);
2661 *mb++=(double)(*ma++);
2662 }
2663 }
2664 break;
2665 case TIFF_LONG8:
2666 {
2667 uint64_t* ma;
2668 double* mb;
2669 uint32_t n;
2670 ma=(uint64_t*)origdata;
2671 mb=data;
2672 for (n=0; n<count; n++)
2673 {
2674 if (tif->tif_flags&TIFF_SWAB)
2675 TIFFSwabLong8(ma);
2676 #if defined(__WIN32__) && (_MSC_VER < 1500)
2677 /*
2678 * XXX: MSVC 6.0 does not support
2679 * conversion of 64-bit integers into
2680 * floating point values.
2681 */
2682 *mb++ = _TIFFUInt64ToDouble(*ma++);
2683 #else
2684 *mb++ = (double)(*ma++);
2685 #endif
2686 }
2687 }
2688 break;
2689 case TIFF_SLONG8:
2690 {
2691 int64_t* ma;
2692 double* mb;
2693 uint32_t n;
2694 ma=(int64_t*)origdata;
2695 mb=data;
2696 for (n=0; n<count; n++)
2697 {
2698 if (tif->tif_flags&TIFF_SWAB)
2699 TIFFSwabLong8((uint64_t*)ma);
2700 *mb++=(double)(*ma++);
2701 }
2702 }
2703 break;
2704 case TIFF_RATIONAL:
2705 {
2706 uint32_t* ma;
2707 uint32_t maa;
2708 uint32_t mab;
2709 double* mb;
2710 uint32_t n;
2711 ma=(uint32_t*)origdata;
2712 mb=data;
2713 for (n=0; n<count; n++)
2714 {
2715 if (tif->tif_flags&TIFF_SWAB)
2716 TIFFSwabLong(ma);
2717 maa=*ma++;
2718 if (tif->tif_flags&TIFF_SWAB)
2719 TIFFSwabLong(ma);
2720 mab=*ma++;
2721 if (mab==0)
2722 *mb++=0.0;
2723 else
2724 *mb++=(double)maa/(double)mab;
2725 }
2726 }
2727 break;
2728 case TIFF_SRATIONAL:
2729 {
2730 uint32_t* ma;
2731 int32_t maa;
2732 uint32_t mab;
2733 double* mb;
2734 uint32_t n;
2735 ma=(uint32_t*)origdata;
2736 mb=data;
2737 for (n=0; n<count; n++)
2738 {
2739 if (tif->tif_flags&TIFF_SWAB)
2740 TIFFSwabLong(ma);
2741 maa=*(int32_t*)ma;
2742 ma++;
2743 if (tif->tif_flags&TIFF_SWAB)
2744 TIFFSwabLong(ma);
2745 mab=*ma++;
2746 if (mab==0)
2747 *mb++=0.0;
2748 else
2749 *mb++=(double)maa/(double)mab;
2750 }
2751 }
2752 break;
2753 case TIFF_FLOAT:
2754 {
2755 float* ma;
2756 double* mb;
2757 uint32_t n;
2758 if (tif->tif_flags&TIFF_SWAB)
2759 TIFFSwabArrayOfLong((uint32_t*)origdata, count);
2760 TIFFCvtIEEEFloatToNative(tif,count,(float*)origdata);
2761 ma=(float*)origdata;
2762 mb=data;
2763 for (n=0; n<count; n++)
2764 *mb++=(double)(*ma++);
2765 }
2766 break;
2767 }
2768 _TIFFfree(origdata);
2769 *value=data;
2770 return(TIFFReadDirEntryErrOk);
2771 }
2772
TIFFReadDirEntryIfd8Array(TIFF * tif,TIFFDirEntry * direntry,uint64_t ** value)2773 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8Array(TIFF* tif, TIFFDirEntry* direntry, uint64_t** value)
2774 {
2775 enum TIFFReadDirEntryErr err;
2776 uint32_t count;
2777 void* origdata;
2778 uint64_t* data;
2779 switch (direntry->tdir_type)
2780 {
2781 case TIFF_LONG:
2782 case TIFF_LONG8:
2783 case TIFF_IFD:
2784 case TIFF_IFD8:
2785 break;
2786 default:
2787 return(TIFFReadDirEntryErrType);
2788 }
2789 err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
2790 if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2791 {
2792 *value=0;
2793 return(err);
2794 }
2795 switch (direntry->tdir_type)
2796 {
2797 case TIFF_LONG8:
2798 case TIFF_IFD8:
2799 *value=(uint64_t*)origdata;
2800 if (tif->tif_flags&TIFF_SWAB)
2801 TIFFSwabArrayOfLong8(*value,count);
2802 return(TIFFReadDirEntryErrOk);
2803 }
2804 data=(uint64_t*)_TIFFmalloc(count * 8);
2805 if (data==0)
2806 {
2807 _TIFFfree(origdata);
2808 return(TIFFReadDirEntryErrAlloc);
2809 }
2810 switch (direntry->tdir_type)
2811 {
2812 case TIFF_LONG:
2813 case TIFF_IFD:
2814 {
2815 uint32_t* ma;
2816 uint64_t* mb;
2817 uint32_t n;
2818 ma=(uint32_t*)origdata;
2819 mb=data;
2820 for (n=0; n<count; n++)
2821 {
2822 if (tif->tif_flags&TIFF_SWAB)
2823 TIFFSwabLong(ma);
2824 *mb++=(uint64_t)(*ma++);
2825 }
2826 }
2827 break;
2828 }
2829 _TIFFfree(origdata);
2830 *value=data;
2831 return(TIFFReadDirEntryErrOk);
2832 }
2833
TIFFReadDirEntryPersampleShort(TIFF * tif,TIFFDirEntry * direntry,uint16_t * value)2834 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDirEntry* direntry, uint16_t* value)
2835 {
2836 enum TIFFReadDirEntryErr err;
2837 uint16_t* m;
2838 uint16_t* na;
2839 uint16_t nb;
2840 if (direntry->tdir_count<(uint64_t)tif->tif_dir.td_samplesperpixel)
2841 return(TIFFReadDirEntryErrCount);
2842 err=TIFFReadDirEntryShortArray(tif,direntry,&m);
2843 if (err!=TIFFReadDirEntryErrOk || m == NULL)
2844 return(err);
2845 na=m;
2846 nb=tif->tif_dir.td_samplesperpixel;
2847 *value=*na++;
2848 nb--;
2849 while (nb>0)
2850 {
2851 if (*na++!=*value)
2852 {
2853 err=TIFFReadDirEntryErrPsdif;
2854 break;
2855 }
2856 nb--;
2857 }
2858 _TIFFfree(m);
2859 return(err);
2860 }
2861
2862 #if 0
2863 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleDouble(TIFF* tif, TIFFDirEntry* direntry, double* value)
2864 {
2865 enum TIFFReadDirEntryErr err;
2866 double* m;
2867 double* na;
2868 uint16_t nb;
2869 if (direntry->tdir_count<(uint64_t)tif->tif_dir.td_samplesperpixel)
2870 return(TIFFReadDirEntryErrCount);
2871 err=TIFFReadDirEntryDoubleArray(tif,direntry,&m);
2872 if (err!=TIFFReadDirEntryErrOk)
2873 return(err);
2874 na=m;
2875 nb=tif->tif_dir.td_samplesperpixel;
2876 *value=*na++;
2877 nb--;
2878 while (nb>0)
2879 {
2880 if (*na++!=*value)
2881 {
2882 err=TIFFReadDirEntryErrPsdif;
2883 break;
2884 }
2885 nb--;
2886 }
2887 _TIFFfree(m);
2888 return(err);
2889 }
2890 #endif
2891
TIFFReadDirEntryCheckedByte(TIFF * tif,TIFFDirEntry * direntry,uint8_t * value)2892 static void TIFFReadDirEntryCheckedByte(TIFF* tif, TIFFDirEntry* direntry, uint8_t* value)
2893 {
2894 (void) tif;
2895 *value=*(uint8_t*)(&direntry->tdir_offset);
2896 }
2897
TIFFReadDirEntryCheckedSbyte(TIFF * tif,TIFFDirEntry * direntry,int8_t * value)2898 static void TIFFReadDirEntryCheckedSbyte(TIFF* tif, TIFFDirEntry* direntry, int8_t* value)
2899 {
2900 (void) tif;
2901 *value=*(int8_t*)(&direntry->tdir_offset);
2902 }
2903
TIFFReadDirEntryCheckedShort(TIFF * tif,TIFFDirEntry * direntry,uint16_t * value)2904 static void TIFFReadDirEntryCheckedShort(TIFF* tif, TIFFDirEntry* direntry, uint16_t* value)
2905 {
2906 *value = direntry->tdir_offset.toff_short;
2907 /* *value=*(uint16_t*)(&direntry->tdir_offset); */
2908 if (tif->tif_flags&TIFF_SWAB)
2909 TIFFSwabShort(value);
2910 }
2911
TIFFReadDirEntryCheckedSshort(TIFF * tif,TIFFDirEntry * direntry,int16_t * value)2912 static void TIFFReadDirEntryCheckedSshort(TIFF* tif, TIFFDirEntry* direntry, int16_t* value)
2913 {
2914 *value=*(int16_t*)(&direntry->tdir_offset);
2915 if (tif->tif_flags&TIFF_SWAB)
2916 TIFFSwabShort((uint16_t*)value);
2917 }
2918
TIFFReadDirEntryCheckedLong(TIFF * tif,TIFFDirEntry * direntry,uint32_t * value)2919 static void TIFFReadDirEntryCheckedLong(TIFF* tif, TIFFDirEntry* direntry, uint32_t* value)
2920 {
2921 *value=*(uint32_t*)(&direntry->tdir_offset);
2922 if (tif->tif_flags&TIFF_SWAB)
2923 TIFFSwabLong(value);
2924 }
2925
TIFFReadDirEntryCheckedSlong(TIFF * tif,TIFFDirEntry * direntry,int32_t * value)2926 static void TIFFReadDirEntryCheckedSlong(TIFF* tif, TIFFDirEntry* direntry, int32_t* value)
2927 {
2928 *value=*(int32_t*)(&direntry->tdir_offset);
2929 if (tif->tif_flags&TIFF_SWAB)
2930 TIFFSwabLong((uint32_t*)value);
2931 }
2932
TIFFReadDirEntryCheckedLong8(TIFF * tif,TIFFDirEntry * direntry,uint64_t * value)2933 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedLong8(TIFF* tif, TIFFDirEntry* direntry, uint64_t* value)
2934 {
2935 if (!(tif->tif_flags&TIFF_BIGTIFF))
2936 {
2937 enum TIFFReadDirEntryErr err;
2938 uint32_t offset = direntry->tdir_offset.toff_long;
2939 if (tif->tif_flags&TIFF_SWAB)
2940 TIFFSwabLong(&offset);
2941 err=TIFFReadDirEntryData(tif,offset,8,value);
2942 if (err!=TIFFReadDirEntryErrOk)
2943 return(err);
2944 }
2945 else
2946 *value = direntry->tdir_offset.toff_long8;
2947 if (tif->tif_flags&TIFF_SWAB)
2948 TIFFSwabLong8(value);
2949 return(TIFFReadDirEntryErrOk);
2950 }
2951
TIFFReadDirEntryCheckedSlong8(TIFF * tif,TIFFDirEntry * direntry,int64_t * value)2952 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSlong8(TIFF* tif, TIFFDirEntry* direntry, int64_t* value)
2953 {
2954 if (!(tif->tif_flags&TIFF_BIGTIFF))
2955 {
2956 enum TIFFReadDirEntryErr err;
2957 uint32_t offset = direntry->tdir_offset.toff_long;
2958 if (tif->tif_flags&TIFF_SWAB)
2959 TIFFSwabLong(&offset);
2960 err=TIFFReadDirEntryData(tif,offset,8,value);
2961 if (err!=TIFFReadDirEntryErrOk)
2962 return(err);
2963 }
2964 else
2965 *value=*(int64_t*)(&direntry->tdir_offset);
2966 if (tif->tif_flags&TIFF_SWAB)
2967 TIFFSwabLong8((uint64_t*)value);
2968 return(TIFFReadDirEntryErrOk);
2969 }
2970
TIFFReadDirEntryCheckedRational(TIFF * tif,TIFFDirEntry * direntry,double * value)2971 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFDirEntry* direntry, double* value)
2972 {
2973 UInt64Aligned_t m;
2974
2975 assert(sizeof(double)==8);
2976 assert(sizeof(uint64_t) == 8);
2977 assert(sizeof(uint32_t) == 4);
2978 if (!(tif->tif_flags&TIFF_BIGTIFF))
2979 {
2980 enum TIFFReadDirEntryErr err;
2981 uint32_t offset = direntry->tdir_offset.toff_long;
2982 if (tif->tif_flags&TIFF_SWAB)
2983 TIFFSwabLong(&offset);
2984 err=TIFFReadDirEntryData(tif,offset,8,m.i);
2985 if (err!=TIFFReadDirEntryErrOk)
2986 return(err);
2987 }
2988 else
2989 m.l = direntry->tdir_offset.toff_long8;
2990 if (tif->tif_flags&TIFF_SWAB)
2991 TIFFSwabArrayOfLong(m.i,2);
2992 /* Not completely sure what we should do when m.i[1]==0, but some */
2993 /* sanitizers do not like division by 0.0: */
2994 /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
2995 if (m.i[0]==0 || m.i[1]==0)
2996 *value=0.0;
2997 else
2998 *value=(double)m.i[0]/(double)m.i[1];
2999 return(TIFFReadDirEntryErrOk);
3000 }
3001
TIFFReadDirEntryCheckedSrational(TIFF * tif,TIFFDirEntry * direntry,double * value)3002 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFFDirEntry* direntry, double* value)
3003 {
3004 UInt64Aligned_t m;
3005 assert(sizeof(double)==8);
3006 assert(sizeof(uint64_t) == 8);
3007 assert(sizeof(int32_t) == 4);
3008 assert(sizeof(uint32_t) == 4);
3009 if (!(tif->tif_flags&TIFF_BIGTIFF))
3010 {
3011 enum TIFFReadDirEntryErr err;
3012 uint32_t offset = direntry->tdir_offset.toff_long;
3013 if (tif->tif_flags&TIFF_SWAB)
3014 TIFFSwabLong(&offset);
3015 err=TIFFReadDirEntryData(tif,offset,8,m.i);
3016 if (err!=TIFFReadDirEntryErrOk)
3017 return(err);
3018 }
3019 else
3020 m.l=direntry->tdir_offset.toff_long8;
3021 if (tif->tif_flags&TIFF_SWAB)
3022 TIFFSwabArrayOfLong(m.i,2);
3023 /* Not completely sure what we should do when m.i[1]==0, but some */
3024 /* sanitizers do not like division by 0.0: */
3025 /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3026 if ((int32_t)m.i[0] == 0 || m.i[1] == 0)
3027 *value=0.0;
3028 else
3029 *value= (double)((int32_t)m.i[0]) / (double)m.i[1];
3030 return(TIFFReadDirEntryErrOk);
3031 }
3032
TIFFReadDirEntryCheckedFloat(TIFF * tif,TIFFDirEntry * direntry,float * value)3033 static void TIFFReadDirEntryCheckedFloat(TIFF* tif, TIFFDirEntry* direntry, float* value)
3034 {
3035 union
3036 {
3037 float f;
3038 uint32_t i;
3039 } float_union;
3040 assert(sizeof(float)==4);
3041 assert(sizeof(uint32_t) == 4);
3042 assert(sizeof(float_union)==4);
3043 float_union.i=*(uint32_t*)(&direntry->tdir_offset);
3044 *value=float_union.f;
3045 if (tif->tif_flags&TIFF_SWAB)
3046 TIFFSwabLong((uint32_t*)value);
3047 }
3048
TIFFReadDirEntryCheckedDouble(TIFF * tif,TIFFDirEntry * direntry,double * value)3049 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedDouble(TIFF* tif, TIFFDirEntry* direntry, double* value)
3050 {
3051 assert(sizeof(double)==8);
3052 assert(sizeof(uint64_t) == 8);
3053 assert(sizeof(UInt64Aligned_t)==8);
3054 if (!(tif->tif_flags&TIFF_BIGTIFF))
3055 {
3056 enum TIFFReadDirEntryErr err;
3057 uint32_t offset = direntry->tdir_offset.toff_long;
3058 if (tif->tif_flags&TIFF_SWAB)
3059 TIFFSwabLong(&offset);
3060 err=TIFFReadDirEntryData(tif,offset,8,value);
3061 if (err!=TIFFReadDirEntryErrOk)
3062 return(err);
3063 }
3064 else
3065 {
3066 UInt64Aligned_t uint64_union;
3067 uint64_union.l=direntry->tdir_offset.toff_long8;
3068 *value=uint64_union.d;
3069 }
3070 if (tif->tif_flags&TIFF_SWAB)
3071 TIFFSwabLong8((uint64_t*)value);
3072 return(TIFFReadDirEntryErrOk);
3073 }
3074
TIFFReadDirEntryCheckRangeByteSbyte(int8_t value)3075 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSbyte(int8_t value)
3076 {
3077 if (value<0)
3078 return(TIFFReadDirEntryErrRange);
3079 else
3080 return(TIFFReadDirEntryErrOk);
3081 }
3082
TIFFReadDirEntryCheckRangeByteShort(uint16_t value)3083 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteShort(uint16_t value)
3084 {
3085 if (value>0xFF)
3086 return(TIFFReadDirEntryErrRange);
3087 else
3088 return(TIFFReadDirEntryErrOk);
3089 }
3090
TIFFReadDirEntryCheckRangeByteSshort(int16_t value)3091 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSshort(int16_t value)
3092 {
3093 if ((value<0)||(value>0xFF))
3094 return(TIFFReadDirEntryErrRange);
3095 else
3096 return(TIFFReadDirEntryErrOk);
3097 }
3098
TIFFReadDirEntryCheckRangeByteLong(uint32_t value)3099 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong(uint32_t value)
3100 {
3101 if (value>0xFF)
3102 return(TIFFReadDirEntryErrRange);
3103 else
3104 return(TIFFReadDirEntryErrOk);
3105 }
3106
TIFFReadDirEntryCheckRangeByteSlong(int32_t value)3107 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong(int32_t value)
3108 {
3109 if ((value<0)||(value>0xFF))
3110 return(TIFFReadDirEntryErrRange);
3111 else
3112 return(TIFFReadDirEntryErrOk);
3113 }
3114
TIFFReadDirEntryCheckRangeByteLong8(uint64_t value)3115 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong8(uint64_t value)
3116 {
3117 if (value>0xFF)
3118 return(TIFFReadDirEntryErrRange);
3119 else
3120 return(TIFFReadDirEntryErrOk);
3121 }
3122
TIFFReadDirEntryCheckRangeByteSlong8(int64_t value)3123 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong8(int64_t value)
3124 {
3125 if ((value<0)||(value>0xFF))
3126 return(TIFFReadDirEntryErrRange);
3127 else
3128 return(TIFFReadDirEntryErrOk);
3129 }
3130
TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value)3131 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value)
3132 {
3133 if (value>0x7F)
3134 return(TIFFReadDirEntryErrRange);
3135 else
3136 return(TIFFReadDirEntryErrOk);
3137 }
3138
TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value)3139 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value)
3140 {
3141 if (value>0x7F)
3142 return(TIFFReadDirEntryErrRange);
3143 else
3144 return(TIFFReadDirEntryErrOk);
3145 }
3146
TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value)3147 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value)
3148 {
3149 if ((value<-0x80)||(value>0x7F))
3150 return(TIFFReadDirEntryErrRange);
3151 else
3152 return(TIFFReadDirEntryErrOk);
3153 }
3154
TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value)3155 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value)
3156 {
3157 if (value>0x7F)
3158 return(TIFFReadDirEntryErrRange);
3159 else
3160 return(TIFFReadDirEntryErrOk);
3161 }
3162
TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value)3163 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value)
3164 {
3165 if ((value<-0x80)||(value>0x7F))
3166 return(TIFFReadDirEntryErrRange);
3167 else
3168 return(TIFFReadDirEntryErrOk);
3169 }
3170
TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value)3171 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value)
3172 {
3173 if (value>0x7F)
3174 return(TIFFReadDirEntryErrRange);
3175 else
3176 return(TIFFReadDirEntryErrOk);
3177 }
3178
TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value)3179 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value)
3180 {
3181 if ((value<-0x80)||(value>0x7F))
3182 return(TIFFReadDirEntryErrRange);
3183 else
3184 return(TIFFReadDirEntryErrOk);
3185 }
3186
TIFFReadDirEntryCheckRangeShortSbyte(int8_t value)3187 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSbyte(int8_t value)
3188 {
3189 if (value<0)
3190 return(TIFFReadDirEntryErrRange);
3191 else
3192 return(TIFFReadDirEntryErrOk);
3193 }
3194
TIFFReadDirEntryCheckRangeShortSshort(int16_t value)3195 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSshort(int16_t value)
3196 {
3197 if (value<0)
3198 return(TIFFReadDirEntryErrRange);
3199 else
3200 return(TIFFReadDirEntryErrOk);
3201 }
3202
TIFFReadDirEntryCheckRangeShortLong(uint32_t value)3203 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong(uint32_t value)
3204 {
3205 if (value>0xFFFF)
3206 return(TIFFReadDirEntryErrRange);
3207 else
3208 return(TIFFReadDirEntryErrOk);
3209 }
3210
TIFFReadDirEntryCheckRangeShortSlong(int32_t value)3211 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong(int32_t value)
3212 {
3213 if ((value<0)||(value>0xFFFF))
3214 return(TIFFReadDirEntryErrRange);
3215 else
3216 return(TIFFReadDirEntryErrOk);
3217 }
3218
TIFFReadDirEntryCheckRangeShortLong8(uint64_t value)3219 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong8(uint64_t value)
3220 {
3221 if (value>0xFFFF)
3222 return(TIFFReadDirEntryErrRange);
3223 else
3224 return(TIFFReadDirEntryErrOk);
3225 }
3226
TIFFReadDirEntryCheckRangeShortSlong8(int64_t value)3227 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong8(int64_t value)
3228 {
3229 if ((value<0)||(value>0xFFFF))
3230 return(TIFFReadDirEntryErrRange);
3231 else
3232 return(TIFFReadDirEntryErrOk);
3233 }
3234
TIFFReadDirEntryCheckRangeSshortShort(uint16_t value)3235 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortShort(uint16_t value)
3236 {
3237 if (value>0x7FFF)
3238 return(TIFFReadDirEntryErrRange);
3239 else
3240 return(TIFFReadDirEntryErrOk);
3241 }
3242
TIFFReadDirEntryCheckRangeSshortLong(uint32_t value)3243 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong(uint32_t value)
3244 {
3245 if (value>0x7FFF)
3246 return(TIFFReadDirEntryErrRange);
3247 else
3248 return(TIFFReadDirEntryErrOk);
3249 }
3250
TIFFReadDirEntryCheckRangeSshortSlong(int32_t value)3251 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong(int32_t value)
3252 {
3253 if ((value<-0x8000)||(value>0x7FFF))
3254 return(TIFFReadDirEntryErrRange);
3255 else
3256 return(TIFFReadDirEntryErrOk);
3257 }
3258
TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value)3259 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value)
3260 {
3261 if (value>0x7FFF)
3262 return(TIFFReadDirEntryErrRange);
3263 else
3264 return(TIFFReadDirEntryErrOk);
3265 }
3266
TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value)3267 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value)
3268 {
3269 if ((value<-0x8000)||(value>0x7FFF))
3270 return(TIFFReadDirEntryErrRange);
3271 else
3272 return(TIFFReadDirEntryErrOk);
3273 }
3274
TIFFReadDirEntryCheckRangeLongSbyte(int8_t value)3275 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSbyte(int8_t value)
3276 {
3277 if (value<0)
3278 return(TIFFReadDirEntryErrRange);
3279 else
3280 return(TIFFReadDirEntryErrOk);
3281 }
3282
TIFFReadDirEntryCheckRangeLongSshort(int16_t value)3283 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSshort(int16_t value)
3284 {
3285 if (value<0)
3286 return(TIFFReadDirEntryErrRange);
3287 else
3288 return(TIFFReadDirEntryErrOk);
3289 }
3290
TIFFReadDirEntryCheckRangeLongSlong(int32_t value)3291 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSlong(int32_t value)
3292 {
3293 if (value<0)
3294 return(TIFFReadDirEntryErrRange);
3295 else
3296 return(TIFFReadDirEntryErrOk);
3297 }
3298
3299 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongLong8(uint64_t value)3300 TIFFReadDirEntryCheckRangeLongLong8(uint64_t value)
3301 {
3302 if (value > UINT32_MAX)
3303 return(TIFFReadDirEntryErrRange);
3304 else
3305 return(TIFFReadDirEntryErrOk);
3306 }
3307
3308 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongSlong8(int64_t value)3309 TIFFReadDirEntryCheckRangeLongSlong8(int64_t value)
3310 {
3311 if ((value < 0) || (value > (int64_t) UINT32_MAX))
3312 return(TIFFReadDirEntryErrRange);
3313 else
3314 return(TIFFReadDirEntryErrOk);
3315 }
3316
3317 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongLong(uint32_t value)3318 TIFFReadDirEntryCheckRangeSlongLong(uint32_t value)
3319 {
3320 if (value > 0x7FFFFFFFUL)
3321 return(TIFFReadDirEntryErrRange);
3322 else
3323 return(TIFFReadDirEntryErrOk);
3324 }
3325
3326 /* Check that the 8-byte unsigned value can fit in a 4-byte unsigned range */
3327 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value)3328 TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value)
3329 {
3330 if (value > 0x7FFFFFFF)
3331 return(TIFFReadDirEntryErrRange);
3332 else
3333 return(TIFFReadDirEntryErrOk);
3334 }
3335
3336 /* Check that the 8-byte signed value can fit in a 4-byte signed range */
3337 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value)3338 TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value)
3339 {
3340 if ((value < 0-((int64_t) 0x7FFFFFFF + 1)) || (value > 0x7FFFFFFF))
3341 return(TIFFReadDirEntryErrRange);
3342 else
3343 return(TIFFReadDirEntryErrOk);
3344 }
3345
3346 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value)3347 TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value)
3348 {
3349 if (value < 0)
3350 return(TIFFReadDirEntryErrRange);
3351 else
3352 return(TIFFReadDirEntryErrOk);
3353 }
3354
3355 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value)3356 TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value)
3357 {
3358 if (value < 0)
3359 return(TIFFReadDirEntryErrRange);
3360 else
3361 return(TIFFReadDirEntryErrOk);
3362 }
3363
3364 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Slong(int32_t value)3365 TIFFReadDirEntryCheckRangeLong8Slong(int32_t value)
3366 {
3367 if (value < 0)
3368 return(TIFFReadDirEntryErrRange);
3369 else
3370 return(TIFFReadDirEntryErrOk);
3371 }
3372
3373 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value)3374 TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value)
3375 {
3376 if (value < 0)
3377 return(TIFFReadDirEntryErrRange);
3378 else
3379 return(TIFFReadDirEntryErrOk);
3380 }
3381
3382 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value)3383 TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value)
3384 {
3385 if (value > INT64_MAX)
3386 return(TIFFReadDirEntryErrRange);
3387 else
3388 return(TIFFReadDirEntryErrOk);
3389 }
3390
3391 static enum TIFFReadDirEntryErr
TIFFReadDirEntryData(TIFF * tif,uint64_t offset,tmsize_t size,void * dest)3392 TIFFReadDirEntryData(TIFF* tif, uint64_t offset, tmsize_t size, void* dest)
3393 {
3394 assert(size>0);
3395 if (!isMapped(tif)) {
3396 if (!SeekOK(tif,offset))
3397 return(TIFFReadDirEntryErrIo);
3398 if (!ReadOK(tif,dest,size))
3399 return(TIFFReadDirEntryErrIo);
3400 } else {
3401 size_t ma,mb;
3402 ma=(size_t)offset;
3403 if((uint64_t)ma != offset ||
3404 ma > (~(size_t)0) - (size_t)size )
3405 {
3406 return TIFFReadDirEntryErrIo;
3407 }
3408 mb=ma+size;
3409 if (mb > (uint64_t)tif->tif_size)
3410 return(TIFFReadDirEntryErrIo);
3411 _TIFFmemcpy(dest,tif->tif_base+ma,size);
3412 }
3413 return(TIFFReadDirEntryErrOk);
3414 }
3415
TIFFReadDirEntryOutputErr(TIFF * tif,enum TIFFReadDirEntryErr err,const char * module,const char * tagname,int recover)3416 static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, const char* module, const char* tagname, int recover)
3417 {
3418 if (!recover) {
3419 switch (err) {
3420 case TIFFReadDirEntryErrCount:
3421 TIFFErrorExt(tif->tif_clientdata, module,
3422 "Incorrect count for \"%s\"",
3423 tagname);
3424 break;
3425 case TIFFReadDirEntryErrType:
3426 TIFFErrorExt(tif->tif_clientdata, module,
3427 "Incompatible type for \"%s\"",
3428 tagname);
3429 break;
3430 case TIFFReadDirEntryErrIo:
3431 TIFFErrorExt(tif->tif_clientdata, module,
3432 "IO error during reading of \"%s\"",
3433 tagname);
3434 break;
3435 case TIFFReadDirEntryErrRange:
3436 TIFFErrorExt(tif->tif_clientdata, module,
3437 "Incorrect value for \"%s\"",
3438 tagname);
3439 break;
3440 case TIFFReadDirEntryErrPsdif:
3441 TIFFErrorExt(tif->tif_clientdata, module,
3442 "Cannot handle different values per sample for \"%s\"",
3443 tagname);
3444 break;
3445 case TIFFReadDirEntryErrSizesan:
3446 TIFFErrorExt(tif->tif_clientdata, module,
3447 "Sanity check on size of \"%s\" value failed",
3448 tagname);
3449 break;
3450 case TIFFReadDirEntryErrAlloc:
3451 TIFFErrorExt(tif->tif_clientdata, module,
3452 "Out of memory reading of \"%s\"",
3453 tagname);
3454 break;
3455 default:
3456 assert(0); /* we should never get here */
3457 break;
3458 }
3459 } else {
3460 switch (err) {
3461 case TIFFReadDirEntryErrCount:
3462 TIFFWarningExt(tif->tif_clientdata, module,
3463 "Incorrect count for \"%s\"; tag ignored",
3464 tagname);
3465 break;
3466 case TIFFReadDirEntryErrType:
3467 TIFFWarningExt(tif->tif_clientdata, module,
3468 "Incompatible type for \"%s\"; tag ignored",
3469 tagname);
3470 break;
3471 case TIFFReadDirEntryErrIo:
3472 TIFFWarningExt(tif->tif_clientdata, module,
3473 "IO error during reading of \"%s\"; tag ignored",
3474 tagname);
3475 break;
3476 case TIFFReadDirEntryErrRange:
3477 TIFFWarningExt(tif->tif_clientdata, module,
3478 "Incorrect value for \"%s\"; tag ignored",
3479 tagname);
3480 break;
3481 case TIFFReadDirEntryErrPsdif:
3482 TIFFWarningExt(tif->tif_clientdata, module,
3483 "Cannot handle different values per sample for \"%s\"; tag ignored",
3484 tagname);
3485 break;
3486 case TIFFReadDirEntryErrSizesan:
3487 TIFFWarningExt(tif->tif_clientdata, module,
3488 "Sanity check on size of \"%s\" value failed; tag ignored",
3489 tagname);
3490 break;
3491 case TIFFReadDirEntryErrAlloc:
3492 TIFFWarningExt(tif->tif_clientdata, module,
3493 "Out of memory reading of \"%s\"; tag ignored",
3494 tagname);
3495 break;
3496 default:
3497 assert(0); /* we should never get here */
3498 break;
3499 }
3500 }
3501 }
3502
3503 /*
3504 * Return the maximum number of color channels specified for a given photometric
3505 * type. 0 is returned if photometric type isn't supported or no default value
3506 * is defined by the specification.
3507 */
_TIFFGetMaxColorChannels(uint16_t photometric)3508 static int _TIFFGetMaxColorChannels(uint16_t photometric )
3509 {
3510 switch (photometric) {
3511 case PHOTOMETRIC_PALETTE:
3512 case PHOTOMETRIC_MINISWHITE:
3513 case PHOTOMETRIC_MINISBLACK:
3514 return 1;
3515 case PHOTOMETRIC_YCBCR:
3516 case PHOTOMETRIC_RGB:
3517 case PHOTOMETRIC_CIELAB:
3518 case PHOTOMETRIC_LOGLUV:
3519 case PHOTOMETRIC_ITULAB:
3520 case PHOTOMETRIC_ICCLAB:
3521 return 3;
3522 case PHOTOMETRIC_SEPARATED:
3523 case PHOTOMETRIC_MASK:
3524 return 4;
3525 case PHOTOMETRIC_LOGL:
3526 case PHOTOMETRIC_CFA:
3527 default:
3528 return 0;
3529 }
3530 }
3531
ByteCountLooksBad(TIFF * tif)3532 static int ByteCountLooksBad(TIFF* tif)
3533 {
3534 /*
3535 * Assume we have wrong StripByteCount value (in case
3536 * of single strip) in following cases:
3537 * - it is equal to zero along with StripOffset;
3538 * - it is larger than file itself (in case of uncompressed
3539 * image);
3540 * - it is smaller than the size of the bytes per row
3541 * multiplied on the number of rows. The last case should
3542 * not be checked in the case of writing new image,
3543 * because we may do not know the exact strip size
3544 * until the whole image will be written and directory
3545 * dumped out.
3546 */
3547 uint64_t bytecount = TIFFGetStrileByteCount(tif, 0);
3548 uint64_t offset = TIFFGetStrileOffset(tif, 0);
3549 uint64_t filesize;
3550
3551 if( offset == 0 )
3552 return 0;
3553 if (bytecount == 0)
3554 return 1;
3555 if ( tif->tif_dir.td_compression != COMPRESSION_NONE )
3556 return 0;
3557 filesize = TIFFGetFileSize(tif);
3558 if( offset <= filesize && bytecount > filesize - offset )
3559 return 1;
3560 if( tif->tif_mode == O_RDONLY )
3561 {
3562 uint64_t scanlinesize = TIFFScanlineSize64(tif);
3563 if( tif->tif_dir.td_imagelength > 0 &&
3564 scanlinesize > UINT64_MAX / tif->tif_dir.td_imagelength )
3565 {
3566 return 1;
3567 }
3568 if( bytecount < scanlinesize * tif->tif_dir.td_imagelength)
3569 return 1;
3570 }
3571 return 0;
3572 }
3573
3574
3575 /*
3576 * Read the next TIFF directory from a file and convert it to the internal
3577 * format. We read directories sequentially.
3578 */
3579 int
TIFFReadDirectory(TIFF * tif)3580 TIFFReadDirectory(TIFF* tif)
3581 {
3582 static const char module[] = "TIFFReadDirectory";
3583 TIFFDirEntry* dir;
3584 uint16_t dircount;
3585 TIFFDirEntry* dp;
3586 uint16_t di;
3587 const TIFFField* fip;
3588 uint32_t fii=FAILED_FII;
3589 toff_t nextdiroff;
3590 int bitspersample_read = FALSE;
3591 int color_channels;
3592
3593 tif->tif_diroff=tif->tif_nextdiroff;
3594 if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
3595 return 0; /* last offset or bad offset (IFD looping) */
3596 (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
3597 tif->tif_curdir++;
3598 nextdiroff = tif->tif_nextdiroff;
3599 dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff);
3600 if (!dircount)
3601 {
3602 TIFFErrorExt(tif->tif_clientdata,module,
3603 "Failed to read directory at offset %" PRIu64, nextdiroff);
3604 return 0;
3605 }
3606 TIFFReadDirectoryCheckOrder(tif,dir,dircount);
3607
3608 /*
3609 * Mark duplicates of any tag to be ignored (bugzilla 1994)
3610 * to avoid certain pathological problems.
3611 */
3612 {
3613 TIFFDirEntry* ma;
3614 uint16_t mb;
3615 for (ma=dir, mb=0; mb<dircount; ma++, mb++)
3616 {
3617 TIFFDirEntry* na;
3618 uint16_t nb;
3619 for (na=ma+1, nb=mb+1; nb<dircount; na++, nb++)
3620 {
3621 if (ma->tdir_tag == na->tdir_tag) {
3622 na->tdir_ignore = TRUE;
3623 }
3624 }
3625 }
3626 }
3627
3628 tif->tif_flags &= ~TIFF_BEENWRITING; /* reset before new dir */
3629 tif->tif_flags &= ~TIFF_BUF4WRITE; /* reset before new dir */
3630 tif->tif_flags &= ~TIFF_CHOPPEDUPARRAYS;
3631
3632 /* free any old stuff and reinit */
3633 TIFFFreeDirectory(tif);
3634 TIFFDefaultDirectory(tif);
3635 /*
3636 * Electronic Arts writes gray-scale TIFF files
3637 * without a PlanarConfiguration directory entry.
3638 * Thus we setup a default value here, even though
3639 * the TIFF spec says there is no default value.
3640 */
3641 TIFFSetField(tif,TIFFTAG_PLANARCONFIG,PLANARCONFIG_CONTIG);
3642 /*
3643 * Setup default value and then make a pass over
3644 * the fields to check type and tag information,
3645 * and to extract info required to size data
3646 * structures. A second pass is made afterwards
3647 * to read in everything not taken in the first pass.
3648 * But we must process the Compression tag first
3649 * in order to merge in codec-private tag definitions (otherwise
3650 * we may get complaints about unknown tags). However, the
3651 * Compression tag may be dependent on the SamplesPerPixel
3652 * tag value because older TIFF specs permitted Compression
3653 * to be written as a SamplesPerPixel-count tag entry.
3654 * Thus if we don't first figure out the correct SamplesPerPixel
3655 * tag value then we may end up ignoring the Compression tag
3656 * value because it has an incorrect count value (if the
3657 * true value of SamplesPerPixel is not 1).
3658 */
3659 dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,TIFFTAG_SAMPLESPERPIXEL);
3660 if (dp)
3661 {
3662 if (!TIFFFetchNormalTag(tif,dp,0))
3663 goto bad;
3664 dp->tdir_ignore = TRUE;
3665 }
3666 dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,TIFFTAG_COMPRESSION);
3667 if (dp)
3668 {
3669 /*
3670 * The 5.0 spec says the Compression tag has one value, while
3671 * earlier specs say it has one value per sample. Because of
3672 * this, we accept the tag if one value is supplied with either
3673 * count.
3674 */
3675 uint16_t value;
3676 enum TIFFReadDirEntryErr err;
3677 err=TIFFReadDirEntryShort(tif,dp,&value);
3678 if (err==TIFFReadDirEntryErrCount)
3679 err=TIFFReadDirEntryPersampleShort(tif,dp,&value);
3680 if (err!=TIFFReadDirEntryErrOk)
3681 {
3682 TIFFReadDirEntryOutputErr(tif,err,module,"Compression",0);
3683 goto bad;
3684 }
3685 if (!TIFFSetField(tif,TIFFTAG_COMPRESSION,value))
3686 goto bad;
3687 dp->tdir_ignore = TRUE;
3688 }
3689 else
3690 {
3691 if (!TIFFSetField(tif,TIFFTAG_COMPRESSION,COMPRESSION_NONE))
3692 goto bad;
3693 }
3694 /*
3695 * First real pass over the directory.
3696 */
3697 for (di=0, dp=dir; di<dircount; di++, dp++)
3698 {
3699 if (!dp->tdir_ignore)
3700 {
3701 TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
3702 if (fii == FAILED_FII)
3703 {
3704 TIFFWarningExt(tif->tif_clientdata, module,
3705 "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
3706 dp->tdir_tag,dp->tdir_tag);
3707 /* the following knowingly leaks the
3708 anonymous field structure */
3709 if (!_TIFFMergeFields(tif,
3710 _TIFFCreateAnonField(tif,
3711 dp->tdir_tag,
3712 (TIFFDataType) dp->tdir_type),
3713 1)) {
3714 TIFFWarningExt(tif->tif_clientdata,
3715 module,
3716 "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
3717 dp->tdir_tag,
3718 dp->tdir_tag);
3719 dp->tdir_ignore = TRUE;
3720 } else {
3721 TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
3722 assert(fii != FAILED_FII);
3723 }
3724 }
3725 }
3726 if (!dp->tdir_ignore)
3727 {
3728 fip=tif->tif_fields[fii];
3729 if (fip->field_bit==FIELD_IGNORE)
3730 dp->tdir_ignore = TRUE;
3731 else
3732 {
3733 switch (dp->tdir_tag)
3734 {
3735 case TIFFTAG_STRIPOFFSETS:
3736 case TIFFTAG_STRIPBYTECOUNTS:
3737 case TIFFTAG_TILEOFFSETS:
3738 case TIFFTAG_TILEBYTECOUNTS:
3739 TIFFSetFieldBit(tif,fip->field_bit);
3740 break;
3741 case TIFFTAG_IMAGEWIDTH:
3742 case TIFFTAG_IMAGELENGTH:
3743 case TIFFTAG_IMAGEDEPTH:
3744 case TIFFTAG_TILELENGTH:
3745 case TIFFTAG_TILEWIDTH:
3746 case TIFFTAG_TILEDEPTH:
3747 case TIFFTAG_PLANARCONFIG:
3748 case TIFFTAG_ROWSPERSTRIP:
3749 case TIFFTAG_EXTRASAMPLES:
3750 if (!TIFFFetchNormalTag(tif,dp,0))
3751 goto bad;
3752 dp->tdir_ignore = TRUE;
3753 break;
3754 default:
3755 if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
3756 dp->tdir_ignore = TRUE;
3757 break;
3758 }
3759 }
3760 }
3761 }
3762 /*
3763 * XXX: OJPEG hack.
3764 * If a) compression is OJPEG, b) planarconfig tag says it's separate,
3765 * c) strip offsets/bytecounts tag are both present and
3766 * d) both contain exactly one value, then we consistently find
3767 * that the buggy implementation of the buggy compression scheme
3768 * matches contig planarconfig best. So we 'fix-up' the tag here
3769 */
3770 if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
3771 (tif->tif_dir.td_planarconfig==PLANARCONFIG_SEPARATE))
3772 {
3773 if (!_TIFFFillStriles(tif))
3774 goto bad;
3775 dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,TIFFTAG_STRIPOFFSETS);
3776 if ((dp!=0)&&(dp->tdir_count==1))
3777 {
3778 dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,
3779 TIFFTAG_STRIPBYTECOUNTS);
3780 if ((dp!=0)&&(dp->tdir_count==1))
3781 {
3782 tif->tif_dir.td_planarconfig=PLANARCONFIG_CONTIG;
3783 TIFFWarningExt(tif->tif_clientdata,module,
3784 "Planarconfig tag value assumed incorrect, "
3785 "assuming data is contig instead of chunky");
3786 }
3787 }
3788 }
3789 /*
3790 * Allocate directory structure and setup defaults.
3791 */
3792 if (!TIFFFieldSet(tif,FIELD_IMAGEDIMENSIONS))
3793 {
3794 MissingRequired(tif,"ImageLength");
3795 goto bad;
3796 }
3797 /*
3798 * Setup appropriate structures (by strip or by tile)
3799 */
3800 if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
3801 tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
3802 tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
3803 tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
3804 tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
3805 tif->tif_flags &= ~TIFF_ISTILED;
3806 } else {
3807 tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
3808 tif->tif_flags |= TIFF_ISTILED;
3809 }
3810 if (!tif->tif_dir.td_nstrips) {
3811 TIFFErrorExt(tif->tif_clientdata, module,
3812 "Cannot handle zero number of %s",
3813 isTiled(tif) ? "tiles" : "strips");
3814 goto bad;
3815 }
3816 tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
3817 if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
3818 tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
3819 if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
3820 #ifdef OJPEG_SUPPORT
3821 if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
3822 (isTiled(tif)==0) &&
3823 (tif->tif_dir.td_nstrips==1)) {
3824 /*
3825 * XXX: OJPEG hack.
3826 * If a) compression is OJPEG, b) it's not a tiled TIFF,
3827 * and c) the number of strips is 1,
3828 * then we tolerate the absence of stripoffsets tag,
3829 * because, presumably, all required data is in the
3830 * JpegInterchangeFormat stream.
3831 */
3832 TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
3833 } else
3834 #endif
3835 {
3836 MissingRequired(tif,
3837 isTiled(tif) ? "TileOffsets" : "StripOffsets");
3838 goto bad;
3839 }
3840 }
3841 /*
3842 * Second pass: extract other information.
3843 */
3844 for (di=0, dp=dir; di<dircount; di++, dp++)
3845 {
3846 if (!dp->tdir_ignore) {
3847 switch (dp->tdir_tag)
3848 {
3849 case TIFFTAG_MINSAMPLEVALUE:
3850 case TIFFTAG_MAXSAMPLEVALUE:
3851 case TIFFTAG_BITSPERSAMPLE:
3852 case TIFFTAG_DATATYPE:
3853 case TIFFTAG_SAMPLEFORMAT:
3854 /*
3855 * The MinSampleValue, MaxSampleValue, BitsPerSample
3856 * DataType and SampleFormat tags are supposed to be
3857 * written as one value/sample, but some vendors
3858 * incorrectly write one value only -- so we accept
3859 * that as well (yuck). Other vendors write correct
3860 * value for NumberOfSamples, but incorrect one for
3861 * BitsPerSample and friends, and we will read this
3862 * too.
3863 */
3864 {
3865 uint16_t value;
3866 enum TIFFReadDirEntryErr err;
3867 err=TIFFReadDirEntryShort(tif,dp,&value);
3868 if (err==TIFFReadDirEntryErrCount)
3869 err=TIFFReadDirEntryPersampleShort(tif,dp,&value);
3870 if (err!=TIFFReadDirEntryErrOk)
3871 {
3872 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3873 TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
3874 goto bad;
3875 }
3876 if (!TIFFSetField(tif,dp->tdir_tag,value))
3877 goto bad;
3878 if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
3879 bitspersample_read = TRUE;
3880 }
3881 break;
3882 case TIFFTAG_SMINSAMPLEVALUE:
3883 case TIFFTAG_SMAXSAMPLEVALUE:
3884 {
3885
3886 double *data = NULL;
3887 enum TIFFReadDirEntryErr err;
3888 uint32_t saved_flags;
3889 int m;
3890 if (dp->tdir_count != (uint64_t)tif->tif_dir.td_samplesperpixel)
3891 err = TIFFReadDirEntryErrCount;
3892 else
3893 err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
3894 if (err!=TIFFReadDirEntryErrOk)
3895 {
3896 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3897 TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
3898 goto bad;
3899 }
3900 saved_flags = tif->tif_flags;
3901 tif->tif_flags |= TIFF_PERSAMPLE;
3902 m = TIFFSetField(tif,dp->tdir_tag,data);
3903 tif->tif_flags = saved_flags;
3904 _TIFFfree(data);
3905 if (!m)
3906 goto bad;
3907 }
3908 break;
3909 case TIFFTAG_STRIPOFFSETS:
3910 case TIFFTAG_TILEOFFSETS:
3911 switch( dp->tdir_type )
3912 {
3913 case TIFF_SHORT:
3914 case TIFF_LONG:
3915 case TIFF_LONG8:
3916 break;
3917 default:
3918 /* Warn except if directory typically created with TIFFDeferStrileArrayWriting() */
3919 if( !(tif->tif_mode == O_RDWR &&
3920 dp->tdir_count == 0 &&
3921 dp->tdir_type == 0 &&
3922 dp->tdir_offset.toff_long8 == 0) )
3923 {
3924 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3925 TIFFWarningExt(tif->tif_clientdata,module,
3926 "Invalid data type for tag %s",
3927 fip ? fip->field_name : "unknown tagname");
3928 }
3929 break;
3930 }
3931 _TIFFmemcpy( &(tif->tif_dir.td_stripoffset_entry),
3932 dp, sizeof(TIFFDirEntry) );
3933 break;
3934 case TIFFTAG_STRIPBYTECOUNTS:
3935 case TIFFTAG_TILEBYTECOUNTS:
3936 switch( dp->tdir_type )
3937 {
3938 case TIFF_SHORT:
3939 case TIFF_LONG:
3940 case TIFF_LONG8:
3941 break;
3942 default:
3943 /* Warn except if directory typically created with TIFFDeferStrileArrayWriting() */
3944 if( !(tif->tif_mode == O_RDWR &&
3945 dp->tdir_count == 0 &&
3946 dp->tdir_type == 0 &&
3947 dp->tdir_offset.toff_long8 == 0) )
3948 {
3949 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3950 TIFFWarningExt(tif->tif_clientdata,module,
3951 "Invalid data type for tag %s",
3952 fip ? fip->field_name : "unknown tagname");
3953 }
3954 break;
3955 }
3956 _TIFFmemcpy( &(tif->tif_dir.td_stripbytecount_entry),
3957 dp, sizeof(TIFFDirEntry) );
3958 break;
3959 case TIFFTAG_COLORMAP:
3960 case TIFFTAG_TRANSFERFUNCTION:
3961 {
3962 enum TIFFReadDirEntryErr err;
3963 uint32_t countpersample;
3964 uint32_t countrequired;
3965 uint32_t incrementpersample;
3966 uint16_t* value=NULL;
3967 /* It would be dangerous to instantiate those tag values */
3968 /* since if td_bitspersample has not yet been read (due to */
3969 /* unordered tags), it could be read afterwards with a */
3970 /* values greater than the default one (1), which may cause */
3971 /* crashes in user code */
3972 if( !bitspersample_read )
3973 {
3974 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3975 TIFFWarningExt(tif->tif_clientdata,module,
3976 "Ignoring %s since BitsPerSample tag not found",
3977 fip ? fip->field_name : "unknown tagname");
3978 continue;
3979 }
3980 /* ColorMap or TransferFunction for high bit */
3981 /* depths do not make much sense and could be */
3982 /* used as a denial of service vector */
3983 if (tif->tif_dir.td_bitspersample > 24)
3984 {
3985 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3986 TIFFWarningExt(tif->tif_clientdata,module,
3987 "Ignoring %s because BitsPerSample=%"PRIu16">24",
3988 fip ? fip->field_name : "unknown tagname",
3989 tif->tif_dir.td_bitspersample);
3990 continue;
3991 }
3992 countpersample=(1U<<tif->tif_dir.td_bitspersample);
3993 if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64_t)countpersample))
3994 {
3995 countrequired=countpersample;
3996 incrementpersample=0;
3997 }
3998 else
3999 {
4000 countrequired=3*countpersample;
4001 incrementpersample=countpersample;
4002 }
4003 if (dp->tdir_count!=(uint64_t)countrequired)
4004 err=TIFFReadDirEntryErrCount;
4005 else
4006 err=TIFFReadDirEntryShortArray(tif,dp,&value);
4007 if (err!=TIFFReadDirEntryErrOk)
4008 {
4009 fip = TIFFFieldWithTag(tif,dp->tdir_tag);
4010 TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",1);
4011 }
4012 else
4013 {
4014 TIFFSetField(tif,dp->tdir_tag,value,value+incrementpersample,value+2*incrementpersample);
4015 _TIFFfree(value);
4016 }
4017 }
4018 break;
4019 /* BEGIN REV 4.0 COMPATIBILITY */
4020 case TIFFTAG_OSUBFILETYPE:
4021 {
4022 uint16_t valueo;
4023 uint32_t value;
4024 if (TIFFReadDirEntryShort(tif,dp,&valueo)==TIFFReadDirEntryErrOk)
4025 {
4026 switch (valueo)
4027 {
4028 case OFILETYPE_REDUCEDIMAGE: value=FILETYPE_REDUCEDIMAGE; break;
4029 case OFILETYPE_PAGE: value=FILETYPE_PAGE; break;
4030 default: value=0; break;
4031 }
4032 if (value!=0)
4033 TIFFSetField(tif,TIFFTAG_SUBFILETYPE,value);
4034 }
4035 }
4036 break;
4037 /* END REV 4.0 COMPATIBILITY */
4038 default:
4039 (void) TIFFFetchNormalTag(tif, dp, TRUE);
4040 break;
4041 }
4042 } /* -- if (!dp->tdir_ignore) */
4043 } /* -- for-loop -- */
4044
4045 if( tif->tif_mode == O_RDWR &&
4046 tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
4047 tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
4048 tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
4049 tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
4050 tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
4051 tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
4052 tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
4053 tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
4054 {
4055 /* Directory typically created with TIFFDeferStrileArrayWriting() */
4056 TIFFSetupStrips(tif);
4057 }
4058 else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
4059 {
4060 if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
4061 {
4062 if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
4063 tif->tif_dir.td_nstrips,
4064 &tif->tif_dir.td_stripoffset_p))
4065 {
4066 goto bad;
4067 }
4068 }
4069 if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
4070 {
4071 if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
4072 tif->tif_dir.td_nstrips,
4073 &tif->tif_dir.td_stripbytecount_p))
4074 {
4075 goto bad;
4076 }
4077 }
4078 }
4079
4080 /*
4081 * OJPEG hack:
4082 * - If a) compression is OJPEG, and b) photometric tag is missing,
4083 * then we consistently find that photometric should be YCbCr
4084 * - If a) compression is OJPEG, and b) photometric tag says it's RGB,
4085 * then we consistently find that the buggy implementation of the
4086 * buggy compression scheme matches photometric YCbCr instead.
4087 * - If a) compression is OJPEG, and b) bitspersample tag is missing,
4088 * then we consistently find bitspersample should be 8.
4089 * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4090 * and c) photometric is RGB or YCbCr, then we consistently find
4091 * samplesperpixel should be 3
4092 * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4093 * and c) photometric is MINISWHITE or MINISBLACK, then we consistently
4094 * find samplesperpixel should be 3
4095 */
4096 if (tif->tif_dir.td_compression==COMPRESSION_OJPEG)
4097 {
4098 if (!TIFFFieldSet(tif,FIELD_PHOTOMETRIC))
4099 {
4100 TIFFWarningExt(tif->tif_clientdata, module,
4101 "Photometric tag is missing, assuming data is YCbCr");
4102 if (!TIFFSetField(tif,TIFFTAG_PHOTOMETRIC,PHOTOMETRIC_YCBCR))
4103 goto bad;
4104 }
4105 else if (tif->tif_dir.td_photometric==PHOTOMETRIC_RGB)
4106 {
4107 tif->tif_dir.td_photometric=PHOTOMETRIC_YCBCR;
4108 TIFFWarningExt(tif->tif_clientdata, module,
4109 "Photometric tag value assumed incorrect, "
4110 "assuming data is YCbCr instead of RGB");
4111 }
4112 if (!TIFFFieldSet(tif,FIELD_BITSPERSAMPLE))
4113 {
4114 TIFFWarningExt(tif->tif_clientdata,module,
4115 "BitsPerSample tag is missing, assuming 8 bits per sample");
4116 if (!TIFFSetField(tif,TIFFTAG_BITSPERSAMPLE,8))
4117 goto bad;
4118 }
4119 if (!TIFFFieldSet(tif,FIELD_SAMPLESPERPIXEL))
4120 {
4121 if (tif->tif_dir.td_photometric==PHOTOMETRIC_RGB)
4122 {
4123 TIFFWarningExt(tif->tif_clientdata,module,
4124 "SamplesPerPixel tag is missing, "
4125 "assuming correct SamplesPerPixel value is 3");
4126 if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,3))
4127 goto bad;
4128 }
4129 if (tif->tif_dir.td_photometric==PHOTOMETRIC_YCBCR)
4130 {
4131 TIFFWarningExt(tif->tif_clientdata,module,
4132 "SamplesPerPixel tag is missing, "
4133 "applying correct SamplesPerPixel value of 3");
4134 if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,3))
4135 goto bad;
4136 }
4137 else if ((tif->tif_dir.td_photometric==PHOTOMETRIC_MINISWHITE)
4138 || (tif->tif_dir.td_photometric==PHOTOMETRIC_MINISBLACK))
4139 {
4140 /*
4141 * SamplesPerPixel tag is missing, but is not required
4142 * by spec. Assume correct SamplesPerPixel value of 1.
4143 */
4144 if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
4145 goto bad;
4146 }
4147 }
4148 }
4149
4150 /*
4151 * Make sure all non-color channels are extrasamples.
4152 * If it's not the case, define them as such.
4153 */
4154 color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
4155 if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
4156 uint16_t old_extrasamples;
4157 uint16_t *new_sampleinfo;
4158
4159 TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
4160 "color channels and ExtraSamples doesn't match SamplesPerPixel. "
4161 "Defining non-color channels as ExtraSamples.");
4162
4163 old_extrasamples = tif->tif_dir.td_extrasamples;
4164 tif->tif_dir.td_extrasamples = (uint16_t) (tif->tif_dir.td_samplesperpixel - color_channels);
4165
4166 // sampleinfo should contain information relative to these new extra samples
4167 new_sampleinfo = (uint16_t*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16_t));
4168 if (!new_sampleinfo) {
4169 TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
4170 "temporary new sampleinfo array "
4171 "(%"PRIu16" 16 bit elements)",
4172 tif->tif_dir.td_extrasamples);
4173 goto bad;
4174 }
4175
4176 memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
4177 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
4178 _TIFFfree(new_sampleinfo);
4179 }
4180
4181 /*
4182 * Verify Palette image has a Colormap.
4183 */
4184 if (tif->tif_dir.td_photometric == PHOTOMETRIC_PALETTE &&
4185 !TIFFFieldSet(tif, FIELD_COLORMAP)) {
4186 if ( tif->tif_dir.td_bitspersample>=8 && tif->tif_dir.td_samplesperpixel==3)
4187 tif->tif_dir.td_photometric = PHOTOMETRIC_RGB;
4188 else if (tif->tif_dir.td_bitspersample>=8)
4189 tif->tif_dir.td_photometric = PHOTOMETRIC_MINISBLACK;
4190 else {
4191 MissingRequired(tif, "Colormap");
4192 goto bad;
4193 }
4194 }
4195 /*
4196 * OJPEG hack:
4197 * We do no further messing with strip/tile offsets/bytecounts in OJPEG
4198 * TIFFs
4199 */
4200 if (tif->tif_dir.td_compression!=COMPRESSION_OJPEG)
4201 {
4202 /*
4203 * Attempt to deal with a missing StripByteCounts tag.
4204 */
4205 if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
4206 /*
4207 * Some manufacturers violate the spec by not giving
4208 * the size of the strips. In this case, assume there
4209 * is one uncompressed strip of data.
4210 */
4211 if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
4212 tif->tif_dir.td_nstrips > 1) ||
4213 (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE &&
4214 tif->tif_dir.td_nstrips != (uint32_t)tif->tif_dir.td_samplesperpixel)) {
4215 MissingRequired(tif, "StripByteCounts");
4216 goto bad;
4217 }
4218 TIFFWarningExt(tif->tif_clientdata, module,
4219 "TIFF directory is missing required "
4220 "\"StripByteCounts\" field, calculating from imagelength");
4221 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
4222 goto bad;
4223
4224 } else if (tif->tif_dir.td_nstrips == 1
4225 && !(tif->tif_flags&TIFF_ISTILED)
4226 && ByteCountLooksBad(tif)) {
4227 /*
4228 * XXX: Plexus (and others) sometimes give a value of
4229 * zero for a tag when they don't know what the
4230 * correct value is! Try and handle the simple case
4231 * of estimating the size of a one strip image.
4232 */
4233 TIFFWarningExt(tif->tif_clientdata, module,
4234 "Bogus \"StripByteCounts\" field, ignoring and calculating from imagelength");
4235 if(EstimateStripByteCounts(tif, dir, dircount) < 0)
4236 goto bad;
4237
4238 } else if (!(tif->tif_flags&TIFF_DEFERSTRILELOAD)
4239 && tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG
4240 && tif->tif_dir.td_nstrips > 2
4241 && tif->tif_dir.td_compression == COMPRESSION_NONE
4242 && TIFFGetStrileByteCount(tif, 0) != TIFFGetStrileByteCount(tif, 1)
4243 && TIFFGetStrileByteCount(tif, 0) != 0
4244 && TIFFGetStrileByteCount(tif, 1) != 0 ) {
4245 /*
4246 * XXX: Some vendors fill StripByteCount array with
4247 * absolutely wrong values (it can be equal to
4248 * StripOffset array, for example). Catch this case
4249 * here.
4250 *
4251 * We avoid this check if deferring strile loading
4252 * as it would always force us to load the strip/tile
4253 * information.
4254 */
4255 TIFFWarningExt(tif->tif_clientdata, module,
4256 "Wrong \"StripByteCounts\" field, ignoring and calculating from imagelength");
4257 if (EstimateStripByteCounts(tif, dir, dircount) < 0)
4258 goto bad;
4259 }
4260 }
4261 if (dir)
4262 {
4263 _TIFFfree(dir);
4264 dir=NULL;
4265 }
4266 if (!TIFFFieldSet(tif, FIELD_MAXSAMPLEVALUE))
4267 {
4268 if (tif->tif_dir.td_bitspersample>=16)
4269 tif->tif_dir.td_maxsamplevalue=0xFFFF;
4270 else
4271 tif->tif_dir.td_maxsamplevalue = (uint16_t)((1L << tif->tif_dir.td_bitspersample) - 1);
4272 }
4273
4274 #ifdef STRIPBYTECOUNTSORTED_UNUSED
4275 /*
4276 * XXX: We can optimize checking for the strip bounds using the sorted
4277 * bytecounts array. See also comments for TIFFAppendToStrip()
4278 * function in tif_write.c.
4279 */
4280 if (!(tif->tif_flags&TIFF_DEFERSTRILELOAD) && tif->tif_dir.td_nstrips > 1) {
4281 uint32_t strip;
4282
4283 tif->tif_dir.td_stripbytecountsorted = 1;
4284 for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
4285 if (TIFFGetStrileOffset(tif, strip - 1) >
4286 TIFFGetStrileOffset(tif, strip)) {
4287 tif->tif_dir.td_stripbytecountsorted = 0;
4288 break;
4289 }
4290 }
4291 }
4292 #endif
4293
4294 /*
4295 * An opportunity for compression mode dependent tag fixup
4296 */
4297 (*tif->tif_fixuptags)(tif);
4298
4299 /*
4300 * Some manufacturers make life difficult by writing
4301 * large amounts of uncompressed data as a single strip.
4302 * This is contrary to the recommendations of the spec.
4303 * The following makes an attempt at breaking such images
4304 * into strips closer to the recommended 8k bytes. A
4305 * side effect, however, is that the RowsPerStrip tag
4306 * value may be changed.
4307 */
4308 if ((tif->tif_dir.td_planarconfig==PLANARCONFIG_CONTIG)&&
4309 (tif->tif_dir.td_nstrips==1)&&
4310 (tif->tif_dir.td_compression==COMPRESSION_NONE)&&
4311 ((tif->tif_flags&(TIFF_STRIPCHOP|TIFF_ISTILED))==TIFF_STRIPCHOP))
4312 {
4313 ChopUpSingleUncompressedStrip(tif);
4314 }
4315
4316 /* There are also uncompressed striped files with strips larger than */
4317 /* 2 GB, which make them unfriendly with a lot of code. If possible, */
4318 /* try to expose smaller "virtual" strips. */
4319 if( tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
4320 tif->tif_dir.td_compression == COMPRESSION_NONE &&
4321 (tif->tif_flags&(TIFF_STRIPCHOP|TIFF_ISTILED)) == TIFF_STRIPCHOP &&
4322 TIFFStripSize64(tif) > 0x7FFFFFFFUL )
4323 {
4324 TryChopUpUncompressedBigTiff(tif);
4325 }
4326
4327 /*
4328 * Clear the dirty directory flag.
4329 */
4330 tif->tif_flags &= ~TIFF_DIRTYDIRECT;
4331 tif->tif_flags &= ~TIFF_DIRTYSTRIP;
4332
4333 /*
4334 * Reinitialize i/o since we are starting on a new directory.
4335 */
4336 tif->tif_row = (uint32_t) -1;
4337 tif->tif_curstrip = (uint32_t) -1;
4338 tif->tif_col = (uint32_t) -1;
4339 tif->tif_curtile = (uint32_t) -1;
4340 tif->tif_tilesize = (tmsize_t) -1;
4341
4342 tif->tif_scanlinesize = TIFFScanlineSize(tif);
4343 if (!tif->tif_scanlinesize) {
4344 TIFFErrorExt(tif->tif_clientdata, module,
4345 "Cannot handle zero scanline size");
4346 return (0);
4347 }
4348
4349 if (isTiled(tif)) {
4350 tif->tif_tilesize = TIFFTileSize(tif);
4351 if (!tif->tif_tilesize) {
4352 TIFFErrorExt(tif->tif_clientdata, module,
4353 "Cannot handle zero tile size");
4354 return (0);
4355 }
4356 } else {
4357 if (!TIFFStripSize(tif)) {
4358 TIFFErrorExt(tif->tif_clientdata, module,
4359 "Cannot handle zero strip size");
4360 return (0);
4361 }
4362 }
4363 return (1);
4364 bad:
4365 if (dir)
4366 _TIFFfree(dir);
4367 return (0);
4368 }
4369
4370 static void
TIFFReadDirectoryCheckOrder(TIFF * tif,TIFFDirEntry * dir,uint16_t dircount)4371 TIFFReadDirectoryCheckOrder(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
4372 {
4373 static const char module[] = "TIFFReadDirectoryCheckOrder";
4374 uint16_t m;
4375 uint16_t n;
4376 TIFFDirEntry* o;
4377 m=0;
4378 for (n=0, o=dir; n<dircount; n++, o++)
4379 {
4380 if (o->tdir_tag<m)
4381 {
4382 TIFFWarningExt(tif->tif_clientdata,module,
4383 "Invalid TIFF directory; tags are not sorted in ascending order");
4384 break;
4385 }
4386 m=o->tdir_tag+1;
4387 }
4388 }
4389
4390 static TIFFDirEntry*
TIFFReadDirectoryFindEntry(TIFF * tif,TIFFDirEntry * dir,uint16_t dircount,uint16_t tagid)4391 TIFFReadDirectoryFindEntry(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount, uint16_t tagid)
4392 {
4393 TIFFDirEntry* m;
4394 uint16_t n;
4395 (void) tif;
4396 for (m=dir, n=0; n<dircount; m++, n++)
4397 {
4398 if (m->tdir_tag==tagid)
4399 return(m);
4400 }
4401 return(0);
4402 }
4403
4404 static void
TIFFReadDirectoryFindFieldInfo(TIFF * tif,uint16_t tagid,uint32_t * fii)4405 TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16_t tagid, uint32_t* fii)
4406 {
4407 int32_t ma,mb,mc;
4408 ma=-1;
4409 mc=(int32_t)tif->tif_nfields;
4410 while (1)
4411 {
4412 if (ma+1==mc)
4413 {
4414 *fii = FAILED_FII;
4415 return;
4416 }
4417 mb=(ma+mc)/2;
4418 if (tif->tif_fields[mb]->field_tag==(uint32_t)tagid)
4419 break;
4420 if (tif->tif_fields[mb]->field_tag<(uint32_t)tagid)
4421 ma=mb;
4422 else
4423 mc=mb;
4424 }
4425 while (1)
4426 {
4427 if (mb==0)
4428 break;
4429 if (tif->tif_fields[mb-1]->field_tag!=(uint32_t)tagid)
4430 break;
4431 mb--;
4432 }
4433 *fii=mb;
4434 }
4435
4436 /*
4437 * Read custom directory from the arbitrary offset.
4438 * The code is very similar to TIFFReadDirectory().
4439 */
4440 int
TIFFReadCustomDirectory(TIFF * tif,toff_t diroff,const TIFFFieldArray * infoarray)4441 TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
4442 const TIFFFieldArray* infoarray)
4443 {
4444 static const char module[] = "TIFFReadCustomDirectory";
4445 TIFFDirEntry* dir;
4446 uint16_t dircount;
4447 TIFFDirEntry* dp;
4448 uint16_t di;
4449 const TIFFField* fip;
4450 uint32_t fii;
4451 (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
4452 _TIFFSetupFields(tif, infoarray);
4453 dircount=TIFFFetchDirectory(tif,diroff,&dir,NULL);
4454 if (!dircount)
4455 {
4456 TIFFErrorExt(tif->tif_clientdata,module,
4457 "Failed to read custom directory at offset %" PRIu64,diroff);
4458 return 0;
4459 }
4460 TIFFFreeDirectory(tif);
4461 _TIFFmemset(&tif->tif_dir, 0, sizeof(TIFFDirectory));
4462 TIFFReadDirectoryCheckOrder(tif,dir,dircount);
4463 for (di=0, dp=dir; di<dircount; di++, dp++)
4464 {
4465 TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
4466 if (fii == FAILED_FII)
4467 {
4468 TIFFWarningExt(tif->tif_clientdata, module,
4469 "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
4470 dp->tdir_tag, dp->tdir_tag);
4471 if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
4472 dp->tdir_tag,
4473 (TIFFDataType) dp->tdir_type),
4474 1)) {
4475 TIFFWarningExt(tif->tif_clientdata, module,
4476 "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
4477 dp->tdir_tag, dp->tdir_tag);
4478 dp->tdir_ignore = TRUE;
4479 } else {
4480 TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
4481 assert( fii != FAILED_FII );
4482 }
4483 }
4484 if (!dp->tdir_ignore)
4485 {
4486 fip=tif->tif_fields[fii];
4487 if (fip->field_bit==FIELD_IGNORE)
4488 dp->tdir_ignore = TRUE;
4489 else
4490 {
4491 /* check data type */
4492 while ((fip->field_type!=TIFF_ANY)&&(fip->field_type!=dp->tdir_type))
4493 {
4494 fii++;
4495 if ((fii==tif->tif_nfields)||
4496 (tif->tif_fields[fii]->field_tag!=(uint32_t)dp->tdir_tag))
4497 {
4498 fii=0xFFFF;
4499 break;
4500 }
4501 fip=tif->tif_fields[fii];
4502 }
4503 if (fii==0xFFFF)
4504 {
4505 TIFFWarningExt(tif->tif_clientdata, module,
4506 "Wrong data type %"PRIu16" for \"%s\"; tag ignored",
4507 dp->tdir_type,fip->field_name);
4508 dp->tdir_ignore = TRUE;
4509 }
4510 else
4511 {
4512 /* check count if known in advance */
4513 if ((fip->field_readcount!=TIFF_VARIABLE)&&
4514 (fip->field_readcount!=TIFF_VARIABLE2))
4515 {
4516 uint32_t expected;
4517 if (fip->field_readcount==TIFF_SPP)
4518 expected=(uint32_t)tif->tif_dir.td_samplesperpixel;
4519 else
4520 expected=(uint32_t)fip->field_readcount;
4521 if (!CheckDirCount(tif,dp,expected))
4522 dp->tdir_ignore = TRUE;
4523 }
4524 }
4525 }
4526 if (!dp->tdir_ignore) {
4527 switch (dp->tdir_tag)
4528 {
4529 case EXIFTAG_SUBJECTDISTANCE:
4530 (void)TIFFFetchSubjectDistance(tif, dp);
4531 break;
4532 default:
4533 (void)TIFFFetchNormalTag(tif, dp, TRUE);
4534 break;
4535 }
4536 } /*-- if (!dp->tdir_ignore) */
4537 }
4538 }
4539 if (dir)
4540 _TIFFfree(dir);
4541 return 1;
4542 }
4543
4544 /*
4545 * EXIF is important special case of custom IFD, so we have a special
4546 * function to read it.
4547 */
4548 int
TIFFReadEXIFDirectory(TIFF * tif,toff_t diroff)4549 TIFFReadEXIFDirectory(TIFF* tif, toff_t diroff)
4550 {
4551 const TIFFFieldArray* exifFieldArray;
4552 exifFieldArray = _TIFFGetExifFields();
4553 return TIFFReadCustomDirectory(tif, diroff, exifFieldArray);
4554 }
4555
4556 /*
4557 *--: EXIF-GPS custom directory reading as another special case of custom IFD.
4558 */
4559 int
TIFFReadGPSDirectory(TIFF * tif,toff_t diroff)4560 TIFFReadGPSDirectory(TIFF* tif, toff_t diroff)
4561 {
4562 const TIFFFieldArray* gpsFieldArray;
4563 gpsFieldArray = _TIFFGetGpsFields();
4564 return TIFFReadCustomDirectory(tif, diroff, gpsFieldArray);
4565 }
4566
4567 static int
EstimateStripByteCounts(TIFF * tif,TIFFDirEntry * dir,uint16_t dircount)4568 EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
4569 {
4570 static const char module[] = "EstimateStripByteCounts";
4571
4572 TIFFDirEntry *dp;
4573 TIFFDirectory *td = &tif->tif_dir;
4574 uint32_t strip;
4575
4576 /* Do not try to load stripbytecount as we will compute it */
4577 if( !_TIFFFillStrilesInternal( tif, 0 ) )
4578 return -1;
4579
4580 if (td->td_stripbytecount_p)
4581 _TIFFfree(td->td_stripbytecount_p);
4582 td->td_stripbytecount_p = (uint64_t*)
4583 _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64_t),
4584 "for \"StripByteCounts\" array");
4585 if( td->td_stripbytecount_p == NULL )
4586 return -1;
4587
4588 if (td->td_compression != COMPRESSION_NONE) {
4589 uint64_t space;
4590 uint64_t filesize;
4591 uint16_t n;
4592 filesize = TIFFGetFileSize(tif);
4593 if (!(tif->tif_flags&TIFF_BIGTIFF))
4594 space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
4595 else
4596 space=sizeof(TIFFHeaderBig)+8+dircount*20+8;
4597 /* calculate amount of space used by indirect values */
4598 for (dp = dir, n = dircount; n > 0; n--, dp++)
4599 {
4600 uint32_t typewidth;
4601 uint64_t datasize;
4602 typewidth = TIFFDataWidth((TIFFDataType) dp->tdir_type);
4603 if (typewidth == 0) {
4604 TIFFErrorExt(tif->tif_clientdata, module,
4605 "Cannot determine size of unknown tag type %"PRIu16,
4606 dp->tdir_type);
4607 return -1;
4608 }
4609 if( dp->tdir_count > UINT64_MAX / typewidth )
4610 return -1;
4611 datasize= (uint64_t)typewidth * dp->tdir_count;
4612 if (!(tif->tif_flags&TIFF_BIGTIFF))
4613 {
4614 if (datasize<=4)
4615 datasize=0;
4616 }
4617 else
4618 {
4619 if (datasize<=8)
4620 datasize=0;
4621 }
4622 if( space > UINT64_MAX - datasize )
4623 return -1;
4624 space+=datasize;
4625 }
4626 if( filesize < space )
4627 /* we should perhaps return in error ? */
4628 space = filesize;
4629 else
4630 space = filesize - space;
4631 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
4632 space /= td->td_samplesperpixel;
4633 for (strip = 0; strip < td->td_nstrips; strip++)
4634 td->td_stripbytecount_p[strip] = space;
4635 /*
4636 * This gross hack handles the case were the offset to
4637 * the last strip is past the place where we think the strip
4638 * should begin. Since a strip of data must be contiguous,
4639 * it's safe to assume that we've overestimated the amount
4640 * of data in the strip and trim this number back accordingly.
4641 */
4642 strip--;
4643 if (td->td_stripoffset_p[strip] > UINT64_MAX - td->td_stripbytecount_p[strip])
4644 return -1;
4645 if (td->td_stripoffset_p[strip]+td->td_stripbytecount_p[strip] > filesize) {
4646 if( td->td_stripoffset_p[strip] >= filesize ) {
4647 /* Not sure what we should in that case... */
4648 td->td_stripbytecount_p[strip] = 0;
4649 } else {
4650 td->td_stripbytecount_p[strip] = filesize - td->td_stripoffset_p[strip];
4651 }
4652 }
4653 } else if (isTiled(tif)) {
4654 uint64_t bytespertile = TIFFTileSize64(tif);
4655
4656 for (strip = 0; strip < td->td_nstrips; strip++)
4657 td->td_stripbytecount_p[strip] = bytespertile;
4658 } else {
4659 uint64_t rowbytes = TIFFScanlineSize64(tif);
4660 uint32_t rowsperstrip = td->td_imagelength / td->td_stripsperimage;
4661 for (strip = 0; strip < td->td_nstrips; strip++)
4662 {
4663 if( rowbytes > 0 && rowsperstrip > UINT64_MAX / rowbytes )
4664 return -1;
4665 td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
4666 }
4667 }
4668 TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
4669 if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
4670 td->td_rowsperstrip = td->td_imagelength;
4671 return 1;
4672 }
4673
4674 static void
MissingRequired(TIFF * tif,const char * tagname)4675 MissingRequired(TIFF* tif, const char* tagname)
4676 {
4677 static const char module[] = "MissingRequired";
4678
4679 TIFFErrorExt(tif->tif_clientdata, module,
4680 "TIFF directory is missing required \"%s\" field",
4681 tagname);
4682 }
4683
4684 /*
4685 * Check the directory offset against the list of already seen directory
4686 * offsets. This is a trick to prevent IFD looping. The one can create TIFF
4687 * file with looped directory pointers. We will maintain a list of already
4688 * seen directories and check every IFD offset against that list.
4689 */
4690 static int
TIFFCheckDirOffset(TIFF * tif,uint64_t diroff)4691 TIFFCheckDirOffset(TIFF* tif, uint64_t diroff)
4692 {
4693 uint16_t n;
4694
4695 if (diroff == 0) /* no more directories */
4696 return 0;
4697 if (tif->tif_dirnumber == 65535) {
4698 TIFFErrorExt(tif->tif_clientdata, "TIFFCheckDirOffset",
4699 "Cannot handle more than 65535 TIFF directories");
4700 return 0;
4701 }
4702
4703 for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
4704 if (tif->tif_dirlist[n] == diroff)
4705 return 0;
4706 }
4707
4708 tif->tif_dirnumber++;
4709
4710 if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
4711 uint64_t* new_dirlist;
4712
4713 /*
4714 * XXX: Reduce memory allocation granularity of the dirlist
4715 * array.
4716 */
4717 new_dirlist = (uint64_t*)_TIFFCheckRealloc(tif, tif->tif_dirlist,
4718 tif->tif_dirnumber, 2 * sizeof(uint64_t), "for IFD list");
4719 if (!new_dirlist)
4720 return 0;
4721 if( tif->tif_dirnumber >= 32768 )
4722 tif->tif_dirlistsize = 65535;
4723 else
4724 tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
4725 tif->tif_dirlist = new_dirlist;
4726 }
4727
4728 tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff;
4729
4730 return 1;
4731 }
4732
4733 /*
4734 * Check the count field of a directory entry against a known value. The
4735 * caller is expected to skip/ignore the tag if there is a mismatch.
4736 */
4737 static int
CheckDirCount(TIFF * tif,TIFFDirEntry * dir,uint32_t count)4738 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32_t count)
4739 {
4740 if ((uint64_t)count > dir->tdir_count) {
4741 const TIFFField* fip = TIFFFieldWithTag(tif, dir->tdir_tag);
4742 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
4743 "incorrect count for field \"%s\" (%" PRIu64 ", expecting %"PRIu32"); tag ignored",
4744 fip ? fip->field_name : "unknown tagname",
4745 dir->tdir_count, count);
4746 return (0);
4747 } else if ((uint64_t)count < dir->tdir_count) {
4748 const TIFFField* fip = TIFFFieldWithTag(tif, dir->tdir_tag);
4749 TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
4750 "incorrect count for field \"%s\" (%" PRIu64 ", expecting %"PRIu32"); tag trimmed",
4751 fip ? fip->field_name : "unknown tagname",
4752 dir->tdir_count, count);
4753 dir->tdir_count = count;
4754 return (1);
4755 }
4756 return (1);
4757 }
4758
4759 /*
4760 * Read IFD structure from the specified offset. If the pointer to
4761 * nextdiroff variable has been specified, read it too. Function returns a
4762 * number of fields in the directory or 0 if failed.
4763 */
4764 static uint16_t
TIFFFetchDirectory(TIFF * tif,uint64_t diroff,TIFFDirEntry ** pdir,uint64_t * nextdiroff)4765 TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
4766 uint64_t *nextdiroff)
4767 {
4768 static const char module[] = "TIFFFetchDirectory";
4769
4770 void* origdir;
4771 uint16_t dircount16;
4772 uint32_t dirsize;
4773 TIFFDirEntry* dir;
4774 uint8_t* ma;
4775 TIFFDirEntry* mb;
4776 uint16_t n;
4777
4778 assert(pdir);
4779
4780 tif->tif_diroff = diroff;
4781 if (nextdiroff)
4782 *nextdiroff = 0;
4783 if (!isMapped(tif)) {
4784 if (!SeekOK(tif, tif->tif_diroff)) {
4785 TIFFErrorExt(tif->tif_clientdata, module,
4786 "%s: Seek error accessing TIFF directory",
4787 tif->tif_name);
4788 return 0;
4789 }
4790 if (!(tif->tif_flags&TIFF_BIGTIFF))
4791 {
4792 if (!ReadOK(tif, &dircount16, sizeof (uint16_t))) {
4793 TIFFErrorExt(tif->tif_clientdata, module,
4794 "%s: Can not read TIFF directory count",
4795 tif->tif_name);
4796 return 0;
4797 }
4798 if (tif->tif_flags & TIFF_SWAB)
4799 TIFFSwabShort(&dircount16);
4800 if (dircount16>4096)
4801 {
4802 TIFFErrorExt(tif->tif_clientdata, module,
4803 "Sanity check on directory count failed, this is probably not a valid IFD offset");
4804 return 0;
4805 }
4806 dirsize = 12;
4807 } else {
4808 uint64_t dircount64;
4809 if (!ReadOK(tif, &dircount64, sizeof (uint64_t))) {
4810 TIFFErrorExt(tif->tif_clientdata, module,
4811 "%s: Can not read TIFF directory count",
4812 tif->tif_name);
4813 return 0;
4814 }
4815 if (tif->tif_flags & TIFF_SWAB)
4816 TIFFSwabLong8(&dircount64);
4817 if (dircount64>4096)
4818 {
4819 TIFFErrorExt(tif->tif_clientdata, module,
4820 "Sanity check on directory count failed, this is probably not a valid IFD offset");
4821 return 0;
4822 }
4823 dircount16 = (uint16_t)dircount64;
4824 dirsize = 20;
4825 }
4826 origdir = _TIFFCheckMalloc(tif, dircount16,
4827 dirsize, "to read TIFF directory");
4828 if (origdir == NULL)
4829 return 0;
4830 if (!ReadOK(tif, origdir, (tmsize_t)(dircount16*dirsize))) {
4831 TIFFErrorExt(tif->tif_clientdata, module,
4832 "%.100s: Can not read TIFF directory",
4833 tif->tif_name);
4834 _TIFFfree(origdir);
4835 return 0;
4836 }
4837 /*
4838 * Read offset to next directory for sequential scans if
4839 * needed.
4840 */
4841 if (nextdiroff)
4842 {
4843 if (!(tif->tif_flags&TIFF_BIGTIFF))
4844 {
4845 uint32_t nextdiroff32;
4846 if (!ReadOK(tif, &nextdiroff32, sizeof(uint32_t)))
4847 nextdiroff32 = 0;
4848 if (tif->tif_flags&TIFF_SWAB)
4849 TIFFSwabLong(&nextdiroff32);
4850 *nextdiroff=nextdiroff32;
4851 } else {
4852 if (!ReadOK(tif, nextdiroff, sizeof(uint64_t)))
4853 *nextdiroff = 0;
4854 if (tif->tif_flags&TIFF_SWAB)
4855 TIFFSwabLong8(nextdiroff);
4856 }
4857 }
4858 } else {
4859 tmsize_t m;
4860 tmsize_t off;
4861 if (tif->tif_diroff > (uint64_t)INT64_MAX)
4862 {
4863 TIFFErrorExt(tif->tif_clientdata,module,"Can not read TIFF directory count");
4864 return(0);
4865 }
4866 off = (tmsize_t) tif->tif_diroff;
4867
4868 /*
4869 * Check for integer overflow when validating the dir_off,
4870 * otherwise a very high offset may cause an OOB read and
4871 * crash the client. Make two comparisons instead of
4872 *
4873 * off + sizeof(uint16_t) > tif->tif_size
4874 *
4875 * to avoid overflow.
4876 */
4877 if (!(tif->tif_flags&TIFF_BIGTIFF))
4878 {
4879 m=off+sizeof(uint16_t);
4880 if ((m<off) || (m<(tmsize_t)sizeof(uint16_t)) || (m > tif->tif_size)) {
4881 TIFFErrorExt(tif->tif_clientdata, module,
4882 "Can not read TIFF directory count");
4883 return 0;
4884 } else {
4885 _TIFFmemcpy(&dircount16, tif->tif_base + off,
4886 sizeof(uint16_t));
4887 }
4888 off += sizeof (uint16_t);
4889 if (tif->tif_flags & TIFF_SWAB)
4890 TIFFSwabShort(&dircount16);
4891 if (dircount16>4096)
4892 {
4893 TIFFErrorExt(tif->tif_clientdata, module,
4894 "Sanity check on directory count failed, this is probably not a valid IFD offset");
4895 return 0;
4896 }
4897 dirsize = 12;
4898 }
4899 else
4900 {
4901 uint64_t dircount64;
4902 m=off+sizeof(uint64_t);
4903 if ((m<off) || (m<(tmsize_t)sizeof(uint64_t)) || (m > tif->tif_size)) {
4904 TIFFErrorExt(tif->tif_clientdata, module,
4905 "Can not read TIFF directory count");
4906 return 0;
4907 } else {
4908 _TIFFmemcpy(&dircount64, tif->tif_base + off,
4909 sizeof(uint64_t));
4910 }
4911 off += sizeof (uint64_t);
4912 if (tif->tif_flags & TIFF_SWAB)
4913 TIFFSwabLong8(&dircount64);
4914 if (dircount64>4096)
4915 {
4916 TIFFErrorExt(tif->tif_clientdata, module,
4917 "Sanity check on directory count failed, this is probably not a valid IFD offset");
4918 return 0;
4919 }
4920 dircount16 = (uint16_t)dircount64;
4921 dirsize = 20;
4922 }
4923 if (dircount16 == 0 )
4924 {
4925 TIFFErrorExt(tif->tif_clientdata, module,
4926 "Sanity check on directory count failed, zero tag directories not supported");
4927 return 0;
4928 }
4929 origdir = _TIFFCheckMalloc(tif, dircount16,
4930 dirsize,
4931 "to read TIFF directory");
4932 if (origdir == NULL)
4933 return 0;
4934 m=off+dircount16*dirsize;
4935 if ((m<off)||(m<(tmsize_t)(dircount16*dirsize))||(m>tif->tif_size)) {
4936 TIFFErrorExt(tif->tif_clientdata, module,
4937 "Can not read TIFF directory");
4938 _TIFFfree(origdir);
4939 return 0;
4940 } else {
4941 _TIFFmemcpy(origdir, tif->tif_base + off,
4942 dircount16 * dirsize);
4943 }
4944 if (nextdiroff) {
4945 off += dircount16 * dirsize;
4946 if (!(tif->tif_flags&TIFF_BIGTIFF))
4947 {
4948 uint32_t nextdiroff32;
4949 m=off+sizeof(uint32_t);
4950 if ((m<off) || (m<(tmsize_t)sizeof(uint32_t)) || (m > tif->tif_size))
4951 nextdiroff32 = 0;
4952 else
4953 _TIFFmemcpy(&nextdiroff32, tif->tif_base + off,
4954 sizeof (uint32_t));
4955 if (tif->tif_flags&TIFF_SWAB)
4956 TIFFSwabLong(&nextdiroff32);
4957 *nextdiroff = nextdiroff32;
4958 }
4959 else
4960 {
4961 m=off+sizeof(uint64_t);
4962 if ((m<off) || (m<(tmsize_t)sizeof(uint64_t)) || (m > tif->tif_size))
4963 *nextdiroff = 0;
4964 else
4965 _TIFFmemcpy(nextdiroff, tif->tif_base + off,
4966 sizeof (uint64_t));
4967 if (tif->tif_flags&TIFF_SWAB)
4968 TIFFSwabLong8(nextdiroff);
4969 }
4970 }
4971 }
4972 dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
4973 sizeof(TIFFDirEntry),
4974 "to read TIFF directory");
4975 if (dir==0)
4976 {
4977 _TIFFfree(origdir);
4978 return 0;
4979 }
4980 ma=(uint8_t*)origdir;
4981 mb=dir;
4982 for (n=0; n<dircount16; n++)
4983 {
4984 mb->tdir_ignore = FALSE;
4985 if (tif->tif_flags&TIFF_SWAB)
4986 TIFFSwabShort((uint16_t*)ma);
4987 mb->tdir_tag=*(uint16_t*)ma;
4988 ma+=sizeof(uint16_t);
4989 if (tif->tif_flags&TIFF_SWAB)
4990 TIFFSwabShort((uint16_t*)ma);
4991 mb->tdir_type=*(uint16_t*)ma;
4992 ma+=sizeof(uint16_t);
4993 if (!(tif->tif_flags&TIFF_BIGTIFF))
4994 {
4995 if (tif->tif_flags&TIFF_SWAB)
4996 TIFFSwabLong((uint32_t*)ma);
4997 mb->tdir_count=(uint64_t)(*(uint32_t*)ma);
4998 ma+=sizeof(uint32_t);
4999 mb->tdir_offset.toff_long8=0;
5000 *(uint32_t*)(&mb->tdir_offset)=*(uint32_t*)ma;
5001 ma+=sizeof(uint32_t);
5002 }
5003 else
5004 {
5005 if (tif->tif_flags&TIFF_SWAB)
5006 TIFFSwabLong8((uint64_t*)ma);
5007 mb->tdir_count=TIFFReadUInt64(ma);
5008 ma+=sizeof(uint64_t);
5009 mb->tdir_offset.toff_long8=TIFFReadUInt64(ma);
5010 ma+=sizeof(uint64_t);
5011 }
5012 mb++;
5013 }
5014 _TIFFfree(origdir);
5015 *pdir = dir;
5016 return dircount16;
5017 }
5018
5019 /*
5020 * Fetch a tag that is not handled by special case code.
5021 */
5022 static int
TIFFFetchNormalTag(TIFF * tif,TIFFDirEntry * dp,int recover)5023 TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
5024 {
5025 static const char module[] = "TIFFFetchNormalTag";
5026 enum TIFFReadDirEntryErr err;
5027 uint32_t fii;
5028 const TIFFField* fip = NULL;
5029 TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
5030 if( fii == FAILED_FII )
5031 {
5032 TIFFErrorExt(tif->tif_clientdata, "TIFFFetchNormalTag",
5033 "No definition found for tag %"PRIu16,
5034 dp->tdir_tag);
5035 return 0;
5036 }
5037 fip=tif->tif_fields[fii];
5038 assert(fip != NULL); /* should not happen */
5039 assert(fip->set_field_type!=TIFF_SETGET_OTHER); /* if so, we shouldn't arrive here but deal with this in specialized code */
5040 assert(fip->set_field_type!=TIFF_SETGET_INT); /* if so, we shouldn't arrive here as this is only the case for pseudo-tags */
5041 err=TIFFReadDirEntryErrOk;
5042 switch (fip->set_field_type)
5043 {
5044 case TIFF_SETGET_UNDEFINED:
5045 break;
5046 case TIFF_SETGET_ASCII:
5047 {
5048 uint8_t* data;
5049 assert(fip->field_passcount==0);
5050 err=TIFFReadDirEntryByteArray(tif,dp,&data);
5051 if (err==TIFFReadDirEntryErrOk)
5052 {
5053 uint32_t mb = 0;
5054 int n;
5055 if (data != NULL)
5056 {
5057 uint8_t* ma = data;
5058 while (mb<(uint32_t)dp->tdir_count)
5059 {
5060 if (*ma==0)
5061 break;
5062 ma++;
5063 mb++;
5064 }
5065 }
5066 if (mb+1<(uint32_t)dp->tdir_count)
5067 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" contains null byte in value; value incorrectly truncated during reading due to implementation limitations",fip->field_name);
5068 else if (mb+1>(uint32_t)dp->tdir_count)
5069 {
5070 uint8_t* o;
5071 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte",fip->field_name);
5072 if ((uint32_t)dp->tdir_count + 1 != dp->tdir_count + 1)
5073 o=NULL;
5074 else
5075 o=_TIFFmalloc((uint32_t)dp->tdir_count + 1);
5076 if (o==NULL)
5077 {
5078 if (data!=NULL)
5079 _TIFFfree(data);
5080 return(0);
5081 }
5082 _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
5083 o[(uint32_t)dp->tdir_count]=0;
5084 if (data!=0)
5085 _TIFFfree(data);
5086 data=o;
5087 }
5088 n=TIFFSetField(tif,dp->tdir_tag,data);
5089 if (data!=0)
5090 _TIFFfree(data);
5091 if (!n)
5092 return(0);
5093 }
5094 }
5095 break;
5096 case TIFF_SETGET_UINT8:
5097 {
5098 uint8_t data=0;
5099 assert(fip->field_readcount==1);
5100 assert(fip->field_passcount==0);
5101 err=TIFFReadDirEntryByte(tif,dp,&data);
5102 if (err==TIFFReadDirEntryErrOk)
5103 {
5104 if (!TIFFSetField(tif,dp->tdir_tag,data))
5105 return(0);
5106 }
5107 }
5108 break;
5109 case TIFF_SETGET_UINT16:
5110 {
5111 uint16_t data;
5112 assert(fip->field_readcount==1);
5113 assert(fip->field_passcount==0);
5114 err=TIFFReadDirEntryShort(tif,dp,&data);
5115 if (err==TIFFReadDirEntryErrOk)
5116 {
5117 if (!TIFFSetField(tif,dp->tdir_tag,data))
5118 return(0);
5119 }
5120 }
5121 break;
5122 case TIFF_SETGET_UINT32:
5123 {
5124 uint32_t data;
5125 assert(fip->field_readcount==1);
5126 assert(fip->field_passcount==0);
5127 err=TIFFReadDirEntryLong(tif,dp,&data);
5128 if (err==TIFFReadDirEntryErrOk)
5129 {
5130 if (!TIFFSetField(tif,dp->tdir_tag,data))
5131 return(0);
5132 }
5133 }
5134 break;
5135 case TIFF_SETGET_UINT64:
5136 {
5137 uint64_t data;
5138 assert(fip->field_readcount==1);
5139 assert(fip->field_passcount==0);
5140 err=TIFFReadDirEntryLong8(tif,dp,&data);
5141 if (err==TIFFReadDirEntryErrOk)
5142 {
5143 if (!TIFFSetField(tif,dp->tdir_tag,data))
5144 return(0);
5145 }
5146 }
5147 break;
5148 case TIFF_SETGET_FLOAT:
5149 {
5150 float data;
5151 assert(fip->field_readcount==1);
5152 assert(fip->field_passcount==0);
5153 err=TIFFReadDirEntryFloat(tif,dp,&data);
5154 if (err==TIFFReadDirEntryErrOk)
5155 {
5156 if (!TIFFSetField(tif,dp->tdir_tag,data))
5157 return(0);
5158 }
5159 }
5160 break;
5161 case TIFF_SETGET_DOUBLE:
5162 {
5163 double data;
5164 assert(fip->field_readcount==1);
5165 assert(fip->field_passcount==0);
5166 err=TIFFReadDirEntryDouble(tif,dp,&data);
5167 if (err==TIFFReadDirEntryErrOk)
5168 {
5169 if (!TIFFSetField(tif,dp->tdir_tag,data))
5170 return(0);
5171 }
5172 }
5173 break;
5174 case TIFF_SETGET_IFD8:
5175 {
5176 uint64_t data;
5177 assert(fip->field_readcount==1);
5178 assert(fip->field_passcount==0);
5179 err=TIFFReadDirEntryIfd8(tif,dp,&data);
5180 if (err==TIFFReadDirEntryErrOk)
5181 {
5182 if (!TIFFSetField(tif,dp->tdir_tag,data))
5183 return(0);
5184 }
5185 }
5186 break;
5187 case TIFF_SETGET_UINT16_PAIR:
5188 {
5189 uint16_t* data;
5190 assert(fip->field_readcount==2);
5191 assert(fip->field_passcount==0);
5192 if (dp->tdir_count!=2) {
5193 TIFFWarningExt(tif->tif_clientdata,module,
5194 "incorrect count for field \"%s\", expected 2, got %"PRIu64,
5195 fip->field_name, dp->tdir_count);
5196 return(0);
5197 }
5198 err=TIFFReadDirEntryShortArray(tif,dp,&data);
5199 if (err==TIFFReadDirEntryErrOk)
5200 {
5201 int m;
5202 assert(data); /* avoid CLang static Analyzer false positive */
5203 m=TIFFSetField(tif,dp->tdir_tag,data[0],data[1]);
5204 _TIFFfree(data);
5205 if (!m)
5206 return(0);
5207 }
5208 }
5209 break;
5210 case TIFF_SETGET_C0_UINT8:
5211 {
5212 uint8_t* data;
5213 assert(fip->field_readcount>=1);
5214 assert(fip->field_passcount==0);
5215 if (dp->tdir_count!=(uint64_t)fip->field_readcount) {
5216 TIFFWarningExt(tif->tif_clientdata,module,
5217 "incorrect count for field \"%s\", expected %d, got %"PRIu64,
5218 fip->field_name,(int) fip->field_readcount, dp->tdir_count);
5219 return 0;
5220 }
5221 else
5222 {
5223 err=TIFFReadDirEntryByteArray(tif,dp,&data);
5224 if (err==TIFFReadDirEntryErrOk)
5225 {
5226 int m;
5227 m=TIFFSetField(tif,dp->tdir_tag,data);
5228 if (data!=0)
5229 _TIFFfree(data);
5230 if (!m)
5231 return(0);
5232 }
5233 }
5234 }
5235 break;
5236 case TIFF_SETGET_C0_UINT16:
5237 {
5238 uint16_t* data;
5239 assert(fip->field_readcount>=1);
5240 assert(fip->field_passcount==0);
5241 if (dp->tdir_count!=(uint64_t)fip->field_readcount)
5242 /* corrupt file */;
5243 else
5244 {
5245 err=TIFFReadDirEntryShortArray(tif,dp,&data);
5246 if (err==TIFFReadDirEntryErrOk)
5247 {
5248 int m;
5249 m=TIFFSetField(tif,dp->tdir_tag,data);
5250 if (data!=0)
5251 _TIFFfree(data);
5252 if (!m)
5253 return(0);
5254 }
5255 }
5256 }
5257 break;
5258 case TIFF_SETGET_C0_UINT32:
5259 {
5260 uint32_t* data;
5261 assert(fip->field_readcount>=1);
5262 assert(fip->field_passcount==0);
5263 if (dp->tdir_count!=(uint64_t)fip->field_readcount)
5264 /* corrupt file */;
5265 else
5266 {
5267 err=TIFFReadDirEntryLongArray(tif,dp,&data);
5268 if (err==TIFFReadDirEntryErrOk)
5269 {
5270 int m;
5271 m=TIFFSetField(tif,dp->tdir_tag,data);
5272 if (data!=0)
5273 _TIFFfree(data);
5274 if (!m)
5275 return(0);
5276 }
5277 }
5278 }
5279 break;
5280 case TIFF_SETGET_C0_FLOAT:
5281 {
5282 float* data;
5283 assert(fip->field_readcount>=1);
5284 assert(fip->field_passcount==0);
5285 if (dp->tdir_count!=(uint64_t)fip->field_readcount)
5286 /* corrupt file */;
5287 else
5288 {
5289 err=TIFFReadDirEntryFloatArray(tif,dp,&data);
5290 if (err==TIFFReadDirEntryErrOk)
5291 {
5292 int m;
5293 m=TIFFSetField(tif,dp->tdir_tag,data);
5294 if (data!=0)
5295 _TIFFfree(data);
5296 if (!m)
5297 return(0);
5298 }
5299 }
5300 }
5301 break;
5302 /*--: Rational2Double: Extend for Double Arrays and Rational-Arrays read into Double-Arrays. */
5303 case TIFF_SETGET_C0_DOUBLE:
5304 {
5305 double* data;
5306 assert(fip->field_readcount>=1);
5307 assert(fip->field_passcount==0);
5308 if (dp->tdir_count!=(uint64_t)fip->field_readcount)
5309 /* corrupt file */;
5310 else
5311 {
5312 err=TIFFReadDirEntryDoubleArray(tif,dp,&data);
5313 if (err==TIFFReadDirEntryErrOk)
5314 {
5315 int m;
5316 m=TIFFSetField(tif,dp->tdir_tag,data);
5317 if (data!=0)
5318 _TIFFfree(data);
5319 if (!m)
5320 return(0);
5321 }
5322 }
5323 }
5324 break;
5325 case TIFF_SETGET_C16_ASCII:
5326 {
5327 uint8_t* data;
5328 assert(fip->field_readcount==TIFF_VARIABLE);
5329 assert(fip->field_passcount==1);
5330 if (dp->tdir_count>0xFFFF)
5331 err=TIFFReadDirEntryErrCount;
5332 else
5333 {
5334 err=TIFFReadDirEntryByteArray(tif,dp,&data);
5335 if (err==TIFFReadDirEntryErrOk)
5336 {
5337 int m;
5338 if( data != 0 && dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
5339 {
5340 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
5341 data[dp->tdir_count-1] = '\0';
5342 }
5343 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5344 if (data!=0)
5345 _TIFFfree(data);
5346 if (!m)
5347 return(0);
5348 }
5349 }
5350 }
5351 break;
5352 case TIFF_SETGET_C16_UINT8:
5353 {
5354 uint8_t* data;
5355 assert(fip->field_readcount==TIFF_VARIABLE);
5356 assert(fip->field_passcount==1);
5357 if (dp->tdir_count>0xFFFF)
5358 err=TIFFReadDirEntryErrCount;
5359 else
5360 {
5361 err=TIFFReadDirEntryByteArray(tif,dp,&data);
5362 if (err==TIFFReadDirEntryErrOk)
5363 {
5364 int m;
5365 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5366 if (data!=0)
5367 _TIFFfree(data);
5368 if (!m)
5369 return(0);
5370 }
5371 }
5372 }
5373 break;
5374 case TIFF_SETGET_C16_UINT16:
5375 {
5376 uint16_t* data;
5377 assert(fip->field_readcount==TIFF_VARIABLE);
5378 assert(fip->field_passcount==1);
5379 if (dp->tdir_count>0xFFFF)
5380 err=TIFFReadDirEntryErrCount;
5381 else
5382 {
5383 err=TIFFReadDirEntryShortArray(tif,dp,&data);
5384 if (err==TIFFReadDirEntryErrOk)
5385 {
5386 int m;
5387 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5388 if (data!=0)
5389 _TIFFfree(data);
5390 if (!m)
5391 return(0);
5392 }
5393 }
5394 }
5395 break;
5396 case TIFF_SETGET_C16_UINT32:
5397 {
5398 uint32_t* data;
5399 assert(fip->field_readcount==TIFF_VARIABLE);
5400 assert(fip->field_passcount==1);
5401 if (dp->tdir_count>0xFFFF)
5402 err=TIFFReadDirEntryErrCount;
5403 else
5404 {
5405 err=TIFFReadDirEntryLongArray(tif,dp,&data);
5406 if (err==TIFFReadDirEntryErrOk)
5407 {
5408 int m;
5409 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5410 if (data!=0)
5411 _TIFFfree(data);
5412 if (!m)
5413 return(0);
5414 }
5415 }
5416 }
5417 break;
5418 case TIFF_SETGET_C16_UINT64:
5419 {
5420 uint64_t* data;
5421 assert(fip->field_readcount==TIFF_VARIABLE);
5422 assert(fip->field_passcount==1);
5423 if (dp->tdir_count>0xFFFF)
5424 err=TIFFReadDirEntryErrCount;
5425 else
5426 {
5427 err=TIFFReadDirEntryLong8Array(tif,dp,&data);
5428 if (err==TIFFReadDirEntryErrOk)
5429 {
5430 int m;
5431 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5432 if (data!=0)
5433 _TIFFfree(data);
5434 if (!m)
5435 return(0);
5436 }
5437 }
5438 }
5439 break;
5440 case TIFF_SETGET_C16_FLOAT:
5441 {
5442 float* data;
5443 assert(fip->field_readcount==TIFF_VARIABLE);
5444 assert(fip->field_passcount==1);
5445 if (dp->tdir_count>0xFFFF)
5446 err=TIFFReadDirEntryErrCount;
5447 else
5448 {
5449 err=TIFFReadDirEntryFloatArray(tif,dp,&data);
5450 if (err==TIFFReadDirEntryErrOk)
5451 {
5452 int m;
5453 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5454 if (data!=0)
5455 _TIFFfree(data);
5456 if (!m)
5457 return(0);
5458 }
5459 }
5460 }
5461 break;
5462 case TIFF_SETGET_C16_DOUBLE:
5463 {
5464 double* data;
5465 assert(fip->field_readcount==TIFF_VARIABLE);
5466 assert(fip->field_passcount==1);
5467 if (dp->tdir_count>0xFFFF)
5468 err=TIFFReadDirEntryErrCount;
5469 else
5470 {
5471 err=TIFFReadDirEntryDoubleArray(tif,dp,&data);
5472 if (err==TIFFReadDirEntryErrOk)
5473 {
5474 int m;
5475 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5476 if (data!=0)
5477 _TIFFfree(data);
5478 if (!m)
5479 return(0);
5480 }
5481 }
5482 }
5483 break;
5484 case TIFF_SETGET_C16_IFD8:
5485 {
5486 uint64_t* data;
5487 assert(fip->field_readcount==TIFF_VARIABLE);
5488 assert(fip->field_passcount==1);
5489 if (dp->tdir_count>0xFFFF)
5490 err=TIFFReadDirEntryErrCount;
5491 else
5492 {
5493 err=TIFFReadDirEntryIfd8Array(tif,dp,&data);
5494 if (err==TIFFReadDirEntryErrOk)
5495 {
5496 int m;
5497 m=TIFFSetField(tif, dp->tdir_tag, (uint16_t)(dp->tdir_count), data);
5498 if (data!=0)
5499 _TIFFfree(data);
5500 if (!m)
5501 return(0);
5502 }
5503 }
5504 }
5505 break;
5506 case TIFF_SETGET_C32_ASCII:
5507 {
5508 uint8_t* data;
5509 assert(fip->field_readcount==TIFF_VARIABLE2);
5510 assert(fip->field_passcount==1);
5511 err=TIFFReadDirEntryByteArray(tif,dp,&data);
5512 if (err==TIFFReadDirEntryErrOk)
5513 {
5514 int m;
5515 if( data != 0 && dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
5516 {
5517 TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
5518 data[dp->tdir_count-1] = '\0';
5519 }
5520 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5521 if (data!=0)
5522 _TIFFfree(data);
5523 if (!m)
5524 return(0);
5525 }
5526 }
5527 break;
5528 case TIFF_SETGET_C32_UINT8:
5529 {
5530 uint8_t* data;
5531 assert(fip->field_readcount==TIFF_VARIABLE2);
5532 assert(fip->field_passcount==1);
5533 err=TIFFReadDirEntryByteArray(tif,dp,&data);
5534 if (err==TIFFReadDirEntryErrOk)
5535 {
5536 int m;
5537 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5538 if (data!=0)
5539 _TIFFfree(data);
5540 if (!m)
5541 return(0);
5542 }
5543 }
5544 break;
5545 case TIFF_SETGET_C32_SINT8:
5546 {
5547 int8_t* data = NULL;
5548 assert(fip->field_readcount==TIFF_VARIABLE2);
5549 assert(fip->field_passcount==1);
5550 err=TIFFReadDirEntrySbyteArray(tif,dp,&data);
5551 if (err==TIFFReadDirEntryErrOk)
5552 {
5553 int m;
5554 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5555 if (data!=0)
5556 _TIFFfree(data);
5557 if (!m)
5558 return(0);
5559 }
5560 }
5561 break;
5562 case TIFF_SETGET_C32_UINT16:
5563 {
5564 uint16_t* data;
5565 assert(fip->field_readcount==TIFF_VARIABLE2);
5566 assert(fip->field_passcount==1);
5567 err=TIFFReadDirEntryShortArray(tif,dp,&data);
5568 if (err==TIFFReadDirEntryErrOk)
5569 {
5570 int m;
5571 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5572 if (data!=0)
5573 _TIFFfree(data);
5574 if (!m)
5575 return(0);
5576 }
5577 }
5578 break;
5579 case TIFF_SETGET_C32_SINT16:
5580 {
5581 int16_t* data = NULL;
5582 assert(fip->field_readcount==TIFF_VARIABLE2);
5583 assert(fip->field_passcount==1);
5584 err=TIFFReadDirEntrySshortArray(tif,dp,&data);
5585 if (err==TIFFReadDirEntryErrOk)
5586 {
5587 int m;
5588 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5589 if (data!=0)
5590 _TIFFfree(data);
5591 if (!m)
5592 return(0);
5593 }
5594 }
5595 break;
5596 case TIFF_SETGET_C32_UINT32:
5597 {
5598 uint32_t* data;
5599 assert(fip->field_readcount==TIFF_VARIABLE2);
5600 assert(fip->field_passcount==1);
5601 err=TIFFReadDirEntryLongArray(tif,dp,&data);
5602 if (err==TIFFReadDirEntryErrOk)
5603 {
5604 int m;
5605 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5606 if (data!=0)
5607 _TIFFfree(data);
5608 if (!m)
5609 return(0);
5610 }
5611 }
5612 break;
5613 case TIFF_SETGET_C32_SINT32:
5614 {
5615 int32_t* data = NULL;
5616 assert(fip->field_readcount==TIFF_VARIABLE2);
5617 assert(fip->field_passcount==1);
5618 err=TIFFReadDirEntrySlongArray(tif,dp,&data);
5619 if (err==TIFFReadDirEntryErrOk)
5620 {
5621 int m;
5622 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5623 if (data!=0)
5624 _TIFFfree(data);
5625 if (!m)
5626 return(0);
5627 }
5628 }
5629 break;
5630 case TIFF_SETGET_C32_UINT64:
5631 {
5632 uint64_t* data;
5633 assert(fip->field_readcount==TIFF_VARIABLE2);
5634 assert(fip->field_passcount==1);
5635 err=TIFFReadDirEntryLong8Array(tif,dp,&data);
5636 if (err==TIFFReadDirEntryErrOk)
5637 {
5638 int m;
5639 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5640 if (data!=0)
5641 _TIFFfree(data);
5642 if (!m)
5643 return(0);
5644 }
5645 }
5646 break;
5647 case TIFF_SETGET_C32_SINT64:
5648 {
5649 int64_t* data = NULL;
5650 assert(fip->field_readcount==TIFF_VARIABLE2);
5651 assert(fip->field_passcount==1);
5652 err=TIFFReadDirEntrySlong8Array(tif,dp,&data);
5653 if (err==TIFFReadDirEntryErrOk)
5654 {
5655 int m;
5656 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5657 if (data!=0)
5658 _TIFFfree(data);
5659 if (!m)
5660 return(0);
5661 }
5662 }
5663 break;
5664 case TIFF_SETGET_C32_FLOAT:
5665 {
5666 float* data;
5667 assert(fip->field_readcount==TIFF_VARIABLE2);
5668 assert(fip->field_passcount==1);
5669 err=TIFFReadDirEntryFloatArray(tif,dp,&data);
5670 if (err==TIFFReadDirEntryErrOk)
5671 {
5672 int m;
5673 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5674 if (data!=0)
5675 _TIFFfree(data);
5676 if (!m)
5677 return(0);
5678 }
5679 }
5680 break;
5681 case TIFF_SETGET_C32_DOUBLE:
5682 {
5683 double* data;
5684 assert(fip->field_readcount==TIFF_VARIABLE2);
5685 assert(fip->field_passcount==1);
5686 err=TIFFReadDirEntryDoubleArray(tif,dp,&data);
5687 if (err==TIFFReadDirEntryErrOk)
5688 {
5689 int m;
5690 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5691 if (data!=0)
5692 _TIFFfree(data);
5693 if (!m)
5694 return(0);
5695 }
5696 }
5697 break;
5698 case TIFF_SETGET_C32_IFD8:
5699 {
5700 uint64_t* data;
5701 assert(fip->field_readcount==TIFF_VARIABLE2);
5702 assert(fip->field_passcount==1);
5703 err=TIFFReadDirEntryIfd8Array(tif,dp,&data);
5704 if (err==TIFFReadDirEntryErrOk)
5705 {
5706 int m;
5707 m=TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count), data);
5708 if (data!=0)
5709 _TIFFfree(data);
5710 if (!m)
5711 return(0);
5712 }
5713 }
5714 break;
5715 default:
5716 assert(0); /* we should never get here */
5717 break;
5718 }
5719 if (err!=TIFFReadDirEntryErrOk)
5720 {
5721 TIFFReadDirEntryOutputErr(tif,err,module,fip->field_name,recover);
5722 return(0);
5723 }
5724 return(1);
5725 }
5726
5727 /*
5728 * Fetch a set of offsets or lengths.
5729 * While this routine says "strips", in fact it's also used for tiles.
5730 */
5731 static int
TIFFFetchStripThing(TIFF * tif,TIFFDirEntry * dir,uint32_t nstrips,uint64_t ** lpp)5732 TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** lpp)
5733 {
5734 static const char module[] = "TIFFFetchStripThing";
5735 enum TIFFReadDirEntryErr err;
5736 uint64_t* data;
5737 err=TIFFReadDirEntryLong8ArrayWithLimit(tif,dir,&data,nstrips);
5738 if (err!=TIFFReadDirEntryErrOk)
5739 {
5740 const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
5741 TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
5742 return(0);
5743 }
5744 if (dir->tdir_count<(uint64_t)nstrips)
5745 {
5746 uint64_t* resizeddata;
5747 const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
5748 const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
5749 uint32_t max_nstrips = 1000000;
5750 if( pszMax )
5751 max_nstrips = (uint32_t) atoi(pszMax);
5752 TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
5753 module,
5754 fip ? fip->field_name : "unknown tagname",
5755 ( nstrips <= max_nstrips ) );
5756
5757 if( nstrips > max_nstrips )
5758 {
5759 _TIFFfree(data);
5760 return(0);
5761 }
5762
5763 resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
5764 if (resizeddata==0) {
5765 _TIFFfree(data);
5766 return(0);
5767 }
5768 _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
5769 _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
5770 _TIFFfree(data);
5771 data=resizeddata;
5772 }
5773 *lpp=data;
5774 return(1);
5775 }
5776
5777 /*
5778 * Fetch and set the SubjectDistance EXIF tag.
5779 */
5780 static int
TIFFFetchSubjectDistance(TIFF * tif,TIFFDirEntry * dir)5781 TIFFFetchSubjectDistance(TIFF* tif, TIFFDirEntry* dir)
5782 {
5783 static const char module[] = "TIFFFetchSubjectDistance";
5784 enum TIFFReadDirEntryErr err;
5785 UInt64Aligned_t m;
5786 m.l=0;
5787 assert(sizeof(double)==8);
5788 assert(sizeof(uint64_t) == 8);
5789 assert(sizeof(uint32_t) == 4);
5790 if (dir->tdir_count!=1)
5791 err=TIFFReadDirEntryErrCount;
5792 else if (dir->tdir_type!=TIFF_RATIONAL)
5793 err=TIFFReadDirEntryErrType;
5794 else
5795 {
5796 if (!(tif->tif_flags&TIFF_BIGTIFF))
5797 {
5798 uint32_t offset;
5799 offset=*(uint32_t*)(&dir->tdir_offset);
5800 if (tif->tif_flags&TIFF_SWAB)
5801 TIFFSwabLong(&offset);
5802 err=TIFFReadDirEntryData(tif,offset,8,m.i);
5803 }
5804 else
5805 {
5806 m.l=dir->tdir_offset.toff_long8;
5807 err=TIFFReadDirEntryErrOk;
5808 }
5809 }
5810 if (err==TIFFReadDirEntryErrOk)
5811 {
5812 double n;
5813 if (tif->tif_flags&TIFF_SWAB)
5814 TIFFSwabArrayOfLong(m.i,2);
5815 if (m.i[0]==0)
5816 n=0.0;
5817 else if (m.i[0]==0xFFFFFFFF || m.i[1]==0)
5818 /*
5819 * XXX: Numerator 0xFFFFFFFF means that we have infinite
5820 * distance. Indicate that with a negative floating point
5821 * SubjectDistance value.
5822 */
5823 n=-1.0;
5824 else
5825 n=(double)m.i[0]/(double)m.i[1];
5826 return(TIFFSetField(tif,dir->tdir_tag,n));
5827 }
5828 else
5829 {
5830 TIFFReadDirEntryOutputErr(tif,err,module,"SubjectDistance",TRUE);
5831 return(0);
5832 }
5833 }
5834
allocChoppedUpStripArrays(TIFF * tif,uint32_t nstrips,uint64_t stripbytes,uint32_t rowsperstrip)5835 static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips,
5836 uint64_t stripbytes, uint32_t rowsperstrip)
5837 {
5838 TIFFDirectory *td = &tif->tif_dir;
5839 uint64_t bytecount;
5840 uint64_t offset;
5841 uint64_t last_offset;
5842 uint64_t last_bytecount;
5843 uint32_t i;
5844 uint64_t *newcounts;
5845 uint64_t *newoffsets;
5846
5847 offset = TIFFGetStrileOffset(tif, 0);
5848 last_offset = TIFFGetStrileOffset(tif, td->td_nstrips-1);
5849 last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips-1);
5850 if( last_offset > UINT64_MAX - last_bytecount ||
5851 last_offset + last_bytecount < offset )
5852 {
5853 return;
5854 }
5855 bytecount = last_offset + last_bytecount - offset;
5856
5857 newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
5858 "for chopped \"StripByteCounts\" array");
5859 newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
5860 "for chopped \"StripOffsets\" array");
5861 if (newcounts == NULL || newoffsets == NULL) {
5862 /*
5863 * Unable to allocate new strip information, give up and use
5864 * the original one strip information.
5865 */
5866 if (newcounts != NULL)
5867 _TIFFfree(newcounts);
5868 if (newoffsets != NULL)
5869 _TIFFfree(newoffsets);
5870 return;
5871 }
5872
5873 /*
5874 * Fill the strip information arrays with new bytecounts and offsets
5875 * that reflect the broken-up format.
5876 */
5877 for (i = 0; i < nstrips; i++)
5878 {
5879 if (stripbytes > bytecount)
5880 stripbytes = bytecount;
5881 newcounts[i] = stripbytes;
5882 newoffsets[i] = stripbytes ? offset : 0;
5883 offset += stripbytes;
5884 bytecount -= stripbytes;
5885 }
5886
5887 /*
5888 * Replace old single strip info with multi-strip info.
5889 */
5890 td->td_stripsperimage = td->td_nstrips = nstrips;
5891 TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
5892
5893 _TIFFfree(td->td_stripbytecount_p);
5894 _TIFFfree(td->td_stripoffset_p);
5895 td->td_stripbytecount_p = newcounts;
5896 td->td_stripoffset_p = newoffsets;
5897 #ifdef STRIPBYTECOUNTSORTED_UNUSED
5898 td->td_stripbytecountsorted = 1;
5899 #endif
5900 tif->tif_flags |= TIFF_CHOPPEDUPARRAYS;
5901 }
5902
5903
5904 /*
5905 * Replace a single strip (tile) of uncompressed data by multiple strips
5906 * (tiles), each approximately STRIP_SIZE_DEFAULT bytes. This is useful for
5907 * dealing with large images or for dealing with machines with a limited
5908 * amount memory.
5909 */
5910 static void
ChopUpSingleUncompressedStrip(TIFF * tif)5911 ChopUpSingleUncompressedStrip(TIFF* tif)
5912 {
5913 register TIFFDirectory *td = &tif->tif_dir;
5914 uint64_t bytecount;
5915 uint64_t offset;
5916 uint32_t rowblock;
5917 uint64_t rowblockbytes;
5918 uint64_t stripbytes;
5919 uint32_t nstrips;
5920 uint32_t rowsperstrip;
5921
5922 bytecount = TIFFGetStrileByteCount(tif, 0);
5923 /* On a newly created file, just re-opened to be filled, we */
5924 /* don't want strip chop to trigger as it is going to cause issues */
5925 /* later ( StripOffsets and StripByteCounts improperly filled) . */
5926 if( bytecount == 0 && tif->tif_mode != O_RDONLY )
5927 return;
5928 offset = TIFFGetStrileByteCount(tif, 0);
5929 assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
5930 if ((td->td_photometric == PHOTOMETRIC_YCBCR)&&
5931 (!isUpSampled(tif)))
5932 rowblock = td->td_ycbcrsubsampling[1];
5933 else
5934 rowblock = 1;
5935 rowblockbytes = TIFFVTileSize64(tif, rowblock);
5936 /*
5937 * Make the rows hold at least one scanline, but fill specified amount
5938 * of data if possible.
5939 */
5940 if (rowblockbytes > STRIP_SIZE_DEFAULT) {
5941 stripbytes = rowblockbytes;
5942 rowsperstrip = rowblock;
5943 } else if (rowblockbytes > 0 ) {
5944 uint32_t rowblocksperstrip;
5945 rowblocksperstrip = (uint32_t) (STRIP_SIZE_DEFAULT / rowblockbytes);
5946 rowsperstrip = rowblocksperstrip * rowblock;
5947 stripbytes = rowblocksperstrip * rowblockbytes;
5948 }
5949 else
5950 return;
5951
5952 /*
5953 * never increase the number of rows per strip
5954 */
5955 if (rowsperstrip >= td->td_rowsperstrip)
5956 return;
5957 nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
5958 if( nstrips == 0 )
5959 return;
5960
5961 /* If we are going to allocate a lot of memory, make sure that the */
5962 /* file is as big as needed */
5963 if( tif->tif_mode == O_RDONLY &&
5964 nstrips > 1000000 &&
5965 (offset >= TIFFGetFileSize(tif) ||
5966 stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
5967 {
5968 return;
5969 }
5970
5971 allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
5972 }
5973
5974
5975 /*
5976 * Replace a file with contiguous strips > 2 GB of uncompressed data by
5977 * multiple smaller strips. This is useful for
5978 * dealing with large images or for dealing with machines with a limited
5979 * amount memory.
5980 */
TryChopUpUncompressedBigTiff(TIFF * tif)5981 static void TryChopUpUncompressedBigTiff( TIFF* tif )
5982 {
5983 TIFFDirectory *td = &tif->tif_dir;
5984 uint32_t rowblock;
5985 uint64_t rowblockbytes;
5986 uint32_t i;
5987 uint64_t stripsize;
5988 uint32_t rowblocksperstrip;
5989 uint32_t rowsperstrip;
5990 uint64_t stripbytes;
5991 uint32_t nstrips;
5992
5993 stripsize = TIFFStripSize64(tif);
5994
5995 assert( tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG );
5996 assert( tif->tif_dir.td_compression == COMPRESSION_NONE );
5997 assert( (tif->tif_flags&(TIFF_STRIPCHOP|TIFF_ISTILED)) == TIFF_STRIPCHOP );
5998 assert( stripsize > 0x7FFFFFFFUL );
5999
6000 /* On a newly created file, just re-opened to be filled, we */
6001 /* don't want strip chop to trigger as it is going to cause issues */
6002 /* later ( StripOffsets and StripByteCounts improperly filled) . */
6003 if( TIFFGetStrileByteCount(tif, 0) == 0 && tif->tif_mode != O_RDONLY )
6004 return;
6005
6006 if ((td->td_photometric == PHOTOMETRIC_YCBCR)&&
6007 (!isUpSampled(tif)))
6008 rowblock = td->td_ycbcrsubsampling[1];
6009 else
6010 rowblock = 1;
6011 rowblockbytes = TIFFVStripSize64(tif, rowblock);
6012 if( rowblockbytes == 0 || rowblockbytes > 0x7FFFFFFFUL )
6013 {
6014 /* In case of file with gigantic width */
6015 return;
6016 }
6017
6018 /* Check that the strips are contiguous and of the expected size */
6019 for( i = 0; i < td->td_nstrips; i++ )
6020 {
6021 if( i == td->td_nstrips - 1 )
6022 {
6023 if( TIFFGetStrileByteCount(tif, i) < TIFFVStripSize64(
6024 tif, td->td_imagelength - i * td->td_rowsperstrip ) )
6025 {
6026 return;
6027 }
6028 }
6029 else
6030 {
6031 if( TIFFGetStrileByteCount(tif, i) != stripsize )
6032 {
6033 return;
6034 }
6035 if( i > 0 && TIFFGetStrileOffset(tif, i) !=
6036 TIFFGetStrileOffset(tif, i-1) + TIFFGetStrileByteCount(tif, i-1) )
6037 {
6038 return;
6039 }
6040 }
6041 }
6042
6043 /* Aim for 512 MB strips (that will still be manageable by 32 bit builds */
6044 rowblocksperstrip = (uint32_t) (512 * 1024 * 1024 / rowblockbytes);
6045 if( rowblocksperstrip == 0 )
6046 rowblocksperstrip = 1;
6047 rowsperstrip = rowblocksperstrip * rowblock;
6048 stripbytes = rowblocksperstrip * rowblockbytes;
6049 assert( stripbytes <= 0x7FFFFFFFUL );
6050
6051 nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
6052 if( nstrips == 0 )
6053 return;
6054
6055 /* If we are going to allocate a lot of memory, make sure that the */
6056 /* file is as big as needed */
6057 if( tif->tif_mode == O_RDONLY &&
6058 nstrips > 1000000 )
6059 {
6060 uint64_t last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
6061 uint64_t filesize = TIFFGetFileSize(tif);
6062 uint64_t last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
6063 if( last_offset > filesize ||
6064 last_bytecount > filesize - last_offset )
6065 {
6066 return;
6067 }
6068 }
6069
6070 allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
6071 }
6072
6073
6074 TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
_TIFFUnsanitizedAddUInt64AndInt(uint64_t a,int b)6075 static uint64_t _TIFFUnsanitizedAddUInt64AndInt(uint64_t a, int b)
6076 {
6077 return a + b;
6078 }
6079
6080 /* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
6081 * strip/tile of number strile. Also fetch the neighbouring values using a
6082 * 4096 byte page size.
6083 */
6084 static
_TIFFPartialReadStripArray(TIFF * tif,TIFFDirEntry * dirent,int strile,uint64_t * panVals)6085 int _TIFFPartialReadStripArray(TIFF* tif, TIFFDirEntry* dirent,
6086 int strile, uint64_t* panVals )
6087 {
6088 static const char module[] = "_TIFFPartialReadStripArray";
6089 #define IO_CACHE_PAGE_SIZE 4096
6090
6091 size_t sizeofval;
6092 const int bSwab = (tif->tif_flags & TIFF_SWAB) != 0;
6093 int sizeofvalint;
6094 uint64_t nBaseOffset;
6095 uint64_t nOffset;
6096 uint64_t nOffsetStartPage;
6097 uint64_t nOffsetEndPage;
6098 tmsize_t nToRead;
6099 tmsize_t nRead;
6100 uint64_t nLastStripOffset;
6101 int iStartBefore;
6102 int i;
6103 const uint32_t arraySize = tif->tif_dir.td_stripoffsetbyteallocsize;
6104 unsigned char buffer[2 * IO_CACHE_PAGE_SIZE];
6105
6106 assert( dirent->tdir_count > 4 );
6107
6108 if( dirent->tdir_type == TIFF_SHORT )
6109 {
6110 sizeofval = sizeof(uint16_t);
6111 }
6112 else if( dirent->tdir_type == TIFF_LONG )
6113 {
6114 sizeofval = sizeof(uint32_t);
6115 }
6116 else if( dirent->tdir_type == TIFF_LONG8 )
6117 {
6118 sizeofval = sizeof(uint64_t);
6119 }
6120 else if( dirent->tdir_type == TIFF_SLONG8 )
6121 {
6122 /* Non conformant but used by some images as in */
6123 /* https://github.com/OSGeo/gdal/issues/2165 */
6124 sizeofval = sizeof(int64_t);
6125 }
6126 else
6127 {
6128 TIFFErrorExt(tif->tif_clientdata, module,
6129 "Invalid type for [Strip|Tile][Offset/ByteCount] tag");
6130 panVals[strile] = 0;
6131 return 0;
6132 }
6133 sizeofvalint = (int)(sizeofval);
6134
6135 if( tif->tif_flags&TIFF_BIGTIFF )
6136 {
6137 uint64_t offset = dirent->tdir_offset.toff_long8;
6138 if( bSwab )
6139 TIFFSwabLong8(&offset);
6140 nBaseOffset = offset;
6141 }
6142 else
6143 {
6144 uint32_t offset = dirent->tdir_offset.toff_long;
6145 if( bSwab )
6146 TIFFSwabLong(&offset);
6147 nBaseOffset = offset;
6148 }
6149 /* To avoid later unsigned integer overflows */
6150 if( nBaseOffset > (uint64_t)INT64_MAX )
6151 {
6152 TIFFErrorExt(tif->tif_clientdata, module,
6153 "Cannot read offset/size for strile %d", strile);
6154 panVals[strile] = 0;
6155 return 0;
6156 }
6157 nOffset = nBaseOffset + sizeofval * strile;
6158 nOffsetStartPage =
6159 (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;
6160 nOffsetEndPage = nOffsetStartPage + IO_CACHE_PAGE_SIZE;
6161
6162 if( nOffset + sizeofval > nOffsetEndPage )
6163 nOffsetEndPage += IO_CACHE_PAGE_SIZE;
6164 #undef IO_CACHE_PAGE_SIZE
6165
6166 nLastStripOffset = nBaseOffset + arraySize * sizeofval;
6167 if( nLastStripOffset < nOffsetEndPage )
6168 nOffsetEndPage = nLastStripOffset;
6169 if( nOffsetStartPage >= nOffsetEndPage )
6170 {
6171 TIFFErrorExt(tif->tif_clientdata, module,
6172 "Cannot read offset/size for strile %d", strile);
6173 panVals[strile] = 0;
6174 return 0;
6175 }
6176 if (!SeekOK(tif,nOffsetStartPage))
6177 {
6178 panVals[strile] = 0;
6179 return 0;
6180 }
6181
6182 nToRead = (tmsize_t)(nOffsetEndPage - nOffsetStartPage);
6183 nRead = TIFFReadFile(tif, buffer, nToRead);
6184 if( nRead < nToRead )
6185 {
6186 TIFFErrorExt(tif->tif_clientdata, module,
6187 "Cannot read offset/size for strile around ~%d", strile);
6188 return 0;
6189 }
6190 iStartBefore = -(int)((nOffset - nOffsetStartPage) / sizeofval);
6191 if( strile + iStartBefore < 0 )
6192 iStartBefore = -strile;
6193 for( i = iStartBefore;
6194 (uint32_t)(strile + i) < arraySize &&
6195 _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <= nOffsetEndPage;
6196 ++i )
6197 {
6198 if( dirent->tdir_type == TIFF_SHORT )
6199 {
6200 uint16_t val;
6201 memcpy(&val,
6202 buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
6203 sizeof(val));
6204 if( bSwab )
6205 TIFFSwabShort(&val);
6206 panVals[strile + i] = val;
6207 }
6208 else if( dirent->tdir_type == TIFF_LONG )
6209 {
6210 uint32_t val;
6211 memcpy(&val,
6212 buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
6213 sizeof(val));
6214 if( bSwab )
6215 TIFFSwabLong(&val);
6216 panVals[strile + i] = val;
6217 }
6218 else if( dirent->tdir_type == TIFF_LONG8 )
6219 {
6220 uint64_t val;
6221 memcpy(&val,
6222 buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
6223 sizeof(val));
6224 if( bSwab )
6225 TIFFSwabLong8(&val);
6226 panVals[strile + i] = val;
6227 }
6228 else /* if( dirent->tdir_type == TIFF_SLONG8 ) */
6229 {
6230 /* Non conformant data type */
6231 int64_t val;
6232 memcpy(&val,
6233 buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
6234 sizeof(val));
6235 if( bSwab )
6236 TIFFSwabLong8((uint64_t*) &val);
6237 panVals[strile + i] = (uint64_t) val;
6238 }
6239 }
6240 return 1;
6241 }
6242
_TIFFFetchStrileValue(TIFF * tif,uint32_t strile,TIFFDirEntry * dirent,uint64_t ** parray)6243 static int _TIFFFetchStrileValue(TIFF* tif,
6244 uint32_t strile,
6245 TIFFDirEntry* dirent,
6246 uint64_t** parray)
6247 {
6248 static const char module[] = "_TIFFFetchStrileValue";
6249 TIFFDirectory *td = &tif->tif_dir;
6250 if( strile >= dirent->tdir_count )
6251 {
6252 return 0;
6253 }
6254 if( strile >= td->td_stripoffsetbyteallocsize )
6255 {
6256 uint32_t nStripArrayAllocBefore = td->td_stripoffsetbyteallocsize;
6257 uint32_t nStripArrayAllocNew;
6258 uint64_t nArraySize64;
6259 size_t nArraySize;
6260 uint64_t* offsetArray;
6261 uint64_t* bytecountArray;
6262
6263 if( strile > 1000000 )
6264 {
6265 uint64_t filesize = TIFFGetFileSize(tif);
6266 /* Avoid excessive memory allocation attempt */
6267 /* For such a big blockid we need at least a TIFF_LONG per strile */
6268 /* for the offset array. */
6269 if( strile > filesize / sizeof(uint32_t) )
6270 {
6271 TIFFErrorExt(tif->tif_clientdata, module, "File too short");
6272 return 0;
6273 }
6274 }
6275
6276 if( td->td_stripoffsetbyteallocsize == 0 &&
6277 td->td_nstrips < 1024 * 1024 )
6278 {
6279 nStripArrayAllocNew = td->td_nstrips;
6280 }
6281 else
6282 {
6283 #define TIFF_MAX(a,b) (((a)>(b)) ? (a) : (b))
6284 #define TIFF_MIN(a,b) (((a)<(b)) ? (a) : (b))
6285 nStripArrayAllocNew = TIFF_MAX(strile + 1, 1024U * 512U );
6286 if( nStripArrayAllocNew < 0xFFFFFFFFU / 2 )
6287 nStripArrayAllocNew *= 2;
6288 nStripArrayAllocNew = TIFF_MIN(nStripArrayAllocNew, td->td_nstrips);
6289 }
6290 assert( strile < nStripArrayAllocNew );
6291 nArraySize64 = (uint64_t)sizeof(uint64_t) * nStripArrayAllocNew;
6292 nArraySize = (size_t)(nArraySize64);
6293 #if SIZEOF_SIZE_T == 4
6294 if( nArraySize != nArraySize64 )
6295 {
6296 TIFFErrorExt(tif->tif_clientdata, module,
6297 "Cannot allocate strip offset and bytecount arrays");
6298 return 0;
6299 }
6300 #endif
6301 offsetArray = (uint64_t*)(
6302 _TIFFrealloc( td->td_stripoffset_p, nArraySize ) );
6303 bytecountArray = (uint64_t*)(
6304 _TIFFrealloc( td->td_stripbytecount_p, nArraySize ) );
6305 if( offsetArray )
6306 td->td_stripoffset_p = offsetArray;
6307 if( bytecountArray )
6308 td->td_stripbytecount_p = bytecountArray;
6309 if( offsetArray && bytecountArray )
6310 {
6311 td->td_stripoffsetbyteallocsize = nStripArrayAllocNew;
6312 /* Initialize new entries to ~0 / -1 */
6313 memset(td->td_stripoffset_p + nStripArrayAllocBefore,
6314 0xFF,
6315 (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) * sizeof(uint64_t) );
6316 memset(td->td_stripbytecount_p + nStripArrayAllocBefore,
6317 0xFF,
6318 (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) * sizeof(uint64_t) );
6319 }
6320 else
6321 {
6322 TIFFErrorExt(tif->tif_clientdata, module,
6323 "Cannot allocate strip offset and bytecount arrays");
6324 _TIFFfree(td->td_stripoffset_p);
6325 td->td_stripoffset_p = NULL;
6326 _TIFFfree(td->td_stripbytecount_p);
6327 td->td_stripbytecount_p = NULL;
6328 td->td_stripoffsetbyteallocsize = 0;
6329 }
6330 }
6331 if( *parray == NULL || strile >= td->td_stripoffsetbyteallocsize )
6332 return 0;
6333
6334 if( ~((*parray)[strile]) == 0 )
6335 {
6336 if( !_TIFFPartialReadStripArray( tif, dirent, strile, *parray ) )
6337 {
6338 (*parray)[strile] = 0;
6339 return 0;
6340 }
6341 }
6342
6343 return 1;
6344 }
6345
_TIFFGetStrileOffsetOrByteCountValue(TIFF * tif,uint32_t strile,TIFFDirEntry * dirent,uint64_t ** parray,int * pbErr)6346 static uint64_t _TIFFGetStrileOffsetOrByteCountValue(TIFF *tif, uint32_t strile,
6347 TIFFDirEntry* dirent,
6348 uint64_t** parray,
6349 int *pbErr)
6350 {
6351 TIFFDirectory *td = &tif->tif_dir;
6352 if( pbErr )
6353 *pbErr = 0;
6354 if( (tif->tif_flags&TIFF_DEFERSTRILELOAD) && !(tif->tif_flags&TIFF_CHOPPEDUPARRAYS) )
6355 {
6356 if( !(tif->tif_flags&TIFF_LAZYSTRILELOAD) ||
6357 /* If the values may fit in the toff_long/toff_long8 member */
6358 /* then use _TIFFFillStriles to simplify _TIFFFetchStrileValue */
6359 dirent->tdir_count <= 4 )
6360 {
6361 if( !_TIFFFillStriles(tif) )
6362 {
6363 if( pbErr )
6364 *pbErr = 1;
6365 /* Do not return, as we want this function to always */
6366 /* return the same value if called several times with */
6367 /* the same arguments */
6368 }
6369 }
6370 else
6371 {
6372 if( !_TIFFFetchStrileValue(tif, strile, dirent, parray) )
6373 {
6374 if( pbErr )
6375 *pbErr = 1;
6376 return 0;
6377 }
6378 }
6379 }
6380 if( *parray == NULL || strile >= td->td_nstrips )
6381 {
6382 if( pbErr )
6383 *pbErr = 1;
6384 return 0;
6385 }
6386 return (*parray)[strile];
6387 }
6388
6389 /* Return the value of the TileOffsets/StripOffsets array for the specified tile/strile */
TIFFGetStrileOffset(TIFF * tif,uint32_t strile)6390 uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile)
6391 {
6392 return TIFFGetStrileOffsetWithErr(tif, strile, NULL);
6393 }
6394
6395 /* Return the value of the TileOffsets/StripOffsets array for the specified tile/strile */
TIFFGetStrileOffsetWithErr(TIFF * tif,uint32_t strile,int * pbErr)6396 uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr)
6397 {
6398 TIFFDirectory *td = &tif->tif_dir;
6399 return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
6400 &(td->td_stripoffset_entry),
6401 &(td->td_stripoffset_p), pbErr);
6402 }
6403
6404 /* Return the value of the TileByteCounts/StripByteCounts array for the specified tile/strile */
TIFFGetStrileByteCount(TIFF * tif,uint32_t strile)6405 uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
6406 {
6407 return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
6408 }
6409
6410 /* Return the value of the TileByteCounts/StripByteCounts array for the specified tile/strile */
TIFFGetStrileByteCountWithErr(TIFF * tif,uint32_t strile,int * pbErr)6411 uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr)
6412 {
6413 TIFFDirectory *td = &tif->tif_dir;
6414 return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
6415 &(td->td_stripbytecount_entry),
6416 &(td->td_stripbytecount_p), pbErr);
6417 }
6418
6419
_TIFFFillStriles(TIFF * tif)6420 int _TIFFFillStriles( TIFF *tif )
6421 {
6422 return _TIFFFillStrilesInternal( tif, 1 );
6423 }
6424
_TIFFFillStrilesInternal(TIFF * tif,int loadStripByteCount)6425 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount )
6426 {
6427 register TIFFDirectory *td = &tif->tif_dir;
6428 int return_value = 1;
6429
6430 /* Do not do anything if TIFF_DEFERSTRILELOAD is not set */
6431 if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) || (tif->tif_flags&TIFF_CHOPPEDUPARRAYS) != 0 )
6432 return 1;
6433
6434 if( tif->tif_flags&TIFF_LAZYSTRILELOAD )
6435 {
6436 /* In case of lazy loading, reload completely the arrays */
6437 _TIFFfree(td->td_stripoffset_p);
6438 _TIFFfree(td->td_stripbytecount_p);
6439 td->td_stripoffset_p = NULL;
6440 td->td_stripbytecount_p = NULL;
6441 td->td_stripoffsetbyteallocsize = 0;
6442 tif->tif_flags &= ~TIFF_LAZYSTRILELOAD;
6443 }
6444
6445 /* If stripoffset array is already loaded, exit with success */
6446 if( td->td_stripoffset_p != NULL )
6447 return 1;
6448
6449 /* If tdir_count was canceled, then we already got there, but in error */
6450 if( td->td_stripoffset_entry.tdir_count == 0 )
6451 return 0;
6452
6453 if (!TIFFFetchStripThing(tif,&(td->td_stripoffset_entry),
6454 td->td_nstrips,&td->td_stripoffset_p))
6455 {
6456 return_value = 0;
6457 }
6458
6459 if (loadStripByteCount &&
6460 !TIFFFetchStripThing(tif,&(td->td_stripbytecount_entry),
6461 td->td_nstrips,&td->td_stripbytecount_p))
6462 {
6463 return_value = 0;
6464 }
6465
6466 _TIFFmemset( &(td->td_stripoffset_entry), 0, sizeof(TIFFDirEntry));
6467 _TIFFmemset( &(td->td_stripbytecount_entry), 0, sizeof(TIFFDirEntry));
6468
6469 #ifdef STRIPBYTECOUNTSORTED_UNUSED
6470 if (tif->tif_dir.td_nstrips > 1 && return_value == 1 ) {
6471 uint32_t strip;
6472
6473 tif->tif_dir.td_stripbytecountsorted = 1;
6474 for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
6475 if (tif->tif_dir.td_stripoffset_p[strip - 1] >
6476 tif->tif_dir.td_stripoffset_p[strip]) {
6477 tif->tif_dir.td_stripbytecountsorted = 0;
6478 break;
6479 }
6480 }
6481 }
6482 #endif
6483
6484 return return_value;
6485 }
6486
6487
6488 /* vim: set ts=8 sts=8 sw=8 noet: */
6489 /*
6490 * Local Variables:
6491 * mode: c
6492 * c-basic-offset: 8
6493 * fill-column: 78
6494 * End:
6495 */
6496