1 /* $Id: tif_read.c,v 1.66 2017-11-17 20:21:00 erouault Exp $ */ 2 3 /* 4 * Copyright (c) 1988-1997 Sam Leffler 5 * Copyright (c) 1991-1997 Silicon Graphics, Inc. 6 * 7 * Permission to use, copy, modify, distribute, and sell this software and 8 * its documentation for any purpose is hereby granted without fee, provided 9 * that (i) the above copyright notices and this permission notice appear in 10 * all copies of the software and related documentation, and (ii) the names of 11 * Sam Leffler and Silicon Graphics may not be used in any advertising or 12 * publicity relating to the software without the specific, prior written 13 * permission of Sam Leffler and Silicon Graphics. 14 * 15 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY 17 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 18 * 19 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR 20 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, 21 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, 22 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF 23 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 24 * OF THIS SOFTWARE. 25 */ 26 27 /* 28 * TIFF Library. 29 * Scanline-oriented Read Support 30 */ 31 #include <precomp.h> 32 //#include <stdio.h> 33 34 #define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) 35 #define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) 36 37 int TIFFFillStrip(TIFF* tif, uint32 strip); 38 int TIFFFillTile(TIFF* tif, uint32 tile); 39 static int TIFFStartStrip(TIFF* tif, uint32 strip); 40 static int TIFFStartTile(TIFF* tif, uint32 tile); 41 static int TIFFCheckRead(TIFF*, int); 42 static tmsize_t 43 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module); 44 static tmsize_t 45 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module); 46 47 #define NOSTRIP ((uint32)(-1)) /* undefined state */ 48 #define NOTILE ((uint32)(-1)) /* undefined state */ 49 50 #define INITIAL_THRESHOLD (1024 * 1024) 51 #define THRESHOLD_MULTIPLIER 10 52 #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) 53 54 /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' 55 * Returns 1 in case of success, 0 otherwise. */ 56 static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, 57 tmsize_t rawdata_offset, 58 int is_strip, uint32 strip_or_tile, 59 const char* module ) 60 { 61 #if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 62 tmsize_t threshold = INITIAL_THRESHOLD; 63 #endif 64 tmsize_t already_read = 0; 65 66 /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ 67 /* so as to avoid allocating too much memory in case the file is too */ 68 /* short. We could ask for the file size, but this might be */ 69 /* expensive with some I/O layers (think of reading a gzipped file) */ 70 /* Restrict to 64 bit processes, so as to avoid reallocs() */ 71 /* on 32 bit processes where virtual memory is scarce. */ 72 while( already_read < size ) 73 { 74 tmsize_t bytes_read; 75 tmsize_t to_read = size - already_read; 76 #if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 77 if( to_read >= threshold && threshold < MAX_THRESHOLD && 78 already_read + to_read + rawdata_offset > tif->tif_rawdatasize ) 79 { 80 to_read = threshold; 81 threshold *= THRESHOLD_MULTIPLIER; 82 } 83 #endif 84 if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize) { 85 uint8* new_rawdata; 86 assert((tif->tif_flags & TIFF_MYBUFFER) != 0); 87 tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64( 88 (uint64)already_read + to_read + rawdata_offset, 1024); 89 if (tif->tif_rawdatasize==0) { 90 TIFFErrorExt(tif->tif_clientdata, module, 91 "Invalid buffer size"); 92 return 0; 93 } 94 new_rawdata = (uint8*) _TIFFrealloc( 95 tif->tif_rawdata, tif->tif_rawdatasize); 96 if( new_rawdata == 0 ) 97 { 98 TIFFErrorExt(tif->tif_clientdata, module, 99 "No space for data buffer at scanline %lu", 100 (unsigned long) tif->tif_row); 101 _TIFFfree(tif->tif_rawdata); 102 tif->tif_rawdata = 0; 103 tif->tif_rawdatasize = 0; 104 return 0; 105 } 106 tif->tif_rawdata = new_rawdata; 107 } 108 109 bytes_read = TIFFReadFile(tif, 110 tif->tif_rawdata + rawdata_offset + already_read, to_read); 111 already_read += bytes_read; 112 if (bytes_read != to_read) { 113 memset( tif->tif_rawdata + rawdata_offset + already_read, 0, 114 tif->tif_rawdatasize - rawdata_offset - already_read ); 115 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 116 if( is_strip ) 117 { 118 TIFFErrorExt(tif->tif_clientdata, module, 119 "Read error at scanline %lu; got %I64u bytes, " 120 "expected %I64u", 121 (unsigned long) tif->tif_row, 122 (unsigned __int64) already_read, 123 (unsigned __int64) size); 124 } 125 else 126 { 127 TIFFErrorExt(tif->tif_clientdata, module, 128 "Read error at row %lu, col %lu, tile %lu; " 129 "got %I64u bytes, expected %I64u", 130 (unsigned long) tif->tif_row, 131 (unsigned long) tif->tif_col, 132 (unsigned long) strip_or_tile, 133 (unsigned __int64) already_read, 134 (unsigned __int64) size); 135 } 136 #else 137 if( is_strip ) 138 { 139 TIFFErrorExt(tif->tif_clientdata, module, 140 "Read error at scanline %lu; got %llu bytes, " 141 "expected %llu", 142 (unsigned long) tif->tif_row, 143 (unsigned long long) already_read, 144 (unsigned long long) size); 145 } 146 else 147 { 148 TIFFErrorExt(tif->tif_clientdata, module, 149 "Read error at row %lu, col %lu, tile %lu; " 150 "got %llu bytes, expected %llu", 151 (unsigned long) tif->tif_row, 152 (unsigned long) tif->tif_col, 153 (unsigned long) strip_or_tile, 154 (unsigned long long) already_read, 155 (unsigned long long) size); 156 } 157 #endif 158 return 0; 159 } 160 } 161 return 1; 162 } 163 164 165 static int 166 TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) 167 { 168 static const char module[] = "TIFFFillStripPartial"; 169 register TIFFDirectory *td = &tif->tif_dir; 170 tmsize_t unused_data; 171 uint64 read_offset; 172 tmsize_t to_read; 173 tmsize_t read_ahead_mod; 174 /* tmsize_t bytecountm; */ 175 176 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) 177 return 0; 178 179 /* 180 * Expand raw data buffer, if needed, to hold data 181 * strip coming from file (perhaps should set upper 182 * bound on the size of a buffer we'll use?). 183 */ 184 185 /* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */ 186 187 /* Not completely sure where the * 2 comes from, but probably for */ 188 /* an exponentional growth strategy of tif_rawdatasize */ 189 if( read_ahead < TIFF_TMSIZE_T_MAX / 2 ) 190 read_ahead_mod = read_ahead * 2; 191 else 192 read_ahead_mod = read_ahead; 193 if (read_ahead_mod > tif->tif_rawdatasize) { 194 assert( restart ); 195 196 tif->tif_curstrip = NOSTRIP; 197 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) { 198 TIFFErrorExt(tif->tif_clientdata, module, 199 "Data buffer too small to hold part of strip %lu", 200 (unsigned long) strip); 201 return (0); 202 } 203 } 204 205 if( restart ) 206 { 207 tif->tif_rawdataloaded = 0; 208 tif->tif_rawdataoff = 0; 209 } 210 211 /* 212 ** If we are reading more data, move any unused data to the 213 ** start of the buffer. 214 */ 215 if( tif->tif_rawdataloaded > 0 ) 216 unused_data = tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata); 217 else 218 unused_data = 0; 219 220 if( unused_data > 0 ) 221 { 222 assert((tif->tif_flags&TIFF_BUFFERMMAP)==0); 223 memmove( tif->tif_rawdata, tif->tif_rawcp, unused_data ); 224 } 225 226 /* 227 ** Seek to the point in the file where more data should be read. 228 */ 229 read_offset = td->td_stripoffset[strip] 230 + tif->tif_rawdataoff + tif->tif_rawdataloaded; 231 232 if (!SeekOK(tif, read_offset)) { 233 TIFFErrorExt(tif->tif_clientdata, module, 234 "Seek error at scanline %lu, strip %lu", 235 (unsigned long) tif->tif_row, (unsigned long) strip); 236 return 0; 237 } 238 239 /* 240 ** How much do we want to read? 241 */ 242 if( read_ahead_mod > tif->tif_rawdatasize ) 243 to_read = read_ahead_mod - unused_data; 244 else 245 to_read = tif->tif_rawdatasize - unused_data; 246 if( (uint64) to_read > td->td_stripbytecount[strip] 247 - tif->tif_rawdataoff - tif->tif_rawdataloaded ) 248 { 249 to_read = (tmsize_t) td->td_stripbytecount[strip] 250 - tif->tif_rawdataoff - tif->tif_rawdataloaded; 251 } 252 253 assert((tif->tif_flags&TIFF_BUFFERMMAP)==0); 254 if( !TIFFReadAndRealloc( tif, to_read, unused_data, 255 1, /* is_strip */ 256 0, /* strip_or_tile */ 257 module) ) 258 { 259 return 0; 260 } 261 262 tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ; 263 tif->tif_rawdataloaded = unused_data + to_read; 264 265 tif->tif_rawcc = tif->tif_rawdataloaded; 266 tif->tif_rawcp = tif->tif_rawdata; 267 268 if (!isFillOrder(tif, td->td_fillorder) && 269 (tif->tif_flags & TIFF_NOBITREV) == 0) { 270 assert((tif->tif_flags&TIFF_BUFFERMMAP)==0); 271 TIFFReverseBits(tif->tif_rawdata + unused_data, to_read ); 272 } 273 274 /* 275 ** When starting a strip from the beginning we need to 276 ** restart the decoder. 277 */ 278 if( restart ) 279 { 280 281 #ifdef JPEG_SUPPORT 282 /* A bit messy since breaks the codec abstraction. Ultimately */ 283 /* there should be a function pointer for that, but it seems */ 284 /* only JPEG is affected. */ 285 /* For JPEG, if there are multiple scans (can generally be known */ 286 /* with the read_ahead used), we need to read the whole strip */ 287 if( tif->tif_dir.td_compression==COMPRESSION_JPEG && 288 (uint64)tif->tif_rawcc < td->td_stripbytecount[strip] ) 289 { 290 if( TIFFJPEGIsFullStripRequired(tif) ) 291 { 292 return TIFFFillStrip(tif, strip); 293 } 294 } 295 #endif 296 297 return TIFFStartStrip(tif, strip); 298 } 299 else 300 { 301 return 1; 302 } 303 } 304 305 /* 306 * Seek to a random row+sample in a file. 307 * 308 * Only used by TIFFReadScanline, and is only used on 309 * strip organized files. We do some tricky stuff to try 310 * and avoid reading the whole compressed raw data for big 311 * strips. 312 */ 313 static int 314 TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) 315 { 316 register TIFFDirectory *td = &tif->tif_dir; 317 uint32 strip; 318 int whole_strip; 319 tmsize_t read_ahead = 0; 320 321 /* 322 ** Establish what strip we are working from. 323 */ 324 if (row >= td->td_imagelength) { /* out of range */ 325 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, 326 "%lu: Row out of range, max %lu", 327 (unsigned long) row, 328 (unsigned long) td->td_imagelength); 329 return (0); 330 } 331 if (td->td_planarconfig == PLANARCONFIG_SEPARATE) { 332 if (sample >= td->td_samplesperpixel) { 333 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, 334 "%lu: Sample out of range, max %lu", 335 (unsigned long) sample, (unsigned long) td->td_samplesperpixel); 336 return (0); 337 } 338 strip = (uint32)sample*td->td_stripsperimage + row/td->td_rowsperstrip; 339 } else 340 strip = row / td->td_rowsperstrip; 341 342 /* 343 * Do we want to treat this strip as one whole chunk or 344 * read it a few lines at a time? 345 */ 346 #if defined(CHUNKY_STRIP_READ_SUPPORT) 347 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) 348 return 0; 349 whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 350 || isMapped(tif); 351 #else 352 whole_strip = 1; 353 #endif 354 355 if( !whole_strip ) 356 { 357 /* 16 is for YCbCr mode where we may need to read 16 */ 358 /* lines at a time to get a decompressed line, and 5000 */ 359 /* is some constant value, for example for JPEG tables */ 360 if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 && 361 tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 ) 362 { 363 read_ahead = tif->tif_scanlinesize * 16 + 5000; 364 } 365 else 366 { 367 read_ahead = tif->tif_scanlinesize; 368 } 369 } 370 371 /* 372 * If we haven't loaded this strip, do so now, possibly 373 * only reading the first part. 374 */ 375 if (strip != tif->tif_curstrip) { /* different strip, refill */ 376 377 if( whole_strip ) 378 { 379 if (!TIFFFillStrip(tif, strip)) 380 return (0); 381 } 382 else 383 { 384 if( !TIFFFillStripPartial(tif,strip,read_ahead,1) ) 385 return 0; 386 } 387 } 388 389 /* 390 ** If we already have some data loaded, do we need to read some more? 391 */ 392 else if( !whole_strip ) 393 { 394 if( ((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) < read_ahead 395 && (uint64) tif->tif_rawdataoff+tif->tif_rawdataloaded < td->td_stripbytecount[strip] ) 396 { 397 if( !TIFFFillStripPartial(tif,strip,read_ahead,0) ) 398 return 0; 399 } 400 } 401 402 if (row < tif->tif_row) { 403 /* 404 * Moving backwards within the same strip: backup 405 * to the start and then decode forward (below). 406 * 407 * NB: If you're planning on lots of random access within a 408 * strip, it's better to just read and decode the entire 409 * strip, and then access the decoded data in a random fashion. 410 */ 411 412 if( tif->tif_rawdataoff != 0 ) 413 { 414 if( !TIFFFillStripPartial(tif,strip,read_ahead,1) ) 415 return 0; 416 } 417 else 418 { 419 if (!TIFFStartStrip(tif, strip)) 420 return (0); 421 } 422 } 423 424 if (row != tif->tif_row) { 425 /* 426 * Seek forward to the desired row. 427 */ 428 429 /* TODO: Will this really work with partial buffers? */ 430 431 if (!(*tif->tif_seek)(tif, row - tif->tif_row)) 432 return (0); 433 tif->tif_row = row; 434 } 435 436 return (1); 437 } 438 439 int 440 TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample) 441 { 442 int e; 443 444 if (!TIFFCheckRead(tif, 0)) 445 return (-1); 446 if( (e = TIFFSeek(tif, row, sample)) != 0) { 447 /* 448 * Decompress desired row into user buffer. 449 */ 450 e = (*tif->tif_decoderow) 451 (tif, (uint8*) buf, tif->tif_scanlinesize, sample); 452 453 /* we are now poised at the beginning of the next row */ 454 tif->tif_row = row + 1; 455 456 if (e) 457 (*tif->tif_postdecode)(tif, (uint8*) buf, 458 tif->tif_scanlinesize); 459 } 460 return (e > 0 ? 1 : -1); 461 } 462 463 /* 464 * Calculate the strip size according to the number of 465 * rows in the strip (check for truncated last strip on any 466 * of the separations). 467 */ 468 static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane) 469 { 470 static const char module[] = "TIFFReadEncodedStrip"; 471 TIFFDirectory *td = &tif->tif_dir; 472 uint32 rowsperstrip; 473 uint32 stripsperplane; 474 uint32 stripinplane; 475 uint32 rows; 476 tmsize_t stripsize; 477 if (!TIFFCheckRead(tif,0)) 478 return((tmsize_t)(-1)); 479 if (strip>=td->td_nstrips) 480 { 481 TIFFErrorExt(tif->tif_clientdata,module, 482 "%lu: Strip out of range, max %lu",(unsigned long)strip, 483 (unsigned long)td->td_nstrips); 484 return((tmsize_t)(-1)); 485 } 486 487 rowsperstrip=td->td_rowsperstrip; 488 if (rowsperstrip>td->td_imagelength) 489 rowsperstrip=td->td_imagelength; 490 stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); 491 stripinplane=(strip%stripsperplane); 492 if( pplane ) *pplane=(uint16)(strip/stripsperplane); 493 rows=td->td_imagelength-stripinplane*rowsperstrip; 494 if (rows>rowsperstrip) 495 rows=rowsperstrip; 496 stripsize=TIFFVStripSize(tif,rows); 497 if (stripsize==0) 498 return((tmsize_t)(-1)); 499 return stripsize; 500 } 501 502 /* 503 * Read a strip of data and decompress the specified 504 * amount into the user-supplied buffer. 505 */ 506 tmsize_t 507 TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 508 { 509 static const char module[] = "TIFFReadEncodedStrip"; 510 TIFFDirectory *td = &tif->tif_dir; 511 tmsize_t stripsize; 512 uint16 plane; 513 514 stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); 515 if (stripsize==((tmsize_t)(-1))) 516 return((tmsize_t)(-1)); 517 518 /* shortcut to avoid an extra memcpy() */ 519 if( td->td_compression == COMPRESSION_NONE && 520 size!=(tmsize_t)(-1) && size >= stripsize && 521 !isMapped(tif) && 522 ((tif->tif_flags&TIFF_NOREADRAW)==0) ) 523 { 524 if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize) 525 return ((tmsize_t)(-1)); 526 527 if (!isFillOrder(tif, td->td_fillorder) && 528 (tif->tif_flags & TIFF_NOBITREV) == 0) 529 TIFFReverseBits(buf,stripsize); 530 531 (*tif->tif_postdecode)(tif,buf,stripsize); 532 return (stripsize); 533 } 534 535 if ((size!=(tmsize_t)(-1))&&(size<stripsize)) 536 stripsize=size; 537 if (!TIFFFillStrip(tif,strip)) 538 return((tmsize_t)(-1)); 539 if ((*tif->tif_decodestrip)(tif,buf,stripsize,plane)<=0) 540 return((tmsize_t)(-1)); 541 (*tif->tif_postdecode)(tif,buf,stripsize); 542 return(stripsize); 543 } 544 545 /* Variant of TIFFReadEncodedStrip() that does 546 * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has 547 * succeeded. This avoid excessive memory allocation in case of truncated 548 * file. 549 * * calls regular TIFFReadEncodedStrip() if *buf != NULL 550 */ 551 tmsize_t 552 _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, 553 void **buf, tmsize_t bufsizetoalloc, 554 tmsize_t size_to_read) 555 { 556 tmsize_t this_stripsize; 557 uint16 plane; 558 559 if( *buf != NULL ) 560 { 561 return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read); 562 } 563 564 this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); 565 if (this_stripsize==((tmsize_t)(-1))) 566 return((tmsize_t)(-1)); 567 568 if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize)) 569 this_stripsize=size_to_read; 570 if (!TIFFFillStrip(tif,strip)) 571 return((tmsize_t)(-1)); 572 573 *buf = _TIFFmalloc(bufsizetoalloc); 574 if (*buf == NULL) { 575 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); 576 return((tmsize_t)(-1)); 577 } 578 _TIFFmemset(*buf, 0, bufsizetoalloc); 579 580 if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0) 581 return((tmsize_t)(-1)); 582 (*tif->tif_postdecode)(tif,*buf,this_stripsize); 583 return(this_stripsize); 584 585 586 } 587 588 static tmsize_t 589 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, 590 const char* module) 591 { 592 TIFFDirectory *td = &tif->tif_dir; 593 594 if (!_TIFFFillStriles( tif )) 595 return ((tmsize_t)(-1)); 596 597 assert((tif->tif_flags&TIFF_NOREADRAW)==0); 598 if (!isMapped(tif)) { 599 tmsize_t cc; 600 601 if (!SeekOK(tif, td->td_stripoffset[strip])) { 602 TIFFErrorExt(tif->tif_clientdata, module, 603 "Seek error at scanline %lu, strip %lu", 604 (unsigned long) tif->tif_row, (unsigned long) strip); 605 return ((tmsize_t)(-1)); 606 } 607 cc = TIFFReadFile(tif, buf, size); 608 if (cc != size) { 609 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 610 TIFFErrorExt(tif->tif_clientdata, module, 611 "Read error at scanline %lu; got %I64u bytes, expected %I64u", 612 (unsigned long) tif->tif_row, 613 (unsigned __int64) cc, 614 (unsigned __int64) size); 615 #else 616 TIFFErrorExt(tif->tif_clientdata, module, 617 "Read error at scanline %lu; got %llu bytes, expected %llu", 618 (unsigned long) tif->tif_row, 619 (unsigned long long) cc, 620 (unsigned long long) size); 621 #endif 622 return ((tmsize_t)(-1)); 623 } 624 } else { 625 tmsize_t ma = 0; 626 tmsize_t n; 627 if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| 628 ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) 629 { 630 n=0; 631 } 632 else if( ma > TIFF_TMSIZE_T_MAX - size ) 633 { 634 n=0; 635 } 636 else 637 { 638 tmsize_t mb=ma+size; 639 if (mb>tif->tif_size) 640 n=tif->tif_size-ma; 641 else 642 n=size; 643 } 644 if (n!=size) { 645 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 646 TIFFErrorExt(tif->tif_clientdata, module, 647 "Read error at scanline %lu, strip %lu; got %I64u bytes, expected %I64u", 648 (unsigned long) tif->tif_row, 649 (unsigned long) strip, 650 (unsigned __int64) n, 651 (unsigned __int64) size); 652 #else 653 TIFFErrorExt(tif->tif_clientdata, module, 654 "Read error at scanline %lu, strip %lu; got %llu bytes, expected %llu", 655 (unsigned long) tif->tif_row, 656 (unsigned long) strip, 657 (unsigned long long) n, 658 (unsigned long long) size); 659 #endif 660 return ((tmsize_t)(-1)); 661 } 662 _TIFFmemcpy(buf, tif->tif_base + ma, 663 size); 664 } 665 return (size); 666 } 667 668 static tmsize_t 669 TIFFReadRawStripOrTile2(TIFF* tif, uint32 strip_or_tile, int is_strip, 670 tmsize_t size, const char* module) 671 { 672 TIFFDirectory *td = &tif->tif_dir; 673 674 assert( !isMapped(tif) ); 675 assert((tif->tif_flags&TIFF_NOREADRAW)==0); 676 677 if (!SeekOK(tif, td->td_stripoffset[strip_or_tile])) { 678 if( is_strip ) 679 { 680 TIFFErrorExt(tif->tif_clientdata, module, 681 "Seek error at scanline %lu, strip %lu", 682 (unsigned long) tif->tif_row, 683 (unsigned long) strip_or_tile); 684 } 685 else 686 { 687 TIFFErrorExt(tif->tif_clientdata, module, 688 "Seek error at row %lu, col %lu, tile %lu", 689 (unsigned long) tif->tif_row, 690 (unsigned long) tif->tif_col, 691 (unsigned long) strip_or_tile); 692 } 693 return ((tmsize_t)(-1)); 694 } 695 696 if( !TIFFReadAndRealloc( tif, size, 0, is_strip, 697 strip_or_tile, module ) ) 698 { 699 return ((tmsize_t)(-1)); 700 } 701 702 return (size); 703 } 704 705 /* 706 * Read a strip of data from the file. 707 */ 708 tmsize_t 709 TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 710 { 711 static const char module[] = "TIFFReadRawStrip"; 712 TIFFDirectory *td = &tif->tif_dir; 713 uint64 bytecount; 714 tmsize_t bytecountm; 715 716 if (!TIFFCheckRead(tif, 0)) 717 return ((tmsize_t)(-1)); 718 if (strip >= td->td_nstrips) { 719 TIFFErrorExt(tif->tif_clientdata, module, 720 "%lu: Strip out of range, max %lu", 721 (unsigned long) strip, 722 (unsigned long) td->td_nstrips); 723 return ((tmsize_t)(-1)); 724 } 725 if (tif->tif_flags&TIFF_NOREADRAW) 726 { 727 TIFFErrorExt(tif->tif_clientdata, module, 728 "Compression scheme does not support access to raw uncompressed data"); 729 return ((tmsize_t)(-1)); 730 } 731 bytecount = td->td_stripbytecount[strip]; 732 if ((int64)bytecount <= 0) { 733 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 734 TIFFErrorExt(tif->tif_clientdata, module, 735 "%I64u: Invalid strip byte count, strip %lu", 736 (unsigned __int64) bytecount, 737 (unsigned long) strip); 738 #else 739 TIFFErrorExt(tif->tif_clientdata, module, 740 "%llu: Invalid strip byte count, strip %lu", 741 (unsigned long long) bytecount, 742 (unsigned long) strip); 743 #endif 744 return ((tmsize_t)(-1)); 745 } 746 bytecountm = (tmsize_t)bytecount; 747 if ((uint64)bytecountm!=bytecount) { 748 TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); 749 return ((tmsize_t)(-1)); 750 } 751 if (size != (tmsize_t)(-1) && size < bytecountm) 752 bytecountm = size; 753 return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module)); 754 } 755 756 /* 757 * Read the specified strip and setup for decoding. The data buffer is 758 * expanded, as necessary, to hold the strip's data. 759 */ 760 int 761 TIFFFillStrip(TIFF* tif, uint32 strip) 762 { 763 static const char module[] = "TIFFFillStrip"; 764 TIFFDirectory *td = &tif->tif_dir; 765 766 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) 767 return 0; 768 769 if ((tif->tif_flags&TIFF_NOREADRAW)==0) 770 { 771 uint64 bytecount = td->td_stripbytecount[strip]; 772 if ((int64)bytecount <= 0) { 773 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 774 TIFFErrorExt(tif->tif_clientdata, module, 775 "Invalid strip byte count %I64u, strip %lu", 776 (unsigned __int64) bytecount, 777 (unsigned long) strip); 778 #else 779 TIFFErrorExt(tif->tif_clientdata, module, 780 "Invalid strip byte count %llu, strip %lu", 781 (unsigned long long) bytecount, 782 (unsigned long) strip); 783 #endif 784 return (0); 785 } 786 787 /* To avoid excessive memory allocations: */ 788 /* Byte count should normally not be larger than a number of */ 789 /* times the uncompressed size plus some margin */ 790 if( bytecount > 1024 * 1024 ) 791 { 792 /* 10 and 4096 are just values that could be adjusted. */ 793 /* Hopefully they are safe enough for all codecs */ 794 tmsize_t stripsize = TIFFStripSize(tif); 795 if( stripsize != 0 && 796 (bytecount - 4096) / 10 > (uint64)stripsize ) 797 { 798 uint64 newbytecount = (uint64)stripsize * 10 + 4096; 799 if( (int64)newbytecount >= 0 ) 800 { 801 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 802 TIFFWarningExt(tif->tif_clientdata, module, 803 "Too large strip byte count %I64u, strip %lu. Limiting to %I64u", 804 (unsigned __int64) bytecount, 805 (unsigned long) strip, 806 (unsigned __int64) newbytecount); 807 #else 808 TIFFErrorExt(tif->tif_clientdata, module, 809 "Too large strip byte count %llu, strip %lu. Limiting to %llu", 810 (unsigned long long) bytecount, 811 (unsigned long) strip, 812 (unsigned long long) newbytecount); 813 #endif 814 bytecount = newbytecount; 815 } 816 } 817 } 818 819 if (isMapped(tif)) { 820 /* 821 * We must check for overflow, potentially causing 822 * an OOB read. Instead of simple 823 * 824 * td->td_stripoffset[strip]+bytecount > tif->tif_size 825 * 826 * comparison (which can overflow) we do the following 827 * two comparisons: 828 */ 829 if (bytecount > (uint64)tif->tif_size || 830 td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) { 831 /* 832 * This error message might seem strange, but 833 * it's what would happen if a read were done 834 * instead. 835 */ 836 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 837 TIFFErrorExt(tif->tif_clientdata, module, 838 839 "Read error on strip %lu; " 840 "got %I64u bytes, expected %I64u", 841 (unsigned long) strip, 842 (unsigned __int64) tif->tif_size - td->td_stripoffset[strip], 843 (unsigned __int64) bytecount); 844 #else 845 TIFFErrorExt(tif->tif_clientdata, module, 846 847 "Read error on strip %lu; " 848 "got %llu bytes, expected %llu", 849 (unsigned long) strip, 850 (unsigned long long) tif->tif_size - td->td_stripoffset[strip], 851 (unsigned long long) bytecount); 852 #endif 853 tif->tif_curstrip = NOSTRIP; 854 return (0); 855 } 856 } 857 858 if (isMapped(tif) && 859 (isFillOrder(tif, td->td_fillorder) 860 || (tif->tif_flags & TIFF_NOBITREV))) { 861 /* 862 * The image is mapped into memory and we either don't 863 * need to flip bits or the compression routine is 864 * going to handle this operation itself. In this 865 * case, avoid copying the raw data and instead just 866 * reference the data from the memory mapped file 867 * image. This assumes that the decompression 868 * routines do not modify the contents of the raw data 869 * buffer (if they try to, the application will get a 870 * fault since the file is mapped read-only). 871 */ 872 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) { 873 _TIFFfree(tif->tif_rawdata); 874 tif->tif_rawdata = NULL; 875 tif->tif_rawdatasize = 0; 876 } 877 tif->tif_flags &= ~TIFF_MYBUFFER; 878 tif->tif_rawdatasize = (tmsize_t)bytecount; 879 tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip]; 880 tif->tif_rawdataoff = 0; 881 tif->tif_rawdataloaded = (tmsize_t) bytecount; 882 883 /* 884 * When we have tif_rawdata reference directly into the memory mapped file 885 * we need to be pretty careful about how we use the rawdata. It is not 886 * a general purpose working buffer as it normally otherwise is. So we 887 * keep track of this fact to avoid using it improperly. 888 */ 889 tif->tif_flags |= TIFF_BUFFERMMAP; 890 } else { 891 /* 892 * Expand raw data buffer, if needed, to hold data 893 * strip coming from file (perhaps should set upper 894 * bound on the size of a buffer we'll use?). 895 */ 896 tmsize_t bytecountm; 897 bytecountm=(tmsize_t)bytecount; 898 if ((uint64)bytecountm!=bytecount) 899 { 900 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); 901 return(0); 902 } 903 if (bytecountm > tif->tif_rawdatasize) { 904 tif->tif_curstrip = NOSTRIP; 905 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) { 906 TIFFErrorExt(tif->tif_clientdata, module, 907 "Data buffer too small to hold strip %lu", 908 (unsigned long) strip); 909 return (0); 910 } 911 } 912 if (tif->tif_flags&TIFF_BUFFERMMAP) { 913 tif->tif_curstrip = NOSTRIP; 914 tif->tif_rawdata = NULL; 915 tif->tif_rawdatasize = 0; 916 tif->tif_flags &= ~TIFF_BUFFERMMAP; 917 } 918 919 if( isMapped(tif) ) 920 { 921 if (bytecountm > tif->tif_rawdatasize && 922 !TIFFReadBufferSetup(tif, 0, bytecountm)) 923 { 924 return (0); 925 } 926 if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata, 927 bytecountm, module) != bytecountm) 928 { 929 return (0); 930 } 931 } 932 else 933 { 934 if (TIFFReadRawStripOrTile2(tif, strip, 1, 935 bytecountm, module) != bytecountm) 936 { 937 return (0); 938 } 939 } 940 941 942 tif->tif_rawdataoff = 0; 943 tif->tif_rawdataloaded = bytecountm; 944 945 if (!isFillOrder(tif, td->td_fillorder) && 946 (tif->tif_flags & TIFF_NOBITREV) == 0) 947 TIFFReverseBits(tif->tif_rawdata, bytecountm); 948 } 949 } 950 return (TIFFStartStrip(tif, strip)); 951 } 952 953 /* 954 * Tile-oriented Read Support 955 * Contributed by Nancy Cam (Silicon Graphics). 956 */ 957 958 /* 959 * Read and decompress a tile of data. The 960 * tile is selected by the (x,y,z,s) coordinates. 961 */ 962 tmsize_t 963 TIFFReadTile(TIFF* tif, void* buf, uint32 x, uint32 y, uint32 z, uint16 s) 964 { 965 if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s)) 966 return ((tmsize_t)(-1)); 967 return (TIFFReadEncodedTile(tif, 968 TIFFComputeTile(tif, x, y, z, s), buf, (tmsize_t)(-1))); 969 } 970 971 /* 972 * Read a tile of data and decompress the specified 973 * amount into the user-supplied buffer. 974 */ 975 tmsize_t 976 TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) 977 { 978 static const char module[] = "TIFFReadEncodedTile"; 979 TIFFDirectory *td = &tif->tif_dir; 980 tmsize_t tilesize = tif->tif_tilesize; 981 982 if (!TIFFCheckRead(tif, 1)) 983 return ((tmsize_t)(-1)); 984 if (tile >= td->td_nstrips) { 985 TIFFErrorExt(tif->tif_clientdata, module, 986 "%lu: Tile out of range, max %lu", 987 (unsigned long) tile, (unsigned long) td->td_nstrips); 988 return ((tmsize_t)(-1)); 989 } 990 991 /* shortcut to avoid an extra memcpy() */ 992 if( td->td_compression == COMPRESSION_NONE && 993 size!=(tmsize_t)(-1) && size >= tilesize && 994 !isMapped(tif) && 995 ((tif->tif_flags&TIFF_NOREADRAW)==0) ) 996 { 997 if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize) 998 return ((tmsize_t)(-1)); 999 1000 if (!isFillOrder(tif, td->td_fillorder) && 1001 (tif->tif_flags & TIFF_NOBITREV) == 0) 1002 TIFFReverseBits(buf,tilesize); 1003 1004 (*tif->tif_postdecode)(tif,buf,tilesize); 1005 return (tilesize); 1006 } 1007 1008 if (size == (tmsize_t)(-1)) 1009 size = tilesize; 1010 else if (size > tilesize) 1011 size = tilesize; 1012 if (TIFFFillTile(tif, tile) && (*tif->tif_decodetile)(tif, 1013 (uint8*) buf, size, (uint16)(tile/td->td_stripsperimage))) { 1014 (*tif->tif_postdecode)(tif, (uint8*) buf, size); 1015 return (size); 1016 } else 1017 return ((tmsize_t)(-1)); 1018 } 1019 1020 /* Variant of TIFFReadTile() that does 1021 * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has 1022 * succeeded. This avoid excessive memory allocation in case of truncated 1023 * file. 1024 * * calls regular TIFFReadEncodedTile() if *buf != NULL 1025 */ 1026 tmsize_t 1027 _TIFFReadTileAndAllocBuffer(TIFF* tif, 1028 void **buf, tmsize_t bufsizetoalloc, 1029 uint32 x, uint32 y, uint32 z, uint16 s) 1030 { 1031 if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s)) 1032 return ((tmsize_t)(-1)); 1033 return (_TIFFReadEncodedTileAndAllocBuffer(tif, 1034 TIFFComputeTile(tif, x, y, z, s), 1035 buf, bufsizetoalloc, 1036 (tmsize_t)(-1))); 1037 } 1038 1039 /* Variant of TIFFReadEncodedTile() that does 1040 * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has 1041 * succeeded. This avoid excessive memory allocation in case of truncated 1042 * file. 1043 * * calls regular TIFFReadEncodedTile() if *buf != NULL 1044 */ 1045 tmsize_t 1046 _TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, 1047 void **buf, tmsize_t bufsizetoalloc, 1048 tmsize_t size_to_read) 1049 { 1050 static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer"; 1051 TIFFDirectory *td = &tif->tif_dir; 1052 tmsize_t tilesize = tif->tif_tilesize; 1053 1054 if( *buf != NULL ) 1055 { 1056 return TIFFReadEncodedTile(tif, tile, *buf, size_to_read); 1057 } 1058 1059 if (!TIFFCheckRead(tif, 1)) 1060 return ((tmsize_t)(-1)); 1061 if (tile >= td->td_nstrips) { 1062 TIFFErrorExt(tif->tif_clientdata, module, 1063 "%lu: Tile out of range, max %lu", 1064 (unsigned long) tile, (unsigned long) td->td_nstrips); 1065 return ((tmsize_t)(-1)); 1066 } 1067 1068 if (!TIFFFillTile(tif,tile)) 1069 return((tmsize_t)(-1)); 1070 1071 *buf = _TIFFmalloc(bufsizetoalloc); 1072 if (*buf == NULL) { 1073 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), 1074 "No space for tile buffer"); 1075 return((tmsize_t)(-1)); 1076 } 1077 _TIFFmemset(*buf, 0, bufsizetoalloc); 1078 1079 if (size_to_read == (tmsize_t)(-1)) 1080 size_to_read = tilesize; 1081 else if (size_to_read > tilesize) 1082 size_to_read = tilesize; 1083 if( (*tif->tif_decodetile)(tif, 1084 (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) { 1085 (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read); 1086 return (size_to_read); 1087 } else 1088 return ((tmsize_t)(-1)); 1089 } 1090 1091 static tmsize_t 1092 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module) 1093 { 1094 TIFFDirectory *td = &tif->tif_dir; 1095 1096 if (!_TIFFFillStriles( tif )) 1097 return ((tmsize_t)(-1)); 1098 1099 assert((tif->tif_flags&TIFF_NOREADRAW)==0); 1100 if (!isMapped(tif)) { 1101 tmsize_t cc; 1102 1103 if (!SeekOK(tif, td->td_stripoffset[tile])) { 1104 TIFFErrorExt(tif->tif_clientdata, module, 1105 "Seek error at row %lu, col %lu, tile %lu", 1106 (unsigned long) tif->tif_row, 1107 (unsigned long) tif->tif_col, 1108 (unsigned long) tile); 1109 return ((tmsize_t)(-1)); 1110 } 1111 cc = TIFFReadFile(tif, buf, size); 1112 if (cc != size) { 1113 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 1114 TIFFErrorExt(tif->tif_clientdata, module, 1115 "Read error at row %lu, col %lu; got %I64u bytes, expected %I64u", 1116 (unsigned long) tif->tif_row, 1117 (unsigned long) tif->tif_col, 1118 (unsigned __int64) cc, 1119 (unsigned __int64) size); 1120 #else 1121 TIFFErrorExt(tif->tif_clientdata, module, 1122 "Read error at row %lu, col %lu; got %llu bytes, expected %llu", 1123 (unsigned long) tif->tif_row, 1124 (unsigned long) tif->tif_col, 1125 (unsigned long long) cc, 1126 (unsigned long long) size); 1127 #endif 1128 return ((tmsize_t)(-1)); 1129 } 1130 } else { 1131 tmsize_t ma,mb; 1132 tmsize_t n; 1133 ma=(tmsize_t)td->td_stripoffset[tile]; 1134 mb=ma+size; 1135 if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) 1136 n=0; 1137 else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) 1138 n=tif->tif_size-ma; 1139 else 1140 n=size; 1141 if (n!=size) { 1142 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 1143 TIFFErrorExt(tif->tif_clientdata, module, 1144 "Read error at row %lu, col %lu, tile %lu; got %I64u bytes, expected %I64u", 1145 (unsigned long) tif->tif_row, 1146 (unsigned long) tif->tif_col, 1147 (unsigned long) tile, 1148 (unsigned __int64) n, 1149 (unsigned __int64) size); 1150 #else 1151 TIFFErrorExt(tif->tif_clientdata, module, 1152 "Read error at row %lu, col %lu, tile %lu; got %llu bytes, expected %llu", 1153 (unsigned long) tif->tif_row, 1154 (unsigned long) tif->tif_col, 1155 (unsigned long) tile, 1156 (unsigned long long) n, 1157 (unsigned long long) size); 1158 #endif 1159 return ((tmsize_t)(-1)); 1160 } 1161 _TIFFmemcpy(buf, tif->tif_base + ma, size); 1162 } 1163 return (size); 1164 } 1165 1166 /* 1167 * Read a tile of data from the file. 1168 */ 1169 tmsize_t 1170 TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) 1171 { 1172 static const char module[] = "TIFFReadRawTile"; 1173 TIFFDirectory *td = &tif->tif_dir; 1174 uint64 bytecount64; 1175 tmsize_t bytecountm; 1176 1177 if (!TIFFCheckRead(tif, 1)) 1178 return ((tmsize_t)(-1)); 1179 if (tile >= td->td_nstrips) { 1180 TIFFErrorExt(tif->tif_clientdata, module, 1181 "%lu: Tile out of range, max %lu", 1182 (unsigned long) tile, (unsigned long) td->td_nstrips); 1183 return ((tmsize_t)(-1)); 1184 } 1185 if (tif->tif_flags&TIFF_NOREADRAW) 1186 { 1187 TIFFErrorExt(tif->tif_clientdata, module, 1188 "Compression scheme does not support access to raw uncompressed data"); 1189 return ((tmsize_t)(-1)); 1190 } 1191 bytecount64 = td->td_stripbytecount[tile]; 1192 if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) 1193 bytecount64 = (uint64)size; 1194 bytecountm = (tmsize_t)bytecount64; 1195 if ((uint64)bytecountm!=bytecount64) 1196 { 1197 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); 1198 return ((tmsize_t)(-1)); 1199 } 1200 return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); 1201 } 1202 1203 /* 1204 * Read the specified tile and setup for decoding. The data buffer is 1205 * expanded, as necessary, to hold the tile's data. 1206 */ 1207 int 1208 TIFFFillTile(TIFF* tif, uint32 tile) 1209 { 1210 static const char module[] = "TIFFFillTile"; 1211 TIFFDirectory *td = &tif->tif_dir; 1212 1213 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) 1214 return 0; 1215 1216 if ((tif->tif_flags&TIFF_NOREADRAW)==0) 1217 { 1218 uint64 bytecount = td->td_stripbytecount[tile]; 1219 if ((int64)bytecount <= 0) { 1220 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 1221 TIFFErrorExt(tif->tif_clientdata, module, 1222 "%I64u: Invalid tile byte count, tile %lu", 1223 (unsigned __int64) bytecount, 1224 (unsigned long) tile); 1225 #else 1226 TIFFErrorExt(tif->tif_clientdata, module, 1227 "%llu: Invalid tile byte count, tile %lu", 1228 (unsigned long long) bytecount, 1229 (unsigned long) tile); 1230 #endif 1231 return (0); 1232 } 1233 1234 /* To avoid excessive memory allocations: */ 1235 /* Byte count should normally not be larger than a number of */ 1236 /* times the uncompressed size plus some margin */ 1237 if( bytecount > 1024 * 1024 ) 1238 { 1239 /* 10 and 4096 are just values that could be adjusted. */ 1240 /* Hopefully they are safe enough for all codecs */ 1241 tmsize_t stripsize = TIFFTileSize(tif); 1242 if( stripsize != 0 && 1243 (bytecount - 4096) / 10 > (uint64)stripsize ) 1244 { 1245 uint64 newbytecount = (uint64)stripsize * 10 + 4096; 1246 if( (int64)newbytecount >= 0 ) 1247 { 1248 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 1249 TIFFWarningExt(tif->tif_clientdata, module, 1250 "Too large tile byte count %I64u, tile %lu. Limiting to %I64u", 1251 (unsigned __int64) bytecount, 1252 (unsigned long) tile, 1253 (unsigned __int64) newbytecount); 1254 #else 1255 TIFFErrorExt(tif->tif_clientdata, module, 1256 "Too large tile byte count %llu, tile %lu. Limiting to %llu", 1257 (unsigned long long) bytecount, 1258 (unsigned long) tile, 1259 (unsigned long long) newbytecount); 1260 #endif 1261 bytecount = newbytecount; 1262 } 1263 } 1264 } 1265 1266 if (isMapped(tif)) { 1267 /* 1268 * We must check for overflow, potentially causing 1269 * an OOB read. Instead of simple 1270 * 1271 * td->td_stripoffset[tile]+bytecount > tif->tif_size 1272 * 1273 * comparison (which can overflow) we do the following 1274 * two comparisons: 1275 */ 1276 if (bytecount > (uint64)tif->tif_size || 1277 td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) { 1278 tif->tif_curtile = NOTILE; 1279 return (0); 1280 } 1281 } 1282 1283 if (isMapped(tif) && 1284 (isFillOrder(tif, td->td_fillorder) 1285 || (tif->tif_flags & TIFF_NOBITREV))) { 1286 /* 1287 * The image is mapped into memory and we either don't 1288 * need to flip bits or the compression routine is 1289 * going to handle this operation itself. In this 1290 * case, avoid copying the raw data and instead just 1291 * reference the data from the memory mapped file 1292 * image. This assumes that the decompression 1293 * routines do not modify the contents of the raw data 1294 * buffer (if they try to, the application will get a 1295 * fault since the file is mapped read-only). 1296 */ 1297 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) { 1298 _TIFFfree(tif->tif_rawdata); 1299 tif->tif_rawdata = NULL; 1300 tif->tif_rawdatasize = 0; 1301 } 1302 tif->tif_flags &= ~TIFF_MYBUFFER; 1303 1304 tif->tif_rawdatasize = (tmsize_t)bytecount; 1305 tif->tif_rawdata = 1306 tif->tif_base + (tmsize_t)td->td_stripoffset[tile]; 1307 tif->tif_rawdataoff = 0; 1308 tif->tif_rawdataloaded = (tmsize_t) bytecount; 1309 tif->tif_flags |= TIFF_BUFFERMMAP; 1310 } else { 1311 /* 1312 * Expand raw data buffer, if needed, to hold data 1313 * tile coming from file (perhaps should set upper 1314 * bound on the size of a buffer we'll use?). 1315 */ 1316 tmsize_t bytecountm; 1317 bytecountm=(tmsize_t)bytecount; 1318 if ((uint64)bytecountm!=bytecount) 1319 { 1320 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); 1321 return(0); 1322 } 1323 if (bytecountm > tif->tif_rawdatasize) { 1324 tif->tif_curtile = NOTILE; 1325 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) { 1326 TIFFErrorExt(tif->tif_clientdata, module, 1327 "Data buffer too small to hold tile %lu", 1328 (unsigned long) tile); 1329 return (0); 1330 } 1331 } 1332 if (tif->tif_flags&TIFF_BUFFERMMAP) { 1333 tif->tif_curtile = NOTILE; 1334 tif->tif_rawdata = NULL; 1335 tif->tif_rawdatasize = 0; 1336 tif->tif_flags &= ~TIFF_BUFFERMMAP; 1337 } 1338 1339 if( isMapped(tif) ) 1340 { 1341 if (bytecountm > tif->tif_rawdatasize && 1342 !TIFFReadBufferSetup(tif, 0, bytecountm)) 1343 { 1344 return (0); 1345 } 1346 if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata, 1347 bytecountm, module) != bytecountm) 1348 { 1349 return (0); 1350 } 1351 } 1352 else 1353 { 1354 if (TIFFReadRawStripOrTile2(tif, tile, 0, 1355 bytecountm, module) != bytecountm) 1356 { 1357 return (0); 1358 } 1359 } 1360 1361 1362 tif->tif_rawdataoff = 0; 1363 tif->tif_rawdataloaded = bytecountm; 1364 1365 if (!isFillOrder(tif, td->td_fillorder) && 1366 (tif->tif_flags & TIFF_NOBITREV) == 0) 1367 TIFFReverseBits(tif->tif_rawdata, 1368 tif->tif_rawdataloaded); 1369 } 1370 } 1371 return (TIFFStartTile(tif, tile)); 1372 } 1373 1374 /* 1375 * Setup the raw data buffer in preparation for 1376 * reading a strip of raw data. If the buffer 1377 * is specified as zero, then a buffer of appropriate 1378 * size is allocated by the library. Otherwise, 1379 * the client must guarantee that the buffer is 1380 * large enough to hold any individual strip of 1381 * raw data. 1382 */ 1383 int 1384 TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size) 1385 { 1386 static const char module[] = "TIFFReadBufferSetup"; 1387 1388 assert((tif->tif_flags&TIFF_NOREADRAW)==0); 1389 tif->tif_flags &= ~TIFF_BUFFERMMAP; 1390 1391 if (tif->tif_rawdata) { 1392 if (tif->tif_flags & TIFF_MYBUFFER) 1393 _TIFFfree(tif->tif_rawdata); 1394 tif->tif_rawdata = NULL; 1395 tif->tif_rawdatasize = 0; 1396 } 1397 if (bp) { 1398 tif->tif_rawdatasize = size; 1399 tif->tif_rawdata = (uint8*) bp; 1400 tif->tif_flags &= ~TIFF_MYBUFFER; 1401 } else { 1402 tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64)size, 1024); 1403 if (tif->tif_rawdatasize==0) { 1404 TIFFErrorExt(tif->tif_clientdata, module, 1405 "Invalid buffer size"); 1406 return (0); 1407 } 1408 /* Initialize to zero to avoid uninitialized buffers in case of */ 1409 /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ 1410 tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); 1411 tif->tif_flags |= TIFF_MYBUFFER; 1412 } 1413 if (tif->tif_rawdata == NULL) { 1414 TIFFErrorExt(tif->tif_clientdata, module, 1415 "No space for data buffer at scanline %lu", 1416 (unsigned long) tif->tif_row); 1417 tif->tif_rawdatasize = 0; 1418 return (0); 1419 } 1420 return (1); 1421 } 1422 1423 /* 1424 * Set state to appear as if a 1425 * strip has just been read in. 1426 */ 1427 static int 1428 TIFFStartStrip(TIFF* tif, uint32 strip) 1429 { 1430 TIFFDirectory *td = &tif->tif_dir; 1431 1432 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) 1433 return 0; 1434 1435 if ((tif->tif_flags & TIFF_CODERSETUP) == 0) { 1436 if (!(*tif->tif_setupdecode)(tif)) 1437 return (0); 1438 tif->tif_flags |= TIFF_CODERSETUP; 1439 } 1440 tif->tif_curstrip = strip; 1441 tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip; 1442 tif->tif_flags &= ~TIFF_BUF4WRITE; 1443 1444 if (tif->tif_flags&TIFF_NOREADRAW) 1445 { 1446 tif->tif_rawcp = NULL; 1447 tif->tif_rawcc = 0; 1448 } 1449 else 1450 { 1451 tif->tif_rawcp = tif->tif_rawdata; 1452 if( tif->tif_rawdataloaded > 0 ) 1453 tif->tif_rawcc = tif->tif_rawdataloaded; 1454 else 1455 tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip]; 1456 } 1457 return ((*tif->tif_predecode)(tif, 1458 (uint16)(strip / td->td_stripsperimage))); 1459 } 1460 1461 /* 1462 * Set state to appear as if a 1463 * tile has just been read in. 1464 */ 1465 static int 1466 TIFFStartTile(TIFF* tif, uint32 tile) 1467 { 1468 static const char module[] = "TIFFStartTile"; 1469 TIFFDirectory *td = &tif->tif_dir; 1470 uint32 howmany32; 1471 1472 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) 1473 return 0; 1474 1475 if ((tif->tif_flags & TIFF_CODERSETUP) == 0) { 1476 if (!(*tif->tif_setupdecode)(tif)) 1477 return (0); 1478 tif->tif_flags |= TIFF_CODERSETUP; 1479 } 1480 tif->tif_curtile = tile; 1481 howmany32=TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth); 1482 if (howmany32 == 0) { 1483 TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles"); 1484 return 0; 1485 } 1486 tif->tif_row = (tile % howmany32) * td->td_tilelength; 1487 howmany32=TIFFhowmany_32(td->td_imagelength, td->td_tilelength); 1488 if (howmany32 == 0) { 1489 TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles"); 1490 return 0; 1491 } 1492 tif->tif_col = (tile % howmany32) * td->td_tilewidth; 1493 tif->tif_flags &= ~TIFF_BUF4WRITE; 1494 if (tif->tif_flags&TIFF_NOREADRAW) 1495 { 1496 tif->tif_rawcp = NULL; 1497 tif->tif_rawcc = 0; 1498 } 1499 else 1500 { 1501 tif->tif_rawcp = tif->tif_rawdata; 1502 if( tif->tif_rawdataloaded > 0 ) 1503 tif->tif_rawcc = tif->tif_rawdataloaded; 1504 else 1505 tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile]; 1506 } 1507 return ((*tif->tif_predecode)(tif, 1508 (uint16)(tile/td->td_stripsperimage))); 1509 } 1510 1511 static int 1512 TIFFCheckRead(TIFF* tif, int tiles) 1513 { 1514 if (tif->tif_mode == O_WRONLY) { 1515 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "File not open for reading"); 1516 return (0); 1517 } 1518 if (tiles ^ isTiled(tif)) { 1519 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, tiles ? 1520 "Can not read tiles from a stripped image" : 1521 "Can not read scanlines from a tiled image"); 1522 return (0); 1523 } 1524 return (1); 1525 } 1526 1527 void 1528 _TIFFNoPostDecode(TIFF* tif, uint8* buf, tmsize_t cc) 1529 { 1530 (void) tif; (void) buf; (void) cc; 1531 } 1532 1533 void 1534 _TIFFSwab16BitData(TIFF* tif, uint8* buf, tmsize_t cc) 1535 { 1536 (void) tif; 1537 assert((cc & 1) == 0); 1538 TIFFSwabArrayOfShort((uint16*) buf, cc/2); 1539 } 1540 1541 void 1542 _TIFFSwab24BitData(TIFF* tif, uint8* buf, tmsize_t cc) 1543 { 1544 (void) tif; 1545 assert((cc % 3) == 0); 1546 TIFFSwabArrayOfTriples((uint8*) buf, cc/3); 1547 } 1548 1549 void 1550 _TIFFSwab32BitData(TIFF* tif, uint8* buf, tmsize_t cc) 1551 { 1552 (void) tif; 1553 assert((cc & 3) == 0); 1554 TIFFSwabArrayOfLong((uint32*) buf, cc/4); 1555 } 1556 1557 void 1558 _TIFFSwab64BitData(TIFF* tif, uint8* buf, tmsize_t cc) 1559 { 1560 (void) tif; 1561 assert((cc & 7) == 0); 1562 TIFFSwabArrayOfDouble((double*) buf, cc/8); 1563 } 1564 1565 /* vim: set ts=8 sts=8 sw=8 noet: */ 1566 /* 1567 * Local Variables: 1568 * mode: c 1569 * c-basic-offset: 8 1570 * fill-column: 78 1571 * End: 1572 */ 1573