1 /* $Id: tif_read.c,v 1.66 2017-11-17 20:21:00 erouault Exp $ */
2
3 /*
4 * Copyright (c) 1988-1997 Sam Leffler
5 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
6 *
7 * Permission to use, copy, modify, distribute, and sell this software and
8 * its documentation for any purpose is hereby granted without fee, provided
9 * that (i) the above copyright notices and this permission notice appear in
10 * all copies of the software and related documentation, and (ii) the names of
11 * Sam Leffler and Silicon Graphics may not be used in any advertising or
12 * publicity relating to the software without the specific, prior written
13 * permission of Sam Leffler and Silicon Graphics.
14 *
15 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
17 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
18 *
19 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
20 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
21 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
22 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
23 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
24 * OF THIS SOFTWARE.
25 */
26
27 /*
28 * TIFF Library.
29 * Scanline-oriented Read Support
30 */
31 #include "tiffiop.h"
32 #include <stdio.h>
33
34 #define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
35 #define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
36
37 int TIFFFillStrip(TIFF* tif, uint32 strip);
38 int TIFFFillTile(TIFF* tif, uint32 tile);
39 static int TIFFStartStrip(TIFF* tif, uint32 strip);
40 static int TIFFStartTile(TIFF* tif, uint32 tile);
41 static int TIFFCheckRead(TIFF*, int);
42 static tmsize_t
43 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
44 static tmsize_t
45 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module);
46
47 #define NOSTRIP ((uint32)(-1)) /* undefined state */
48 #define NOTILE ((uint32)(-1)) /* undefined state */
49
50 #define INITIAL_THRESHOLD (1024 * 1024)
51 #define THRESHOLD_MULTIPLIER 10
52 #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
53
54 /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
55 * Returns 1 in case of success, 0 otherwise. */
TIFFReadAndRealloc(TIFF * tif,tmsize_t size,tmsize_t rawdata_offset,int is_strip,uint32 strip_or_tile,const char * module)56 static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
57 tmsize_t rawdata_offset,
58 int is_strip, uint32 strip_or_tile,
59 const char* module )
60 {
61 #if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
62 tmsize_t threshold = INITIAL_THRESHOLD;
63 #endif
64 tmsize_t already_read = 0;
65
66 /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
67 /* so as to avoid allocating too much memory in case the file is too */
68 /* short. We could ask for the file size, but this might be */
69 /* expensive with some I/O layers (think of reading a gzipped file) */
70 /* Restrict to 64 bit processes, so as to avoid reallocs() */
71 /* on 32 bit processes where virtual memory is scarce. */
72 while( already_read < size )
73 {
74 tmsize_t bytes_read;
75 tmsize_t to_read = size - already_read;
76 #if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
77 if( to_read >= threshold && threshold < MAX_THRESHOLD &&
78 already_read + to_read + rawdata_offset > tif->tif_rawdatasize )
79 {
80 to_read = threshold;
81 threshold *= THRESHOLD_MULTIPLIER;
82 }
83 #endif
84 if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize) {
85 uint8* new_rawdata;
86 assert((tif->tif_flags & TIFF_MYBUFFER) != 0);
87 tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64(
88 (uint64)already_read + to_read + rawdata_offset, 1024);
89 if (tif->tif_rawdatasize==0) {
90 TIFFErrorExt(tif->tif_clientdata, module,
91 "Invalid buffer size");
92 return 0;
93 }
94 new_rawdata = (uint8*) _TIFFrealloc(
95 tif->tif_rawdata, tif->tif_rawdatasize);
96 if( new_rawdata == 0 )
97 {
98 TIFFErrorExt(tif->tif_clientdata, module,
99 "No space for data buffer at scanline %lu",
100 (unsigned long) tif->tif_row);
101 _TIFFfree(tif->tif_rawdata);
102 tif->tif_rawdata = 0;
103 tif->tif_rawdatasize = 0;
104 return 0;
105 }
106 tif->tif_rawdata = new_rawdata;
107 }
108
109 bytes_read = TIFFReadFile(tif,
110 tif->tif_rawdata + rawdata_offset + already_read, to_read);
111 already_read += bytes_read;
112 if (bytes_read != to_read) {
113 memset( tif->tif_rawdata + rawdata_offset + already_read, 0,
114 tif->tif_rawdatasize - rawdata_offset - already_read );
115 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
116 if( is_strip )
117 {
118 TIFFErrorExt(tif->tif_clientdata, module,
119 "Read error at scanline %lu; got %I64u bytes, "
120 "expected %I64u",
121 (unsigned long) tif->tif_row,
122 (unsigned __int64) already_read,
123 (unsigned __int64) size);
124 }
125 else
126 {
127 TIFFErrorExt(tif->tif_clientdata, module,
128 "Read error at row %lu, col %lu, tile %lu; "
129 "got %I64u bytes, expected %I64u",
130 (unsigned long) tif->tif_row,
131 (unsigned long) tif->tif_col,
132 (unsigned long) strip_or_tile,
133 (unsigned __int64) already_read,
134 (unsigned __int64) size);
135 }
136 #else
137 if( is_strip )
138 {
139 TIFFErrorExt(tif->tif_clientdata, module,
140 "Read error at scanline %lu; got %llu bytes, "
141 "expected %llu",
142 (unsigned long) tif->tif_row,
143 (unsigned long long) already_read,
144 (unsigned long long) size);
145 }
146 else
147 {
148 TIFFErrorExt(tif->tif_clientdata, module,
149 "Read error at row %lu, col %lu, tile %lu; "
150 "got %llu bytes, expected %llu",
151 (unsigned long) tif->tif_row,
152 (unsigned long) tif->tif_col,
153 (unsigned long) strip_or_tile,
154 (unsigned long long) already_read,
155 (unsigned long long) size);
156 }
157 #endif
158 return 0;
159 }
160 }
161 return 1;
162 }
163
164
165 static int
TIFFFillStripPartial(TIFF * tif,int strip,tmsize_t read_ahead,int restart)166 TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
167 {
168 static const char module[] = "TIFFFillStripPartial";
169 register TIFFDirectory *td = &tif->tif_dir;
170 tmsize_t unused_data;
171 uint64 read_offset;
172 tmsize_t to_read;
173 tmsize_t read_ahead_mod;
174 /* tmsize_t bytecountm; */
175
176 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
177 return 0;
178
179 /*
180 * Expand raw data buffer, if needed, to hold data
181 * strip coming from file (perhaps should set upper
182 * bound on the size of a buffer we'll use?).
183 */
184
185 /* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */
186
187 /* Not completely sure where the * 2 comes from, but probably for */
188 /* an exponentional growth strategy of tif_rawdatasize */
189 if( read_ahead < TIFF_TMSIZE_T_MAX / 2 )
190 read_ahead_mod = read_ahead * 2;
191 else
192 read_ahead_mod = read_ahead;
193 if (read_ahead_mod > tif->tif_rawdatasize) {
194 assert( restart );
195
196 tif->tif_curstrip = NOSTRIP;
197 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
198 TIFFErrorExt(tif->tif_clientdata, module,
199 "Data buffer too small to hold part of strip %lu",
200 (unsigned long) strip);
201 return (0);
202 }
203 }
204
205 if( restart )
206 {
207 tif->tif_rawdataloaded = 0;
208 tif->tif_rawdataoff = 0;
209 }
210
211 /*
212 ** If we are reading more data, move any unused data to the
213 ** start of the buffer.
214 */
215 if( tif->tif_rawdataloaded > 0 )
216 unused_data = tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata);
217 else
218 unused_data = 0;
219
220 if( unused_data > 0 )
221 {
222 assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
223 memmove( tif->tif_rawdata, tif->tif_rawcp, unused_data );
224 }
225
226 /*
227 ** Seek to the point in the file where more data should be read.
228 */
229 read_offset = td->td_stripoffset[strip]
230 + tif->tif_rawdataoff + tif->tif_rawdataloaded;
231
232 if (!SeekOK(tif, read_offset)) {
233 TIFFErrorExt(tif->tif_clientdata, module,
234 "Seek error at scanline %lu, strip %lu",
235 (unsigned long) tif->tif_row, (unsigned long) strip);
236 return 0;
237 }
238
239 /*
240 ** How much do we want to read?
241 */
242 if( read_ahead_mod > tif->tif_rawdatasize )
243 to_read = read_ahead_mod - unused_data;
244 else
245 to_read = tif->tif_rawdatasize - unused_data;
246 if( (uint64) to_read > td->td_stripbytecount[strip]
247 - tif->tif_rawdataoff - tif->tif_rawdataloaded )
248 {
249 to_read = (tmsize_t) td->td_stripbytecount[strip]
250 - tif->tif_rawdataoff - tif->tif_rawdataloaded;
251 }
252
253 assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
254 if( !TIFFReadAndRealloc( tif, to_read, unused_data,
255 1, /* is_strip */
256 0, /* strip_or_tile */
257 module) )
258 {
259 return 0;
260 }
261
262 tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ;
263 tif->tif_rawdataloaded = unused_data + to_read;
264
265 tif->tif_rawcc = tif->tif_rawdataloaded;
266 tif->tif_rawcp = tif->tif_rawdata;
267
268 if (!isFillOrder(tif, td->td_fillorder) &&
269 (tif->tif_flags & TIFF_NOBITREV) == 0) {
270 assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
271 TIFFReverseBits(tif->tif_rawdata + unused_data, to_read );
272 }
273
274 /*
275 ** When starting a strip from the beginning we need to
276 ** restart the decoder.
277 */
278 if( restart )
279 {
280
281 #ifdef JPEG_SUPPORT
282 /* A bit messy since breaks the codec abstraction. Ultimately */
283 /* there should be a function pointer for that, but it seems */
284 /* only JPEG is affected. */
285 /* For JPEG, if there are multiple scans (can generally be known */
286 /* with the read_ahead used), we need to read the whole strip */
287 if( tif->tif_dir.td_compression==COMPRESSION_JPEG &&
288 (uint64)tif->tif_rawcc < td->td_stripbytecount[strip] )
289 {
290 if( TIFFJPEGIsFullStripRequired(tif) )
291 {
292 return TIFFFillStrip(tif, strip);
293 }
294 }
295 #endif
296
297 return TIFFStartStrip(tif, strip);
298 }
299 else
300 {
301 return 1;
302 }
303 }
304
305 /*
306 * Seek to a random row+sample in a file.
307 *
308 * Only used by TIFFReadScanline, and is only used on
309 * strip organized files. We do some tricky stuff to try
310 * and avoid reading the whole compressed raw data for big
311 * strips.
312 */
313 static int
TIFFSeek(TIFF * tif,uint32 row,uint16 sample)314 TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
315 {
316 register TIFFDirectory *td = &tif->tif_dir;
317 uint32 strip;
318 int whole_strip;
319 tmsize_t read_ahead = 0;
320
321 /*
322 ** Establish what strip we are working from.
323 */
324 if (row >= td->td_imagelength) { /* out of range */
325 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
326 "%lu: Row out of range, max %lu",
327 (unsigned long) row,
328 (unsigned long) td->td_imagelength);
329 return (0);
330 }
331 if (td->td_planarconfig == PLANARCONFIG_SEPARATE) {
332 if (sample >= td->td_samplesperpixel) {
333 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
334 "%lu: Sample out of range, max %lu",
335 (unsigned long) sample, (unsigned long) td->td_samplesperpixel);
336 return (0);
337 }
338 strip = (uint32)sample*td->td_stripsperimage + row/td->td_rowsperstrip;
339 } else
340 strip = row / td->td_rowsperstrip;
341
342 /*
343 * Do we want to treat this strip as one whole chunk or
344 * read it a few lines at a time?
345 */
346 #if defined(CHUNKY_STRIP_READ_SUPPORT)
347 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
348 return 0;
349 whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
350 || isMapped(tif);
351 #else
352 whole_strip = 1;
353 #endif
354
355 if( !whole_strip )
356 {
357 /* 16 is for YCbCr mode where we may need to read 16 */
358 /* lines at a time to get a decompressed line, and 5000 */
359 /* is some constant value, for example for JPEG tables */
360 if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
361 tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 )
362 {
363 read_ahead = tif->tif_scanlinesize * 16 + 5000;
364 }
365 else
366 {
367 read_ahead = tif->tif_scanlinesize;
368 }
369 }
370
371 /*
372 * If we haven't loaded this strip, do so now, possibly
373 * only reading the first part.
374 */
375 if (strip != tif->tif_curstrip) { /* different strip, refill */
376
377 if( whole_strip )
378 {
379 if (!TIFFFillStrip(tif, strip))
380 return (0);
381 }
382 else
383 {
384 if( !TIFFFillStripPartial(tif,strip,read_ahead,1) )
385 return 0;
386 }
387 }
388
389 /*
390 ** If we already have some data loaded, do we need to read some more?
391 */
392 else if( !whole_strip )
393 {
394 if( ((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) < read_ahead
395 && (uint64) tif->tif_rawdataoff+tif->tif_rawdataloaded < td->td_stripbytecount[strip] )
396 {
397 if( !TIFFFillStripPartial(tif,strip,read_ahead,0) )
398 return 0;
399 }
400 }
401
402 if (row < tif->tif_row) {
403 /*
404 * Moving backwards within the same strip: backup
405 * to the start and then decode forward (below).
406 *
407 * NB: If you're planning on lots of random access within a
408 * strip, it's better to just read and decode the entire
409 * strip, and then access the decoded data in a random fashion.
410 */
411
412 if( tif->tif_rawdataoff != 0 )
413 {
414 if( !TIFFFillStripPartial(tif,strip,read_ahead,1) )
415 return 0;
416 }
417 else
418 {
419 if (!TIFFStartStrip(tif, strip))
420 return (0);
421 }
422 }
423
424 if (row != tif->tif_row) {
425 /*
426 * Seek forward to the desired row.
427 */
428
429 /* TODO: Will this really work with partial buffers? */
430
431 if (!(*tif->tif_seek)(tif, row - tif->tif_row))
432 return (0);
433 tif->tif_row = row;
434 }
435
436 return (1);
437 }
438
439 int
TIFFReadScanline(TIFF * tif,void * buf,uint32 row,uint16 sample)440 TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)
441 {
442 int e;
443
444 if (!TIFFCheckRead(tif, 0))
445 return (-1);
446 if( (e = TIFFSeek(tif, row, sample)) != 0) {
447 /*
448 * Decompress desired row into user buffer.
449 */
450 e = (*tif->tif_decoderow)
451 (tif, (uint8*) buf, tif->tif_scanlinesize, sample);
452
453 /* we are now poised at the beginning of the next row */
454 tif->tif_row = row + 1;
455
456 if (e)
457 (*tif->tif_postdecode)(tif, (uint8*) buf,
458 tif->tif_scanlinesize);
459 }
460 return (e > 0 ? 1 : -1);
461 }
462
463 /*
464 * Calculate the strip size according to the number of
465 * rows in the strip (check for truncated last strip on any
466 * of the separations).
467 */
TIFFReadEncodedStripGetStripSize(TIFF * tif,uint32 strip,uint16 * pplane)468 static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane)
469 {
470 static const char module[] = "TIFFReadEncodedStrip";
471 TIFFDirectory *td = &tif->tif_dir;
472 uint32 rowsperstrip;
473 uint32 stripsperplane;
474 uint32 stripinplane;
475 uint32 rows;
476 tmsize_t stripsize;
477 if (!TIFFCheckRead(tif,0))
478 return((tmsize_t)(-1));
479 if (strip>=td->td_nstrips)
480 {
481 TIFFErrorExt(tif->tif_clientdata,module,
482 "%lu: Strip out of range, max %lu",(unsigned long)strip,
483 (unsigned long)td->td_nstrips);
484 return((tmsize_t)(-1));
485 }
486
487 rowsperstrip=td->td_rowsperstrip;
488 if (rowsperstrip>td->td_imagelength)
489 rowsperstrip=td->td_imagelength;
490 stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
491 stripinplane=(strip%stripsperplane);
492 if( pplane ) *pplane=(uint16)(strip/stripsperplane);
493 rows=td->td_imagelength-stripinplane*rowsperstrip;
494 if (rows>rowsperstrip)
495 rows=rowsperstrip;
496 stripsize=TIFFVStripSize(tif,rows);
497 if (stripsize==0)
498 return((tmsize_t)(-1));
499 return stripsize;
500 }
501
502 /*
503 * Read a strip of data and decompress the specified
504 * amount into the user-supplied buffer.
505 */
506 tmsize_t
TIFFReadEncodedStrip(TIFF * tif,uint32 strip,void * buf,tmsize_t size)507 TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
508 {
509 static const char module[] = "TIFFReadEncodedStrip";
510 TIFFDirectory *td = &tif->tif_dir;
511 tmsize_t stripsize;
512 uint16 plane;
513
514 stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
515 if (stripsize==((tmsize_t)(-1)))
516 return((tmsize_t)(-1));
517
518 /* shortcut to avoid an extra memcpy() */
519 if( td->td_compression == COMPRESSION_NONE &&
520 size!=(tmsize_t)(-1) && size >= stripsize &&
521 !isMapped(tif) &&
522 ((tif->tif_flags&TIFF_NOREADRAW)==0) )
523 {
524 if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
525 return ((tmsize_t)(-1));
526
527 if (!isFillOrder(tif, td->td_fillorder) &&
528 (tif->tif_flags & TIFF_NOBITREV) == 0)
529 TIFFReverseBits(buf,stripsize);
530
531 (*tif->tif_postdecode)(tif,buf,stripsize);
532 return (stripsize);
533 }
534
535 if ((size!=(tmsize_t)(-1))&&(size<stripsize))
536 stripsize=size;
537 if (!TIFFFillStrip(tif,strip))
538 return((tmsize_t)(-1));
539 if ((*tif->tif_decodestrip)(tif,buf,stripsize,plane)<=0)
540 return((tmsize_t)(-1));
541 (*tif->tif_postdecode)(tif,buf,stripsize);
542 return(stripsize);
543 }
544
545 /* Variant of TIFFReadEncodedStrip() that does
546 * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has
547 * succeeded. This avoid excessive memory allocation in case of truncated
548 * file.
549 * * calls regular TIFFReadEncodedStrip() if *buf != NULL
550 */
551 tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF * tif,uint32 strip,void ** buf,tmsize_t bufsizetoalloc,tmsize_t size_to_read)552 _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
553 void **buf, tmsize_t bufsizetoalloc,
554 tmsize_t size_to_read)
555 {
556 tmsize_t this_stripsize;
557 uint16 plane;
558
559 if( *buf != NULL )
560 {
561 return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
562 }
563
564 this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
565 if (this_stripsize==((tmsize_t)(-1)))
566 return((tmsize_t)(-1));
567
568 if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize))
569 this_stripsize=size_to_read;
570 if (!TIFFFillStrip(tif,strip))
571 return((tmsize_t)(-1));
572
573 *buf = _TIFFmalloc(bufsizetoalloc);
574 if (*buf == NULL) {
575 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
576 return((tmsize_t)(-1));
577 }
578 _TIFFmemset(*buf, 0, bufsizetoalloc);
579
580 if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0)
581 return((tmsize_t)(-1));
582 (*tif->tif_postdecode)(tif,*buf,this_stripsize);
583 return(this_stripsize);
584
585
586 }
587
588 static tmsize_t
TIFFReadRawStrip1(TIFF * tif,uint32 strip,void * buf,tmsize_t size,const char * module)589 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
590 const char* module)
591 {
592 TIFFDirectory *td = &tif->tif_dir;
593
594 if (!_TIFFFillStriles( tif ))
595 return ((tmsize_t)(-1));
596
597 assert((tif->tif_flags&TIFF_NOREADRAW)==0);
598 if (!isMapped(tif)) {
599 tmsize_t cc;
600
601 if (!SeekOK(tif, td->td_stripoffset[strip])) {
602 TIFFErrorExt(tif->tif_clientdata, module,
603 "Seek error at scanline %lu, strip %lu",
604 (unsigned long) tif->tif_row, (unsigned long) strip);
605 return ((tmsize_t)(-1));
606 }
607 cc = TIFFReadFile(tif, buf, size);
608 if (cc != size) {
609 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
610 TIFFErrorExt(tif->tif_clientdata, module,
611 "Read error at scanline %lu; got %I64u bytes, expected %I64u",
612 (unsigned long) tif->tif_row,
613 (unsigned __int64) cc,
614 (unsigned __int64) size);
615 #else
616 TIFFErrorExt(tif->tif_clientdata, module,
617 "Read error at scanline %lu; got %llu bytes, expected %llu",
618 (unsigned long) tif->tif_row,
619 (unsigned long long) cc,
620 (unsigned long long) size);
621 #endif
622 return ((tmsize_t)(-1));
623 }
624 } else {
625 tmsize_t ma = 0;
626 tmsize_t n;
627 if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
628 ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
629 {
630 n=0;
631 }
632 else if( ma > TIFF_TMSIZE_T_MAX - size )
633 {
634 n=0;
635 }
636 else
637 {
638 tmsize_t mb=ma+size;
639 if (mb>tif->tif_size)
640 n=tif->tif_size-ma;
641 else
642 n=size;
643 }
644 if (n!=size) {
645 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
646 TIFFErrorExt(tif->tif_clientdata, module,
647 "Read error at scanline %lu, strip %lu; got %I64u bytes, expected %I64u",
648 (unsigned long) tif->tif_row,
649 (unsigned long) strip,
650 (unsigned __int64) n,
651 (unsigned __int64) size);
652 #else
653 TIFFErrorExt(tif->tif_clientdata, module,
654 "Read error at scanline %lu, strip %lu; got %llu bytes, expected %llu",
655 (unsigned long) tif->tif_row,
656 (unsigned long) strip,
657 (unsigned long long) n,
658 (unsigned long long) size);
659 #endif
660 return ((tmsize_t)(-1));
661 }
662 _TIFFmemcpy(buf, tif->tif_base + ma,
663 size);
664 }
665 return (size);
666 }
667
668 static tmsize_t
TIFFReadRawStripOrTile2(TIFF * tif,uint32 strip_or_tile,int is_strip,tmsize_t size,const char * module)669 TIFFReadRawStripOrTile2(TIFF* tif, uint32 strip_or_tile, int is_strip,
670 tmsize_t size, const char* module)
671 {
672 TIFFDirectory *td = &tif->tif_dir;
673
674 assert( !isMapped(tif) );
675 assert((tif->tif_flags&TIFF_NOREADRAW)==0);
676
677 if (!SeekOK(tif, td->td_stripoffset[strip_or_tile])) {
678 if( is_strip )
679 {
680 TIFFErrorExt(tif->tif_clientdata, module,
681 "Seek error at scanline %lu, strip %lu",
682 (unsigned long) tif->tif_row,
683 (unsigned long) strip_or_tile);
684 }
685 else
686 {
687 TIFFErrorExt(tif->tif_clientdata, module,
688 "Seek error at row %lu, col %lu, tile %lu",
689 (unsigned long) tif->tif_row,
690 (unsigned long) tif->tif_col,
691 (unsigned long) strip_or_tile);
692 }
693 return ((tmsize_t)(-1));
694 }
695
696 if( !TIFFReadAndRealloc( tif, size, 0, is_strip,
697 strip_or_tile, module ) )
698 {
699 return ((tmsize_t)(-1));
700 }
701
702 return (size);
703 }
704
705 /*
706 * Read a strip of data from the file.
707 */
708 tmsize_t
TIFFReadRawStrip(TIFF * tif,uint32 strip,void * buf,tmsize_t size)709 TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
710 {
711 static const char module[] = "TIFFReadRawStrip";
712 TIFFDirectory *td = &tif->tif_dir;
713 uint64 bytecount;
714 tmsize_t bytecountm;
715
716 if (!TIFFCheckRead(tif, 0))
717 return ((tmsize_t)(-1));
718 if (strip >= td->td_nstrips) {
719 TIFFErrorExt(tif->tif_clientdata, module,
720 "%lu: Strip out of range, max %lu",
721 (unsigned long) strip,
722 (unsigned long) td->td_nstrips);
723 return ((tmsize_t)(-1));
724 }
725 if (tif->tif_flags&TIFF_NOREADRAW)
726 {
727 TIFFErrorExt(tif->tif_clientdata, module,
728 "Compression scheme does not support access to raw uncompressed data");
729 return ((tmsize_t)(-1));
730 }
731 bytecount = td->td_stripbytecount[strip];
732 if ((int64)bytecount <= 0) {
733 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
734 TIFFErrorExt(tif->tif_clientdata, module,
735 "%I64u: Invalid strip byte count, strip %lu",
736 (unsigned __int64) bytecount,
737 (unsigned long) strip);
738 #else
739 TIFFErrorExt(tif->tif_clientdata, module,
740 "%llu: Invalid strip byte count, strip %lu",
741 (unsigned long long) bytecount,
742 (unsigned long) strip);
743 #endif
744 return ((tmsize_t)(-1));
745 }
746 bytecountm = (tmsize_t)bytecount;
747 if ((uint64)bytecountm!=bytecount) {
748 TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
749 return ((tmsize_t)(-1));
750 }
751 if (size != (tmsize_t)(-1) && size < bytecountm)
752 bytecountm = size;
753 return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module));
754 }
755
756 /*
757 * Read the specified strip and setup for decoding. The data buffer is
758 * expanded, as necessary, to hold the strip's data.
759 */
760 int
TIFFFillStrip(TIFF * tif,uint32 strip)761 TIFFFillStrip(TIFF* tif, uint32 strip)
762 {
763 static const char module[] = "TIFFFillStrip";
764 TIFFDirectory *td = &tif->tif_dir;
765
766 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
767 return 0;
768
769 if ((tif->tif_flags&TIFF_NOREADRAW)==0)
770 {
771 uint64 bytecount = td->td_stripbytecount[strip];
772 if ((int64)bytecount <= 0) {
773 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
774 TIFFErrorExt(tif->tif_clientdata, module,
775 "Invalid strip byte count %I64u, strip %lu",
776 (unsigned __int64) bytecount,
777 (unsigned long) strip);
778 #else
779 TIFFErrorExt(tif->tif_clientdata, module,
780 "Invalid strip byte count %llu, strip %lu",
781 (unsigned long long) bytecount,
782 (unsigned long) strip);
783 #endif
784 return (0);
785 }
786
787 /* To avoid excessive memory allocations: */
788 /* Byte count should normally not be larger than a number of */
789 /* times the uncompressed size plus some margin */
790 if( bytecount > 1024 * 1024 )
791 {
792 /* 10 and 4096 are just values that could be adjusted. */
793 /* Hopefully they are safe enough for all codecs */
794 tmsize_t stripsize = TIFFStripSize(tif);
795 if( stripsize != 0 &&
796 (bytecount - 4096) / 10 > (uint64)stripsize )
797 {
798 uint64 newbytecount = (uint64)stripsize * 10 + 4096;
799 if( (int64)newbytecount >= 0 )
800 {
801 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
802 TIFFWarningExt(tif->tif_clientdata, module,
803 "Too large strip byte count %I64u, strip %lu. Limiting to %I64u",
804 (unsigned __int64) bytecount,
805 (unsigned long) strip,
806 (unsigned __int64) newbytecount);
807 #else
808 TIFFErrorExt(tif->tif_clientdata, module,
809 "Too large strip byte count %llu, strip %lu. Limiting to %llu",
810 (unsigned long long) bytecount,
811 (unsigned long) strip,
812 (unsigned long long) newbytecount);
813 #endif
814 bytecount = newbytecount;
815 }
816 }
817 }
818
819 if (isMapped(tif)) {
820 /*
821 * We must check for overflow, potentially causing
822 * an OOB read. Instead of simple
823 *
824 * td->td_stripoffset[strip]+bytecount > tif->tif_size
825 *
826 * comparison (which can overflow) we do the following
827 * two comparisons:
828 */
829 if (bytecount > (uint64)tif->tif_size ||
830 td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
831 /*
832 * This error message might seem strange, but
833 * it's what would happen if a read were done
834 * instead.
835 */
836 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
837 TIFFErrorExt(tif->tif_clientdata, module,
838
839 "Read error on strip %lu; "
840 "got %I64u bytes, expected %I64u",
841 (unsigned long) strip,
842 (unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
843 (unsigned __int64) bytecount);
844 #else
845 TIFFErrorExt(tif->tif_clientdata, module,
846
847 "Read error on strip %lu; "
848 "got %llu bytes, expected %llu",
849 (unsigned long) strip,
850 (unsigned long long) tif->tif_size - td->td_stripoffset[strip],
851 (unsigned long long) bytecount);
852 #endif
853 tif->tif_curstrip = NOSTRIP;
854 return (0);
855 }
856 }
857
858 if (isMapped(tif) &&
859 (isFillOrder(tif, td->td_fillorder)
860 || (tif->tif_flags & TIFF_NOBITREV))) {
861 /*
862 * The image is mapped into memory and we either don't
863 * need to flip bits or the compression routine is
864 * going to handle this operation itself. In this
865 * case, avoid copying the raw data and instead just
866 * reference the data from the memory mapped file
867 * image. This assumes that the decompression
868 * routines do not modify the contents of the raw data
869 * buffer (if they try to, the application will get a
870 * fault since the file is mapped read-only).
871 */
872 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
873 _TIFFfree(tif->tif_rawdata);
874 tif->tif_rawdata = NULL;
875 tif->tif_rawdatasize = 0;
876 }
877 tif->tif_flags &= ~TIFF_MYBUFFER;
878 tif->tif_rawdatasize = (tmsize_t)bytecount;
879 tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip];
880 tif->tif_rawdataoff = 0;
881 tif->tif_rawdataloaded = (tmsize_t) bytecount;
882
883 /*
884 * When we have tif_rawdata reference directly into the memory mapped file
885 * we need to be pretty careful about how we use the rawdata. It is not
886 * a general purpose working buffer as it normally otherwise is. So we
887 * keep track of this fact to avoid using it improperly.
888 */
889 tif->tif_flags |= TIFF_BUFFERMMAP;
890 } else {
891 /*
892 * Expand raw data buffer, if needed, to hold data
893 * strip coming from file (perhaps should set upper
894 * bound on the size of a buffer we'll use?).
895 */
896 tmsize_t bytecountm;
897 bytecountm=(tmsize_t)bytecount;
898 if ((uint64)bytecountm!=bytecount)
899 {
900 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
901 return(0);
902 }
903 if (bytecountm > tif->tif_rawdatasize) {
904 tif->tif_curstrip = NOSTRIP;
905 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
906 TIFFErrorExt(tif->tif_clientdata, module,
907 "Data buffer too small to hold strip %lu",
908 (unsigned long) strip);
909 return (0);
910 }
911 }
912 if (tif->tif_flags&TIFF_BUFFERMMAP) {
913 tif->tif_curstrip = NOSTRIP;
914 tif->tif_rawdata = NULL;
915 tif->tif_rawdatasize = 0;
916 tif->tif_flags &= ~TIFF_BUFFERMMAP;
917 }
918
919 if( isMapped(tif) )
920 {
921 if (bytecountm > tif->tif_rawdatasize &&
922 !TIFFReadBufferSetup(tif, 0, bytecountm))
923 {
924 return (0);
925 }
926 if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata,
927 bytecountm, module) != bytecountm)
928 {
929 return (0);
930 }
931 }
932 else
933 {
934 if (TIFFReadRawStripOrTile2(tif, strip, 1,
935 bytecountm, module) != bytecountm)
936 {
937 return (0);
938 }
939 }
940
941
942 tif->tif_rawdataoff = 0;
943 tif->tif_rawdataloaded = bytecountm;
944
945 if (!isFillOrder(tif, td->td_fillorder) &&
946 (tif->tif_flags & TIFF_NOBITREV) == 0)
947 TIFFReverseBits(tif->tif_rawdata, bytecountm);
948 }
949 }
950 return (TIFFStartStrip(tif, strip));
951 }
952
953 /*
954 * Tile-oriented Read Support
955 * Contributed by Nancy Cam (Silicon Graphics).
956 */
957
958 /*
959 * Read and decompress a tile of data. The
960 * tile is selected by the (x,y,z,s) coordinates.
961 */
962 tmsize_t
TIFFReadTile(TIFF * tif,void * buf,uint32 x,uint32 y,uint32 z,uint16 s)963 TIFFReadTile(TIFF* tif, void* buf, uint32 x, uint32 y, uint32 z, uint16 s)
964 {
965 if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
966 return ((tmsize_t)(-1));
967 return (TIFFReadEncodedTile(tif,
968 TIFFComputeTile(tif, x, y, z, s), buf, (tmsize_t)(-1)));
969 }
970
971 /*
972 * Read a tile of data and decompress the specified
973 * amount into the user-supplied buffer.
974 */
975 tmsize_t
TIFFReadEncodedTile(TIFF * tif,uint32 tile,void * buf,tmsize_t size)976 TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
977 {
978 static const char module[] = "TIFFReadEncodedTile";
979 TIFFDirectory *td = &tif->tif_dir;
980 tmsize_t tilesize = tif->tif_tilesize;
981
982 if (!TIFFCheckRead(tif, 1))
983 return ((tmsize_t)(-1));
984 if (tile >= td->td_nstrips) {
985 TIFFErrorExt(tif->tif_clientdata, module,
986 "%lu: Tile out of range, max %lu",
987 (unsigned long) tile, (unsigned long) td->td_nstrips);
988 return ((tmsize_t)(-1));
989 }
990
991 /* shortcut to avoid an extra memcpy() */
992 if( td->td_compression == COMPRESSION_NONE &&
993 size!=(tmsize_t)(-1) && size >= tilesize &&
994 !isMapped(tif) &&
995 ((tif->tif_flags&TIFF_NOREADRAW)==0) )
996 {
997 if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
998 return ((tmsize_t)(-1));
999
1000 if (!isFillOrder(tif, td->td_fillorder) &&
1001 (tif->tif_flags & TIFF_NOBITREV) == 0)
1002 TIFFReverseBits(buf,tilesize);
1003
1004 (*tif->tif_postdecode)(tif,buf,tilesize);
1005 return (tilesize);
1006 }
1007
1008 if (size == (tmsize_t)(-1))
1009 size = tilesize;
1010 else if (size > tilesize)
1011 size = tilesize;
1012 if (TIFFFillTile(tif, tile) && (*tif->tif_decodetile)(tif,
1013 (uint8*) buf, size, (uint16)(tile/td->td_stripsperimage))) {
1014 (*tif->tif_postdecode)(tif, (uint8*) buf, size);
1015 return (size);
1016 } else
1017 return ((tmsize_t)(-1));
1018 }
1019
1020 /* Variant of TIFFReadTile() that does
1021 * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
1022 * succeeded. This avoid excessive memory allocation in case of truncated
1023 * file.
1024 * * calls regular TIFFReadEncodedTile() if *buf != NULL
1025 */
1026 tmsize_t
_TIFFReadTileAndAllocBuffer(TIFF * tif,void ** buf,tmsize_t bufsizetoalloc,uint32 x,uint32 y,uint32 z,uint16 s)1027 _TIFFReadTileAndAllocBuffer(TIFF* tif,
1028 void **buf, tmsize_t bufsizetoalloc,
1029 uint32 x, uint32 y, uint32 z, uint16 s)
1030 {
1031 if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
1032 return ((tmsize_t)(-1));
1033 return (_TIFFReadEncodedTileAndAllocBuffer(tif,
1034 TIFFComputeTile(tif, x, y, z, s),
1035 buf, bufsizetoalloc,
1036 (tmsize_t)(-1)));
1037 }
1038
1039 /* Variant of TIFFReadEncodedTile() that does
1040 * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
1041 * succeeded. This avoid excessive memory allocation in case of truncated
1042 * file.
1043 * * calls regular TIFFReadEncodedTile() if *buf != NULL
1044 */
1045 tmsize_t
_TIFFReadEncodedTileAndAllocBuffer(TIFF * tif,uint32 tile,void ** buf,tmsize_t bufsizetoalloc,tmsize_t size_to_read)1046 _TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
1047 void **buf, tmsize_t bufsizetoalloc,
1048 tmsize_t size_to_read)
1049 {
1050 static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
1051 TIFFDirectory *td = &tif->tif_dir;
1052 tmsize_t tilesize = tif->tif_tilesize;
1053
1054 if( *buf != NULL )
1055 {
1056 return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
1057 }
1058
1059 if (!TIFFCheckRead(tif, 1))
1060 return ((tmsize_t)(-1));
1061 if (tile >= td->td_nstrips) {
1062 TIFFErrorExt(tif->tif_clientdata, module,
1063 "%lu: Tile out of range, max %lu",
1064 (unsigned long) tile, (unsigned long) td->td_nstrips);
1065 return ((tmsize_t)(-1));
1066 }
1067
1068 if (!TIFFFillTile(tif,tile))
1069 return((tmsize_t)(-1));
1070
1071 *buf = _TIFFmalloc(bufsizetoalloc);
1072 if (*buf == NULL) {
1073 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
1074 "No space for tile buffer");
1075 return((tmsize_t)(-1));
1076 }
1077 _TIFFmemset(*buf, 0, bufsizetoalloc);
1078
1079 if (size_to_read == (tmsize_t)(-1))
1080 size_to_read = tilesize;
1081 else if (size_to_read > tilesize)
1082 size_to_read = tilesize;
1083 if( (*tif->tif_decodetile)(tif,
1084 (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) {
1085 (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read);
1086 return (size_to_read);
1087 } else
1088 return ((tmsize_t)(-1));
1089 }
1090
1091 static tmsize_t
TIFFReadRawTile1(TIFF * tif,uint32 tile,void * buf,tmsize_t size,const char * module)1092 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
1093 {
1094 TIFFDirectory *td = &tif->tif_dir;
1095
1096 if (!_TIFFFillStriles( tif ))
1097 return ((tmsize_t)(-1));
1098
1099 assert((tif->tif_flags&TIFF_NOREADRAW)==0);
1100 if (!isMapped(tif)) {
1101 tmsize_t cc;
1102
1103 if (!SeekOK(tif, td->td_stripoffset[tile])) {
1104 TIFFErrorExt(tif->tif_clientdata, module,
1105 "Seek error at row %lu, col %lu, tile %lu",
1106 (unsigned long) tif->tif_row,
1107 (unsigned long) tif->tif_col,
1108 (unsigned long) tile);
1109 return ((tmsize_t)(-1));
1110 }
1111 cc = TIFFReadFile(tif, buf, size);
1112 if (cc != size) {
1113 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1114 TIFFErrorExt(tif->tif_clientdata, module,
1115 "Read error at row %lu, col %lu; got %I64u bytes, expected %I64u",
1116 (unsigned long) tif->tif_row,
1117 (unsigned long) tif->tif_col,
1118 (unsigned __int64) cc,
1119 (unsigned __int64) size);
1120 #else
1121 TIFFErrorExt(tif->tif_clientdata, module,
1122 "Read error at row %lu, col %lu; got %llu bytes, expected %llu",
1123 (unsigned long) tif->tif_row,
1124 (unsigned long) tif->tif_col,
1125 (unsigned long long) cc,
1126 (unsigned long long) size);
1127 #endif
1128 return ((tmsize_t)(-1));
1129 }
1130 } else {
1131 tmsize_t ma,mb;
1132 tmsize_t n;
1133 ma=(tmsize_t)td->td_stripoffset[tile];
1134 mb=ma+size;
1135 if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
1136 n=0;
1137 else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
1138 n=tif->tif_size-ma;
1139 else
1140 n=size;
1141 if (n!=size) {
1142 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1143 TIFFErrorExt(tif->tif_clientdata, module,
1144 "Read error at row %lu, col %lu, tile %lu; got %I64u bytes, expected %I64u",
1145 (unsigned long) tif->tif_row,
1146 (unsigned long) tif->tif_col,
1147 (unsigned long) tile,
1148 (unsigned __int64) n,
1149 (unsigned __int64) size);
1150 #else
1151 TIFFErrorExt(tif->tif_clientdata, module,
1152 "Read error at row %lu, col %lu, tile %lu; got %llu bytes, expected %llu",
1153 (unsigned long) tif->tif_row,
1154 (unsigned long) tif->tif_col,
1155 (unsigned long) tile,
1156 (unsigned long long) n,
1157 (unsigned long long) size);
1158 #endif
1159 return ((tmsize_t)(-1));
1160 }
1161 _TIFFmemcpy(buf, tif->tif_base + ma, size);
1162 }
1163 return (size);
1164 }
1165
1166 /*
1167 * Read a tile of data from the file.
1168 */
1169 tmsize_t
TIFFReadRawTile(TIFF * tif,uint32 tile,void * buf,tmsize_t size)1170 TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
1171 {
1172 static const char module[] = "TIFFReadRawTile";
1173 TIFFDirectory *td = &tif->tif_dir;
1174 uint64 bytecount64;
1175 tmsize_t bytecountm;
1176
1177 if (!TIFFCheckRead(tif, 1))
1178 return ((tmsize_t)(-1));
1179 if (tile >= td->td_nstrips) {
1180 TIFFErrorExt(tif->tif_clientdata, module,
1181 "%lu: Tile out of range, max %lu",
1182 (unsigned long) tile, (unsigned long) td->td_nstrips);
1183 return ((tmsize_t)(-1));
1184 }
1185 if (tif->tif_flags&TIFF_NOREADRAW)
1186 {
1187 TIFFErrorExt(tif->tif_clientdata, module,
1188 "Compression scheme does not support access to raw uncompressed data");
1189 return ((tmsize_t)(-1));
1190 }
1191 bytecount64 = td->td_stripbytecount[tile];
1192 if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
1193 bytecount64 = (uint64)size;
1194 bytecountm = (tmsize_t)bytecount64;
1195 if ((uint64)bytecountm!=bytecount64)
1196 {
1197 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
1198 return ((tmsize_t)(-1));
1199 }
1200 return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
1201 }
1202
1203 /*
1204 * Read the specified tile and setup for decoding. The data buffer is
1205 * expanded, as necessary, to hold the tile's data.
1206 */
1207 int
TIFFFillTile(TIFF * tif,uint32 tile)1208 TIFFFillTile(TIFF* tif, uint32 tile)
1209 {
1210 static const char module[] = "TIFFFillTile";
1211 TIFFDirectory *td = &tif->tif_dir;
1212
1213 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1214 return 0;
1215
1216 if ((tif->tif_flags&TIFF_NOREADRAW)==0)
1217 {
1218 uint64 bytecount = td->td_stripbytecount[tile];
1219 if ((int64)bytecount <= 0) {
1220 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1221 TIFFErrorExt(tif->tif_clientdata, module,
1222 "%I64u: Invalid tile byte count, tile %lu",
1223 (unsigned __int64) bytecount,
1224 (unsigned long) tile);
1225 #else
1226 TIFFErrorExt(tif->tif_clientdata, module,
1227 "%llu: Invalid tile byte count, tile %lu",
1228 (unsigned long long) bytecount,
1229 (unsigned long) tile);
1230 #endif
1231 return (0);
1232 }
1233
1234 /* To avoid excessive memory allocations: */
1235 /* Byte count should normally not be larger than a number of */
1236 /* times the uncompressed size plus some margin */
1237 if( bytecount > 1024 * 1024 )
1238 {
1239 /* 10 and 4096 are just values that could be adjusted. */
1240 /* Hopefully they are safe enough for all codecs */
1241 tmsize_t stripsize = TIFFTileSize(tif);
1242 if( stripsize != 0 &&
1243 (bytecount - 4096) / 10 > (uint64)stripsize )
1244 {
1245 uint64 newbytecount = (uint64)stripsize * 10 + 4096;
1246 if( (int64)newbytecount >= 0 )
1247 {
1248 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1249 TIFFWarningExt(tif->tif_clientdata, module,
1250 "Too large tile byte count %I64u, tile %lu. Limiting to %I64u",
1251 (unsigned __int64) bytecount,
1252 (unsigned long) tile,
1253 (unsigned __int64) newbytecount);
1254 #else
1255 TIFFErrorExt(tif->tif_clientdata, module,
1256 "Too large tile byte count %llu, tile %lu. Limiting to %llu",
1257 (unsigned long long) bytecount,
1258 (unsigned long) tile,
1259 (unsigned long long) newbytecount);
1260 #endif
1261 bytecount = newbytecount;
1262 }
1263 }
1264 }
1265
1266 if (isMapped(tif)) {
1267 /*
1268 * We must check for overflow, potentially causing
1269 * an OOB read. Instead of simple
1270 *
1271 * td->td_stripoffset[tile]+bytecount > tif->tif_size
1272 *
1273 * comparison (which can overflow) we do the following
1274 * two comparisons:
1275 */
1276 if (bytecount > (uint64)tif->tif_size ||
1277 td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
1278 tif->tif_curtile = NOTILE;
1279 return (0);
1280 }
1281 }
1282
1283 if (isMapped(tif) &&
1284 (isFillOrder(tif, td->td_fillorder)
1285 || (tif->tif_flags & TIFF_NOBITREV))) {
1286 /*
1287 * The image is mapped into memory and we either don't
1288 * need to flip bits or the compression routine is
1289 * going to handle this operation itself. In this
1290 * case, avoid copying the raw data and instead just
1291 * reference the data from the memory mapped file
1292 * image. This assumes that the decompression
1293 * routines do not modify the contents of the raw data
1294 * buffer (if they try to, the application will get a
1295 * fault since the file is mapped read-only).
1296 */
1297 if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
1298 _TIFFfree(tif->tif_rawdata);
1299 tif->tif_rawdata = NULL;
1300 tif->tif_rawdatasize = 0;
1301 }
1302 tif->tif_flags &= ~TIFF_MYBUFFER;
1303
1304 tif->tif_rawdatasize = (tmsize_t)bytecount;
1305 tif->tif_rawdata =
1306 tif->tif_base + (tmsize_t)td->td_stripoffset[tile];
1307 tif->tif_rawdataoff = 0;
1308 tif->tif_rawdataloaded = (tmsize_t) bytecount;
1309 tif->tif_flags |= TIFF_BUFFERMMAP;
1310 } else {
1311 /*
1312 * Expand raw data buffer, if needed, to hold data
1313 * tile coming from file (perhaps should set upper
1314 * bound on the size of a buffer we'll use?).
1315 */
1316 tmsize_t bytecountm;
1317 bytecountm=(tmsize_t)bytecount;
1318 if ((uint64)bytecountm!=bytecount)
1319 {
1320 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
1321 return(0);
1322 }
1323 if (bytecountm > tif->tif_rawdatasize) {
1324 tif->tif_curtile = NOTILE;
1325 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
1326 TIFFErrorExt(tif->tif_clientdata, module,
1327 "Data buffer too small to hold tile %lu",
1328 (unsigned long) tile);
1329 return (0);
1330 }
1331 }
1332 if (tif->tif_flags&TIFF_BUFFERMMAP) {
1333 tif->tif_curtile = NOTILE;
1334 tif->tif_rawdata = NULL;
1335 tif->tif_rawdatasize = 0;
1336 tif->tif_flags &= ~TIFF_BUFFERMMAP;
1337 }
1338
1339 if( isMapped(tif) )
1340 {
1341 if (bytecountm > tif->tif_rawdatasize &&
1342 !TIFFReadBufferSetup(tif, 0, bytecountm))
1343 {
1344 return (0);
1345 }
1346 if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata,
1347 bytecountm, module) != bytecountm)
1348 {
1349 return (0);
1350 }
1351 }
1352 else
1353 {
1354 if (TIFFReadRawStripOrTile2(tif, tile, 0,
1355 bytecountm, module) != bytecountm)
1356 {
1357 return (0);
1358 }
1359 }
1360
1361
1362 tif->tif_rawdataoff = 0;
1363 tif->tif_rawdataloaded = bytecountm;
1364
1365 if (!isFillOrder(tif, td->td_fillorder) &&
1366 (tif->tif_flags & TIFF_NOBITREV) == 0)
1367 TIFFReverseBits(tif->tif_rawdata,
1368 tif->tif_rawdataloaded);
1369 }
1370 }
1371 return (TIFFStartTile(tif, tile));
1372 }
1373
1374 /*
1375 * Setup the raw data buffer in preparation for
1376 * reading a strip of raw data. If the buffer
1377 * is specified as zero, then a buffer of appropriate
1378 * size is allocated by the library. Otherwise,
1379 * the client must guarantee that the buffer is
1380 * large enough to hold any individual strip of
1381 * raw data.
1382 */
1383 int
TIFFReadBufferSetup(TIFF * tif,void * bp,tmsize_t size)1384 TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
1385 {
1386 static const char module[] = "TIFFReadBufferSetup";
1387
1388 assert((tif->tif_flags&TIFF_NOREADRAW)==0);
1389 tif->tif_flags &= ~TIFF_BUFFERMMAP;
1390
1391 if (tif->tif_rawdata) {
1392 if (tif->tif_flags & TIFF_MYBUFFER)
1393 _TIFFfree(tif->tif_rawdata);
1394 tif->tif_rawdata = NULL;
1395 tif->tif_rawdatasize = 0;
1396 }
1397 if (bp) {
1398 tif->tif_rawdatasize = size;
1399 tif->tif_rawdata = (uint8*) bp;
1400 tif->tif_flags &= ~TIFF_MYBUFFER;
1401 } else {
1402 tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64)size, 1024);
1403 if (tif->tif_rawdatasize==0) {
1404 TIFFErrorExt(tif->tif_clientdata, module,
1405 "Invalid buffer size");
1406 return (0);
1407 }
1408 /* Initialize to zero to avoid uninitialized buffers in case of */
1409 /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
1410 tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
1411 tif->tif_flags |= TIFF_MYBUFFER;
1412 }
1413 if (tif->tif_rawdata == NULL) {
1414 TIFFErrorExt(tif->tif_clientdata, module,
1415 "No space for data buffer at scanline %lu",
1416 (unsigned long) tif->tif_row);
1417 tif->tif_rawdatasize = 0;
1418 return (0);
1419 }
1420 return (1);
1421 }
1422
1423 /*
1424 * Set state to appear as if a
1425 * strip has just been read in.
1426 */
1427 static int
TIFFStartStrip(TIFF * tif,uint32 strip)1428 TIFFStartStrip(TIFF* tif, uint32 strip)
1429 {
1430 TIFFDirectory *td = &tif->tif_dir;
1431
1432 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1433 return 0;
1434
1435 if ((tif->tif_flags & TIFF_CODERSETUP) == 0) {
1436 if (!(*tif->tif_setupdecode)(tif))
1437 return (0);
1438 tif->tif_flags |= TIFF_CODERSETUP;
1439 }
1440 tif->tif_curstrip = strip;
1441 tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip;
1442 tif->tif_flags &= ~TIFF_BUF4WRITE;
1443
1444 if (tif->tif_flags&TIFF_NOREADRAW)
1445 {
1446 tif->tif_rawcp = NULL;
1447 tif->tif_rawcc = 0;
1448 }
1449 else
1450 {
1451 tif->tif_rawcp = tif->tif_rawdata;
1452 if( tif->tif_rawdataloaded > 0 )
1453 tif->tif_rawcc = tif->tif_rawdataloaded;
1454 else
1455 tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip];
1456 }
1457 return ((*tif->tif_predecode)(tif,
1458 (uint16)(strip / td->td_stripsperimage)));
1459 }
1460
1461 /*
1462 * Set state to appear as if a
1463 * tile has just been read in.
1464 */
1465 static int
TIFFStartTile(TIFF * tif,uint32 tile)1466 TIFFStartTile(TIFF* tif, uint32 tile)
1467 {
1468 static const char module[] = "TIFFStartTile";
1469 TIFFDirectory *td = &tif->tif_dir;
1470 uint32 howmany32;
1471
1472 if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1473 return 0;
1474
1475 if ((tif->tif_flags & TIFF_CODERSETUP) == 0) {
1476 if (!(*tif->tif_setupdecode)(tif))
1477 return (0);
1478 tif->tif_flags |= TIFF_CODERSETUP;
1479 }
1480 tif->tif_curtile = tile;
1481 howmany32=TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth);
1482 if (howmany32 == 0) {
1483 TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles");
1484 return 0;
1485 }
1486 tif->tif_row = (tile % howmany32) * td->td_tilelength;
1487 howmany32=TIFFhowmany_32(td->td_imagelength, td->td_tilelength);
1488 if (howmany32 == 0) {
1489 TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles");
1490 return 0;
1491 }
1492 tif->tif_col = (tile % howmany32) * td->td_tilewidth;
1493 tif->tif_flags &= ~TIFF_BUF4WRITE;
1494 if (tif->tif_flags&TIFF_NOREADRAW)
1495 {
1496 tif->tif_rawcp = NULL;
1497 tif->tif_rawcc = 0;
1498 }
1499 else
1500 {
1501 tif->tif_rawcp = tif->tif_rawdata;
1502 if( tif->tif_rawdataloaded > 0 )
1503 tif->tif_rawcc = tif->tif_rawdataloaded;
1504 else
1505 tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
1506 }
1507 return ((*tif->tif_predecode)(tif,
1508 (uint16)(tile/td->td_stripsperimage)));
1509 }
1510
1511 static int
TIFFCheckRead(TIFF * tif,int tiles)1512 TIFFCheckRead(TIFF* tif, int tiles)
1513 {
1514 if (tif->tif_mode == O_WRONLY) {
1515 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "File not open for reading");
1516 return (0);
1517 }
1518 if (tiles ^ isTiled(tif)) {
1519 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, tiles ?
1520 "Can not read tiles from a stripped image" :
1521 "Can not read scanlines from a tiled image");
1522 return (0);
1523 }
1524 return (1);
1525 }
1526
1527 void
_TIFFNoPostDecode(TIFF * tif,uint8 * buf,tmsize_t cc)1528 _TIFFNoPostDecode(TIFF* tif, uint8* buf, tmsize_t cc)
1529 {
1530 (void) tif; (void) buf; (void) cc;
1531 }
1532
1533 void
_TIFFSwab16BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1534 _TIFFSwab16BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1535 {
1536 (void) tif;
1537 assert((cc & 1) == 0);
1538 TIFFSwabArrayOfShort((uint16*) buf, cc/2);
1539 }
1540
1541 void
_TIFFSwab24BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1542 _TIFFSwab24BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1543 {
1544 (void) tif;
1545 assert((cc % 3) == 0);
1546 TIFFSwabArrayOfTriples((uint8*) buf, cc/3);
1547 }
1548
1549 void
_TIFFSwab32BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1550 _TIFFSwab32BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1551 {
1552 (void) tif;
1553 assert((cc & 3) == 0);
1554 TIFFSwabArrayOfLong((uint32*) buf, cc/4);
1555 }
1556
1557 void
_TIFFSwab64BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1558 _TIFFSwab64BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1559 {
1560 (void) tif;
1561 assert((cc & 7) == 0);
1562 TIFFSwabArrayOfDouble((double*) buf, cc/8);
1563 }
1564
1565 /* vim: set ts=8 sts=8 sw=8 noet: */
1566 /*
1567 * Local Variables:
1568 * mode: c
1569 * c-basic-offset: 8
1570 * fill-column: 78
1571 * End:
1572 */
1573