Attachment #182215 for bug #216658

View | Details | Raw Unified | Return to bug 216658
Collapse All | Expand All

Lines 591-597 static copyFunc pickCopyFunc(TIFF, TIFF, uint16, uint16); Link Here

(-)tools/tiffcp.c (-2 / +22 lines)
591	static int	591	static int
592	tiffcp(TIFF* in, TIFF* out)	592	tiffcp(TIFF* in, TIFF* out)
593	{	593	{
594	uint16 bitspersample, samplesperpixel = 1;	594	uint16 bitspersample = 1, samplesperpixel = 1;
595	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;	595	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
596	copyFunc cf;	596	copyFunc cf;
597	uint32 width, length;	597	uint32 width, length;
Lines 1067-1072 DECLAREcpFunc(cpContig2SeparateByRow) Link Here
1067	register uint32 n;	1067	register uint32 n;
1068	uint32 row;	1068	uint32 row;
1069	tsample_t s;	1069	tsample_t s;
		1070	uint16 bps = 0;
		1071
		1072	(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
		1073	if( bps != 8 )
		1074	{
		1075	TIFFError(TIFFFileName(in),
		1076	"Error, can only handle BitsPerSample=8 in %s",
		1077	"cpContig2SeparateByRow");
		1078	return 0;
		1079	}
1070		1080
1071	inbuf = _TIFFmalloc(scanlinesizein);	1081	inbuf = _TIFFmalloc(scanlinesizein);
1072	outbuf = _TIFFmalloc(scanlinesizeout);	1082	outbuf = _TIFFmalloc(scanlinesizeout);
Lines 1120-1125 DECLAREcpFunc(cpSeparate2ContigByRow) Link Here
1120	register uint32 n;	1130	register uint32 n;
1121	uint32 row;	1131	uint32 row;
1122	tsample_t s;	1132	tsample_t s;
		1133	uint16 bps = 0;
		1134
		1135	(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
		1136	if( bps != 8 )
		1137	{
		1138	TIFFError(TIFFFileName(in),
		1139	"Error, can only handle BitsPerSample=8 in %s",
		1140	"cpSeparate2ContigByRow");
		1141	return 0;
		1142	}
1123		1143
1124	inbuf = _TIFFmalloc(scanlinesizein);	1144	inbuf = _TIFFmalloc(scanlinesizein);
1125	outbuf = _TIFFmalloc(scanlinesizeout);	1145	outbuf = _TIFFmalloc(scanlinesizeout);
Lines 1784-1790 pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) Link Here
1784	uint32 w, l, tw, tl;	1804	uint32 w, l, tw, tl;
1785	int bychunk;	1805	int bychunk;
1786		1806
1787	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);	1807	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
1788	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {	1808	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
1789	fprintf(stderr,	1809	fprintf(stderr,
1790	"%s: Cannot handle different planar configuration w/ bits/sample != 8\n",	1810	"%s: Cannot handle different planar configuration w/ bits/sample != 8\n",

Lines 1302-1308 DECLAREContigPutFunc(putagreytile) Link Here

(-)libtiff/tif_getimage.c (-1 / +1 lines)
1302	while (h-- > 0) {	1302	while (h-- > 0) {
1303	for (x = w; x-- > 0;)	1303	for (x = w; x-- > 0;)
1304	{	1304	{
1305	cp++ = BWmap[pp][0] & (*(pp+1) << 24 \| ~A1);	1305	cp++ = BWmap[pp][0] & ((uint32)*(pp+1) << 24 \| ~A1);
1306	pp += samplesperpixel;	1306	pp += samplesperpixel;
1307	}	1307	}
1308	cp += toskew;	1308	cp += toskew;

Lines 985-991 TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size) Link Here

(-)libtiff/tif_read.c (-1 / +3 lines)
985	"Invalid buffer size");	985	"Invalid buffer size");
986	return (0);	986	return (0);
987	}	987	}
988	tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);	988	/* Initialize to zero to avoid uninitialized buffers in case of */
		989	/* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
		990	tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
989	tif->tif_flags \|= TIFF_MYBUFFER;	991	tif->tif_flags \|= TIFF_MYBUFFER;
990	}	992	}
991	if (tif->tif_rawdata == NULL) {	993	if (tif->tif_rawdata == NULL) {

Lines 316-321 _TIFFmalloc(tmsize_t s) Link Here

(-)libtiff/tif_unix.c (+8 lines)
316	return (malloc((size_t) s));	316	return (malloc((size_t) s));
317	}	317	}
318		318
		319	void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
		320	{
		321	if( nmemb == 0 \|\| siz == 0 )
		322	return ((void *) NULL);
		323
		324	return calloc((size_t) nmemb, (size_t)siz);
		325	}
		326
319	void	327	void
320	_TIFFfree(void* p)	328	_TIFFfree(void* p)
321	{	329	{

Lines 360-365 _TIFFmalloc(tmsize_t s) Link Here

(-)libtiff/tif_win32.c (+8 lines)
360	return (malloc((size_t) s));	360	return (malloc((size_t) s));
361	}	361	}
362		362
		363	void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
		364	{
		365	if( nmemb == 0 \|\| siz == 0 )
		366	return ((void *) NULL);
		367
		368	return calloc((size_t) nmemb, (size_t)siz);
		369	}
		370
363	void	371	void
364	_TIFFfree(void* p)	372	_TIFFfree(void* p)
365	{	373	{

Lines 293-298 extern TIFFCodec* TIFFGetConfiguredCODECs(void); Link Here

(-)libtiff/tiffio.h (+1 lines)
293	*/	293	*/
294		294
295	extern void* _TIFFmalloc(tmsize_t s);	295	extern void* _TIFFmalloc(tmsize_t s);
		296	extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
296	extern void* _TIFFrealloc(void* p, tmsize_t s);	297	extern void* _TIFFrealloc(void* p, tmsize_t s);
297	extern void _TIFFmemset(void* p, int v, tmsize_t c);	298	extern void _TIFFmemset(void* p, int v, tmsize_t c);
298	extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);	299	extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);

Lines 1918-1924 OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif) Link Here

(-)libtiff/tif_ojpeg.c (+3 lines)
1918	rb[sizeof(uint32)+5+n]=o[n];	1918	rb[sizeof(uint32)+5+n]=o[n];
1919	p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);	1919	p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
1920	if (p!=q)	1920	if (p!=q)
		1921	{
		1922	_TIFFfree(rb);
1921	return(0);	1923	return(0);
		1924	}
1922	sp->actable[m]=rb;	1925	sp->actable[m]=rb;
1923	sp->sos_tda[m]=(sp->sos_tda[m]\|m);	1926	sp->sos_tda[m]=(sp->sos_tda[m]\|m);
1924	}	1927	}

Lines 1790-1796 OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif) Link Here

(-)libtiff/tif_ojpeg.c (+6 lines)
1790	TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);	1790	TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
1791	p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);	1791	p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
1792	if (p!=64)	1792	if (p!=64)
		1793	{
		1794	_TIFFfree(ob);
1793	return(0);	1795	return(0);
		1796	}
1794	sp->qtable[m]=ob;	1797	sp->qtable[m]=ob;
1795	sp->sof_tq[m]=m;	1798	sp->sof_tq[m]=m;
1796	}	1799	}
Lines 1854-1860 OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif) Link Here
1854	rb[sizeof(uint32)+5+n]=o[n];	1857	rb[sizeof(uint32)+5+n]=o[n];
1855	p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);	1858	p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
1856	if (p!=q)	1859	if (p!=q)
		1860	{
		1861	_TIFFfree(rb);
1857	return(0);	1862	return(0);
		1863	}
1858	sp->dctable[m]=rb;	1864	sp->dctable[m]=rb;
1859	sp->sos_tda[m]=(m<<4);	1865	sp->sos_tda[m]=(m<<4);
1860	}	1866	}

Lines 1626-1631 JPEGSetupEncode(TIFF* tif) Link Here

(-)libtiff/tif_jpeg.c (+7 lines)
1626	case PHOTOMETRIC_YCBCR:	1626	case PHOTOMETRIC_YCBCR:
1627	sp->h_sampling = td->td_ycbcrsubsampling[0];	1627	sp->h_sampling = td->td_ycbcrsubsampling[0];
1628	sp->v_sampling = td->td_ycbcrsubsampling[1];	1628	sp->v_sampling = td->td_ycbcrsubsampling[1];
		1629	if( sp->h_sampling == 0 \|\| sp->v_sampling == 0 )
		1630	{
		1631	TIFFErrorExt(tif->tif_clientdata, module,
		1632	"Invalig horizontal/vertical sampling value");
		1633	return (0);
		1634	}
		1635
1629	/*	1636	/*
1630	* A ReferenceBlackWhite field must be present since the	1637	* A ReferenceBlackWhite field must be present since the
1631	* default value is inappropriate for YCbCr. Fill in the	1638	* default value is inappropriate for YCbCr. Fill in the

Lines 31-36 Link Here

(-)libtiff/tif_dir.c (-4 / +14 lines)
31	* (and also some miscellaneous stuff)	31	* (and also some miscellaneous stuff)
32	*/	32	*/
33	#include "tiffiop.h"	33	#include "tiffiop.h"
		34	#include <float.h>
34		35
35	/*	36	/*
36	* These are used in the backwards compatibility code...	37	* These are used in the backwards compatibility code...
Lines 154-159 Link Here
154	return (0);	155	return (0);
155	}	156	}
156		157
		158	static float TIFFClampDoubleToFloat( double val )
		159	{
		160	if( val > FLT_MAX )
		161	return FLT_MAX;
		162	if( val < -FLT_MAX )
		163	return -FLT_MAX;
		164	return (float)val;
		165	}
		166
157	static int	167	static int
158	_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)	168	_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
159	{	169	{
Lines 312-324 Link Here
312	dblval = va_arg(ap, double);	322	dblval = va_arg(ap, double);
313	if( dblval < 0 )	323	if( dblval < 0 )
314	goto badvaluedouble;	324	goto badvaluedouble;
315	td->td_xresolution = (float) dblval;	325	td->td_xresolution = TIFFClampDoubleToFloat( dblval );
316	break;	326	break;
317	case TIFFTAG_YRESOLUTION:	327	case TIFFTAG_YRESOLUTION:
318	dblval = va_arg(ap, double);	328	dblval = va_arg(ap, double);
319	if( dblval < 0 )	329	if( dblval < 0 )
320	goto badvaluedouble;	330	goto badvaluedouble;
321	td->td_yresolution = (float) dblval;	331	td->td_yresolution = TIFFClampDoubleToFloat( dblval );
322	break;	332	break;
323	case TIFFTAG_PLANARCONFIG:	333	case TIFFTAG_PLANARCONFIG:
324	v = (uint16) va_arg(ap, uint16_vap);	334	v = (uint16) va_arg(ap, uint16_vap);
Lines 327-336 Link Here
327	td->td_planarconfig = (uint16) v;	337	td->td_planarconfig = (uint16) v;
328	break;	338	break;
329	case TIFFTAG_XPOSITION:	339	case TIFFTAG_XPOSITION:
330	td->td_xposition = (float) va_arg(ap, double);	340	td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
331	break;	341	break;
332	case TIFFTAG_YPOSITION:	342	case TIFFTAG_YPOSITION:
333	td->td_yposition = (float) va_arg(ap, double);	343	td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
334	break;	344	break;
335	case TIFFTAG_RESOLUTIONUNIT:	345	case TIFFTAG_RESOLUTIONUNIT:
336	v = (uint16) va_arg(ap, uint16_vap);	346	v = (uint16) va_arg(ap, uint16_vap);

Lines 40-45 Link Here

(-)libtiff/tif_dirread.c (-1 / +9 lines)
40	*/	40	*/
41		41
42	#include "tiffiop.h"	42	#include "tiffiop.h"
		43	#include <float.h>
43		44
44	#define IGNORE 0 /* tag placeholder used below */	45	#define IGNORE 0 /* tag placeholder used below */
45	#define FAILED_FII ((uint32) -1)	46	#define FAILED_FII ((uint32) -1)
Lines 2406-2412 Link Here
2406	ma=(double*)origdata;	2407	ma=(double*)origdata;
2407	mb=data;	2408	mb=data;
2408	for (n=0; n<count; n++)	2409	for (n=0; n<count; n++)
2409	mb++=(float)(ma++);	2410	{
		2411	double val = *ma++;
		2412	if( val > FLT_MAX )
		2413	val = FLT_MAX;
		2414	else if( val < -FLT_MAX )
		2415	val = -FLT_MAX;
		2416	*mb++=(float)val;
		2417	}
2410	}	2418	}
2411	break;	2419	break;
2412	}	2420	}




 * Directory Write Support Routines.
 */
#include "tiffiop.h"
#include <float.h>

#ifdef HAVE_IEEEFP
#define TIFFCvtNativeToIEEEFloat(tif, n, fp)

	return(0);
}

static float TIFFClampDoubleToFloat( double val )
{
    if( val > FLT_MAX )
        return FLT_MAX;
    if( val < -FLT_MAX )
        return -FLT_MAX;
    return (float)val;
}

static int8 TIFFClampDoubleToInt8( double val )
{
    if( val > 127 )
        return 127;
    if( val < -128 || val != val )
        return -128;
    return (int8)val;
}

static int16 TIFFClampDoubleToInt16( double val )
{
    if( val > 32767 )
        return 32767;
    if( val < -32768 || val != val )
        return -32768;
    return (int16)val;
}

static int32 TIFFClampDoubleToInt32( double val )
{
    if( val > 0x7FFFFFFF )
        return 0x7FFFFFFF;
    if( val < -0x7FFFFFFF-1 || val != val )
        return -0x7FFFFFFF-1;
    return (int32)val;
}

static uint8 TIFFClampDoubleToUInt8( double val )
{
    if( val < 0 )
        return 0;
    if( val > 255 || val != val )
        return 255;
    return (uint8)val;
}

static uint16 TIFFClampDoubleToUInt16( double val )
{
    if( val < 0 )
        return 0;
    if( val > 65535 || val != val )
        return 65535;
    return (uint16)val;
}

static uint32 TIFFClampDoubleToUInt32( double val )
{
    if( val < 0 )
        return 0;
    if( val > 0xFFFFFFFFU || val != val )
        return 0xFFFFFFFFU;
    return (uint32)val;
}

static int
TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
{

			if (tif->tif_dir.td_bitspersample<=32)
			{
				for (i = 0; i < count; ++i)
					((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
				ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
			}
			else

			if (tif->tif_dir.td_bitspersample<=8)
			{
				for (i = 0; i < count; ++i)
					((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
				ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
			}
			else if (tif->tif_dir.td_bitspersample<=16)
			{
				for (i = 0; i < count; ++i)
					((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
				ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
			}
			else
			{
				for (i = 0; i < count; ++i)
					((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
				ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
			}
			break;

			if (tif->tif_dir.td_bitspersample<=8)
			{
				for (i = 0; i < count; ++i)
					((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
				ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
			}
			else if (tif->tif_dir.td_bitspersample<=16)
			{
				for (i = 0; i < count; ++i)
					((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
				ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
			}
			else
			{
				for (i = 0; i < count; ++i)
					((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
				ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
			}
			break;

static int
TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
{
	static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
	uint32 m[2];
	assert(value>=0.0);
	assert(sizeof(uint32)==4);
	if( value < 0 )
	{
	    TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
	    return 0;
	}
	else if( value != value )
	{
	    TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
	    return 0;
	}
	else if (value==0.0)
	{
		m[0]=0;
		m[1]=1;
	}
	else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
	{
		m[0]=(uint32)value;
		m[1]=1;

	}
	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
	{
		if (*na<=0.0 || *na != *na)
		{
			nb[0]=0;
			nb[1]=1;
		}
		else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
				  *na==(float)(uint32)(*na))
		{
			nb[0]=(uint32)(*na);
			nb[1]=1;

Lines 7986-7992 Link Here

(-)tools/tiffcrop.c (-1 lines)
7986	if (!TIFFWriteDirectory(out))	7986	if (!TIFFWriteDirectory(out))
7987	{	7987	{
7988	TIFFError("","Failed to write IFD for page number %d", pagenum);	7988	TIFFError("","Failed to write IFD for page number %d", pagenum);
7989	TIFFClose(out);
7990	return (-1);	7989	return (-1);
7991	}	7990	}
7992		7991

Lines 2872-2878 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD Link Here

(-)libtiff/tif_dirread.c (-2 / +8 lines)
2872	m.l = direntry->tdir_offset.toff_long8;	2872	m.l = direntry->tdir_offset.toff_long8;
2873	if (tif->tif_flags&TIFF_SWAB)	2873	if (tif->tif_flags&TIFF_SWAB)
2874	TIFFSwabArrayOfLong(m.i,2);	2874	TIFFSwabArrayOfLong(m.i,2);
2875	if (m.i[0]==0)	2875	/* Not completely sure what we should do when m.i[1]==0, but some */
		2876	/* sanitizers do not like division by 0.0: */
		2877	/* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
		2878	if (m.i[0]==0 \|\| m.i[1]==0)
2876	*value=0.0;	2879	*value=0.0;
2877	else	2880	else
2878	*value=(double)m.i[0]/(double)m.i[1];	2881	*value=(double)m.i[0]/(double)m.i[1];
Lines 2900-2906 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF Link Here
2900	m.l=direntry->tdir_offset.toff_long8;	2903	m.l=direntry->tdir_offset.toff_long8;
2901	if (tif->tif_flags&TIFF_SWAB)	2904	if (tif->tif_flags&TIFF_SWAB)
2902	TIFFSwabArrayOfLong(m.i,2);	2905	TIFFSwabArrayOfLong(m.i,2);
2903	if ((int32)m.i[0]==0)	2906	/* Not completely sure what we should do when m.i[1]==0, but some */
		2907	/* sanitizers do not like division by 0.0: */
		2908	/* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
		2909	if ((int32)m.i[0]==0 \|\| m.i[1]==0)
2904	*value=0.0;	2910	*value=0.0;
2905	else	2911	else
2906	*value=(double)((int32)m.i[0])/(double)m.i[1];	2912	*value=(double)((int32)m.i[0])/(double)m.i[1];

Lines 1632-1637 JPEGSetupEncode(TIFF* tif) Link Here

(-)libtiff/tif_jpeg.c (+7 lines)
1632	"Invalig horizontal/vertical sampling value");	1632	"Invalig horizontal/vertical sampling value");
1633	return (0);	1633	return (0);
1634	}	1634	}
		1635	if( td->td_bitspersample > 16 )
		1636	{
		1637	TIFFErrorExt(tif->tif_clientdata, module,
		1638	"BitsPerSample %d not allowed for JPEG",
		1639	td->td_bitspersample);
		1640	return (0);
		1641	}
1635		1642
1636	/*	1643	/*
1637	* A ReferenceBlackWhite field must be present since the	1644	* A ReferenceBlackWhite field must be present since the




			return ((tmsize_t)(-1));
		}
	} else {
		tmsize_t ma;
		tmsize_t n;
		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
                    ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
                {
                    n=0;
                }
                else if( ma > TIFF_TMSIZE_T_MAX - size )
                {
                    n=0;
                }
                else
                {
                    tmsize_t mb=ma+size;
                    if (mb>tif->tif_size)
                            n=tif->tif_size-ma;
                    else
                            n=size;
                }
		if (n!=size) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
			TIFFErrorExt(tif->tif_clientdata, module,




2017-01-12 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
	OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
	when read fails.
	Patch by Nicolás Peña.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=265

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
	cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
	http://bugzilla.maptools.org/show_bug.cgi?id=2657

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
	avoid UndefinedBehaviorSanitizer warning.
	Patch by Nicolás Peña.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()

	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
	initialize tif_rawdata.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_jpeg.c: avoid integer division by zero in
	JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
	of double to other data types to avoid undefined behaviour if the output range
	isn't big enough to hold the input value.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
	http://bugzilla.maptools.org/show_bug.cgi?id=2642
	http://bugzilla.maptools.org/show_bug.cgi?id=2646
	http://bugzilla.maptools.org/show_bug.cgi?id=2647

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
	assertion by runtime check to error out if passed value is strictly
	negative.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

	* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
	caused double free.
	Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_dirread.c: avoid division by floating point 0 in
	TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
	and return 0 in that case (instead of infinity as before presumably)
	Apparently some sanitizers do not like those divisions by zero.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=264

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
	undefined behaviour caused by invalid shift exponent.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648

2017-01-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
	addition in TIFFReadRawStrip1() in isMapped() case.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650

2016-11-19  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* libtiff 4.0.7 released.

Return to bug 216658

Lines 30-35 Link Here

(-)libtiff/tif_dirwrite.c (-12 / +87 lines)
30	* Directory Write Support Routines.	30	* Directory Write Support Routines.
31	*/	31	*/
32	#include "tiffiop.h"	32	#include "tiffiop.h"
		33	#include <float.h>
33		34
34	#ifdef HAVE_IEEEFP	35	#ifdef HAVE_IEEEFP
35	#define TIFFCvtNativeToIEEEFloat(tif, n, fp)	36	#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
Lines 939-944 Link Here
939	return(0);	940	return(0);
940	}	941	}
941		942
		943	static float TIFFClampDoubleToFloat( double val )
		944	{
		945	if( val > FLT_MAX )
		946	return FLT_MAX;
		947	if( val < -FLT_MAX )
		948	return -FLT_MAX;
		949	return (float)val;
		950	}
		951
		952	static int8 TIFFClampDoubleToInt8( double val )
		953	{
		954	if( val > 127 )
		955	return 127;
		956	if( val < -128 \|\| val != val )
		957	return -128;
		958	return (int8)val;
		959	}
		960
		961	static int16 TIFFClampDoubleToInt16( double val )
		962	{
		963	if( val > 32767 )
		964	return 32767;
		965	if( val < -32768 \|\| val != val )
		966	return -32768;
		967	return (int16)val;
		968	}
		969
		970	static int32 TIFFClampDoubleToInt32( double val )
		971	{
		972	if( val > 0x7FFFFFFF )
		973	return 0x7FFFFFFF;
		974	if( val < -0x7FFFFFFF-1 \|\| val != val )
		975	return -0x7FFFFFFF-1;
		976	return (int32)val;
		977	}
		978
		979	static uint8 TIFFClampDoubleToUInt8( double val )
		980	{
		981	if( val < 0 )
		982	return 0;
		983	if( val > 255 \|\| val != val )
		984	return 255;
		985	return (uint8)val;
		986	}
		987
		988	static uint16 TIFFClampDoubleToUInt16( double val )
		989	{
		990	if( val < 0 )
		991	return 0;
		992	if( val > 65535 \|\| val != val )
		993	return 65535;
		994	return (uint16)val;
		995	}
		996
		997	static uint32 TIFFClampDoubleToUInt32( double val )
		998	{
		999	if( val < 0 )
		1000	return 0;
		1001	if( val > 0xFFFFFFFFU \|\| val != val )
		1002	return 0xFFFFFFFFU;
		1003	return (uint32)val;
		1004	}
		1005
942	static int	1006	static int
943	TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)	1007	TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
944	{	1008	{
Lines 959-965 Link Here
959	if (tif->tif_dir.td_bitspersample<=32)	1023	if (tif->tif_dir.td_bitspersample<=32)
960	{	1024	{
961	for (i = 0; i < count; ++i)	1025	for (i = 0; i < count; ++i)
962	((float*)conv)[i] = (float)value[i];	1026	((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
963	ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);	1027	ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
964	}	1028	}
965	else	1029	else
Lines 971-989 Link Here
971	if (tif->tif_dir.td_bitspersample<=8)	1035	if (tif->tif_dir.td_bitspersample<=8)
972	{	1036	{
973	for (i = 0; i < count; ++i)	1037	for (i = 0; i < count; ++i)
974	((int8*)conv)[i] = (int8)value[i];	1038	((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
975	ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);	1039	ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
976	}	1040	}
977	else if (tif->tif_dir.td_bitspersample<=16)	1041	else if (tif->tif_dir.td_bitspersample<=16)
978	{	1042	{
979	for (i = 0; i < count; ++i)	1043	for (i = 0; i < count; ++i)
980	((int16*)conv)[i] = (int16)value[i];	1044	((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
981	ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);	1045	ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
982	}	1046	}
983	else	1047	else
984	{	1048	{
985	for (i = 0; i < count; ++i)	1049	for (i = 0; i < count; ++i)
986	((int32*)conv)[i] = (int32)value[i];	1050	((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
987	ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);	1051	ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
988	}	1052	}
989	break;	1053	break;
Lines 991-1009 Link Here
991	if (tif->tif_dir.td_bitspersample<=8)	1055	if (tif->tif_dir.td_bitspersample<=8)
992	{	1056	{
993	for (i = 0; i < count; ++i)	1057	for (i = 0; i < count; ++i)
994	((uint8*)conv)[i] = (uint8)value[i];	1058	((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
995	ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);	1059	ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
996	}	1060	}
997	else if (tif->tif_dir.td_bitspersample<=16)	1061	else if (tif->tif_dir.td_bitspersample<=16)
998	{	1062	{
999	for (i = 0; i < count; ++i)	1063	for (i = 0; i < count; ++i)
1000	((uint16*)conv)[i] = (uint16)value[i];	1064	((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
1001	ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);	1065	ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
1002	}	1066	}
1003	else	1067	else
1004	{	1068	{
1005	for (i = 0; i < count; ++i)	1069	for (i = 0; i < count; ++i)
1006	((uint32*)conv)[i] = (uint32)value[i];	1070	((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
1007	ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);	1071	ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
1008	}	1072	}
1009	break;	1073	break;
Lines 2094-2108 Link Here
2094	static int	2158	static int
2095	TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)	2159	TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
2096	{	2160	{
		2161	static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
2097	uint32 m[2];	2162	uint32 m[2];
2098	assert(value>=0.0);
2099	assert(sizeof(uint32)==4);	2163	assert(sizeof(uint32)==4);
2100	if (value<=0.0)	2164	if( value < 0 )
		2165	{
		2166	TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
		2167	return 0;
		2168	}
		2169	else if( value != value )
		2170	{
		2171	TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
		2172	return 0;
		2173	}
		2174	else if (value==0.0)
2101	{	2175	{
2102	m[0]=0;	2176	m[0]=0;
2103	m[1]=1;	2177	m[1]=1;
2104	}	2178	}
2105	else if (value==(double)(uint32)value)	2179	else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
2106	{	2180	{
2107	m[0]=(uint32)value;	2181	m[0]=(uint32)value;
2108	m[1]=1;	2182	m[1]=1;
Lines 2143-2154 Link Here
2143	}	2217	}
2144	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)	2218	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
2145	{	2219	{
2146	if (*na<=0.0)	2220	if (na<=0.0 \|\| na != *na)
2147	{	2221	{
2148	nb[0]=0;	2222	nb[0]=0;
2149	nb[1]=1;	2223	nb[1]=1;
2150	}	2224	}
2151	else if (na==(float)(uint32)(na))	2225	else if (na >= 0 && na <= (float)0xFFFFFFFFU &&
		2226	na==(float)(uint32)(na))
2152	{	2227	{
2153	nb[0]=(uint32)(*na);	2228	nb[0]=(uint32)(*na);
2154	nb[1]=1;	2229	nb[1]=1;

Lines 420-435 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, Link Here

(-)libtiff/tif_read.c (-9 / +18 lines)
420	return ((tmsize_t)(-1));	420	return ((tmsize_t)(-1));
421	}	421	}
422	} else {	422	} else {
423	tmsize_t ma,mb;	423	tmsize_t ma;
424	tmsize_t n;	424	tmsize_t n;
425	ma=(tmsize_t)td->td_stripoffset[strip];	425	if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)\|\|
426	mb=ma+size;	426	((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
427	if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)\|\|(ma>tif->tif_size))	427	{
428	n=0;	428	n=0;
429	else if ((mb<ma)\|\|(mb<size)\|\|(mb>tif->tif_size))	429	}
430	n=tif->tif_size-ma;	430	else if( ma > TIFF_TMSIZE_T_MAX - size )
431	else	431	{
432	n=size;	432	n=0;
		433	}
		434	else
		435	{
		436	tmsize_t mb=ma+size;
		437	if (mb>tif->tif_size)
		438	n=tif->tif_size-ma;
		439	else
		440	n=size;
		441	}
433	if (n!=size) {	442	if (n!=size) {
434	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))	443	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
435	TIFFErrorExt(tif->tif_clientdata, module,	444	TIFFErrorExt(tif->tif_clientdata, module,

Lines 1-3 Link Here

(-)ChangeLog (+77 lines)
		1	2017-01-12 Even Rouault <even.rouault at spatialys.com>
		2
		3	* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
		4	OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
		5	when read fails.
		6	Patch by Nicolás Peña.
		7	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=265
		8
		9	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		10
		11	* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
		12	cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
		13	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
		14	http://bugzilla.maptools.org/show_bug.cgi?id=2657
		15
		16	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		17
		18	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
		19	avoid UndefinedBehaviorSanitizer warning.
		20	Patch by Nicolás Peña.
		21	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
		22
		23	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		24
		25	* libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
		26
		27	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
		28	initialize tif_rawdata.
		29	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
		30
		31	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		32
		33	* libtiff/tif_jpeg.c: avoid integer division by zero in
		34	JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
		35	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
		36
		37	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		38
		39	* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
		40	of double to other data types to avoid undefined behaviour if the output range
		41	isn't big enough to hold the input value.
		42	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
		43	http://bugzilla.maptools.org/show_bug.cgi?id=2642
		44	http://bugzilla.maptools.org/show_bug.cgi?id=2646
		45	http://bugzilla.maptools.org/show_bug.cgi?id=2647
		46
		47	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		48
		49	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
		50	assertion by runtime check to error out if passed value is strictly
		51	negative.
		52	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
		53
		54	* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
		55	caused double free.
		56	Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
		57
		58	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		59
		60	* libtiff/tif_dirread.c: avoid division by floating point 0 in
		61	TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
		62	and return 0 in that case (instead of infinity as before presumably)
		63	Apparently some sanitizers do not like those divisions by zero.
		64	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=264
65
66	2017-01-11 Even Rouault <even.rouault at spatialys.com>
67
68	* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
69	undefined behaviour caused by invalid shift exponent.
70	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
71
72	2017-01-11 Even Rouault <even.rouault at spatialys.com>
73
74	* libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
75	addition in TIFFReadRawStrip1() in isMapped() case.
76	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
77
1	2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>	78	2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
2		79
3	* libtiff 4.0.7 released.	80	* libtiff 4.0.7 released.