author | Even Rouault <even.rouault@spatialys.com> | 2017-05-12 20:16:37 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2017-05-12 20:16:37 +0000 |
commit | 76084fb83112917e81aa4aa786d1e0c3e83638b3 (patch) | |
tree | 9c40822170abec3c8983e9b46262abfd661bc6c4 | |
parent | 80ee713d88a6f4d3a340eb3c8161c674e278c0c3 (diff) | |
download | libtiff-git-76084fb83112917e81aa4aa786d1e0c3e83638b3.tar.gz |
* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. These overflows are
most likely to occur on 32 bit platforms.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | libtiff/tif_read.c | 27 |
2 files changed, 30 insertions, 4 deletions
@@ -1,3 +1,10 @@ +2017-05-12 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), + avoid potential integer overflows with read_ahead in + CHUNKY_STRIP_READ_SUPPORT mode. Should + especially occur on 32 bit platforms. + 2017-05-10 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index b54a6370..392e7a42 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -1,4 +1,4 @@ -/* $Id: tif_read.c,v 1.56 2017-05-10 19:54:54 erouault Exp $ */ +/* $Id: tif_read.c,v 1.57 2017-05-12 20:16:37 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -55,6 +55,7 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) tmsize_t unused_data; uint64 read_offset; tmsize_t cc, to_read; + tmsize_t read_ahead_mod; /* tmsize_t bytecountm; */ if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount) @@ -67,7 +68,14 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) */ /* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */ - if (read_ahead*2 > tif->tif_rawdatasize) { + + /* Not completely sure where the * 2 comes from, but probably for */ + /* an exponentional growth strategy of tif_rawdatasize */ + if( read_ahead < TIFF_TMSIZE_T_MAX / 2 ) + read_ahead_mod = read_ahead * 2; + else + read_ahead_mod = read_ahead; + if (read_ahead_mod > tif->tif_rawdatasize) { assert( restart ); tif->tif_curstrip = NOSTRIP; @@ -77,7 +85,7 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart ) (unsigned long) strip); return (0); } - if (!TIFFReadBufferSetup(tif, 0, read_ahead*2)) + if (!TIFFReadBufferSetup(tif, 0, read_ahead_mod)) return (0); } 
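Review bot: In the `@@ -67,7 +68,14 @@` hunk of TIFFFillStripPartial(), the `else` branch silently drops the doubling, so the `TIFFReadBufferSetup(tif, 0, read_ahead_mod)` call in the `@@ -77,7 +85,7 @@` hunk can be asked for exactly `read_ahead` bytes with no headroom. The rest of the function lies outside these hunks, so it is not visible whether later code assumes `tif_rawdatasize` is at least twice `read_ahead`. If it does, this path should fail like the neighbouring `return (0);` rather than continue, and otherwise the fallback deserves a comment such as `/* read_ahead too large to double safely: size the buffer at read_ahead itself */`. The guard also bounds `read_ahead` only from above, and `tmsize_t` is signed, so a lower-bound check such as `if( read_ahead <= 0 ) return (0);` would make the precondition explicit, assuming no caller legitimately passes zero. Minor: "exponentional" in the new comment should read "exponential".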
@@ -219,7 +227,18 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) if( !whole_strip ) { - read_ahead = tif->tif_scanlinesize * 16 + 5000; + /* 16 is for YCbCr mode where we may need to read 16 */ + /* lines at a time to get a decompressed line, and 5000 */ + /* is some constant value, for example for JPEG tables */ + if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 && + tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 ) + { + read_ahead = tif->tif_scanlinesize * 16 + 5000; + } + else + { + read_ahead = tif->tif_scanlinesize; + } } /* |
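Review bot: The `else` branch in TIFFSeek() sets `read_ahead = tif->tif_scanlinesize`, which contradicts the new comment saying up to 16 lines plus table space may be needed to decode a single line. A file whose scanline size is large enough to trip the overflow guard will therefore proceed with less read-ahead than the normal path requests. Whether the decoders tolerate that is not visible here, since TIFFSeek's body continues outside the hunk, so I would either document the fallback, e.g. `/* overflow: fall back to one scanline; decoder must cope with a short read-ahead */`, or treat the case as an error. As a style point, the two-part condition can be written as the single overflow-free comparison `if( tif->tif_scanlinesize < (TIFF_TMSIZE_T_MAX - 5000) / 16 )`. Naming the constants 16 and 5000 would also keep the guard and the computation from drifting apart.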