Line data Source code
1 : /*
2 : * Copyright (c) 1988-1997 Sam Leffler
3 : * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4 : *
5 : * Permission to use, copy, modify, distribute, and sell this software and
6 : * its documentation for any purpose is hereby granted without fee, provided
7 : * that (i) the above copyright notices and this permission notice appear in
8 : * all copies of the software and related documentation, and (ii) the names of
9 : * Sam Leffler and Silicon Graphics may not be used in any advertising or
10 : * publicity relating to the software without the specific, prior written
11 : * permission of Sam Leffler and Silicon Graphics.
12 : *
13 : * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14 : * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15 : * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16 : *
17 : * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18 : * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19 : * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20 : * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21 : * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22 : * OF THIS SOFTWARE.
23 : */
24 :
25 : /*
26 : * TIFF Library.
27 : * Scanline-oriented Read Support
28 : */
29 : #include "tiffiop.h"
30 : #include <stdio.h>
31 :
32 : int TIFFFillStrip(TIFF *tif, uint32_t strip);
33 : int TIFFFillTile(TIFF *tif, uint32_t tile);
34 : static int TIFFStartStrip(TIFF *tif, uint32_t strip);
35 : static int TIFFStartTile(TIFF *tif, uint32_t tile);
36 : static int TIFFCheckRead(TIFF *, int);
37 : static tmsize_t TIFFReadRawStrip1(TIFF *tif, uint32_t strip, void *buf,
38 : tmsize_t size, const char *module);
39 : static tmsize_t TIFFReadRawTile1(TIFF *tif, uint32_t tile, void *buf,
40 : tmsize_t size, const char *module);
41 :
42 : #define NOSTRIP ((uint32_t)(-1)) /* undefined state */
43 : #define NOTILE ((uint32_t)(-1)) /* undefined state */
44 :
45 : #define INITIAL_THRESHOLD (1024 * 1024)
46 : #define THRESHOLD_MULTIPLIER 10
47 : #define MAX_THRESHOLD \
48 : (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * \
49 : INITIAL_THRESHOLD)
50 :
51 : #define TIFF_INT64_MAX ((((int64_t)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
52 :
53 : /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
54 : * Returns 1 in case of success, 0 otherwise. */
55 15389 : static int TIFFReadAndRealloc(TIFF *tif, tmsize_t size, tmsize_t rawdata_offset,
56 : int is_strip, uint32_t strip_or_tile,
57 : const char *module)
58 : {
59 : #if SIZEOF_SIZE_T == 8
60 15389 : tmsize_t threshold = INITIAL_THRESHOLD;
61 : #endif
62 15389 : tmsize_t already_read = 0;
63 :
64 : #if SIZEOF_SIZE_T != 8
65 : /* On 32 bit processes, if the request is large enough, check against */
66 : /* file size */
67 : if (size > 1000 * 1000 * 1000)
68 : {
69 : uint64_t filesize = TIFFGetFileSize(tif);
70 : if ((uint64_t)size >= filesize)
71 : {
72 : TIFFErrorExtR(tif, module,
73 : "Chunk size requested is larger than file size.");
74 : return 0;
75 : }
76 : }
77 : #endif
78 :
79 : /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
80 : /* so as to avoid allocating too much memory in case the file is too */
81 : /* short. We could ask for the file size, but this might be */
82 : /* expensive with some I/O layers (think of reading a gzipped file) */
83 : /* Restrict to 64 bit processes, so as to avoid reallocs() */
84 : /* on 32 bit processes where virtual memory is scarce. */
85 30751 : while (already_read < size)
86 : {
87 : tmsize_t bytes_read;
88 15391 : tmsize_t to_read = size - already_read;
89 : #if SIZEOF_SIZE_T == 8
90 15391 : if (to_read >= threshold && threshold < MAX_THRESHOLD &&
91 3 : already_read + to_read + rawdata_offset > tif->tif_rawdatasize)
92 : {
93 3 : to_read = threshold;
94 3 : threshold *= THRESHOLD_MULTIPLIER;
95 : }
96 : #endif
97 15391 : if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize)
98 : {
99 : uint8_t *new_rawdata;
100 1502 : assert((tif->tif_flags & TIFF_MYBUFFER) != 0);
101 1502 : tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64(
102 : (uint64_t)already_read + to_read + rawdata_offset, 1024);
103 1502 : if (tif->tif_rawdatasize == 0)
104 : {
105 0 : TIFFErrorExtR(tif, module, "Invalid buffer size");
106 0 : return 0;
107 : }
108 1502 : new_rawdata = (uint8_t *)_TIFFreallocExt(tif, tif->tif_rawdata,
109 : tif->tif_rawdatasize);
110 1502 : if (new_rawdata == 0)
111 : {
112 0 : TIFFErrorExtR(tif, module,
113 : "No space for data buffer at scanline %" PRIu32,
114 : tif->tif_row);
115 0 : _TIFFfreeExt(tif, tif->tif_rawdata);
116 0 : tif->tif_rawdata = 0;
117 0 : tif->tif_rawdatasize = 0;
118 0 : return 0;
119 : }
120 1502 : tif->tif_rawdata = new_rawdata;
121 : }
122 15391 : if (tif->tif_rawdata == NULL)
123 : {
124 : /* should not happen in practice but helps CoverityScan */
125 0 : return 0;
126 : }
127 :
128 15391 : bytes_read = TIFFReadFile(
129 : tif, tif->tif_rawdata + rawdata_offset + already_read, to_read);
130 15391 : already_read += bytes_read;
131 15391 : if (bytes_read != to_read)
132 : {
133 29 : memset(tif->tif_rawdata + rawdata_offset + already_read, 0,
134 29 : tif->tif_rawdatasize - rawdata_offset - already_read);
135 29 : if (is_strip)
136 : {
137 2 : TIFFErrorExtR(tif, module,
138 : "Read error at scanline %" PRIu32
139 : "; got %" TIFF_SSIZE_FORMAT " bytes, "
140 : "expected %" TIFF_SSIZE_FORMAT,
141 : tif->tif_row, already_read, size);
142 : }
143 : else
144 : {
145 27 : TIFFErrorExtR(tif, module,
146 : "Read error at row %" PRIu32 ", col %" PRIu32
147 : ", tile %" PRIu32 "; "
148 : "got %" TIFF_SSIZE_FORMAT
149 : " bytes, expected %" TIFF_SSIZE_FORMAT "",
150 : tif->tif_row, tif->tif_col, strip_or_tile,
151 : already_read, size);
152 : }
153 29 : return 0;
154 : }
155 : }
156 15360 : return 1;
157 : }
158 :
159 59 : static int TIFFFillStripPartial(TIFF *tif, int strip, tmsize_t read_ahead,
160 : int restart)
161 : {
162 : static const char module[] = "TIFFFillStripPartial";
163 59 : register TIFFDirectory *td = &tif->tif_dir;
164 : tmsize_t unused_data;
165 : uint64_t read_offset;
166 : tmsize_t to_read;
167 : tmsize_t read_ahead_mod;
168 : /* tmsize_t bytecountm; */
169 :
170 : /*
171 : * Expand raw data buffer, if needed, to hold data
172 : * strip coming from file (perhaps should set upper
173 : * bound on the size of a buffer we'll use?).
174 : */
175 :
176 : /* bytecountm=(tmsize_t) TIFFGetStrileByteCount(tif, strip); */
177 :
178 : /* Not completely sure where the * 2 comes from, but probably for */
179 : /* an exponentional growth strategy of tif_rawdatasize */
180 59 : if (read_ahead < TIFF_TMSIZE_T_MAX / 2)
181 59 : read_ahead_mod = read_ahead * 2;
182 : else
183 0 : read_ahead_mod = read_ahead;
184 59 : if (read_ahead_mod > tif->tif_rawdatasize)
185 : {
186 34 : assert(restart);
187 :
188 34 : tif->tif_curstrip = NOSTRIP;
189 34 : if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
190 : {
191 0 : TIFFErrorExtR(tif, module,
192 : "Data buffer too small to hold part of strip %d",
193 : strip);
194 0 : return (0);
195 : }
196 : }
197 :
198 59 : if (restart)
199 : {
200 34 : tif->tif_rawdataloaded = 0;
201 34 : tif->tif_rawdataoff = 0;
202 : }
203 :
204 : /*
205 : ** If we are reading more data, move any unused data to the
206 : ** start of the buffer.
207 : */
208 59 : if (tif->tif_rawdataloaded > 0)
209 23 : unused_data =
210 23 : tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata);
211 : else
212 36 : unused_data = 0;
213 :
214 59 : if (unused_data > 0)
215 : {
216 23 : assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
217 23 : memmove(tif->tif_rawdata, tif->tif_rawcp, unused_data);
218 : }
219 :
220 : /*
221 : ** Seek to the point in the file where more data should be read.
222 : */
223 59 : read_offset = TIFFGetStrileOffset(tif, strip) + tif->tif_rawdataoff +
224 59 : tif->tif_rawdataloaded;
225 :
226 59 : if (!SeekOK(tif, read_offset))
227 : {
228 0 : TIFFErrorExtR(tif, module,
229 : "Seek error at scanline %" PRIu32 ", strip %d",
230 : tif->tif_row, strip);
231 0 : return 0;
232 : }
233 :
234 : /*
235 : ** How much do we want to read?
236 : */
237 59 : if (read_ahead_mod > tif->tif_rawdatasize)
238 34 : to_read = read_ahead_mod - unused_data;
239 : else
240 25 : to_read = tif->tif_rawdatasize - unused_data;
241 59 : if ((uint64_t)to_read > TIFFGetStrileByteCount(tif, strip) -
242 59 : tif->tif_rawdataoff - tif->tif_rawdataloaded)
243 : {
244 33 : to_read = (tmsize_t)TIFFGetStrileByteCount(tif, strip) -
245 33 : tif->tif_rawdataoff - tif->tif_rawdataloaded;
246 : }
247 :
248 59 : assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
249 59 : if (!TIFFReadAndRealloc(tif, to_read, unused_data, 1, /* is_strip */
250 : 0, /* strip_or_tile */
251 : module))
252 : {
253 0 : return 0;
254 : }
255 :
256 59 : tif->tif_rawdataoff =
257 59 : tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data;
258 59 : tif->tif_rawdataloaded = unused_data + to_read;
259 :
260 59 : tif->tif_rawcc = tif->tif_rawdataloaded;
261 59 : tif->tif_rawcp = tif->tif_rawdata;
262 :
263 59 : if (!isFillOrder(tif, td->td_fillorder) &&
264 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
265 : {
266 0 : assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
267 0 : TIFFReverseBits(tif->tif_rawdata + unused_data, to_read);
268 : }
269 :
270 : /*
271 : ** When starting a strip from the beginning we need to
272 : ** restart the decoder.
273 : */
274 59 : if (restart)
275 : {
276 :
277 : #ifdef JPEG_SUPPORT
278 : /* A bit messy since breaks the codec abstraction. Ultimately */
279 : /* there should be a function pointer for that, but it seems */
280 : /* only JPEG is affected. */
281 : /* For JPEG, if there are multiple scans (can generally be known */
282 : /* with the read_ahead used), we need to read the whole strip */
283 36 : if (tif->tif_dir.td_compression == COMPRESSION_JPEG &&
284 2 : (uint64_t)tif->tif_rawcc < TIFFGetStrileByteCount(tif, strip))
285 : {
286 2 : if (TIFFJPEGIsFullStripRequired(tif))
287 : {
288 2 : return TIFFFillStrip(tif, strip);
289 : }
290 : }
291 : #endif
292 :
293 32 : return TIFFStartStrip(tif, strip);
294 : }
295 : else
296 : {
297 25 : return 1;
298 : }
299 : }
300 :
301 : /*
302 : * Seek to a random row+sample in a file.
303 : *
304 : * Only used by TIFFReadScanline, and is only used on
305 : * strip organized files. We do some tricky stuff to try
306 : * and avoid reading the whole compressed raw data for big
307 : * strips.
308 : */
309 153234 : static int TIFFSeek(TIFF *tif, uint32_t row, uint16_t sample)
310 : {
311 153234 : register TIFFDirectory *td = &tif->tif_dir;
312 : uint32_t strip;
313 : int whole_strip;
314 153234 : tmsize_t read_ahead = 0;
315 :
316 : /*
317 : ** Establish what strip we are working from.
318 : */
319 153234 : if (row >= td->td_imagelength)
320 : { /* out of range */
321 0 : TIFFErrorExtR(tif, tif->tif_name,
322 : "%" PRIu32 ": Row out of range, max %" PRIu32 "", row,
323 : td->td_imagelength);
324 0 : return (0);
325 : }
326 153234 : if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
327 : {
328 64244 : if (sample >= td->td_samplesperpixel)
329 : {
330 0 : TIFFErrorExtR(tif, tif->tif_name,
331 : "%" PRIu16 ": Sample out of range, max %" PRIu16 "",
332 0 : sample, td->td_samplesperpixel);
333 0 : return (0);
334 : }
335 64244 : strip = (uint32_t)sample * td->td_stripsperimage +
336 64244 : row / td->td_rowsperstrip;
337 : }
338 : else
339 88990 : strip = row / td->td_rowsperstrip;
340 :
341 : /*
342 : * Do we want to treat this strip as one whole chunk or
343 : * read it a few lines at a time?
344 : */
345 : #if defined(CHUNKY_STRIP_READ_SUPPORT)
346 153234 : whole_strip = TIFFGetStrileByteCount(tif, strip) < 10 || isMapped(tif);
347 153234 : if (td->td_compression == COMPRESSION_LERC ||
348 153234 : td->td_compression == COMPRESSION_JBIG)
349 : {
350 : /* Ideally plugins should have a way to declare they don't support
351 : * chunk strip */
352 0 : whole_strip = 1;
353 : }
354 : #else
355 : whole_strip = 1;
356 : #endif
357 :
358 153234 : if (!whole_strip)
359 : {
360 : /* 16 is for YCbCr mode where we may need to read 16 */
361 : /* lines at a time to get a decompressed line, and 5000 */
362 : /* is some constant value, for example for JPEG tables */
363 153233 : if (tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
364 153233 : tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000)
365 : {
366 153233 : read_ahead = tif->tif_scanlinesize * 16 + 5000;
367 : }
368 : else
369 : {
370 0 : read_ahead = tif->tif_scanlinesize;
371 : }
372 : }
373 :
374 : /*
375 : * If we haven't loaded this strip, do so now, possibly
376 : * only reading the first part.
377 : */
378 153234 : if (strip != tif->tif_curstrip)
379 : { /* different strip, refill */
380 :
381 35 : if (whole_strip)
382 : {
383 1 : if (!TIFFFillStrip(tif, strip))
384 1 : return (0);
385 : }
386 : else
387 : {
388 34 : if (!TIFFFillStripPartial(tif, strip, read_ahead, 1))
389 2 : return 0;
390 : }
391 : }
392 :
393 : /*
394 : ** If we already have some data loaded, do we need to read some more?
395 : */
396 153199 : else if (!whole_strip)
397 : {
398 153199 : if (((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) <
399 148298 : read_ahead &&
400 148298 : (uint64_t)tif->tif_rawdataoff + tif->tif_rawdataloaded <
401 148298 : TIFFGetStrileByteCount(tif, strip))
402 : {
403 25 : if (!TIFFFillStripPartial(tif, strip, read_ahead, 0))
404 0 : return 0;
405 : }
406 : }
407 :
408 153231 : if (row < tif->tif_row)
409 : {
410 : /*
411 : * Moving backwards within the same strip: backup
412 : * to the start and then decode forward (below).
413 : *
414 : * NB: If you're planning on lots of random access within a
415 : * strip, it's better to just read and decode the entire
416 : * strip, and then access the decoded data in a random fashion.
417 : */
418 :
419 25 : if (tif->tif_rawdataoff != 0)
420 : {
421 0 : if (!TIFFFillStripPartial(tif, strip, read_ahead, 1))
422 0 : return 0;
423 : }
424 : else
425 : {
426 25 : if (!TIFFStartStrip(tif, strip))
427 0 : return (0);
428 : }
429 : }
430 :
431 153231 : if (row != tif->tif_row)
432 : {
433 : /*
434 : * Seek forward to the desired row.
435 : */
436 :
437 : /* TODO: Will this really work with partial buffers? */
438 :
439 0 : if (!(*tif->tif_seek)(tif, row - tif->tif_row))
440 0 : return (0);
441 0 : tif->tif_row = row;
442 : }
443 :
444 153231 : return (1);
445 : }
446 :
447 153234 : int TIFFReadScanline(TIFF *tif, void *buf, uint32_t row, uint16_t sample)
448 : {
449 : int e;
450 :
451 153234 : if (!TIFFCheckRead(tif, 0))
452 0 : return (-1);
453 153234 : if ((e = TIFFSeek(tif, row, sample)) != 0)
454 : {
455 : /*
456 : * Decompress desired row into user buffer.
457 : */
458 153231 : e = (*tif->tif_decoderow)(tif, (uint8_t *)buf, tif->tif_scanlinesize,
459 : sample);
460 :
461 : /* we are now poised at the beginning of the next row */
462 153231 : tif->tif_row = row + 1;
463 :
464 153231 : if (e)
465 153229 : (*tif->tif_postdecode)(tif, (uint8_t *)buf, tif->tif_scanlinesize);
466 : }
467 153234 : return (e > 0 ? 1 : -1);
468 : }
469 :
470 : /*
471 : * Calculate the strip size according to the number of
472 : * rows in the strip (check for truncated last strip on any
473 : * of the separations).
474 : */
475 2070280 : static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF *tif, uint32_t strip,
476 : uint16_t *pplane)
477 : {
478 : static const char module[] = "TIFFReadEncodedStrip";
479 2070280 : TIFFDirectory *td = &tif->tif_dir;
480 : uint32_t rowsperstrip;
481 : uint32_t stripsperplane;
482 : uint32_t stripinplane;
483 : uint32_t rows;
484 : tmsize_t stripsize;
485 2070280 : if (!TIFFCheckRead(tif, 0))
486 0 : return ((tmsize_t)(-1));
487 2070280 : if (strip >= td->td_nstrips)
488 : {
489 0 : TIFFErrorExtR(tif, module,
490 : "%" PRIu32 ": Strip out of range, max %" PRIu32, strip,
491 : td->td_nstrips);
492 0 : return ((tmsize_t)(-1));
493 : }
494 :
495 2070280 : rowsperstrip = td->td_rowsperstrip;
496 2070280 : if (rowsperstrip > td->td_imagelength)
497 16 : rowsperstrip = td->td_imagelength;
498 2070280 : if (rowsperstrip == 0)
499 : {
500 0 : TIFFErrorExtR(tif, module, "rowsperstrip is zero");
501 0 : return ((tmsize_t)(-1));
502 : }
503 2070280 : stripsperplane =
504 2070280 : TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
505 2070280 : stripinplane = (strip % stripsperplane);
506 2070280 : if (pplane)
507 2070280 : *pplane = (uint16_t)(strip / stripsperplane);
508 2070280 : rows = td->td_imagelength - stripinplane * rowsperstrip;
509 2070280 : if (rows > rowsperstrip)
510 2060170 : rows = rowsperstrip;
511 2070280 : stripsize = TIFFVStripSize(tif, rows);
512 2070280 : if (stripsize == 0)
513 0 : return ((tmsize_t)(-1));
514 2070280 : return stripsize;
515 : }
516 :
517 : /*
518 : * Read a strip of data and decompress the specified
519 : * amount into the user-supplied buffer.
520 : */
521 2070230 : tmsize_t TIFFReadEncodedStrip(TIFF *tif, uint32_t strip, void *buf,
522 : tmsize_t size)
523 : {
524 : static const char module[] = "TIFFReadEncodedStrip";
525 2070230 : TIFFDirectory *td = &tif->tif_dir;
526 : tmsize_t stripsize;
527 : uint16_t plane;
528 :
529 2070230 : stripsize = TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
530 2070230 : if (stripsize == ((tmsize_t)(-1)))
531 0 : return ((tmsize_t)(-1));
532 :
533 : /* shortcut to avoid an extra memcpy() */
534 2070230 : if (td->td_compression == COMPRESSION_NONE && size != (tmsize_t)(-1) &&
535 2060290 : size >= stripsize && !isMapped(tif) &&
536 2060290 : ((tif->tif_flags & TIFF_NOREADRAW) == 0))
537 : {
538 2060290 : if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
539 59 : return ((tmsize_t)(-1));
540 :
541 2060230 : if (!isFillOrder(tif, td->td_fillorder) &&
542 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
543 0 : TIFFReverseBits(buf, stripsize);
544 :
545 2060230 : (*tif->tif_postdecode)(tif, buf, stripsize);
546 2060230 : return (stripsize);
547 : }
548 :
549 9938 : if ((size != (tmsize_t)(-1)) && (size < stripsize))
550 0 : stripsize = size;
551 9938 : if (!TIFFFillStrip(tif, strip))
552 5 : return ((tmsize_t)(-1));
553 9933 : if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
554 4 : return ((tmsize_t)(-1));
555 9929 : (*tif->tif_postdecode)(tif, buf, stripsize);
556 9929 : return (stripsize);
557 : }
558 :
559 : /* Variant of TIFFReadEncodedStrip() that does
560 : * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
561 : * TIFFFillStrip() has succeeded. This avoid excessive memory allocation in case
562 : * of truncated file.
563 : * * calls regular TIFFReadEncodedStrip() if *buf != NULL
564 : */
565 53 : tmsize_t _TIFFReadEncodedStripAndAllocBuffer(TIFF *tif, uint32_t strip,
566 : void **buf,
567 : tmsize_t bufsizetoalloc,
568 : tmsize_t size_to_read)
569 : {
570 : tmsize_t this_stripsize;
571 : uint16_t plane;
572 :
573 53 : if (*buf != NULL)
574 : {
575 0 : return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
576 : }
577 :
578 53 : this_stripsize = TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
579 53 : if (this_stripsize == ((tmsize_t)(-1)))
580 0 : return ((tmsize_t)(-1));
581 :
582 53 : if ((size_to_read != (tmsize_t)(-1)) && (size_to_read < this_stripsize))
583 0 : this_stripsize = size_to_read;
584 53 : if (!TIFFFillStrip(tif, strip))
585 0 : return ((tmsize_t)(-1));
586 :
587 53 : *buf = _TIFFmallocExt(tif, bufsizetoalloc);
588 53 : if (*buf == NULL)
589 : {
590 0 : TIFFErrorExtR(tif, TIFFFileName(tif), "No space for strip buffer");
591 0 : return ((tmsize_t)(-1));
592 : }
593 53 : _TIFFmemset(*buf, 0, bufsizetoalloc);
594 :
595 53 : if ((*tif->tif_decodestrip)(tif, *buf, this_stripsize, plane) <= 0)
596 0 : return ((tmsize_t)(-1));
597 53 : (*tif->tif_postdecode)(tif, *buf, this_stripsize);
598 53 : return (this_stripsize);
599 : }
600 :
601 2060290 : static tmsize_t TIFFReadRawStrip1(TIFF *tif, uint32_t strip, void *buf,
602 : tmsize_t size, const char *module)
603 : {
604 2060290 : assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
605 2060290 : if (!isMapped(tif))
606 : {
607 : tmsize_t cc;
608 :
609 2060290 : if (!SeekOK(tif, TIFFGetStrileOffset(tif, strip)))
610 : {
611 0 : TIFFErrorExtR(tif, module,
612 : "Seek error at scanline %" PRIu32 ", strip %" PRIu32,
613 : tif->tif_row, strip);
614 0 : return ((tmsize_t)(-1));
615 : }
616 2060290 : cc = TIFFReadFile(tif, buf, size);
617 2060290 : if (cc != size)
618 : {
619 59 : TIFFErrorExtR(tif, module,
620 : "Read error at scanline %" PRIu32
621 : "; got %" TIFF_SSIZE_FORMAT
622 : " bytes, expected %" TIFF_SSIZE_FORMAT,
623 : tif->tif_row, cc, size);
624 59 : return ((tmsize_t)(-1));
625 : }
626 : }
627 : else
628 : {
629 1 : tmsize_t ma = 0;
630 : tmsize_t n;
631 1 : if ((TIFFGetStrileOffset(tif, strip) > (uint64_t)TIFF_TMSIZE_T_MAX) ||
632 0 : ((ma = (tmsize_t)TIFFGetStrileOffset(tif, strip)) > tif->tif_size))
633 : {
634 0 : n = 0;
635 : }
636 0 : else if (ma > TIFF_TMSIZE_T_MAX - size)
637 : {
638 0 : n = 0;
639 : }
640 : else
641 : {
642 0 : tmsize_t mb = ma + size;
643 0 : if (mb > tif->tif_size)
644 0 : n = tif->tif_size - ma;
645 : else
646 0 : n = size;
647 : }
648 0 : if (n != size)
649 : {
650 0 : TIFFErrorExtR(tif, module,
651 : "Read error at scanline %" PRIu32 ", strip %" PRIu32
652 : "; got %" TIFF_SSIZE_FORMAT
653 : " bytes, expected %" TIFF_SSIZE_FORMAT,
654 : tif->tif_row, strip, n, size);
655 0 : return ((tmsize_t)(-1));
656 : }
657 0 : _TIFFmemcpy(buf, tif->tif_base + ma, size);
658 : }
659 2060230 : return (size);
660 : }
661 :
662 15330 : static tmsize_t TIFFReadRawStripOrTile2(TIFF *tif, uint32_t strip_or_tile,
663 : int is_strip, tmsize_t size,
664 : const char *module)
665 : {
666 15330 : assert(!isMapped(tif));
667 15330 : assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
668 :
669 15330 : if (!SeekOK(tif, TIFFGetStrileOffset(tif, strip_or_tile)))
670 : {
671 0 : if (is_strip)
672 : {
673 0 : TIFFErrorExtR(tif, module,
674 : "Seek error at scanline %" PRIu32 ", strip %" PRIu32,
675 : tif->tif_row, strip_or_tile);
676 : }
677 : else
678 : {
679 0 : TIFFErrorExtR(tif, module,
680 : "Seek error at row %" PRIu32 ", col %" PRIu32
681 : ", tile %" PRIu32,
682 : tif->tif_row, tif->tif_col, strip_or_tile);
683 : }
684 0 : return ((tmsize_t)(-1));
685 : }
686 :
687 15330 : if (!TIFFReadAndRealloc(tif, size, 0, is_strip, strip_or_tile, module))
688 : {
689 29 : return ((tmsize_t)(-1));
690 : }
691 :
692 15301 : return (size);
693 : }
694 :
695 : /*
696 : * Read a strip of data from the file.
697 : */
698 4 : tmsize_t TIFFReadRawStrip(TIFF *tif, uint32_t strip, void *buf, tmsize_t size)
699 : {
700 : static const char module[] = "TIFFReadRawStrip";
701 4 : TIFFDirectory *td = &tif->tif_dir;
702 : uint64_t bytecount64;
703 : tmsize_t bytecountm;
704 :
705 4 : if (!TIFFCheckRead(tif, 0))
706 0 : return ((tmsize_t)(-1));
707 4 : if (strip >= td->td_nstrips)
708 : {
709 0 : TIFFErrorExtR(tif, module,
710 : "%" PRIu32 ": Strip out of range, max %" PRIu32, strip,
711 : td->td_nstrips);
712 0 : return ((tmsize_t)(-1));
713 : }
714 4 : if (tif->tif_flags & TIFF_NOREADRAW)
715 : {
716 0 : TIFFErrorExtR(tif, module,
717 : "Compression scheme does not support access to raw "
718 : "uncompressed data");
719 0 : return ((tmsize_t)(-1));
720 : }
721 4 : bytecount64 = TIFFGetStrileByteCount(tif, strip);
722 4 : if (size != (tmsize_t)(-1) && (uint64_t)size <= bytecount64)
723 4 : bytecountm = size;
724 : else
725 0 : bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
726 4 : if (bytecountm == 0)
727 : {
728 0 : return ((tmsize_t)(-1));
729 : }
730 4 : return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module));
731 : }
732 :
733 : TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
734 2 : static uint64_t NoSanitizeSubUInt64(uint64_t a, uint64_t b) { return a - b; }
735 :
736 : /*
737 : * Read the specified strip and setup for decoding. The data buffer is
738 : * expanded, as necessary, to hold the strip's data.
739 : */
740 9994 : int TIFFFillStrip(TIFF *tif, uint32_t strip)
741 : {
742 : static const char module[] = "TIFFFillStrip";
743 9994 : TIFFDirectory *td = &tif->tif_dir;
744 :
745 9994 : if ((tif->tif_flags & TIFF_NOREADRAW) == 0)
746 : {
747 9994 : uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
748 9994 : if (bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX)
749 : {
750 1 : TIFFErrorExtR(tif, module,
751 : "Invalid strip byte count %" PRIu64
752 : ", strip %" PRIu32,
753 : bytecount, strip);
754 1 : return (0);
755 : }
756 :
757 : /* To avoid excessive memory allocations: */
758 : /* Byte count should normally not be larger than a number of */
759 : /* times the uncompressed size plus some margin */
760 9993 : if (bytecount > 1024 * 1024)
761 : {
762 : /* 10 and 4096 are just values that could be adjusted. */
763 : /* Hopefully they are safe enough for all codecs */
764 3 : tmsize_t stripsize = TIFFStripSize(tif);
765 3 : if (stripsize != 0 && (bytecount - 4096) / 10 > (uint64_t)stripsize)
766 : {
767 1 : uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
768 1 : TIFFErrorExtR(tif, module,
769 : "Too large strip byte count %" PRIu64
770 : ", strip %" PRIu32 ". Limiting to %" PRIu64,
771 : bytecount, strip, newbytecount);
772 1 : bytecount = newbytecount;
773 : }
774 : }
775 :
776 9993 : if (isMapped(tif))
777 : {
778 : /*
779 : * We must check for overflow, potentially causing
780 : * an OOB read. Instead of simple
781 : *
782 : * TIFFGetStrileOffset(tif, strip)+bytecount > tif->tif_size
783 : *
784 : * comparison (which can overflow) we do the following
785 : * two comparisons:
786 : */
787 4 : if (bytecount > (uint64_t)tif->tif_size ||
788 4 : TIFFGetStrileOffset(tif, strip) >
789 4 : (uint64_t)tif->tif_size - bytecount)
790 : {
791 : /*
792 : * This error message might seem strange, but
793 : * it's what would happen if a read were done
794 : * instead.
795 : */
796 4 : TIFFErrorExtR(
797 : tif, module,
798 :
799 : "Read error on strip %" PRIu32 "; "
800 : "got %" PRIu64 " bytes, expected %" PRIu64,
801 : strip,
802 2 : NoSanitizeSubUInt64(tif->tif_size,
803 : TIFFGetStrileOffset(tif, strip)),
804 : bytecount);
805 2 : tif->tif_curstrip = NOSTRIP;
806 2 : return (0);
807 : }
808 : }
809 :
810 9991 : if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) ||
811 0 : (tif->tif_flags & TIFF_NOBITREV)))
812 : {
813 : /*
814 : * The image is mapped into memory and we either don't
815 : * need to flip bits or the compression routine is
816 : * going to handle this operation itself. In this
817 : * case, avoid copying the raw data and instead just
818 : * reference the data from the memory mapped file
819 : * image. This assumes that the decompression
820 : * routines do not modify the contents of the raw data
821 : * buffer (if they try to, the application will get a
822 : * fault since the file is mapped read-only).
823 : */
824 2 : if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
825 : {
826 0 : _TIFFfreeExt(tif, tif->tif_rawdata);
827 0 : tif->tif_rawdata = NULL;
828 0 : tif->tif_rawdatasize = 0;
829 : }
830 2 : tif->tif_flags &= ~TIFF_MYBUFFER;
831 2 : tif->tif_rawdatasize = (tmsize_t)bytecount;
832 2 : tif->tif_rawdata =
833 2 : tif->tif_base + (tmsize_t)TIFFGetStrileOffset(tif, strip);
834 2 : tif->tif_rawdataoff = 0;
835 2 : tif->tif_rawdataloaded = (tmsize_t)bytecount;
836 :
837 : /*
838 : * When we have tif_rawdata reference directly into the memory
839 : * mapped file we need to be pretty careful about how we use the
840 : * rawdata. It is not a general purpose working buffer as it
841 : * normally otherwise is. So we keep track of this fact to avoid
842 : * using it improperly.
843 : */
844 2 : tif->tif_flags |= TIFF_BUFFERMMAP;
845 : }
846 : else
847 : {
848 : /*
849 : * Expand raw data buffer, if needed, to hold data
850 : * strip coming from file (perhaps should set upper
851 : * bound on the size of a buffer we'll use?).
852 : */
853 : tmsize_t bytecountm;
854 9989 : bytecountm = (tmsize_t)bytecount;
855 9989 : if ((uint64_t)bytecountm != bytecount)
856 : {
857 0 : TIFFErrorExtR(tif, module, "Integer overflow");
858 0 : return (0);
859 : }
860 9989 : if (bytecountm > tif->tif_rawdatasize)
861 : {
862 747 : tif->tif_curstrip = NOSTRIP;
863 747 : if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
864 : {
865 0 : TIFFErrorExtR(
866 : tif, module,
867 : "Data buffer too small to hold strip %" PRIu32, strip);
868 0 : return (0);
869 : }
870 : }
871 9989 : if (tif->tif_flags & TIFF_BUFFERMMAP)
872 : {
873 0 : tif->tif_curstrip = NOSTRIP;
874 0 : tif->tif_rawdata = NULL;
875 0 : tif->tif_rawdatasize = 0;
876 0 : tif->tif_flags &= ~TIFF_BUFFERMMAP;
877 : }
878 :
879 9989 : if (isMapped(tif))
880 : {
881 0 : if (bytecountm > tif->tif_rawdatasize &&
882 0 : !TIFFReadBufferSetup(tif, 0, bytecountm))
883 : {
884 0 : return (0);
885 : }
886 0 : if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata, bytecountm,
887 : module) != bytecountm)
888 : {
889 0 : return (0);
890 : }
891 : }
892 : else
893 : {
894 9989 : if (TIFFReadRawStripOrTile2(tif, strip, 1, bytecountm,
895 : module) != bytecountm)
896 : {
897 2 : return (0);
898 : }
899 : }
900 :
901 9987 : tif->tif_rawdataoff = 0;
902 9987 : tif->tif_rawdataloaded = bytecountm;
903 :
904 9987 : if (!isFillOrder(tif, td->td_fillorder) &&
905 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
906 0 : TIFFReverseBits(tif->tif_rawdata, bytecountm);
907 : }
908 : }
909 9989 : return (TIFFStartStrip(tif, strip));
910 : }
911 :
912 : /*
913 : * Tile-oriented Read Support
914 : * Contributed by Nancy Cam (Silicon Graphics).
915 : */
916 :
917 : /*
918 : * Read and decompress a tile of data. The
919 : * tile is selected by the (x,y,z,s) coordinates.
920 : */
921 2 : tmsize_t TIFFReadTile(TIFF *tif, void *buf, uint32_t x, uint32_t y, uint32_t z,
922 : uint16_t s)
923 : {
924 2 : if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
925 0 : return ((tmsize_t)(-1));
926 2 : return (TIFFReadEncodedTile(tif, TIFFComputeTile(tif, x, y, z, s), buf,
927 : (tmsize_t)(-1)));
928 : }
929 :
930 : /*
931 : * Read a tile of data and decompress the specified
932 : * amount into the user-supplied buffer.
933 : */
934 26988 : tmsize_t TIFFReadEncodedTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
935 : {
936 : static const char module[] = "TIFFReadEncodedTile";
937 26988 : TIFFDirectory *td = &tif->tif_dir;
938 26988 : tmsize_t tilesize = tif->tif_tilesize;
939 :
940 26988 : if (!TIFFCheckRead(tif, 1))
941 0 : return ((tmsize_t)(-1));
942 26986 : if (tile >= td->td_nstrips)
943 : {
944 0 : TIFFErrorExtR(tif, module,
945 : "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
946 : td->td_nstrips);
947 0 : return ((tmsize_t)(-1));
948 : }
949 :
950 : /* shortcut to avoid an extra memcpy() */
951 26986 : if (td->td_compression == COMPRESSION_NONE && size != (tmsize_t)(-1) &&
952 21642 : size >= tilesize && !isMapped(tif) &&
953 21642 : ((tif->tif_flags & TIFF_NOREADRAW) == 0))
954 : {
955 21642 : if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
956 1 : return ((tmsize_t)(-1));
957 :
958 21644 : if (!isFillOrder(tif, td->td_fillorder) &&
959 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
960 0 : TIFFReverseBits(buf, tilesize);
961 :
962 21644 : (*tif->tif_postdecode)(tif, buf, tilesize);
963 21639 : return (tilesize);
964 : }
965 :
966 5344 : if (size == (tmsize_t)(-1))
967 2 : size = tilesize;
968 5342 : else if (size > tilesize)
969 0 : size = tilesize;
970 10657 : if (TIFFFillTile(tif, tile) &&
971 5313 : (*tif->tif_decodetile)(tif, (uint8_t *)buf, size,
972 5313 : (uint16_t)(tile / td->td_stripsperimage)))
973 : {
974 5313 : (*tif->tif_postdecode)(tif, (uint8_t *)buf, size);
975 5313 : return (size);
976 : }
977 : else
978 30 : return ((tmsize_t)(-1));
979 : }
980 :
981 : /* Variant of TIFFReadTile() that does
982 : * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
983 : * TIFFFillTile() has succeeded. This avoid excessive memory allocation in case
984 : * of truncated file.
985 : * * calls regular TIFFReadEncodedTile() if *buf != NULL
986 : */
987 4 : tmsize_t _TIFFReadTileAndAllocBuffer(TIFF *tif, void **buf,
988 : tmsize_t bufsizetoalloc, uint32_t x,
989 : uint32_t y, uint32_t z, uint16_t s)
990 : {
991 4 : if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
992 0 : return ((tmsize_t)(-1));
993 4 : return (_TIFFReadEncodedTileAndAllocBuffer(
994 : tif, TIFFComputeTile(tif, x, y, z, s), buf, bufsizetoalloc,
995 : (tmsize_t)(-1)));
996 : }
997 :
998 : /* Variant of TIFFReadEncodedTile() that does
999 : * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
1000 : * TIFFFillTile() has succeeded. This avoid excessive memory allocation in case
1001 : * of truncated file.
1002 : * * calls regular TIFFReadEncodedTile() if *buf != NULL
1003 : */
1004 4 : tmsize_t _TIFFReadEncodedTileAndAllocBuffer(TIFF *tif, uint32_t tile,
1005 : void **buf, tmsize_t bufsizetoalloc,
1006 : tmsize_t size_to_read)
1007 : {
1008 : static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
1009 4 : TIFFDirectory *td = &tif->tif_dir;
1010 4 : tmsize_t tilesize = tif->tif_tilesize;
1011 :
1012 4 : if (*buf != NULL)
1013 : {
1014 0 : return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
1015 : }
1016 :
1017 4 : if (!TIFFCheckRead(tif, 1))
1018 0 : return ((tmsize_t)(-1));
1019 4 : if (tile >= td->td_nstrips)
1020 : {
1021 0 : TIFFErrorExtR(tif, module,
1022 : "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
1023 : td->td_nstrips);
1024 0 : return ((tmsize_t)(-1));
1025 : }
1026 :
1027 4 : if (!TIFFFillTile(tif, tile))
1028 1 : return ((tmsize_t)(-1));
1029 :
1030 : /* Sanity checks to avoid excessive memory allocation */
1031 : /* Cf https://gitlab.com/libtiff/libtiff/-/issues/479 */
1032 3 : if (td->td_compression == COMPRESSION_NONE)
1033 : {
1034 2 : if (tif->tif_rawdatasize != tilesize)
1035 : {
1036 0 : TIFFErrorExtR(tif, TIFFFileName(tif),
1037 : "Invalid tile byte count for tile %u. "
1038 : "Expected %" PRIu64 ", got %" PRIu64,
1039 : tile, (uint64_t)tilesize,
1040 0 : (uint64_t)tif->tif_rawdatasize);
1041 0 : return ((tmsize_t)(-1));
1042 : }
1043 : }
1044 : else
1045 : {
1046 : /* Max compression ratio experimentally determined. Might be fragile...
1047 : * Only apply this heuristics to situations where the memory allocation
1048 : * would be big, to avoid breaking nominal use cases.
1049 : */
1050 1 : const int maxCompressionRatio =
1051 1 : td->td_compression == COMPRESSION_ZSTD ? 33000
1052 2 : : td->td_compression == COMPRESSION_JXL
1053 : ?
1054 : /* Evaluated on a 8000x8000 tile */
1055 0 : 25000 * (td->td_planarconfig == PLANARCONFIG_CONTIG
1056 0 : ? td->td_samplesperpixel
1057 0 : : 1)
1058 1 : : td->td_compression == COMPRESSION_LZMA ? 7000 : 1000;
1059 1 : if (bufsizetoalloc > 100 * 1000 * 1000 &&
1060 0 : tif->tif_rawdatasize < tilesize / maxCompressionRatio)
1061 : {
1062 0 : TIFFErrorExtR(tif, TIFFFileName(tif),
1063 : "Likely invalid tile byte count for tile %u. "
1064 : "Uncompressed tile size is %" PRIu64 ", "
1065 : "compressed one is %" PRIu64,
1066 : tile, (uint64_t)tilesize,
1067 0 : (uint64_t)tif->tif_rawdatasize);
1068 0 : return ((tmsize_t)(-1));
1069 : }
1070 : }
1071 :
1072 3 : *buf = _TIFFmallocExt(tif, bufsizetoalloc);
1073 3 : if (*buf == NULL)
1074 : {
1075 0 : TIFFErrorExtR(tif, TIFFFileName(tif), "No space for tile buffer");
1076 0 : return ((tmsize_t)(-1));
1077 : }
1078 3 : _TIFFmemset(*buf, 0, bufsizetoalloc);
1079 :
1080 3 : if (size_to_read == (tmsize_t)(-1))
1081 3 : size_to_read = tilesize;
1082 0 : else if (size_to_read > tilesize)
1083 0 : size_to_read = tilesize;
1084 3 : if ((*tif->tif_decodetile)(tif, (uint8_t *)*buf, size_to_read,
1085 3 : (uint16_t)(tile / td->td_stripsperimage)))
1086 : {
1087 3 : (*tif->tif_postdecode)(tif, (uint8_t *)*buf, size_to_read);
1088 3 : return (size_to_read);
1089 : }
1090 : else
1091 0 : return ((tmsize_t)(-1));
1092 : }
1093 :
1094 21645 : static tmsize_t TIFFReadRawTile1(TIFF *tif, uint32_t tile, void *buf,
1095 : tmsize_t size, const char *module)
1096 : {
1097 21645 : assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
1098 21645 : if (!isMapped(tif))
1099 : {
1100 : tmsize_t cc;
1101 :
1102 21645 : if (!SeekOK(tif, TIFFGetStrileOffset(tif, tile)))
1103 : {
1104 0 : TIFFErrorExtR(tif, module,
1105 : "Seek error at row %" PRIu32 ", col %" PRIu32
1106 : ", tile %" PRIu32,
1107 : tif->tif_row, tif->tif_col, tile);
1108 0 : return ((tmsize_t)(-1));
1109 : }
1110 21648 : cc = TIFFReadFile(tif, buf, size);
1111 21648 : if (cc != size)
1112 : {
1113 1 : TIFFErrorExtR(tif, module,
1114 : "Read error at row %" PRIu32 ", col %" PRIu32
1115 : "; got %" TIFF_SSIZE_FORMAT
1116 : " bytes, expected %" TIFF_SSIZE_FORMAT,
1117 : tif->tif_row, tif->tif_col, cc, size);
1118 1 : return ((tmsize_t)(-1));
1119 : }
1120 : }
1121 : else
1122 : {
1123 : tmsize_t ma, mb;
1124 : tmsize_t n;
1125 0 : ma = (tmsize_t)TIFFGetStrileOffset(tif, tile);
1126 0 : mb = ma + size;
1127 0 : if ((TIFFGetStrileOffset(tif, tile) > (uint64_t)TIFF_TMSIZE_T_MAX) ||
1128 0 : (ma > tif->tif_size))
1129 0 : n = 0;
1130 0 : else if ((mb < ma) || (mb < size) || (mb > tif->tif_size))
1131 0 : n = tif->tif_size - ma;
1132 : else
1133 0 : n = size;
1134 0 : if (n != size)
1135 : {
1136 0 : TIFFErrorExtR(tif, module,
1137 : "Read error at row %" PRIu32 ", col %" PRIu32
1138 : ", tile %" PRIu32 "; got %" TIFF_SSIZE_FORMAT
1139 : " bytes, expected %" TIFF_SSIZE_FORMAT,
1140 : tif->tif_row, tif->tif_col, tile, n, size);
1141 0 : return ((tmsize_t)(-1));
1142 : }
1143 0 : _TIFFmemcpy(buf, tif->tif_base + ma, size);
1144 : }
1145 21645 : return (size);
1146 : }
1147 :
1148 : /*
1149 : * Read a tile of data from the file.
1150 : */
1151 3 : tmsize_t TIFFReadRawTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
1152 : {
1153 : static const char module[] = "TIFFReadRawTile";
1154 3 : TIFFDirectory *td = &tif->tif_dir;
1155 : uint64_t bytecount64;
1156 : tmsize_t bytecountm;
1157 :
1158 3 : if (!TIFFCheckRead(tif, 1))
1159 0 : return ((tmsize_t)(-1));
1160 3 : if (tile >= td->td_nstrips)
1161 : {
1162 0 : TIFFErrorExtR(tif, module,
1163 : "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
1164 : td->td_nstrips);
1165 0 : return ((tmsize_t)(-1));
1166 : }
1167 3 : if (tif->tif_flags & TIFF_NOREADRAW)
1168 : {
1169 0 : TIFFErrorExtR(tif, module,
1170 : "Compression scheme does not support access to raw "
1171 : "uncompressed data");
1172 0 : return ((tmsize_t)(-1));
1173 : }
1174 3 : bytecount64 = TIFFGetStrileByteCount(tif, tile);
1175 3 : if (size != (tmsize_t)(-1) && (uint64_t)size <= bytecount64)
1176 3 : bytecountm = size;
1177 : else
1178 0 : bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
1179 3 : if (bytecountm == 0)
1180 : {
1181 0 : return ((tmsize_t)(-1));
1182 : }
1183 3 : return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
1184 : }
1185 :
1186 : /*
1187 : * Read the specified tile and setup for decoding. The data buffer is
1188 : * expanded, as necessary, to hold the tile's data.
1189 : */
1190 5347 : int TIFFFillTile(TIFF *tif, uint32_t tile)
1191 : {
1192 : static const char module[] = "TIFFFillTile";
1193 5347 : TIFFDirectory *td = &tif->tif_dir;
1194 :
1195 5347 : if ((tif->tif_flags & TIFF_NOREADRAW) == 0)
1196 : {
1197 5345 : uint64_t bytecount = TIFFGetStrileByteCount(tif, tile);
1198 5345 : if (bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX)
1199 : {
1200 0 : TIFFErrorExtR(tif, module,
1201 : "%" PRIu64 ": Invalid tile byte count, tile %" PRIu32,
1202 : bytecount, tile);
1203 0 : return (0);
1204 : }
1205 :
1206 : /* To avoid excessive memory allocations: */
1207 : /* Byte count should normally not be larger than a number of */
1208 : /* times the uncompressed size plus some margin */
1209 5345 : if (bytecount > 1024 * 1024)
1210 : {
1211 : /* 10 and 4096 are just values that could be adjusted. */
1212 : /* Hopefully they are safe enough for all codecs */
1213 2 : tmsize_t stripsize = TIFFTileSize(tif);
1214 2 : if (stripsize != 0 && (bytecount - 4096) / 10 > (uint64_t)stripsize)
1215 : {
1216 1 : uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
1217 1 : TIFFErrorExtR(tif, module,
1218 : "Too large tile byte count %" PRIu64
1219 : ", tile %" PRIu32 ". Limiting to %" PRIu64,
1220 : bytecount, tile, newbytecount);
1221 1 : bytecount = newbytecount;
1222 : }
1223 : }
1224 :
1225 5345 : if (isMapped(tif))
1226 : {
1227 : /*
1228 : * We must check for overflow, potentially causing
1229 : * an OOB read. Instead of simple
1230 : *
1231 : * TIFFGetStrileOffset(tif, tile)+bytecount > tif->tif_size
1232 : *
1233 : * comparison (which can overflow) we do the following
1234 : * two comparisons:
1235 : */
1236 4 : if (bytecount > (uint64_t)tif->tif_size ||
1237 4 : TIFFGetStrileOffset(tif, tile) >
1238 4 : (uint64_t)tif->tif_size - bytecount)
1239 : {
1240 2 : tif->tif_curtile = NOTILE;
1241 2 : return (0);
1242 : }
1243 : }
1244 :
1245 5343 : if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) ||
1246 0 : (tif->tif_flags & TIFF_NOBITREV)))
1247 : {
1248 : /*
1249 : * The image is mapped into memory and we either don't
1250 : * need to flip bits or the compression routine is
1251 : * going to handle this operation itself. In this
1252 : * case, avoid copying the raw data and instead just
1253 : * reference the data from the memory mapped file
1254 : * image. This assumes that the decompression
1255 : * routines do not modify the contents of the raw data
1256 : * buffer (if they try to, the application will get a
1257 : * fault since the file is mapped read-only).
1258 : */
1259 2 : if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
1260 : {
1261 0 : _TIFFfreeExt(tif, tif->tif_rawdata);
1262 0 : tif->tif_rawdata = NULL;
1263 0 : tif->tif_rawdatasize = 0;
1264 : }
1265 2 : tif->tif_flags &= ~TIFF_MYBUFFER;
1266 :
1267 2 : tif->tif_rawdatasize = (tmsize_t)bytecount;
1268 2 : tif->tif_rawdata =
1269 2 : tif->tif_base + (tmsize_t)TIFFGetStrileOffset(tif, tile);
1270 2 : tif->tif_rawdataoff = 0;
1271 2 : tif->tif_rawdataloaded = (tmsize_t)bytecount;
1272 2 : tif->tif_flags |= TIFF_BUFFERMMAP;
1273 : }
1274 : else
1275 : {
1276 : /*
1277 : * Expand raw data buffer, if needed, to hold data
1278 : * tile coming from file (perhaps should set upper
1279 : * bound on the size of a buffer we'll use?).
1280 : */
1281 : tmsize_t bytecountm;
1282 5341 : bytecountm = (tmsize_t)bytecount;
1283 5341 : if ((uint64_t)bytecountm != bytecount)
1284 : {
1285 0 : TIFFErrorExtR(tif, module, "Integer overflow");
1286 0 : return (0);
1287 : }
1288 5341 : if (bytecountm > tif->tif_rawdatasize)
1289 : {
1290 738 : tif->tif_curtile = NOTILE;
1291 738 : if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
1292 : {
1293 0 : TIFFErrorExtR(tif, module,
1294 : "Data buffer too small to hold tile %" PRIu32,
1295 : tile);
1296 0 : return (0);
1297 : }
1298 : }
1299 5341 : if (tif->tif_flags & TIFF_BUFFERMMAP)
1300 : {
1301 0 : tif->tif_curtile = NOTILE;
1302 0 : tif->tif_rawdata = NULL;
1303 0 : tif->tif_rawdatasize = 0;
1304 0 : tif->tif_flags &= ~TIFF_BUFFERMMAP;
1305 : }
1306 :
1307 5341 : if (isMapped(tif))
1308 : {
1309 0 : if (bytecountm > tif->tif_rawdatasize &&
1310 0 : !TIFFReadBufferSetup(tif, 0, bytecountm))
1311 : {
1312 0 : return (0);
1313 : }
1314 0 : if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata, bytecountm,
1315 : module) != bytecountm)
1316 : {
1317 0 : return (0);
1318 : }
1319 : }
1320 : else
1321 : {
1322 5341 : if (TIFFReadRawStripOrTile2(tif, tile, 0, bytecountm, module) !=
1323 : bytecountm)
1324 : {
1325 27 : return (0);
1326 : }
1327 : }
1328 :
1329 5314 : tif->tif_rawdataoff = 0;
1330 5314 : tif->tif_rawdataloaded = bytecountm;
1331 :
1332 5314 : if (tif->tif_rawdata != NULL &&
1333 5314 : !isFillOrder(tif, td->td_fillorder) &&
1334 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
1335 0 : TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdataloaded);
1336 : }
1337 : }
1338 5318 : return (TIFFStartTile(tif, tile));
1339 : }
1340 :
1341 : /*
1342 : * Setup the raw data buffer in preparation for
1343 : * reading a strip of raw data. If the buffer
1344 : * is specified as zero, then a buffer of appropriate
1345 : * size is allocated by the library. Otherwise,
1346 : * the client must guarantee that the buffer is
1347 : * large enough to hold any individual strip of
1348 : * raw data.
1349 : */
1350 0 : int TIFFReadBufferSetup(TIFF *tif, void *bp, tmsize_t size)
1351 : {
1352 : static const char module[] = "TIFFReadBufferSetup";
1353 :
1354 0 : assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
1355 0 : tif->tif_flags &= ~TIFF_BUFFERMMAP;
1356 :
1357 0 : if (tif->tif_rawdata)
1358 : {
1359 0 : if (tif->tif_flags & TIFF_MYBUFFER)
1360 0 : _TIFFfreeExt(tif, tif->tif_rawdata);
1361 0 : tif->tif_rawdata = NULL;
1362 0 : tif->tif_rawdatasize = 0;
1363 : }
1364 0 : if (bp)
1365 : {
1366 0 : tif->tif_rawdatasize = size;
1367 0 : tif->tif_rawdata = (uint8_t *)bp;
1368 0 : tif->tif_flags &= ~TIFF_MYBUFFER;
1369 : }
1370 : else
1371 : {
1372 0 : tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64_t)size, 1024);
1373 0 : if (tif->tif_rawdatasize == 0)
1374 : {
1375 0 : TIFFErrorExtR(tif, module, "Invalid buffer size");
1376 0 : return (0);
1377 : }
1378 : /* Initialize to zero to avoid uninitialized buffers in case of */
1379 : /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
1380 0 : tif->tif_rawdata =
1381 0 : (uint8_t *)_TIFFcallocExt(tif, 1, tif->tif_rawdatasize);
1382 0 : tif->tif_flags |= TIFF_MYBUFFER;
1383 : }
1384 0 : if (tif->tif_rawdata == NULL)
1385 : {
1386 0 : TIFFErrorExtR(tif, module,
1387 : "No space for data buffer at scanline %" PRIu32,
1388 : tif->tif_row);
1389 0 : tif->tif_rawdatasize = 0;
1390 0 : return (0);
1391 : }
1392 0 : return (1);
1393 : }
1394 :
1395 : /*
1396 : * Set state to appear as if a
1397 : * strip has just been read in.
1398 : */
1399 12402 : static int TIFFStartStrip(TIFF *tif, uint32_t strip)
1400 : {
1401 12402 : TIFFDirectory *td = &tif->tif_dir;
1402 :
1403 12402 : if ((tif->tif_flags & TIFF_CODERSETUP) == 0)
1404 : {
1405 3028 : if (!(*tif->tif_setupdecode)(tif))
1406 1 : return (0);
1407 3027 : tif->tif_flags |= TIFF_CODERSETUP;
1408 : }
1409 12401 : tif->tif_curstrip = strip;
1410 12401 : tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip;
1411 12401 : tif->tif_flags &= ~TIFF_BUF4WRITE;
1412 :
1413 12401 : if (tif->tif_flags & TIFF_NOREADRAW)
1414 : {
1415 0 : tif->tif_rawcp = NULL;
1416 0 : tif->tif_rawcc = 0;
1417 : }
1418 : else
1419 : {
1420 12401 : tif->tif_rawcp = tif->tif_rawdata;
1421 12401 : if (tif->tif_rawdataloaded > 0)
1422 12400 : tif->tif_rawcc = tif->tif_rawdataloaded;
1423 : else
1424 1 : tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, strip);
1425 : }
1426 12400 : if ((*tif->tif_predecode)(tif, (uint16_t)(strip / td->td_stripsperimage)) ==
1427 : 0)
1428 : {
1429 : /* Needed for example for scanline access, if tif_predecode */
1430 : /* fails, and we try to read the same strip again. Without invalidating
1431 : */
1432 : /* tif_curstrip, we'd call tif_decoderow() on a possibly invalid */
1433 : /* codec state. */
1434 2 : tif->tif_curstrip = NOSTRIP;
1435 2 : return 0;
1436 : }
1437 12398 : return 1;
1438 : }
1439 :
1440 : /*
1441 : * Set state to appear as if a
1442 : * tile has just been read in.
1443 : */
1444 5532 : static int TIFFStartTile(TIFF *tif, uint32_t tile)
1445 : {
1446 : static const char module[] = "TIFFStartTile";
1447 5532 : TIFFDirectory *td = &tif->tif_dir;
1448 : uint32_t howmany32;
1449 :
1450 5532 : if ((tif->tif_flags & TIFF_CODERSETUP) == 0)
1451 : {
1452 776 : if (!(*tif->tif_setupdecode)(tif))
1453 0 : return (0);
1454 776 : tif->tif_flags |= TIFF_CODERSETUP;
1455 : }
1456 5532 : tif->tif_curtile = tile;
1457 5532 : if (td->td_tilewidth == 0)
1458 : {
1459 0 : TIFFErrorExtR(tif, module, "Zero tilewidth");
1460 0 : return 0;
1461 : }
1462 5532 : howmany32 = TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth);
1463 5532 : if (howmany32 == 0)
1464 : {
1465 0 : TIFFErrorExtR(tif, module, "Zero tiles");
1466 0 : return 0;
1467 : }
1468 5532 : tif->tif_row = (tile % howmany32) * td->td_tilelength;
1469 5532 : howmany32 = TIFFhowmany_32(td->td_imagelength, td->td_tilelength);
1470 5532 : if (howmany32 == 0)
1471 : {
1472 0 : TIFFErrorExtR(tif, module, "Zero tiles");
1473 0 : return 0;
1474 : }
1475 5532 : tif->tif_col = (tile % howmany32) * td->td_tilewidth;
1476 5532 : tif->tif_flags &= ~TIFF_BUF4WRITE;
1477 5532 : if (tif->tif_flags & TIFF_NOREADRAW)
1478 : {
1479 2 : tif->tif_rawcp = NULL;
1480 2 : tif->tif_rawcc = 0;
1481 : }
1482 : else
1483 : {
1484 5530 : tif->tif_rawcp = tif->tif_rawdata;
1485 5530 : if (tif->tif_rawdataloaded > 0)
1486 5530 : tif->tif_rawcc = tif->tif_rawdataloaded;
1487 : else
1488 0 : tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, tile);
1489 : }
1490 : return (
1491 5532 : (*tif->tif_predecode)(tif, (uint16_t)(tile / td->td_stripsperimage)));
1492 : }
1493 :
1494 2250510 : static int TIFFCheckRead(TIFF *tif, int tiles)
1495 : {
1496 2250510 : if (tif->tif_mode == O_WRONLY)
1497 : {
1498 0 : TIFFErrorExtR(tif, tif->tif_name, "File not open for reading");
1499 0 : return (0);
1500 : }
1501 2250510 : if (tiles ^ isTiled(tif))
1502 : {
1503 0 : TIFFErrorExtR(tif, tif->tif_name,
1504 : tiles ? "Can not read tiles from a striped image"
1505 : : "Can not read scanlines from a tiled image");
1506 0 : return (0);
1507 : }
1508 2250510 : return (1);
1509 : }
1510 :
1511 : /* Use the provided input buffer (inbuf, insize) and decompress it into
1512 : * (outbuf, outsize).
1513 : * This function replaces the use of
1514 : * TIFFReadEncodedStrip()/TIFFReadEncodedTile() when the user can provide the
1515 : * buffer for the input data, for example when he wants to avoid libtiff to read
1516 : * the strile offset/count values from the [Strip|Tile][Offsets/ByteCounts]
1517 : * array. inbuf content must be writable (if bit reversal is needed) Returns 1
1518 : * in case of success, 0 otherwise.
1519 : */
1520 2564 : int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
1521 : tmsize_t insize, void *outbuf, tmsize_t outsize)
1522 : {
1523 : static const char module[] = "TIFFReadFromUserBuffer";
1524 2564 : TIFFDirectory *td = &tif->tif_dir;
1525 2564 : int ret = 1;
1526 2564 : uint32_t old_tif_flags = tif->tif_flags;
1527 2564 : tmsize_t old_rawdatasize = tif->tif_rawdatasize;
1528 2564 : void *old_rawdata = tif->tif_rawdata;
1529 :
1530 2564 : if (tif->tif_mode == O_WRONLY)
1531 : {
1532 0 : TIFFErrorExtR(tif, tif->tif_name, "File not open for reading");
1533 0 : return 0;
1534 : }
1535 2564 : if (tif->tif_flags & TIFF_NOREADRAW)
1536 : {
1537 0 : TIFFErrorExtR(tif, module,
1538 : "Compression scheme does not support access to raw "
1539 : "uncompressed data");
1540 0 : return 0;
1541 : }
1542 :
1543 2564 : tif->tif_flags &= ~TIFF_MYBUFFER;
1544 2564 : tif->tif_flags |= TIFF_BUFFERMMAP;
1545 2564 : tif->tif_rawdatasize = insize;
1546 2564 : tif->tif_rawdata = inbuf;
1547 2564 : tif->tif_rawdataoff = 0;
1548 2564 : tif->tif_rawdataloaded = insize;
1549 :
1550 2564 : if (!isFillOrder(tif, td->td_fillorder) &&
1551 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
1552 : {
1553 0 : TIFFReverseBits(inbuf, insize);
1554 : }
1555 :
1556 2564 : if (TIFFIsTiled(tif))
1557 : {
1558 430 : if (!TIFFStartTile(tif, strile) ||
1559 214 : !(*tif->tif_decodetile)(tif, (uint8_t *)outbuf, outsize,
1560 214 : (uint16_t)(strile / td->td_stripsperimage)))
1561 : {
1562 0 : ret = 0;
1563 : }
1564 : }
1565 : else
1566 : {
1567 2339 : uint32_t rowsperstrip = td->td_rowsperstrip;
1568 : uint32_t stripsperplane;
1569 2339 : if (rowsperstrip > td->td_imagelength)
1570 0 : rowsperstrip = td->td_imagelength;
1571 2339 : if (rowsperstrip == 0)
1572 : {
1573 0 : TIFFErrorExtR(tif, module, "rowsperstrip is zero");
1574 0 : ret = 0;
1575 : }
1576 : else
1577 : {
1578 2339 : stripsperplane =
1579 2339 : TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
1580 4693 : if (!TIFFStartStrip(tif, strile) ||
1581 2350 : !(*tif->tif_decodestrip)(tif, (uint8_t *)outbuf, outsize,
1582 2350 : (uint16_t)(strile / stripsperplane)))
1583 : {
1584 0 : ret = 0;
1585 : }
1586 : }
1587 : }
1588 2571 : if (ret)
1589 : {
1590 2565 : (*tif->tif_postdecode)(tif, (uint8_t *)outbuf, outsize);
1591 : }
1592 :
1593 2571 : if (!isFillOrder(tif, td->td_fillorder) &&
1594 0 : (tif->tif_flags & TIFF_NOBITREV) == 0)
1595 : {
1596 0 : TIFFReverseBits(inbuf, insize);
1597 : }
1598 :
1599 2565 : tif->tif_flags = (old_tif_flags & (TIFF_MYBUFFER | TIFF_BUFFERMMAP)) |
1600 2565 : (tif->tif_flags & ~(TIFF_MYBUFFER | TIFF_BUFFERMMAP));
1601 2565 : tif->tif_rawdatasize = old_rawdatasize;
1602 2565 : tif->tif_rawdata = old_rawdata;
1603 2565 : tif->tif_rawdataoff = 0;
1604 2565 : tif->tif_rawdataloaded = 0;
1605 :
1606 2565 : return ret;
1607 : }
1608 :
1609 2473900 : void _TIFFNoPostDecode(TIFF *tif, uint8_t *buf, tmsize_t cc)
1610 : {
1611 : (void)tif;
1612 : (void)buf;
1613 : (void)cc;
1614 2473900 : }
1615 :
1616 1943 : void _TIFFSwab16BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1617 : {
1618 : (void)tif;
1619 1943 : assert((cc & 1) == 0);
1620 1943 : TIFFSwabArrayOfShort((uint16_t *)buf, cc / 2);
1621 1943 : }
1622 :
1623 0 : void _TIFFSwab24BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1624 : {
1625 : (void)tif;
1626 0 : assert((cc % 3) == 0);
1627 0 : TIFFSwabArrayOfTriples((uint8_t *)buf, cc / 3);
1628 0 : }
1629 :
1630 188 : void _TIFFSwab32BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1631 : {
1632 : (void)tif;
1633 188 : assert((cc & 3) == 0);
1634 188 : TIFFSwabArrayOfLong((uint32_t *)buf, cc / 4);
1635 188 : }
1636 :
1637 4 : void _TIFFSwab64BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1638 : {
1639 : (void)tif;
1640 4 : assert((cc & 7) == 0);
1641 4 : TIFFSwabArrayOfDouble((double *)buf, cc / 8);
1642 4 : }
|