cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'issue-46' into 'master'

Browse Source 
fix decoding of fax4 images

Closes #46

See merge request libtiff/libtiff!110
This commit is contained in:
Even Rouault 2020-03-01 10:39:07 +00:00
commit 18ca4b4276
2 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
libtiff/tif_fax3.c
View File

@ -73,6 +73,7 @@ typedef struct {
int EOLcnt; /* count of EOL codes recognized */ int EOLcnt; /* count of EOL codes recognized */
TIFFFaxFillFunc fill; /* fill routine */ TIFFFaxFillFunc fill; /* fill routine */
uint32* runs; /* b&w runs for current/previous row */ uint32* runs; /* b&w runs for current/previous row */
uint32 nruns; /* size of the refruns / curruns arrays */
uint32* refruns; /* runs for reference line */ uint32* refruns; /* runs for reference line */
uint32* curruns; /* runs for current line */ uint32* curruns; /* runs for current line */
@ -506,7 +507,7 @@ Fax3SetupState(TIFF* tif)
int needsRefLine; int needsRefLine;
Fax3CodecState* dsp = (Fax3CodecState*) Fax3State(tif); Fax3CodecState* dsp = (Fax3CodecState*) Fax3State(tif);
tmsize_t rowbytes; tmsize_t rowbytes;
uint32 rowpixels, nruns; uint32 rowpixels;
if (td->td_bitspersample != 1) { if (td->td_bitspersample != 1) {
TIFFErrorExt(tif->tif_clientdata, module, TIFFErrorExt(tif->tif_clientdata, module,
@ -539,26 +540,26 @@ Fax3SetupState(TIFF* tif)
TIFFroundup and TIFFSafeMultiply return zero on integer overflow TIFFroundup and TIFFSafeMultiply return zero on integer overflow
*/ */
dsp->runs=(uint32*) NULL; dsp->runs=(uint32*) NULL;
nruns = TIFFroundup_32(rowpixels,32); dsp->nruns = TIFFroundup_32(rowpixels,32);
if (needsRefLine) { if (needsRefLine) {
nruns = TIFFSafeMultiply(uint32,nruns,2); dsp->nruns = TIFFSafeMultiply(uint32,dsp->nruns,2);
} }
if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { if ((dsp->nruns == 0) || (TIFFSafeMultiply(uint32,dsp->nruns,2) == 0)) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Row pixels integer overflow (rowpixels %u)", "Row pixels integer overflow (rowpixels %u)",
rowpixels); rowpixels);
return (0); return (0);
} }
dsp->runs = (uint32*) _TIFFCheckMalloc(tif, dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
TIFFSafeMultiply(uint32,nruns,2), TIFFSafeMultiply(uint32,dsp->nruns,2),
sizeof (uint32), sizeof (uint32),
"for Group 3/4 run arrays"); "for Group 3/4 run arrays");
if (dsp->runs == NULL) if (dsp->runs == NULL)
return (0); return (0);
memset( dsp->runs, 0, TIFFSafeMultiply(uint32,nruns,2)*sizeof(uint32)); memset( dsp->runs, 0, TIFFSafeMultiply(uint32,dsp->nruns,2)*sizeof(uint32));
dsp->curruns = dsp->runs; dsp->curruns = dsp->runs;
if (needsRefLine) if (needsRefLine)
dsp->refruns = dsp->runs + nruns; dsp->refruns = dsp->runs + dsp->nruns;
else else
dsp->refruns = NULL; dsp->refruns = NULL;
if (td->td_compression == COMPRESSION_CCITTFAX3 if (td->td_compression == COMPRESSION_CCITTFAX3

13
libtiff/tif_fax3.h
View File

@ -387,6 +387,11 @@ done1d: \
*/ */
#define EXPAND2D(eoflab) do { \ #define EXPAND2D(eoflab) do { \
while (a0 < lastx) { \ while (a0 < lastx) { \
if (pa >= thisrun + sp->nruns) { \
TIFFErrorExt(tif->tif_clientdata, module, "Buffer overflow at line %u of %s %u", \
sp->line, isTiled(tif) ? "tile" : "strip", isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip); \
break; \
} \
LOOKUP8(7, TIFFFaxMainTable, eof2d); \ LOOKUP8(7, TIFFFaxMainTable, eof2d); \
switch (TabEnt->State) { \ switch (TabEnt->State) { \
case S_Pass: \ case S_Pass: \
@ -478,11 +483,9 @@ done1d: \
break; \ break; \
case S_VL: \ case S_VL: \
CHECK_b1; \ CHECK_b1; \
if (b1 <= (int) (a0 + TabEnt->Param)) { \ if (b1 < (int) (a0 + TabEnt->Param)) { \
if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ unexpected("VL", a0); \
unexpected("VL", a0); \ goto eol2d; \
goto eol2d; \
} \
} \ } \
SETVALUE(b1 - a0 - TabEnt->Param); \ SETVALUE(b1 - a0 - TabEnt->Param); \
b1 -= *--pb; \ b1 -= *--pb; \