* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
avoid potential integer overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode. Should especially occur on 32 bit platforms.
This commit is contained in:
Even Rouault
parent
80ee713d88
commit
76084fb831
@ -1,3 +1,10 @@
|
|||||||
|
2017-05-12 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
|
||||||
|
* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
|
||||||
|
avoid potential integer overflows with read_ahead in
|
||||||
|
CHUNKY_STRIP_READ_SUPPORT mode. Should
|
||||||
|
especially occur on 32 bit platforms.
|
||||||
|
|
||||||
2017-05-10 Even Rouault <even.rouault at spatialys.com>
|
2017-05-10 Even Rouault <even.rouault at spatialys.com>
|
||||||
|
|
||||||
* libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
|
* libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tif_read.c,v 1.56 2017-05-10 19:54:54 erouault Exp $ */
|
/* $Id: tif_read.c,v 1.57 2017-05-12 20:16:37 erouault Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1988-1997 Sam Leffler
|
* Copyright (c) 1988-1997 Sam Leffler
|
||||||
@ -55,6 +55,7 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
|
|||||||
tmsize_t unused_data;
|
tmsize_t unused_data;
|
||||||
uint64 read_offset;
|
uint64 read_offset;
|
||||||
tmsize_t cc, to_read;
|
tmsize_t cc, to_read;
|
||||||
|
tmsize_t read_ahead_mod;
|
||||||
/* tmsize_t bytecountm; */
|
/* tmsize_t bytecountm; */
|
||||||
|
|
||||||
if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
|
if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
|
||||||
@ -67,7 +68,14 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */
|
/* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */
|
||||||
if (read_ahead*2 > tif->tif_rawdatasize) {
|
|
||||||
|
/* Not completely sure where the * 2 comes from, but probably for */
|
||||||
|
/* an exponentional growth strategy of tif_rawdatasize */
|
||||||
|
if( read_ahead < TIFF_TMSIZE_T_MAX / 2 )
|
||||||
|
read_ahead_mod = read_ahead * 2;
|
||||||
|
else
|
||||||
|
read_ahead_mod = read_ahead;
|
||||||
|
if (read_ahead_mod > tif->tif_rawdatasize) {
|
||||||
assert( restart );
|
assert( restart );
|
||||||
|
|
||||||
tif->tif_curstrip = NOSTRIP;
|
tif->tif_curstrip = NOSTRIP;
|
||||||
@ -77,7 +85,7 @@ TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
|
|||||||
(unsigned long) strip);
|
(unsigned long) strip);
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
if (!TIFFReadBufferSetup(tif, 0, read_ahead*2))
|
if (!TIFFReadBufferSetup(tif, 0, read_ahead_mod))
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -218,9 +226,20 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( !whole_strip )
|
if( !whole_strip )
|
||||||
|
{
|
||||||
|
/* 16 is for YCbCr mode where we may need to read 16 */
|
||||||
|
/* lines at a time to get a decompressed line, and 5000 */
|
||||||
|
/* is some constant value, for example for JPEG tables */
|
||||||
|
if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
|
||||||
|
tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 )
|
||||||
{
|
{
|
||||||
read_ahead = tif->tif_scanlinesize * 16 + 5000;
|
read_ahead = tif->tif_scanlinesize * 16 + 5000;
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
read_ahead = tif->tif_scanlinesize;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If we haven't loaded this strip, do so now, possibly
|
* If we haven't loaded this strip, do so now, possibly
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user