Made JPEGDecodeRaw() check for buffer overruns. Made so that when working

with downsampled images a stub function reporting an error is used for tif_decoderow. We cannot meaningfully support reading scanlines in this situation. (#1936)
2009-12-04 01:37:57 +00:00 · 2009-12-04 01:37:57 +00:00 · bbef7fb9cb
commit bbef7fb9cb
parent e1b49e08af
2 changed files with 28 additions and 2 deletions
--- a/5
+++ b/5
@ -1,5 +1,10 @@
 2009-12-03  Frank Warmerdam  <warmerdam@pobox.com>

+	* libtiff/tif_jpeg.c: Made JPEGDecodeRaw() check for buffer overruns.
+	Made so that when working with downsampled images a stub function 
+	reporting an error is used for tif_decoderow.  We cannot meaningfully
+	support reading scanlines in this situation.  (#1936)
+
 	* libtiff/tif_jpeg.c: Ensure that tif_scanlinesize is computed after
 	resetting of the upsampling values (gdal:#3259).
 	http://bugzilla.maptools.org/show_bug.cgi?id=1936
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@ -1,4 +1,4 @@
-/* $Id: tif_jpeg.c,v 1.85 2009-12-04 01:21:52 fwarmerdam Exp $ */
+/* $Id: tif_jpeg.c,v 1.86 2009-12-04 01:37:58 fwarmerdam Exp $ */

 /*
 * Copyright (c) 1994-1997 Sam Leffler
@ -184,6 +184,7 @@ static int JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s);
 static int JPEGEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s);
 static int JPEGEncodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s);
 static int JPEGInitializeLibJPEG(TIFF * tif, int decode );
+static int DecodeRowError(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s);

 #define	FIELD_JPEGTABLES	(FIELD_CODEC+0)

@ -1166,7 +1167,7 @@ JPEGPreDecode(TIFF* tif, uint16 s)
 	if (downsampled_output) {
 		/* Need to use raw-data interface to libjpeg */
 		sp->cinfo.d.raw_data_out = TRUE;
-		tif->tif_decoderow = JPEGDecodeRaw;
+		tif->tif_decoderow = DecodeRowError;
 		tif->tif_decodestrip = JPEGDecodeRaw;
 		tif->tif_decodetile = JPEGDecodeRaw;
 	} else {
@ -1293,6 +1294,19 @@ JPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
 	    || TIFFjpeg_finish_decompress(sp);
 }

+/*ARGSUSED*/ static int
+DecodeRowError(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+
+{
+    (void) buf;
+    (void) cc;
+    (void) s;
+
+    TIFFErrorExt(tif->tif_clientdata, "TIFFReadScanline",
+                 "scanline oriented access is not supported for downsampled JPEG compressed images, consider enabling TIFF_JPEGCOLORMODE as JPEGCOLORMODE_RGB." );
+    return 0;
+}
+
 /*
 * Decode a chunk of pixels.
 * Returned data is downsampled per sampling factors.
@ -1306,6 +1320,7 @@ JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)

 	/* data is expected to be read in multiples of a scanline */
 	if ( (nrows = sp->cinfo.d.image_height) ) {
+
 		/* Cb,Cr both have sampling factors 1, so this is correct */
 		JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;            
 		int samples_per_clump = sp->samplesperclump;
@ -1320,6 +1335,12 @@ JPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
 			jpeg_component_info *compptr;
 			int ci, clumpoffset;

+                        if( cc < sp->bytesperline * sp->v_sampling ) {
+                            TIFFErrorExt(tif->tif_clientdata, "JPEGDecodeRaw",
+                                         "application buffer not large enough for all data.");
+                            return 0;
+                        }
+
 			/* Reload downsampled-data buffer if needed */
 			if (sp->scancount >= DCTSIZE) {
 				int n = sp->cinfo.d.max_v_samp_factor * DCTSIZE;