cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TIFFReadDirEntryArrayWithLimit(): properly read from offline tag value when we clamp the number of strips to 1.

Browse Source 
Fixes regression of commit 7057734d98 on reading
a file with StripByteCounts with 1 element (broken) and StripOffsets with
896 elements, and where StripOffsets[0] is correct

$ tiffdump foo.tif
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 25725448 (0x1888a08) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) LONG (4) 1<640>
ImageLength (257) LONG (4) 1<20098>
BitsPerSample (258) SHORT (3) 1<16>
Photometric (262) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
StripByteCounts (279) LONG (4) 1<1806>
StripOffsets (273) LONG (4) 896<8 648 1288 1928 2568 3208 3848 4488 5128 5768 6408 7048 7688 8328 8968 9608 10248 10888 11528 12168 12808 13448 14088 14728 ...>
This commit is contained in:
Even Rouault 2020-12-08 16:09:17 +01:00
parent 4ca3e42517
commit f13cf46b6e
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libtiff/tif_dirread.c
View File

@ -838,6 +838,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
uint32 datasize; uint32 datasize;
void* data; void* data;
uint64 target_count64; uint64 target_count64;
int original_datasize_clamped;
typesize=TIFFDataWidth(direntry->tdir_type); typesize=TIFFDataWidth(direntry->tdir_type);
target_count64 = (direntry->tdir_count > maxcount) ? target_count64 = (direntry->tdir_count > maxcount) ?
@ -850,6 +851,12 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
} }
(void) desttypesize; (void) desttypesize;
/* We just want to know if the original tag size is more than 4 bytes
* (classic TIFF) or 8 bytes (BigTIFF)
*/
original_datasize_clamped =
((direntry->tdir_count > 10) ? 10 : (int)direntry->tdir_count) * typesize;
/* /*
* As a sanity check, make sure we have no more than a 2GB tag array * As a sanity check, make sure we have no more than a 2GB tag array
* in either the current data type or the dest data type. This also * in either the current data type or the dest data type. This also
@ -881,7 +888,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
} }
if (!(tif->tif_flags&TIFF_BIGTIFF)) if (!(tif->tif_flags&TIFF_BIGTIFF))
{ {
if (datasize<=4) if (original_datasize_clamped<=4)
_TIFFmemcpy(data,&direntry->tdir_offset,datasize); _TIFFmemcpy(data,&direntry->tdir_offset,datasize);
else else
{ {
@ -902,7 +909,7 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
} }
else else
{ {
if (datasize<=8) if (original_datasize_clamped<=8)
_TIFFmemcpy(data,&direntry->tdir_offset,datasize); _TIFFmemcpy(data,&direntry->tdir_offset,datasize);
else else
{ {