1 /* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
2 
3 /*
4  * Copyright (c) 1988-1997 Sam Leffler
5  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
6  *
7  * Permission to use, copy, modify, distribute, and sell this software and
8  * its documentation for any purpose is hereby granted without fee, provided
9  * that (i) the above copyright notices and this permission notice appear in
10  * all copies of the software and related documentation, and (ii) the names of
11  * Sam Leffler and Silicon Graphics may not be used in any advertising or
12  * publicity relating to the software without the specific, prior written
13  * permission of Sam Leffler and Silicon Graphics.
14  *
15  * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
17  * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
18  *
19  * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
20  * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
21  * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
22  * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
23  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
24  * OF THIS SOFTWARE.
25  */
26 
27 /*
28  * TIFF Library.
29  *
30  * Directory Read Support Routines.
31  */
32 
33 /* Suggested pending improvements:
34  * - add a field 'ignore' to the TIFFDirEntry structure, to flag status,
35  *   eliminating current use of the IGNORE value, and therefore eliminating
36  *   current irrational behaviour on tags with tag id code 0
37  * - add a field 'field_info' to the TIFFDirEntry structure, and set that with
38  *   the pointer to the appropriate TIFFField structure early on in
39  *   TIFFReadDirectory, so as to eliminate current possibly repetitive lookup.
40  */
41 
42 #include "tiffiop.h"
43 #include <float.h>
44 #include <limits.h>
45 
46 #define IGNORE 0          /* tag placeholder used below */
47 #define FAILED_FII    ((uint32) -1)
48 
49 #ifdef HAVE_IEEEFP
50 # define TIFFCvtIEEEFloatToNative(tif, n, fp)
51 # define TIFFCvtIEEEDoubleToNative(tif, n, dp)
52 #else
53 extern void TIFFCvtIEEEFloatToNative(TIFF*, uint32, float*);
54 extern void TIFFCvtIEEEDoubleToNative(TIFF*, uint32, double*);
55 #endif
56 
57 enum TIFFReadDirEntryErr {
58 	TIFFReadDirEntryErrOk = 0,
59 	TIFFReadDirEntryErrCount = 1,
60 	TIFFReadDirEntryErrType = 2,
61 	TIFFReadDirEntryErrIo = 3,
62 	TIFFReadDirEntryErrRange = 4,
63 	TIFFReadDirEntryErrPsdif = 5,
64 	TIFFReadDirEntryErrSizesan = 6,
65 	TIFFReadDirEntryErrAlloc = 7,
66 };
67 
68 static enum TIFFReadDirEntryErr TIFFReadDirEntryByte(TIFF* tif, TIFFDirEntry* direntry, uint8* value);
69 static enum TIFFReadDirEntryErr TIFFReadDirEntryShort(TIFF* tif, TIFFDirEntry* direntry, uint16* value);
70 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong(TIFF* tif, TIFFDirEntry* direntry, uint32* value);
71 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8(TIFF* tif, TIFFDirEntry* direntry, uint64* value);
72 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* direntry, float* value);
73 static enum TIFFReadDirEntryErr TIFFReadDirEntryDouble(TIFF* tif, TIFFDirEntry* direntry, double* value);
74 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* direntry, uint64* value);
75 
76 static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value);
77 static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8** value);
78 static enum TIFFReadDirEntryErr TIFFReadDirEntrySbyteArray(TIFF* tif, TIFFDirEntry* direntry, int8** value);
79 static enum TIFFReadDirEntryErr TIFFReadDirEntryShortArray(TIFF* tif, TIFFDirEntry* direntry, uint16** value);
80 static enum TIFFReadDirEntryErr TIFFReadDirEntrySshortArray(TIFF* tif, TIFFDirEntry* direntry, int16** value);
81 static enum TIFFReadDirEntryErr TIFFReadDirEntryLongArray(TIFF* tif, TIFFDirEntry* direntry, uint32** value);
82 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEntry* direntry, int32** value);
83 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value);
84 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64** value);
85 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEntry* direntry, float** value);
86 static enum TIFFReadDirEntryErr TIFFReadDirEntryDoubleArray(TIFF* tif, TIFFDirEntry* direntry, double** value);
87 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value);
88 
89 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDirEntry* direntry, uint16* value);
90 #if 0
91 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleDouble(TIFF* tif, TIFFDirEntry* direntry, double* value);
92 #endif
93 
94 static void TIFFReadDirEntryCheckedByte(TIFF* tif, TIFFDirEntry* direntry, uint8* value);
95 static void TIFFReadDirEntryCheckedSbyte(TIFF* tif, TIFFDirEntry* direntry, int8* value);
96 static void TIFFReadDirEntryCheckedShort(TIFF* tif, TIFFDirEntry* direntry, uint16* value);
97 static void TIFFReadDirEntryCheckedSshort(TIFF* tif, TIFFDirEntry* direntry, int16* value);
98 static void TIFFReadDirEntryCheckedLong(TIFF* tif, TIFFDirEntry* direntry, uint32* value);
99 static void TIFFReadDirEntryCheckedSlong(TIFF* tif, TIFFDirEntry* direntry, int32* value);
100 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedLong8(TIFF* tif, TIFFDirEntry* direntry, uint64* value);
101 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSlong8(TIFF* tif, TIFFDirEntry* direntry, int64* value);
102 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFDirEntry* direntry, double* value);
103 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFFDirEntry* direntry, double* value);
104 static void TIFFReadDirEntryCheckedFloat(TIFF* tif, TIFFDirEntry* direntry, float* value);
105 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedDouble(TIFF* tif, TIFFDirEntry* direntry, double* value);
106 
107 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSbyte(int8 value);
108 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteShort(uint16 value);
109 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSshort(int16 value);
110 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong(uint32 value);
111 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong(int32 value);
112 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong8(uint64 value);
113 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong8(int64 value);
114 
115 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteByte(uint8 value);
116 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteShort(uint16 value);
117 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSshort(int16 value);
118 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong(uint32 value);
119 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong(int32 value);
120 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong8(uint64 value);
121 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong8(int64 value);
122 
123 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSbyte(int8 value);
124 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSshort(int16 value);
125 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong(uint32 value);
126 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong(int32 value);
127 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong8(uint64 value);
128 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong8(int64 value);
129 
130 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortShort(uint16 value);
131 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong(uint32 value);
132 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong(int32 value);
133 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong8(uint64 value);
134 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong8(int64 value);
135 
136 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSbyte(int8 value);
137 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSshort(int16 value);
138 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSlong(int32 value);
139 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongLong8(uint64 value);
140 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSlong8(int64 value);
141 
142 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlongLong(uint32 value);
143 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlongLong8(uint64 value);
144 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlongSlong8(int64 value);
145 
146 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Sbyte(int8 value);
147 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Sshort(int16 value);
148 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Slong(int32 value);
149 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLong8Slong8(int64 value);
150 
151 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSlong8Long8(uint64 value);
152 
153 static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF* tif, uint64 offset, tmsize_t size, void* dest);
154 static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, const char* module, const char* tagname, int recover);
155 
156 static void TIFFReadDirectoryCheckOrder(TIFF* tif, TIFFDirEntry* dir, uint16 dircount);
157 static TIFFDirEntry* TIFFReadDirectoryFindEntry(TIFF* tif, TIFFDirEntry* dir, uint16 dircount, uint16 tagid);
158 static void TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16 tagid, uint32* fii);
159 
160 static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount);
161 static void MissingRequired(TIFF*, const char*);
162 static int TIFFCheckDirOffset(TIFF* tif, uint64 diroff);
163 static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32);
164 static uint16 TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, uint64* nextdiroff);
165 static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover);
166 static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp);
167 static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
168 static void ChopUpSingleUncompressedStrip(TIFF*);
169 static uint64 TIFFReadUInt64(const uint8 *value);
170 
171 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
172 
173 typedef union _UInt64Aligned_t
174 {
175         double d;
176 	uint64 l;
177 	uint32 i[2];
178 	uint16 s[4];
179 	uint8  c[8];
180 } UInt64Aligned_t;
181 
182 /*
183   Unaligned safe copy of a uint64 value from an octet array.
184 */
TIFFReadUInt64(const uint8 * value)185 static uint64 TIFFReadUInt64(const uint8 *value)
186 {
187 	UInt64Aligned_t result;
188 
189 	result.c[0]=value[0];
190 	result.c[1]=value[1];
191 	result.c[2]=value[2];
192 	result.c[3]=value[3];
193 	result.c[4]=value[4];
194 	result.c[5]=value[5];
195 	result.c[6]=value[6];
196 	result.c[7]=value[7];
197 
198 	return result.l;
199 }
200 
TIFFReadDirEntryByte(TIFF * tif,TIFFDirEntry * direntry,uint8 * value)201 static enum TIFFReadDirEntryErr TIFFReadDirEntryByte(TIFF* tif, TIFFDirEntry* direntry, uint8* value)
202 {
203 	enum TIFFReadDirEntryErr err;
204 	if (direntry->tdir_count!=1)
205 		return(TIFFReadDirEntryErrCount);
206 	switch (direntry->tdir_type)
207 	{
208 		case TIFF_BYTE:
209 			TIFFReadDirEntryCheckedByte(tif,direntry,value);
210 			return(TIFFReadDirEntryErrOk);
211 		case TIFF_SBYTE:
212 			{
213 				int8 m;
214 				TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
215 				err=TIFFReadDirEntryCheckRangeByteSbyte(m);
216 				if (err!=TIFFReadDirEntryErrOk)
217 					return(err);
218 				*value=(uint8)m;
219 				return(TIFFReadDirEntryErrOk);
220 			}
221 		case TIFF_SHORT:
222 			{
223 				uint16 m;
224 				TIFFReadDirEntryCheckedShort(tif,direntry,&m);
225 				err=TIFFReadDirEntryCheckRangeByteShort(m);
226 				if (err!=TIFFReadDirEntryErrOk)
227 					return(err);
228 				*value=(uint8)m;
229 				return(TIFFReadDirEntryErrOk);
230 			}
231 		case TIFF_SSHORT:
232 			{
233 				int16 m;
234 				TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
235 				err=TIFFReadDirEntryCheckRangeByteSshort(m);
236 				if (err!=TIFFReadDirEntryErrOk)
237 					return(err);
238 				*value=(uint8)m;
239 				return(TIFFReadDirEntryErrOk);
240 			}
241 		case TIFF_LONG:
242 			{
243 				uint32 m;
244 				TIFFReadDirEntryCheckedLong(tif,direntry,&m);
245 				err=TIFFReadDirEntryCheckRangeByteLong(m);
246 				if (err!=TIFFReadDirEntryErrOk)
247 					return(err);
248 				*value=(uint8)m;
249 				return(TIFFReadDirEntryErrOk);
250 			}
251 		case TIFF_SLONG:
252 			{
253 				int32 m;
254 				TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
255 				err=TIFFReadDirEntryCheckRangeByteSlong(m);
256 				if (err!=TIFFReadDirEntryErrOk)
257 					return(err);
258 				*value=(uint8)m;
259 				return(TIFFReadDirEntryErrOk);
260 			}
261 		case TIFF_LONG8:
262 			{
263 				uint64 m;
264 				err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
265 				if (err!=TIFFReadDirEntryErrOk)
266 					return(err);
267 				err=TIFFReadDirEntryCheckRangeByteLong8(m);
268 				if (err!=TIFFReadDirEntryErrOk)
269 					return(err);
270 				*value=(uint8)m;
271 				return(TIFFReadDirEntryErrOk);
272 			}
273 		case TIFF_SLONG8:
274 			{
275 				int64 m;
276 				err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
277 				if (err!=TIFFReadDirEntryErrOk)
278 					return(err);
279 				err=TIFFReadDirEntryCheckRangeByteSlong8(m);
280 				if (err!=TIFFReadDirEntryErrOk)
281 					return(err);
282 				*value=(uint8)m;
283 				return(TIFFReadDirEntryErrOk);
284 			}
285 		default:
286 			return(TIFFReadDirEntryErrType);
287 	}
288 }
289 
TIFFReadDirEntryShort(TIFF * tif,TIFFDirEntry * direntry,uint16 * value)290 static enum TIFFReadDirEntryErr TIFFReadDirEntryShort(TIFF* tif, TIFFDirEntry* direntry, uint16* value)
291 {
292 	enum TIFFReadDirEntryErr err;
293 	if (direntry->tdir_count!=1)
294 		return(TIFFReadDirEntryErrCount);
295 	switch (direntry->tdir_type)
296 	{
297 		case TIFF_BYTE:
298 			{
299 				uint8 m;
300 				TIFFReadDirEntryCheckedByte(tif,direntry,&m);
301 				*value=(uint16)m;
302 				return(TIFFReadDirEntryErrOk);
303 			}
304 		case TIFF_SBYTE:
305 			{
306 				int8 m;
307 				TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
308 				err=TIFFReadDirEntryCheckRangeShortSbyte(m);
309 				if (err!=TIFFReadDirEntryErrOk)
310 					return(err);
311 				*value=(uint16)m;
312 				return(TIFFReadDirEntryErrOk);
313 			}
314 		case TIFF_SHORT:
315 			TIFFReadDirEntryCheckedShort(tif,direntry,value);
316 			return(TIFFReadDirEntryErrOk);
317 		case TIFF_SSHORT:
318 			{
319 				int16 m;
320 				TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
321 				err=TIFFReadDirEntryCheckRangeShortSshort(m);
322 				if (err!=TIFFReadDirEntryErrOk)
323 					return(err);
324 				*value=(uint16)m;
325 				return(TIFFReadDirEntryErrOk);
326 			}
327 		case TIFF_LONG:
328 			{
329 				uint32 m;
330 				TIFFReadDirEntryCheckedLong(tif,direntry,&m);
331 				err=TIFFReadDirEntryCheckRangeShortLong(m);
332 				if (err!=TIFFReadDirEntryErrOk)
333 					return(err);
334 				*value=(uint16)m;
335 				return(TIFFReadDirEntryErrOk);
336 			}
337 		case TIFF_SLONG:
338 			{
339 				int32 m;
340 				TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
341 				err=TIFFReadDirEntryCheckRangeShortSlong(m);
342 				if (err!=TIFFReadDirEntryErrOk)
343 					return(err);
344 				*value=(uint16)m;
345 				return(TIFFReadDirEntryErrOk);
346 			}
347 		case TIFF_LONG8:
348 			{
349 				uint64 m;
350 				err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
351 				if (err!=TIFFReadDirEntryErrOk)
352 					return(err);
353 				err=TIFFReadDirEntryCheckRangeShortLong8(m);
354 				if (err!=TIFFReadDirEntryErrOk)
355 					return(err);
356 				*value=(uint16)m;
357 				return(TIFFReadDirEntryErrOk);
358 			}
359 		case TIFF_SLONG8:
360 			{
361 				int64 m;
362 				err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
363 				if (err!=TIFFReadDirEntryErrOk)
364 					return(err);
365 				err=TIFFReadDirEntryCheckRangeShortSlong8(m);
366 				if (err!=TIFFReadDirEntryErrOk)
367 					return(err);
368 				*value=(uint16)m;
369 				return(TIFFReadDirEntryErrOk);
370 			}
371 		default:
372 			return(TIFFReadDirEntryErrType);
373 	}
374 }
375 
TIFFReadDirEntryLong(TIFF * tif,TIFFDirEntry * direntry,uint32 * value)376 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong(TIFF* tif, TIFFDirEntry* direntry, uint32* value)
377 {
378 	enum TIFFReadDirEntryErr err;
379 	if (direntry->tdir_count!=1)
380 		return(TIFFReadDirEntryErrCount);
381 	switch (direntry->tdir_type)
382 	{
383 		case TIFF_BYTE:
384 			{
385 				uint8 m;
386 				TIFFReadDirEntryCheckedByte(tif,direntry,&m);
387 				*value=(uint32)m;
388 				return(TIFFReadDirEntryErrOk);
389 			}
390 		case TIFF_SBYTE:
391 			{
392 				int8 m;
393 				TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
394 				err=TIFFReadDirEntryCheckRangeLongSbyte(m);
395 				if (err!=TIFFReadDirEntryErrOk)
396 					return(err);
397 				*value=(uint32)m;
398 				return(TIFFReadDirEntryErrOk);
399 			}
400 		case TIFF_SHORT:
401 			{
402 				uint16 m;
403 				TIFFReadDirEntryCheckedShort(tif,direntry,&m);
404 				*value=(uint32)m;
405 				return(TIFFReadDirEntryErrOk);
406 			}
407 		case TIFF_SSHORT:
408 			{
409 				int16 m;
410 				TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
411 				err=TIFFReadDirEntryCheckRangeLongSshort(m);
412 				if (err!=TIFFReadDirEntryErrOk)
413 					return(err);
414 				*value=(uint32)m;
415 				return(TIFFReadDirEntryErrOk);
416 			}
417 		case TIFF_LONG:
418 			TIFFReadDirEntryCheckedLong(tif,direntry,value);
419 			return(TIFFReadDirEntryErrOk);
420 		case TIFF_SLONG:
421 			{
422 				int32 m;
423 				TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
424 				err=TIFFReadDirEntryCheckRangeLongSlong(m);
425 				if (err!=TIFFReadDirEntryErrOk)
426 					return(err);
427 				*value=(uint32)m;
428 				return(TIFFReadDirEntryErrOk);
429 			}
430 		case TIFF_LONG8:
431 			{
432 				uint64 m;
433 				err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
434 				if (err!=TIFFReadDirEntryErrOk)
435 					return(err);
436 				err=TIFFReadDirEntryCheckRangeLongLong8(m);
437 				if (err!=TIFFReadDirEntryErrOk)
438 					return(err);
439 				*value=(uint32)m;
440 				return(TIFFReadDirEntryErrOk);
441 			}
442 		case TIFF_SLONG8:
443 			{
444 				int64 m;
445 				err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
446 				if (err!=TIFFReadDirEntryErrOk)
447 					return(err);
448 				err=TIFFReadDirEntryCheckRangeLongSlong8(m);
449 				if (err!=TIFFReadDirEntryErrOk)
450 					return(err);
451 				*value=(uint32)m;
452 				return(TIFFReadDirEntryErrOk);
453 			}
454 		default:
455 			return(TIFFReadDirEntryErrType);
456 	}
457 }
458 
TIFFReadDirEntryLong8(TIFF * tif,TIFFDirEntry * direntry,uint64 * value)459 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8(TIFF* tif, TIFFDirEntry* direntry, uint64* value)
460 {
461 	enum TIFFReadDirEntryErr err;
462 	if (direntry->tdir_count!=1)
463 		return(TIFFReadDirEntryErrCount);
464 	switch (direntry->tdir_type)
465 	{
466 		case TIFF_BYTE:
467 			{
468 				uint8 m;
469 				TIFFReadDirEntryCheckedByte(tif,direntry,&m);
470 				*value=(uint64)m;
471 				return(TIFFReadDirEntryErrOk);
472 			}
473 		case TIFF_SBYTE:
474 			{
475 				int8 m;
476 				TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
477 				err=TIFFReadDirEntryCheckRangeLong8Sbyte(m);
478 				if (err!=TIFFReadDirEntryErrOk)
479 					return(err);
480 				*value=(uint64)m;
481 				return(TIFFReadDirEntryErrOk);
482 			}
483 		case TIFF_SHORT:
484 			{
485 				uint16 m;
486 				TIFFReadDirEntryCheckedShort(tif,direntry,&m);
487 				*value=(uint64)m;
488 				return(TIFFReadDirEntryErrOk);
489 			}
490 		case TIFF_SSHORT:
491 			{
492 				int16 m;
493 				TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
494 				err=TIFFReadDirEntryCheckRangeLong8Sshort(m);
495 				if (err!=TIFFReadDirEntryErrOk)
496 					return(err);
497 				*value=(uint64)m;
498 				return(TIFFReadDirEntryErrOk);
499 			}
500 		case TIFF_LONG:
501 			{
502 				uint32 m;
503 				TIFFReadDirEntryCheckedLong(tif,direntry,&m);
504 				*value=(uint64)m;
505 				return(TIFFReadDirEntryErrOk);
506 			}
507 		case TIFF_SLONG:
508 			{
509 				int32 m;
510 				TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
511 				err=TIFFReadDirEntryCheckRangeLong8Slong(m);
512 				if (err!=TIFFReadDirEntryErrOk)
513 					return(err);
514 				*value=(uint64)m;
515 				return(TIFFReadDirEntryErrOk);
516 			}
517 		case TIFF_LONG8:
518 			err=TIFFReadDirEntryCheckedLong8(tif,direntry,value);
519 			return(err);
520 		case TIFF_SLONG8:
521 			{
522 				int64 m;
523 				err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
524 				if (err!=TIFFReadDirEntryErrOk)
525 					return(err);
526 				err=TIFFReadDirEntryCheckRangeLong8Slong8(m);
527 				if (err!=TIFFReadDirEntryErrOk)
528 					return(err);
529 				*value=(uint64)m;
530 				return(TIFFReadDirEntryErrOk);
531 			}
532 		default:
533 			return(TIFFReadDirEntryErrType);
534 	}
535 }
536 
TIFFReadDirEntryFloat(TIFF * tif,TIFFDirEntry * direntry,float * value)537 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloat(TIFF* tif, TIFFDirEntry* direntry, float* value)
538 {
539 	enum TIFFReadDirEntryErr err;
540 	if (direntry->tdir_count!=1)
541 		return(TIFFReadDirEntryErrCount);
542 	switch (direntry->tdir_type)
543 	{
544 		case TIFF_BYTE:
545 			{
546 				uint8 m;
547 				TIFFReadDirEntryCheckedByte(tif,direntry,&m);
548 				*value=(float)m;
549 				return(TIFFReadDirEntryErrOk);
550 			}
551 		case TIFF_SBYTE:
552 			{
553 				int8 m;
554 				TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
555 				*value=(float)m;
556 				return(TIFFReadDirEntryErrOk);
557 			}
558 		case TIFF_SHORT:
559 			{
560 				uint16 m;
561 				TIFFReadDirEntryCheckedShort(tif,direntry,&m);
562 				*value=(float)m;
563 				return(TIFFReadDirEntryErrOk);
564 			}
565 		case TIFF_SSHORT:
566 			{
567 				int16 m;
568 				TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
569 				*value=(float)m;
570 				return(TIFFReadDirEntryErrOk);
571 			}
572 		case TIFF_LONG:
573 			{
574 				uint32 m;
575 				TIFFReadDirEntryCheckedLong(tif,direntry,&m);
576 				*value=(float)m;
577 				return(TIFFReadDirEntryErrOk);
578 			}
579 		case TIFF_SLONG:
580 			{
581 				int32 m;
582 				TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
583 				*value=(float)m;
584 				return(TIFFReadDirEntryErrOk);
585 			}
586 		case TIFF_LONG8:
587 			{
588 				uint64 m;
589 				err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
590 				if (err!=TIFFReadDirEntryErrOk)
591 					return(err);
592 #if defined(__WIN32__) && (_MSC_VER < 1500)
593 				/*
594 				 * XXX: MSVC 6.0 does not support conversion
595 				 * of 64-bit integers into floating point
596 				 * values.
597 				 */
598 				*value = _TIFFUInt64ToFloat(m);
599 #else
600 				*value=(float)m;
601 #endif
602 				return(TIFFReadDirEntryErrOk);
603 			}
604 		case TIFF_SLONG8:
605 			{
606 				int64 m;
607 				err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
608 				if (err!=TIFFReadDirEntryErrOk)
609 					return(err);
610 				*value=(float)m;
611 				return(TIFFReadDirEntryErrOk);
612 			}
613 		case TIFF_RATIONAL:
614 			{
615 				double m;
616 				err=TIFFReadDirEntryCheckedRational(tif,direntry,&m);
617 				if (err!=TIFFReadDirEntryErrOk)
618 					return(err);
619 				*value=(float)m;
620 				return(TIFFReadDirEntryErrOk);
621 			}
622 		case TIFF_SRATIONAL:
623 			{
624 				double m;
625 				err=TIFFReadDirEntryCheckedSrational(tif,direntry,&m);
626 				if (err!=TIFFReadDirEntryErrOk)
627 					return(err);
628 				*value=(float)m;
629 				return(TIFFReadDirEntryErrOk);
630 			}
631 		case TIFF_FLOAT:
632 			TIFFReadDirEntryCheckedFloat(tif,direntry,value);
633 			return(TIFFReadDirEntryErrOk);
634 		case TIFF_DOUBLE:
635 			{
636 				double m;
637 				err=TIFFReadDirEntryCheckedDouble(tif,direntry,&m);
638 				if (err!=TIFFReadDirEntryErrOk)
639 					return(err);
640 				*value=(float)m;
641 				return(TIFFReadDirEntryErrOk);
642 			}
643 		default:
644 			return(TIFFReadDirEntryErrType);
645 	}
646 }
647 
TIFFReadDirEntryDouble(TIFF * tif,TIFFDirEntry * direntry,double * value)648 static enum TIFFReadDirEntryErr TIFFReadDirEntryDouble(TIFF* tif, TIFFDirEntry* direntry, double* value)
649 {
650 	enum TIFFReadDirEntryErr err;
651 	if (direntry->tdir_count!=1)
652 		return(TIFFReadDirEntryErrCount);
653 	switch (direntry->tdir_type)
654 	{
655 		case TIFF_BYTE:
656 			{
657 				uint8 m;
658 				TIFFReadDirEntryCheckedByte(tif,direntry,&m);
659 				*value=(double)m;
660 				return(TIFFReadDirEntryErrOk);
661 			}
662 		case TIFF_SBYTE:
663 			{
664 				int8 m;
665 				TIFFReadDirEntryCheckedSbyte(tif,direntry,&m);
666 				*value=(double)m;
667 				return(TIFFReadDirEntryErrOk);
668 			}
669 		case TIFF_SHORT:
670 			{
671 				uint16 m;
672 				TIFFReadDirEntryCheckedShort(tif,direntry,&m);
673 				*value=(double)m;
674 				return(TIFFReadDirEntryErrOk);
675 			}
676 		case TIFF_SSHORT:
677 			{
678 				int16 m;
679 				TIFFReadDirEntryCheckedSshort(tif,direntry,&m);
680 				*value=(double)m;
681 				return(TIFFReadDirEntryErrOk);
682 			}
683 		case TIFF_LONG:
684 			{
685 				uint32 m;
686 				TIFFReadDirEntryCheckedLong(tif,direntry,&m);
687 				*value=(double)m;
688 				return(TIFFReadDirEntryErrOk);
689 			}
690 		case TIFF_SLONG:
691 			{
692 				int32 m;
693 				TIFFReadDirEntryCheckedSlong(tif,direntry,&m);
694 				*value=(double)m;
695 				return(TIFFReadDirEntryErrOk);
696 			}
697 		case TIFF_LONG8:
698 			{
699 				uint64 m;
700 				err=TIFFReadDirEntryCheckedLong8(tif,direntry,&m);
701 				if (err!=TIFFReadDirEntryErrOk)
702 					return(err);
703 #if defined(__WIN32__) && (_MSC_VER < 1500)
704 				/*
705 				 * XXX: MSVC 6.0 does not support conversion
706 				 * of 64-bit integers into floating point
707 				 * values.
708 				 */
709 				*value = _TIFFUInt64ToDouble(m);
710 #else
711 				*value = (double)m;
712 #endif
713 				return(TIFFReadDirEntryErrOk);
714 			}
715 		case TIFF_SLONG8:
716 			{
717 				int64 m;
718 				err=TIFFReadDirEntryCheckedSlong8(tif,direntry,&m);
719 				if (err!=TIFFReadDirEntryErrOk)
720 					return(err);
721 				*value=(double)m;
722 				return(TIFFReadDirEntryErrOk);
723 			}
724 		case TIFF_RATIONAL:
725 			err=TIFFReadDirEntryCheckedRational(tif,direntry,value);
726 			return(err);
727 		case TIFF_SRATIONAL:
728 			err=TIFFReadDirEntryCheckedSrational(tif,direntry,value);
729 			return(err);
730 		case TIFF_FLOAT:
731 			{
732 				float m;
733 				TIFFReadDirEntryCheckedFloat(tif,direntry,&m);
734 				*value=(double)m;
735 				return(TIFFReadDirEntryErrOk);
736 			}
737 		case TIFF_DOUBLE:
738 			err=TIFFReadDirEntryCheckedDouble(tif,direntry,value);
739 			return(err);
740 		default:
741 			return(TIFFReadDirEntryErrType);
742 	}
743 }
744 
TIFFReadDirEntryIfd8(TIFF * tif,TIFFDirEntry * direntry,uint64 * value)745 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* direntry, uint64* value)
746 {
747 	enum TIFFReadDirEntryErr err;
748 	if (direntry->tdir_count!=1)
749 		return(TIFFReadDirEntryErrCount);
750 	switch (direntry->tdir_type)
751 	{
752 		case TIFF_LONG:
753 		case TIFF_IFD:
754 			{
755 				uint32 m;
756 				TIFFReadDirEntryCheckedLong(tif,direntry,&m);
757 				*value=(uint64)m;
758 				return(TIFFReadDirEntryErrOk);
759 			}
760 		case TIFF_LONG8:
761 		case TIFF_IFD8:
762 			err=TIFFReadDirEntryCheckedLong8(tif,direntry,value);
763 			return(err);
764 		default:
765 			return(TIFFReadDirEntryErrType);
766 	}
767 }
768 
TIFFReadDirEntryArray(TIFF * tif,TIFFDirEntry * direntry,uint32 * count,uint32 desttypesize,void ** value)769 static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)
770 {
771 	int typesize;
772 	uint32 datasize;
773 	void* data;
774 	typesize=TIFFDataWidth(direntry->tdir_type);
775 	if ((direntry->tdir_count==0)||(typesize==0))
776 	{
777 		*value=0;
778 		return(TIFFReadDirEntryErrOk);
779 	}
780         (void) desttypesize;
781 
782         /*
783          * As a sanity check, make sure we have no more than a 2GB tag array
784          * in either the current data type or the dest data type.  This also
785          * avoids problems with overflow of tmsize_t on 32bit systems.
786          */
787 	if ((uint64)(2147483647/typesize)<direntry->tdir_count)
788 		return(TIFFReadDirEntryErrSizesan);
789 	if ((uint64)(2147483647/desttypesize)<direntry->tdir_count)
790 		return(TIFFReadDirEntryErrSizesan);
791 
792 	*count=(uint32)direntry->tdir_count;
793 	datasize=(*count)*typesize;
794 	assert((tmsize_t)datasize>0);
795 	data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
796 	if (data==0)
797 		return(TIFFReadDirEntryErrAlloc);
798 	if (!(tif->tif_flags&TIFF_BIGTIFF))
799 	{
800 		if (datasize<=4)
801 			_TIFFmemcpy(data,&direntry->tdir_offset,datasize);
802 		else
803 		{
804 			enum TIFFReadDirEntryErr err;
805 			uint32 offset = direntry->tdir_offset.toff_long;
806 			if (tif->tif_flags&TIFF_SWAB)
807 				TIFFSwabLong(&offset);
808 			err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);
809 			if (err!=TIFFReadDirEntryErrOk)
810 			{
811 				_TIFFfree(data);
812 				return(err);
813 			}
814 		}
815 	}
816 	else
817 	{
818 		if (datasize<=8)
819 			_TIFFmemcpy(data,&direntry->tdir_offset,datasize);
820 		else
821 		{
822 			enum TIFFReadDirEntryErr err;
823 			uint64 offset = direntry->tdir_offset.toff_long8;
824 			if (tif->tif_flags&TIFF_SWAB)
825 				TIFFSwabLong8(&offset);
826 			err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data);
827 			if (err!=TIFFReadDirEntryErrOk)
828 			{
829 				_TIFFfree(data);
830 				return(err);
831 			}
832 		}
833 	}
834 	*value=data;
835 	return(TIFFReadDirEntryErrOk);
836 }
837 
TIFFReadDirEntryByteArray(TIFF * tif,TIFFDirEntry * direntry,uint8 ** value)838 static enum TIFFReadDirEntryErr TIFFReadDirEntryByteArray(TIFF* tif, TIFFDirEntry* direntry, uint8** value)
839 {
840 	enum TIFFReadDirEntryErr err;
841 	uint32 count;
842 	void* origdata;
843 	uint8* data;
844 	switch (direntry->tdir_type)
845 	{
846 		case TIFF_ASCII:
847 		case TIFF_UNDEFINED:
848 		case TIFF_BYTE:
849 		case TIFF_SBYTE:
850 		case TIFF_SHORT:
851 		case TIFF_SSHORT:
852 		case TIFF_LONG:
853 		case TIFF_SLONG:
854 		case TIFF_LONG8:
855 		case TIFF_SLONG8:
856 			break;
857 		default:
858 			return(TIFFReadDirEntryErrType);
859 	}
860 	err=TIFFReadDirEntryArray(tif,direntry,&count,1,&origdata);
861 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
862 	{
863 		*value=0;
864 		return(err);
865 	}
866 	switch (direntry->tdir_type)
867 	{
868 		case TIFF_ASCII:
869 		case TIFF_UNDEFINED:
870 		case TIFF_BYTE:
871 			*value=(uint8*)origdata;
872 			return(TIFFReadDirEntryErrOk);
873 		case TIFF_SBYTE:
874 			{
875 				int8* m;
876 				uint32 n;
877 				m=(int8*)origdata;
878 				for (n=0; n<count; n++)
879 				{
880 					err=TIFFReadDirEntryCheckRangeByteSbyte(*m);
881 					if (err!=TIFFReadDirEntryErrOk)
882 					{
883 						_TIFFfree(origdata);
884 						return(err);
885 					}
886 					m++;
887 				}
888 				*value=(uint8*)origdata;
889 				return(TIFFReadDirEntryErrOk);
890 			}
891 	}
892 	data=(uint8*)_TIFFmalloc(count);
893 	if (data==0)
894 	{
895 		_TIFFfree(origdata);
896 		return(TIFFReadDirEntryErrAlloc);
897 	}
898 	switch (direntry->tdir_type)
899 	{
900 		case TIFF_SHORT:
901 			{
902 				uint16* ma;
903 				uint8* mb;
904 				uint32 n;
905 				ma=(uint16*)origdata;
906 				mb=data;
907 				for (n=0; n<count; n++)
908 				{
909 					if (tif->tif_flags&TIFF_SWAB)
910 						TIFFSwabShort(ma);
911 					err=TIFFReadDirEntryCheckRangeByteShort(*ma);
912 					if (err!=TIFFReadDirEntryErrOk)
913 						break;
914 					*mb++=(uint8)(*ma++);
915 				}
916 			}
917 			break;
918 		case TIFF_SSHORT:
919 			{
920 				int16* ma;
921 				uint8* mb;
922 				uint32 n;
923 				ma=(int16*)origdata;
924 				mb=data;
925 				for (n=0; n<count; n++)
926 				{
927 					if (tif->tif_flags&TIFF_SWAB)
928 						TIFFSwabShort((uint16*)ma);
929 					err=TIFFReadDirEntryCheckRangeByteSshort(*ma);
930 					if (err!=TIFFReadDirEntryErrOk)
931 						break;
932 					*mb++=(uint8)(*ma++);
933 				}
934 			}
935 			break;
936 		case TIFF_LONG:
937 			{
938 				uint32* ma;
939 				uint8* mb;
940 				uint32 n;
941 				ma=(uint32*)origdata;
942 				mb=data;
943 				for (n=0; n<count; n++)
944 				{
945 					if (tif->tif_flags&TIFF_SWAB)
946 						TIFFSwabLong(ma);
947 					err=TIFFReadDirEntryCheckRangeByteLong(*ma);
948 					if (err!=TIFFReadDirEntryErrOk)
949 						break;
950 					*mb++=(uint8)(*ma++);
951 				}
952 			}
953 			break;
954 		case TIFF_SLONG:
955 			{
956 				int32* ma;
957 				uint8* mb;
958 				uint32 n;
959 				ma=(int32*)origdata;
960 				mb=data;
961 				for (n=0; n<count; n++)
962 				{
963 					if (tif->tif_flags&TIFF_SWAB)
964 						TIFFSwabLong((uint32*)ma);
965 					err=TIFFReadDirEntryCheckRangeByteSlong(*ma);
966 					if (err!=TIFFReadDirEntryErrOk)
967 						break;
968 					*mb++=(uint8)(*ma++);
969 				}
970 			}
971 			break;
972 		case TIFF_LONG8:
973 			{
974 				uint64* ma;
975 				uint8* mb;
976 				uint32 n;
977 				ma=(uint64*)origdata;
978 				mb=data;
979 				for (n=0; n<count; n++)
980 				{
981 					if (tif->tif_flags&TIFF_SWAB)
982 						TIFFSwabLong8(ma);
983 					err=TIFFReadDirEntryCheckRangeByteLong8(*ma);
984 					if (err!=TIFFReadDirEntryErrOk)
985 						break;
986 					*mb++=(uint8)(*ma++);
987 				}
988 			}
989 			break;
990 		case TIFF_SLONG8:
991 			{
992 				int64* ma;
993 				uint8* mb;
994 				uint32 n;
995 				ma=(int64*)origdata;
996 				mb=data;
997 				for (n=0; n<count; n++)
998 				{
999 					if (tif->tif_flags&TIFF_SWAB)
1000 						TIFFSwabLong8((uint64*)ma);
1001 					err=TIFFReadDirEntryCheckRangeByteSlong8(*ma);
1002 					if (err!=TIFFReadDirEntryErrOk)
1003 						break;
1004 					*mb++=(uint8)(*ma++);
1005 				}
1006 			}
1007 			break;
1008 	}
1009 	_TIFFfree(origdata);
1010 	if (err!=TIFFReadDirEntryErrOk)
1011 	{
1012 		_TIFFfree(data);
1013 		return(err);
1014 	}
1015 	*value=data;
1016 	return(TIFFReadDirEntryErrOk);
1017 }
1018 
TIFFReadDirEntrySbyteArray(TIFF * tif,TIFFDirEntry * direntry,int8 ** value)1019 static enum TIFFReadDirEntryErr TIFFReadDirEntrySbyteArray(TIFF* tif, TIFFDirEntry* direntry, int8** value)
1020 {
1021 	enum TIFFReadDirEntryErr err;
1022 	uint32 count;
1023 	void* origdata;
1024 	int8* data;
1025 	switch (direntry->tdir_type)
1026 	{
1027 		case TIFF_UNDEFINED:
1028 		case TIFF_BYTE:
1029 		case TIFF_SBYTE:
1030 		case TIFF_SHORT:
1031 		case TIFF_SSHORT:
1032 		case TIFF_LONG:
1033 		case TIFF_SLONG:
1034 		case TIFF_LONG8:
1035 		case TIFF_SLONG8:
1036 			break;
1037 		default:
1038 			return(TIFFReadDirEntryErrType);
1039 	}
1040 	err=TIFFReadDirEntryArray(tif,direntry,&count,1,&origdata);
1041 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1042 	{
1043 		*value=0;
1044 		return(err);
1045 	}
1046 	switch (direntry->tdir_type)
1047 	{
1048 		case TIFF_UNDEFINED:
1049 		case TIFF_BYTE:
1050 			{
1051 				uint8* m;
1052 				uint32 n;
1053 				m=(uint8*)origdata;
1054 				for (n=0; n<count; n++)
1055 				{
1056 					err=TIFFReadDirEntryCheckRangeSbyteByte(*m);
1057 					if (err!=TIFFReadDirEntryErrOk)
1058 					{
1059 						_TIFFfree(origdata);
1060 						return(err);
1061 					}
1062 					m++;
1063 				}
1064 				*value=(int8*)origdata;
1065 				return(TIFFReadDirEntryErrOk);
1066 			}
1067 		case TIFF_SBYTE:
1068 			*value=(int8*)origdata;
1069 			return(TIFFReadDirEntryErrOk);
1070 	}
1071 	data=(int8*)_TIFFmalloc(count);
1072 	if (data==0)
1073 	{
1074 		_TIFFfree(origdata);
1075 		return(TIFFReadDirEntryErrAlloc);
1076 	}
1077 	switch (direntry->tdir_type)
1078 	{
1079 		case TIFF_SHORT:
1080 			{
1081 				uint16* ma;
1082 				int8* mb;
1083 				uint32 n;
1084 				ma=(uint16*)origdata;
1085 				mb=data;
1086 				for (n=0; n<count; n++)
1087 				{
1088 					if (tif->tif_flags&TIFF_SWAB)
1089 						TIFFSwabShort(ma);
1090 					err=TIFFReadDirEntryCheckRangeSbyteShort(*ma);
1091 					if (err!=TIFFReadDirEntryErrOk)
1092 						break;
1093 					*mb++=(int8)(*ma++);
1094 				}
1095 			}
1096 			break;
1097 		case TIFF_SSHORT:
1098 			{
1099 				int16* ma;
1100 				int8* mb;
1101 				uint32 n;
1102 				ma=(int16*)origdata;
1103 				mb=data;
1104 				for (n=0; n<count; n++)
1105 				{
1106 					if (tif->tif_flags&TIFF_SWAB)
1107 						TIFFSwabShort((uint16*)ma);
1108 					err=TIFFReadDirEntryCheckRangeSbyteSshort(*ma);
1109 					if (err!=TIFFReadDirEntryErrOk)
1110 						break;
1111 					*mb++=(int8)(*ma++);
1112 				}
1113 			}
1114 			break;
1115 		case TIFF_LONG:
1116 			{
1117 				uint32* ma;
1118 				int8* mb;
1119 				uint32 n;
1120 				ma=(uint32*)origdata;
1121 				mb=data;
1122 				for (n=0; n<count; n++)
1123 				{
1124 					if (tif->tif_flags&TIFF_SWAB)
1125 						TIFFSwabLong(ma);
1126 					err=TIFFReadDirEntryCheckRangeSbyteLong(*ma);
1127 					if (err!=TIFFReadDirEntryErrOk)
1128 						break;
1129 					*mb++=(int8)(*ma++);
1130 				}
1131 			}
1132 			break;
1133 		case TIFF_SLONG:
1134 			{
1135 				int32* ma;
1136 				int8* mb;
1137 				uint32 n;
1138 				ma=(int32*)origdata;
1139 				mb=data;
1140 				for (n=0; n<count; n++)
1141 				{
1142 					if (tif->tif_flags&TIFF_SWAB)
1143 						TIFFSwabLong((uint32*)ma);
1144 					err=TIFFReadDirEntryCheckRangeSbyteSlong(*ma);
1145 					if (err!=TIFFReadDirEntryErrOk)
1146 						break;
1147 					*mb++=(int8)(*ma++);
1148 				}
1149 			}
1150 			break;
1151 		case TIFF_LONG8:
1152 			{
1153 				uint64* ma;
1154 				int8* mb;
1155 				uint32 n;
1156 				ma=(uint64*)origdata;
1157 				mb=data;
1158 				for (n=0; n<count; n++)
1159 				{
1160 					if (tif->tif_flags&TIFF_SWAB)
1161 						TIFFSwabLong8(ma);
1162 					err=TIFFReadDirEntryCheckRangeSbyteLong8(*ma);
1163 					if (err!=TIFFReadDirEntryErrOk)
1164 						break;
1165 					*mb++=(int8)(*ma++);
1166 				}
1167 			}
1168 			break;
1169 		case TIFF_SLONG8:
1170 			{
1171 				int64* ma;
1172 				int8* mb;
1173 				uint32 n;
1174 				ma=(int64*)origdata;
1175 				mb=data;
1176 				for (n=0; n<count; n++)
1177 				{
1178 					if (tif->tif_flags&TIFF_SWAB)
1179 						TIFFSwabLong8((uint64*)ma);
1180 					err=TIFFReadDirEntryCheckRangeSbyteSlong8(*ma);
1181 					if (err!=TIFFReadDirEntryErrOk)
1182 						break;
1183 					*mb++=(int8)(*ma++);
1184 				}
1185 			}
1186 			break;
1187 	}
1188 	_TIFFfree(origdata);
1189 	if (err!=TIFFReadDirEntryErrOk)
1190 	{
1191 		_TIFFfree(data);
1192 		return(err);
1193 	}
1194 	*value=data;
1195 	return(TIFFReadDirEntryErrOk);
1196 }
1197 
TIFFReadDirEntryShortArray(TIFF * tif,TIFFDirEntry * direntry,uint16 ** value)1198 static enum TIFFReadDirEntryErr TIFFReadDirEntryShortArray(TIFF* tif, TIFFDirEntry* direntry, uint16** value)
1199 {
1200 	enum TIFFReadDirEntryErr err;
1201 	uint32 count;
1202 	void* origdata;
1203 	uint16* data;
1204 	switch (direntry->tdir_type)
1205 	{
1206 		case TIFF_BYTE:
1207 		case TIFF_SBYTE:
1208 		case TIFF_SHORT:
1209 		case TIFF_SSHORT:
1210 		case TIFF_LONG:
1211 		case TIFF_SLONG:
1212 		case TIFF_LONG8:
1213 		case TIFF_SLONG8:
1214 			break;
1215 		default:
1216 			return(TIFFReadDirEntryErrType);
1217 	}
1218 	err=TIFFReadDirEntryArray(tif,direntry,&count,2,&origdata);
1219 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1220 	{
1221 		*value=0;
1222 		return(err);
1223 	}
1224 	switch (direntry->tdir_type)
1225 	{
1226 		case TIFF_SHORT:
1227 			*value=(uint16*)origdata;
1228 			if (tif->tif_flags&TIFF_SWAB)
1229 				TIFFSwabArrayOfShort(*value,count);
1230 			return(TIFFReadDirEntryErrOk);
1231 		case TIFF_SSHORT:
1232 			{
1233 				int16* m;
1234 				uint32 n;
1235 				m=(int16*)origdata;
1236 				for (n=0; n<count; n++)
1237 				{
1238 					if (tif->tif_flags&TIFF_SWAB)
1239 						TIFFSwabShort((uint16*)m);
1240 					err=TIFFReadDirEntryCheckRangeShortSshort(*m);
1241 					if (err!=TIFFReadDirEntryErrOk)
1242 					{
1243 						_TIFFfree(origdata);
1244 						return(err);
1245 					}
1246 					m++;
1247 				}
1248 				*value=(uint16*)origdata;
1249 				return(TIFFReadDirEntryErrOk);
1250 			}
1251 	}
1252 	data=(uint16*)_TIFFmalloc(count*2);
1253 	if (data==0)
1254 	{
1255 		_TIFFfree(origdata);
1256 		return(TIFFReadDirEntryErrAlloc);
1257 	}
1258 	switch (direntry->tdir_type)
1259 	{
1260 		case TIFF_BYTE:
1261 			{
1262 				uint8* ma;
1263 				uint16* mb;
1264 				uint32 n;
1265 				ma=(uint8*)origdata;
1266 				mb=data;
1267 				for (n=0; n<count; n++)
1268 					*mb++=(uint16)(*ma++);
1269 			}
1270 			break;
1271 		case TIFF_SBYTE:
1272 			{
1273 				int8* ma;
1274 				uint16* mb;
1275 				uint32 n;
1276 				ma=(int8*)origdata;
1277 				mb=data;
1278 				for (n=0; n<count; n++)
1279 				{
1280 					err=TIFFReadDirEntryCheckRangeShortSbyte(*ma);
1281 					if (err!=TIFFReadDirEntryErrOk)
1282 						break;
1283 					*mb++=(uint16)(*ma++);
1284 				}
1285 			}
1286 			break;
1287 		case TIFF_LONG:
1288 			{
1289 				uint32* ma;
1290 				uint16* mb;
1291 				uint32 n;
1292 				ma=(uint32*)origdata;
1293 				mb=data;
1294 				for (n=0; n<count; n++)
1295 				{
1296 					if (tif->tif_flags&TIFF_SWAB)
1297 						TIFFSwabLong(ma);
1298 					err=TIFFReadDirEntryCheckRangeShortLong(*ma);
1299 					if (err!=TIFFReadDirEntryErrOk)
1300 						break;
1301 					*mb++=(uint16)(*ma++);
1302 				}
1303 			}
1304 			break;
1305 		case TIFF_SLONG:
1306 			{
1307 				int32* ma;
1308 				uint16* mb;
1309 				uint32 n;
1310 				ma=(int32*)origdata;
1311 				mb=data;
1312 				for (n=0; n<count; n++)
1313 				{
1314 					if (tif->tif_flags&TIFF_SWAB)
1315 						TIFFSwabLong((uint32*)ma);
1316 					err=TIFFReadDirEntryCheckRangeShortSlong(*ma);
1317 					if (err!=TIFFReadDirEntryErrOk)
1318 						break;
1319 					*mb++=(uint16)(*ma++);
1320 				}
1321 			}
1322 			break;
1323 		case TIFF_LONG8:
1324 			{
1325 				uint64* ma;
1326 				uint16* mb;
1327 				uint32 n;
1328 				ma=(uint64*)origdata;
1329 				mb=data;
1330 				for (n=0; n<count; n++)
1331 				{
1332 					if (tif->tif_flags&TIFF_SWAB)
1333 						TIFFSwabLong8(ma);
1334 					err=TIFFReadDirEntryCheckRangeShortLong8(*ma);
1335 					if (err!=TIFFReadDirEntryErrOk)
1336 						break;
1337 					*mb++=(uint16)(*ma++);
1338 				}
1339 			}
1340 			break;
1341 		case TIFF_SLONG8:
1342 			{
1343 				int64* ma;
1344 				uint16* mb;
1345 				uint32 n;
1346 				ma=(int64*)origdata;
1347 				mb=data;
1348 				for (n=0; n<count; n++)
1349 				{
1350 					if (tif->tif_flags&TIFF_SWAB)
1351 						TIFFSwabLong8((uint64*)ma);
1352 					err=TIFFReadDirEntryCheckRangeShortSlong8(*ma);
1353 					if (err!=TIFFReadDirEntryErrOk)
1354 						break;
1355 					*mb++=(uint16)(*ma++);
1356 				}
1357 			}
1358 			break;
1359 	}
1360 	_TIFFfree(origdata);
1361 	if (err!=TIFFReadDirEntryErrOk)
1362 	{
1363 		_TIFFfree(data);
1364 		return(err);
1365 	}
1366 	*value=data;
1367 	return(TIFFReadDirEntryErrOk);
1368 }
1369 
TIFFReadDirEntrySshortArray(TIFF * tif,TIFFDirEntry * direntry,int16 ** value)1370 static enum TIFFReadDirEntryErr TIFFReadDirEntrySshortArray(TIFF* tif, TIFFDirEntry* direntry, int16** value)
1371 {
1372 	enum TIFFReadDirEntryErr err;
1373 	uint32 count;
1374 	void* origdata;
1375 	int16* data;
1376 	switch (direntry->tdir_type)
1377 	{
1378 		case TIFF_BYTE:
1379 		case TIFF_SBYTE:
1380 		case TIFF_SHORT:
1381 		case TIFF_SSHORT:
1382 		case TIFF_LONG:
1383 		case TIFF_SLONG:
1384 		case TIFF_LONG8:
1385 		case TIFF_SLONG8:
1386 			break;
1387 		default:
1388 			return(TIFFReadDirEntryErrType);
1389 	}
1390 	err=TIFFReadDirEntryArray(tif,direntry,&count,2,&origdata);
1391 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1392 	{
1393 		*value=0;
1394 		return(err);
1395 	}
1396 	switch (direntry->tdir_type)
1397 	{
1398 		case TIFF_SHORT:
1399 			{
1400 				uint16* m;
1401 				uint32 n;
1402 				m=(uint16*)origdata;
1403 				for (n=0; n<count; n++)
1404 				{
1405 					if (tif->tif_flags&TIFF_SWAB)
1406 						TIFFSwabShort(m);
1407 					err=TIFFReadDirEntryCheckRangeSshortShort(*m);
1408 					if (err!=TIFFReadDirEntryErrOk)
1409 					{
1410 						_TIFFfree(origdata);
1411 						return(err);
1412 					}
1413 					m++;
1414 				}
1415 				*value=(int16*)origdata;
1416 				return(TIFFReadDirEntryErrOk);
1417 			}
1418 		case TIFF_SSHORT:
1419 			*value=(int16*)origdata;
1420 			if (tif->tif_flags&TIFF_SWAB)
1421 				TIFFSwabArrayOfShort((uint16*)(*value),count);
1422 			return(TIFFReadDirEntryErrOk);
1423 	}
1424 	data=(int16*)_TIFFmalloc(count*2);
1425 	if (data==0)
1426 	{
1427 		_TIFFfree(origdata);
1428 		return(TIFFReadDirEntryErrAlloc);
1429 	}
1430 	switch (direntry->tdir_type)
1431 	{
1432 		case TIFF_BYTE:
1433 			{
1434 				uint8* ma;
1435 				int16* mb;
1436 				uint32 n;
1437 				ma=(uint8*)origdata;
1438 				mb=data;
1439 				for (n=0; n<count; n++)
1440 					*mb++=(int16)(*ma++);
1441 			}
1442 			break;
1443 		case TIFF_SBYTE:
1444 			{
1445 				int8* ma;
1446 				int16* mb;
1447 				uint32 n;
1448 				ma=(int8*)origdata;
1449 				mb=data;
1450 				for (n=0; n<count; n++)
1451 					*mb++=(int16)(*ma++);
1452 			}
1453 			break;
1454 		case TIFF_LONG:
1455 			{
1456 				uint32* ma;
1457 				int16* mb;
1458 				uint32 n;
1459 				ma=(uint32*)origdata;
1460 				mb=data;
1461 				for (n=0; n<count; n++)
1462 				{
1463 					if (tif->tif_flags&TIFF_SWAB)
1464 						TIFFSwabLong(ma);
1465 					err=TIFFReadDirEntryCheckRangeSshortLong(*ma);
1466 					if (err!=TIFFReadDirEntryErrOk)
1467 						break;
1468 					*mb++=(int16)(*ma++);
1469 				}
1470 			}
1471 			break;
1472 		case TIFF_SLONG:
1473 			{
1474 				int32* ma;
1475 				int16* mb;
1476 				uint32 n;
1477 				ma=(int32*)origdata;
1478 				mb=data;
1479 				for (n=0; n<count; n++)
1480 				{
1481 					if (tif->tif_flags&TIFF_SWAB)
1482 						TIFFSwabLong((uint32*)ma);
1483 					err=TIFFReadDirEntryCheckRangeSshortSlong(*ma);
1484 					if (err!=TIFFReadDirEntryErrOk)
1485 						break;
1486 					*mb++=(int16)(*ma++);
1487 				}
1488 			}
1489 			break;
1490 		case TIFF_LONG8:
1491 			{
1492 				uint64* ma;
1493 				int16* mb;
1494 				uint32 n;
1495 				ma=(uint64*)origdata;
1496 				mb=data;
1497 				for (n=0; n<count; n++)
1498 				{
1499 					if (tif->tif_flags&TIFF_SWAB)
1500 						TIFFSwabLong8(ma);
1501 					err=TIFFReadDirEntryCheckRangeSshortLong8(*ma);
1502 					if (err!=TIFFReadDirEntryErrOk)
1503 						break;
1504 					*mb++=(int16)(*ma++);
1505 				}
1506 			}
1507 			break;
1508 		case TIFF_SLONG8:
1509 			{
1510 				int64* ma;
1511 				int16* mb;
1512 				uint32 n;
1513 				ma=(int64*)origdata;
1514 				mb=data;
1515 				for (n=0; n<count; n++)
1516 				{
1517 					if (tif->tif_flags&TIFF_SWAB)
1518 						TIFFSwabLong8((uint64*)ma);
1519 					err=TIFFReadDirEntryCheckRangeSshortSlong8(*ma);
1520 					if (err!=TIFFReadDirEntryErrOk)
1521 						break;
1522 					*mb++=(int16)(*ma++);
1523 				}
1524 			}
1525 			break;
1526 	}
1527 	_TIFFfree(origdata);
1528 	if (err!=TIFFReadDirEntryErrOk)
1529 	{
1530 		_TIFFfree(data);
1531 		return(err);
1532 	}
1533 	*value=data;
1534 	return(TIFFReadDirEntryErrOk);
1535 }
1536 
TIFFReadDirEntryLongArray(TIFF * tif,TIFFDirEntry * direntry,uint32 ** value)1537 static enum TIFFReadDirEntryErr TIFFReadDirEntryLongArray(TIFF* tif, TIFFDirEntry* direntry, uint32** value)
1538 {
1539 	enum TIFFReadDirEntryErr err;
1540 	uint32 count;
1541 	void* origdata;
1542 	uint32* data;
1543 	switch (direntry->tdir_type)
1544 	{
1545 		case TIFF_BYTE:
1546 		case TIFF_SBYTE:
1547 		case TIFF_SHORT:
1548 		case TIFF_SSHORT:
1549 		case TIFF_LONG:
1550 		case TIFF_SLONG:
1551 		case TIFF_LONG8:
1552 		case TIFF_SLONG8:
1553 			break;
1554 		default:
1555 			return(TIFFReadDirEntryErrType);
1556 	}
1557 	err=TIFFReadDirEntryArray(tif,direntry,&count,4,&origdata);
1558 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1559 	{
1560 		*value=0;
1561 		return(err);
1562 	}
1563 	switch (direntry->tdir_type)
1564 	{
1565 		case TIFF_LONG:
1566 			*value=(uint32*)origdata;
1567 			if (tif->tif_flags&TIFF_SWAB)
1568 				TIFFSwabArrayOfLong(*value,count);
1569 			return(TIFFReadDirEntryErrOk);
1570 		case TIFF_SLONG:
1571 			{
1572 				int32* m;
1573 				uint32 n;
1574 				m=(int32*)origdata;
1575 				for (n=0; n<count; n++)
1576 				{
1577 					if (tif->tif_flags&TIFF_SWAB)
1578 						TIFFSwabLong((uint32*)m);
1579 					err=TIFFReadDirEntryCheckRangeLongSlong(*m);
1580 					if (err!=TIFFReadDirEntryErrOk)
1581 					{
1582 						_TIFFfree(origdata);
1583 						return(err);
1584 					}
1585 					m++;
1586 				}
1587 				*value=(uint32*)origdata;
1588 				return(TIFFReadDirEntryErrOk);
1589 			}
1590 	}
1591 	data=(uint32*)_TIFFmalloc(count*4);
1592 	if (data==0)
1593 	{
1594 		_TIFFfree(origdata);
1595 		return(TIFFReadDirEntryErrAlloc);
1596 	}
1597 	switch (direntry->tdir_type)
1598 	{
1599 		case TIFF_BYTE:
1600 			{
1601 				uint8* ma;
1602 				uint32* mb;
1603 				uint32 n;
1604 				ma=(uint8*)origdata;
1605 				mb=data;
1606 				for (n=0; n<count; n++)
1607 					*mb++=(uint32)(*ma++);
1608 			}
1609 			break;
1610 		case TIFF_SBYTE:
1611 			{
1612 				int8* ma;
1613 				uint32* mb;
1614 				uint32 n;
1615 				ma=(int8*)origdata;
1616 				mb=data;
1617 				for (n=0; n<count; n++)
1618 				{
1619 					err=TIFFReadDirEntryCheckRangeLongSbyte(*ma);
1620 					if (err!=TIFFReadDirEntryErrOk)
1621 						break;
1622 					*mb++=(uint32)(*ma++);
1623 				}
1624 			}
1625 			break;
1626 		case TIFF_SHORT:
1627 			{
1628 				uint16* ma;
1629 				uint32* mb;
1630 				uint32 n;
1631 				ma=(uint16*)origdata;
1632 				mb=data;
1633 				for (n=0; n<count; n++)
1634 				{
1635 					if (tif->tif_flags&TIFF_SWAB)
1636 						TIFFSwabShort(ma);
1637 					*mb++=(uint32)(*ma++);
1638 				}
1639 			}
1640 			break;
1641 		case TIFF_SSHORT:
1642 			{
1643 				int16* ma;
1644 				uint32* mb;
1645 				uint32 n;
1646 				ma=(int16*)origdata;
1647 				mb=data;
1648 				for (n=0; n<count; n++)
1649 				{
1650 					if (tif->tif_flags&TIFF_SWAB)
1651 						TIFFSwabShort((uint16*)ma);
1652 					err=TIFFReadDirEntryCheckRangeLongSshort(*ma);
1653 					if (err!=TIFFReadDirEntryErrOk)
1654 						break;
1655 					*mb++=(uint32)(*ma++);
1656 				}
1657 			}
1658 			break;
1659 		case TIFF_LONG8:
1660 			{
1661 				uint64* ma;
1662 				uint32* mb;
1663 				uint32 n;
1664 				ma=(uint64*)origdata;
1665 				mb=data;
1666 				for (n=0; n<count; n++)
1667 				{
1668 					if (tif->tif_flags&TIFF_SWAB)
1669 						TIFFSwabLong8(ma);
1670 					err=TIFFReadDirEntryCheckRangeLongLong8(*ma);
1671 					if (err!=TIFFReadDirEntryErrOk)
1672 						break;
1673 					*mb++=(uint32)(*ma++);
1674 				}
1675 			}
1676 			break;
1677 		case TIFF_SLONG8:
1678 			{
1679 				int64* ma;
1680 				uint32* mb;
1681 				uint32 n;
1682 				ma=(int64*)origdata;
1683 				mb=data;
1684 				for (n=0; n<count; n++)
1685 				{
1686 					if (tif->tif_flags&TIFF_SWAB)
1687 						TIFFSwabLong8((uint64*)ma);
1688 					err=TIFFReadDirEntryCheckRangeLongSlong8(*ma);
1689 					if (err!=TIFFReadDirEntryErrOk)
1690 						break;
1691 					*mb++=(uint32)(*ma++);
1692 				}
1693 			}
1694 			break;
1695 	}
1696 	_TIFFfree(origdata);
1697 	if (err!=TIFFReadDirEntryErrOk)
1698 	{
1699 		_TIFFfree(data);
1700 		return(err);
1701 	}
1702 	*value=data;
1703 	return(TIFFReadDirEntryErrOk);
1704 }
1705 
TIFFReadDirEntrySlongArray(TIFF * tif,TIFFDirEntry * direntry,int32 ** value)1706 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlongArray(TIFF* tif, TIFFDirEntry* direntry, int32** value)
1707 {
1708 	enum TIFFReadDirEntryErr err;
1709 	uint32 count;
1710 	void* origdata;
1711 	int32* data;
1712 	switch (direntry->tdir_type)
1713 	{
1714 		case TIFF_BYTE:
1715 		case TIFF_SBYTE:
1716 		case TIFF_SHORT:
1717 		case TIFF_SSHORT:
1718 		case TIFF_LONG:
1719 		case TIFF_SLONG:
1720 		case TIFF_LONG8:
1721 		case TIFF_SLONG8:
1722 			break;
1723 		default:
1724 			return(TIFFReadDirEntryErrType);
1725 	}
1726 	err=TIFFReadDirEntryArray(tif,direntry,&count,4,&origdata);
1727 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1728 	{
1729 		*value=0;
1730 		return(err);
1731 	}
1732 	switch (direntry->tdir_type)
1733 	{
1734 		case TIFF_LONG:
1735 			{
1736 				uint32* m;
1737 				uint32 n;
1738 				m=(uint32*)origdata;
1739 				for (n=0; n<count; n++)
1740 				{
1741 					if (tif->tif_flags&TIFF_SWAB)
1742 						TIFFSwabLong((uint32*)m);
1743 					err=TIFFReadDirEntryCheckRangeSlongLong(*m);
1744 					if (err!=TIFFReadDirEntryErrOk)
1745 					{
1746 						_TIFFfree(origdata);
1747 						return(err);
1748 					}
1749 					m++;
1750 				}
1751 				*value=(int32*)origdata;
1752 				return(TIFFReadDirEntryErrOk);
1753 			}
1754 		case TIFF_SLONG:
1755 			*value=(int32*)origdata;
1756 			if (tif->tif_flags&TIFF_SWAB)
1757 				TIFFSwabArrayOfLong((uint32*)(*value),count);
1758 			return(TIFFReadDirEntryErrOk);
1759 	}
1760 	data=(int32*)_TIFFmalloc(count*4);
1761 	if (data==0)
1762 	{
1763 		_TIFFfree(origdata);
1764 		return(TIFFReadDirEntryErrAlloc);
1765 	}
1766 	switch (direntry->tdir_type)
1767 	{
1768 		case TIFF_BYTE:
1769 			{
1770 				uint8* ma;
1771 				int32* mb;
1772 				uint32 n;
1773 				ma=(uint8*)origdata;
1774 				mb=data;
1775 				for (n=0; n<count; n++)
1776 					*mb++=(int32)(*ma++);
1777 			}
1778 			break;
1779 		case TIFF_SBYTE:
1780 			{
1781 				int8* ma;
1782 				int32* mb;
1783 				uint32 n;
1784 				ma=(int8*)origdata;
1785 				mb=data;
1786 				for (n=0; n<count; n++)
1787 					*mb++=(int32)(*ma++);
1788 			}
1789 			break;
1790 		case TIFF_SHORT:
1791 			{
1792 				uint16* ma;
1793 				int32* mb;
1794 				uint32 n;
1795 				ma=(uint16*)origdata;
1796 				mb=data;
1797 				for (n=0; n<count; n++)
1798 				{
1799 					if (tif->tif_flags&TIFF_SWAB)
1800 						TIFFSwabShort(ma);
1801 					*mb++=(int32)(*ma++);
1802 				}
1803 			}
1804 			break;
1805 		case TIFF_SSHORT:
1806 			{
1807 				int16* ma;
1808 				int32* mb;
1809 				uint32 n;
1810 				ma=(int16*)origdata;
1811 				mb=data;
1812 				for (n=0; n<count; n++)
1813 				{
1814 					if (tif->tif_flags&TIFF_SWAB)
1815 						TIFFSwabShort((uint16*)ma);
1816 					*mb++=(int32)(*ma++);
1817 				}
1818 			}
1819 			break;
1820 		case TIFF_LONG8:
1821 			{
1822 				uint64* ma;
1823 				int32* mb;
1824 				uint32 n;
1825 				ma=(uint64*)origdata;
1826 				mb=data;
1827 				for (n=0; n<count; n++)
1828 				{
1829 					if (tif->tif_flags&TIFF_SWAB)
1830 						TIFFSwabLong8(ma);
1831 					err=TIFFReadDirEntryCheckRangeSlongLong8(*ma);
1832 					if (err!=TIFFReadDirEntryErrOk)
1833 						break;
1834 					*mb++=(int32)(*ma++);
1835 				}
1836 			}
1837 			break;
1838 		case TIFF_SLONG8:
1839 			{
1840 				int64* ma;
1841 				int32* mb;
1842 				uint32 n;
1843 				ma=(int64*)origdata;
1844 				mb=data;
1845 				for (n=0; n<count; n++)
1846 				{
1847 					if (tif->tif_flags&TIFF_SWAB)
1848 						TIFFSwabLong8((uint64*)ma);
1849 					err=TIFFReadDirEntryCheckRangeSlongSlong8(*ma);
1850 					if (err!=TIFFReadDirEntryErrOk)
1851 						break;
1852 					*mb++=(int32)(*ma++);
1853 				}
1854 			}
1855 			break;
1856 	}
1857 	_TIFFfree(origdata);
1858 	if (err!=TIFFReadDirEntryErrOk)
1859 	{
1860 		_TIFFfree(data);
1861 		return(err);
1862 	}
1863 	*value=data;
1864 	return(TIFFReadDirEntryErrOk);
1865 }
1866 
TIFFReadDirEntryLong8Array(TIFF * tif,TIFFDirEntry * direntry,uint64 ** value)1867 static enum TIFFReadDirEntryErr TIFFReadDirEntryLong8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value)
1868 {
1869 	enum TIFFReadDirEntryErr err;
1870 	uint32 count;
1871 	void* origdata;
1872 	uint64* data;
1873 	switch (direntry->tdir_type)
1874 	{
1875 		case TIFF_BYTE:
1876 		case TIFF_SBYTE:
1877 		case TIFF_SHORT:
1878 		case TIFF_SSHORT:
1879 		case TIFF_LONG:
1880 		case TIFF_SLONG:
1881 		case TIFF_LONG8:
1882 		case TIFF_SLONG8:
1883 			break;
1884 		default:
1885 			return(TIFFReadDirEntryErrType);
1886 	}
1887 	err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
1888 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
1889 	{
1890 		*value=0;
1891 		return(err);
1892 	}
1893 	switch (direntry->tdir_type)
1894 	{
1895 		case TIFF_LONG8:
1896 			*value=(uint64*)origdata;
1897 			if (tif->tif_flags&TIFF_SWAB)
1898 				TIFFSwabArrayOfLong8(*value,count);
1899 			return(TIFFReadDirEntryErrOk);
1900 		case TIFF_SLONG8:
1901 			{
1902 				int64* m;
1903 				uint32 n;
1904 				m=(int64*)origdata;
1905 				for (n=0; n<count; n++)
1906 				{
1907 					if (tif->tif_flags&TIFF_SWAB)
1908 						TIFFSwabLong8((uint64*)m);
1909 					err=TIFFReadDirEntryCheckRangeLong8Slong8(*m);
1910 					if (err!=TIFFReadDirEntryErrOk)
1911 					{
1912 						_TIFFfree(origdata);
1913 						return(err);
1914 					}
1915 					m++;
1916 				}
1917 				*value=(uint64*)origdata;
1918 				return(TIFFReadDirEntryErrOk);
1919 			}
1920 	}
1921 	data=(uint64*)_TIFFmalloc(count*8);
1922 	if (data==0)
1923 	{
1924 		_TIFFfree(origdata);
1925 		return(TIFFReadDirEntryErrAlloc);
1926 	}
1927 	switch (direntry->tdir_type)
1928 	{
1929 		case TIFF_BYTE:
1930 			{
1931 				uint8* ma;
1932 				uint64* mb;
1933 				uint32 n;
1934 				ma=(uint8*)origdata;
1935 				mb=data;
1936 				for (n=0; n<count; n++)
1937 					*mb++=(uint64)(*ma++);
1938 			}
1939 			break;
1940 		case TIFF_SBYTE:
1941 			{
1942 				int8* ma;
1943 				uint64* mb;
1944 				uint32 n;
1945 				ma=(int8*)origdata;
1946 				mb=data;
1947 				for (n=0; n<count; n++)
1948 				{
1949 					err=TIFFReadDirEntryCheckRangeLong8Sbyte(*ma);
1950 					if (err!=TIFFReadDirEntryErrOk)
1951 						break;
1952 					*mb++=(uint64)(*ma++);
1953 				}
1954 			}
1955 			break;
1956 		case TIFF_SHORT:
1957 			{
1958 				uint16* ma;
1959 				uint64* mb;
1960 				uint32 n;
1961 				ma=(uint16*)origdata;
1962 				mb=data;
1963 				for (n=0; n<count; n++)
1964 				{
1965 					if (tif->tif_flags&TIFF_SWAB)
1966 						TIFFSwabShort(ma);
1967 					*mb++=(uint64)(*ma++);
1968 				}
1969 			}
1970 			break;
1971 		case TIFF_SSHORT:
1972 			{
1973 				int16* ma;
1974 				uint64* mb;
1975 				uint32 n;
1976 				ma=(int16*)origdata;
1977 				mb=data;
1978 				for (n=0; n<count; n++)
1979 				{
1980 					if (tif->tif_flags&TIFF_SWAB)
1981 						TIFFSwabShort((uint16*)ma);
1982 					err=TIFFReadDirEntryCheckRangeLong8Sshort(*ma);
1983 					if (err!=TIFFReadDirEntryErrOk)
1984 						break;
1985 					*mb++=(uint64)(*ma++);
1986 				}
1987 			}
1988 			break;
1989 		case TIFF_LONG:
1990 			{
1991 				uint32* ma;
1992 				uint64* mb;
1993 				uint32 n;
1994 				ma=(uint32*)origdata;
1995 				mb=data;
1996 				for (n=0; n<count; n++)
1997 				{
1998 					if (tif->tif_flags&TIFF_SWAB)
1999 						TIFFSwabLong(ma);
2000 					*mb++=(uint64)(*ma++);
2001 				}
2002 			}
2003 			break;
2004 		case TIFF_SLONG:
2005 			{
2006 				int32* ma;
2007 				uint64* mb;
2008 				uint32 n;
2009 				ma=(int32*)origdata;
2010 				mb=data;
2011 				for (n=0; n<count; n++)
2012 				{
2013 					if (tif->tif_flags&TIFF_SWAB)
2014 						TIFFSwabLong((uint32*)ma);
2015 					err=TIFFReadDirEntryCheckRangeLong8Slong(*ma);
2016 					if (err!=TIFFReadDirEntryErrOk)
2017 						break;
2018 					*mb++=(uint64)(*ma++);
2019 				}
2020 			}
2021 			break;
2022 	}
2023 	_TIFFfree(origdata);
2024 	if (err!=TIFFReadDirEntryErrOk)
2025 	{
2026 		_TIFFfree(data);
2027 		return(err);
2028 	}
2029 	*value=data;
2030 	return(TIFFReadDirEntryErrOk);
2031 }
2032 
TIFFReadDirEntrySlong8Array(TIFF * tif,TIFFDirEntry * direntry,int64 ** value)2033 static enum TIFFReadDirEntryErr TIFFReadDirEntrySlong8Array(TIFF* tif, TIFFDirEntry* direntry, int64** value)
2034 {
2035 	enum TIFFReadDirEntryErr err;
2036 	uint32 count;
2037 	void* origdata;
2038 	int64* data;
2039 	switch (direntry->tdir_type)
2040 	{
2041 		case TIFF_BYTE:
2042 		case TIFF_SBYTE:
2043 		case TIFF_SHORT:
2044 		case TIFF_SSHORT:
2045 		case TIFF_LONG:
2046 		case TIFF_SLONG:
2047 		case TIFF_LONG8:
2048 		case TIFF_SLONG8:
2049 			break;
2050 		default:
2051 			return(TIFFReadDirEntryErrType);
2052 	}
2053 	err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
2054 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2055 	{
2056 		*value=0;
2057 		return(err);
2058 	}
2059 	switch (direntry->tdir_type)
2060 	{
2061 		case TIFF_LONG8:
2062 			{
2063 				uint64* m;
2064 				uint32 n;
2065 				m=(uint64*)origdata;
2066 				for (n=0; n<count; n++)
2067 				{
2068 					if (tif->tif_flags&TIFF_SWAB)
2069 						TIFFSwabLong8(m);
2070 					err=TIFFReadDirEntryCheckRangeSlong8Long8(*m);
2071 					if (err!=TIFFReadDirEntryErrOk)
2072 					{
2073 						_TIFFfree(origdata);
2074 						return(err);
2075 					}
2076 					m++;
2077 				}
2078 				*value=(int64*)origdata;
2079 				return(TIFFReadDirEntryErrOk);
2080 			}
2081 		case TIFF_SLONG8:
2082 			*value=(int64*)origdata;
2083 			if (tif->tif_flags&TIFF_SWAB)
2084 				TIFFSwabArrayOfLong8((uint64*)(*value),count);
2085 			return(TIFFReadDirEntryErrOk);
2086 	}
2087 	data=(int64*)_TIFFmalloc(count*8);
2088 	if (data==0)
2089 	{
2090 		_TIFFfree(origdata);
2091 		return(TIFFReadDirEntryErrAlloc);
2092 	}
2093 	switch (direntry->tdir_type)
2094 	{
2095 		case TIFF_BYTE:
2096 			{
2097 				uint8* ma;
2098 				int64* mb;
2099 				uint32 n;
2100 				ma=(uint8*)origdata;
2101 				mb=data;
2102 				for (n=0; n<count; n++)
2103 					*mb++=(int64)(*ma++);
2104 			}
2105 			break;
2106 		case TIFF_SBYTE:
2107 			{
2108 				int8* ma;
2109 				int64* mb;
2110 				uint32 n;
2111 				ma=(int8*)origdata;
2112 				mb=data;
2113 				for (n=0; n<count; n++)
2114 					*mb++=(int64)(*ma++);
2115 			}
2116 			break;
2117 		case TIFF_SHORT:
2118 			{
2119 				uint16* ma;
2120 				int64* mb;
2121 				uint32 n;
2122 				ma=(uint16*)origdata;
2123 				mb=data;
2124 				for (n=0; n<count; n++)
2125 				{
2126 					if (tif->tif_flags&TIFF_SWAB)
2127 						TIFFSwabShort(ma);
2128 					*mb++=(int64)(*ma++);
2129 				}
2130 			}
2131 			break;
2132 		case TIFF_SSHORT:
2133 			{
2134 				int16* ma;
2135 				int64* mb;
2136 				uint32 n;
2137 				ma=(int16*)origdata;
2138 				mb=data;
2139 				for (n=0; n<count; n++)
2140 				{
2141 					if (tif->tif_flags&TIFF_SWAB)
2142 						TIFFSwabShort((uint16*)ma);
2143 					*mb++=(int64)(*ma++);
2144 				}
2145 			}
2146 			break;
2147 		case TIFF_LONG:
2148 			{
2149 				uint32* ma;
2150 				int64* mb;
2151 				uint32 n;
2152 				ma=(uint32*)origdata;
2153 				mb=data;
2154 				for (n=0; n<count; n++)
2155 				{
2156 					if (tif->tif_flags&TIFF_SWAB)
2157 						TIFFSwabLong(ma);
2158 					*mb++=(int64)(*ma++);
2159 				}
2160 			}
2161 			break;
2162 		case TIFF_SLONG:
2163 			{
2164 				int32* ma;
2165 				int64* mb;
2166 				uint32 n;
2167 				ma=(int32*)origdata;
2168 				mb=data;
2169 				for (n=0; n<count; n++)
2170 				{
2171 					if (tif->tif_flags&TIFF_SWAB)
2172 						TIFFSwabLong((uint32*)ma);
2173 					*mb++=(int64)(*ma++);
2174 				}
2175 			}
2176 			break;
2177 	}
2178 	_TIFFfree(origdata);
2179 	*value=data;
2180 	return(TIFFReadDirEntryErrOk);
2181 }
2182 
TIFFReadDirEntryFloatArray(TIFF * tif,TIFFDirEntry * direntry,float ** value)2183 static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEntry* direntry, float** value)
2184 {
2185 	enum TIFFReadDirEntryErr err;
2186 	uint32 count;
2187 	void* origdata;
2188 	float* data;
2189 	switch (direntry->tdir_type)
2190 	{
2191 		case TIFF_BYTE:
2192 		case TIFF_SBYTE:
2193 		case TIFF_SHORT:
2194 		case TIFF_SSHORT:
2195 		case TIFF_LONG:
2196 		case TIFF_SLONG:
2197 		case TIFF_LONG8:
2198 		case TIFF_SLONG8:
2199 		case TIFF_RATIONAL:
2200 		case TIFF_SRATIONAL:
2201 		case TIFF_FLOAT:
2202 		case TIFF_DOUBLE:
2203 			break;
2204 		default:
2205 			return(TIFFReadDirEntryErrType);
2206 	}
2207 	err=TIFFReadDirEntryArray(tif,direntry,&count,4,&origdata);
2208 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2209 	{
2210 		*value=0;
2211 		return(err);
2212 	}
2213 	switch (direntry->tdir_type)
2214 	{
2215 		case TIFF_FLOAT:
2216 			if (tif->tif_flags&TIFF_SWAB)
2217 				TIFFSwabArrayOfLong((uint32*)origdata,count);
2218 			TIFFCvtIEEEDoubleToNative(tif,count,(float*)origdata);
2219 			*value=(float*)origdata;
2220 			return(TIFFReadDirEntryErrOk);
2221 	}
2222 	data=(float*)_TIFFmalloc(count*sizeof(float));
2223 	if (data==0)
2224 	{
2225 		_TIFFfree(origdata);
2226 		return(TIFFReadDirEntryErrAlloc);
2227 	}
2228 	switch (direntry->tdir_type)
2229 	{
2230 		case TIFF_BYTE:
2231 			{
2232 				uint8* ma;
2233 				float* mb;
2234 				uint32 n;
2235 				ma=(uint8*)origdata;
2236 				mb=data;
2237 				for (n=0; n<count; n++)
2238 					*mb++=(float)(*ma++);
2239 			}
2240 			break;
2241 		case TIFF_SBYTE:
2242 			{
2243 				int8* ma;
2244 				float* mb;
2245 				uint32 n;
2246 				ma=(int8*)origdata;
2247 				mb=data;
2248 				for (n=0; n<count; n++)
2249 					*mb++=(float)(*ma++);
2250 			}
2251 			break;
2252 		case TIFF_SHORT:
2253 			{
2254 				uint16* ma;
2255 				float* mb;
2256 				uint32 n;
2257 				ma=(uint16*)origdata;
2258 				mb=data;
2259 				for (n=0; n<count; n++)
2260 				{
2261 					if (tif->tif_flags&TIFF_SWAB)
2262 						TIFFSwabShort(ma);
2263 					*mb++=(float)(*ma++);
2264 				}
2265 			}
2266 			break;
2267 		case TIFF_SSHORT:
2268 			{
2269 				int16* ma;
2270 				float* mb;
2271 				uint32 n;
2272 				ma=(int16*)origdata;
2273 				mb=data;
2274 				for (n=0; n<count; n++)
2275 				{
2276 					if (tif->tif_flags&TIFF_SWAB)
2277 						TIFFSwabShort((uint16*)ma);
2278 					*mb++=(float)(*ma++);
2279 				}
2280 			}
2281 			break;
2282 		case TIFF_LONG:
2283 			{
2284 				uint32* ma;
2285 				float* mb;
2286 				uint32 n;
2287 				ma=(uint32*)origdata;
2288 				mb=data;
2289 				for (n=0; n<count; n++)
2290 				{
2291 					if (tif->tif_flags&TIFF_SWAB)
2292 						TIFFSwabLong(ma);
2293 					*mb++=(float)(*ma++);
2294 				}
2295 			}
2296 			break;
2297 		case TIFF_SLONG:
2298 			{
2299 				int32* ma;
2300 				float* mb;
2301 				uint32 n;
2302 				ma=(int32*)origdata;
2303 				mb=data;
2304 				for (n=0; n<count; n++)
2305 				{
2306 					if (tif->tif_flags&TIFF_SWAB)
2307 						TIFFSwabLong((uint32*)ma);
2308 					*mb++=(float)(*ma++);
2309 				}
2310 			}
2311 			break;
2312 		case TIFF_LONG8:
2313 			{
2314 				uint64* ma;
2315 				float* mb;
2316 				uint32 n;
2317 				ma=(uint64*)origdata;
2318 				mb=data;
2319 				for (n=0; n<count; n++)
2320 				{
2321 					if (tif->tif_flags&TIFF_SWAB)
2322 						TIFFSwabLong8(ma);
2323 #if defined(__WIN32__) && (_MSC_VER < 1500)
2324 					/*
2325 					 * XXX: MSVC 6.0 does not support
2326 					 * conversion of 64-bit integers into
2327 					 * floating point values.
2328 					 */
2329 					*mb++ = _TIFFUInt64ToFloat(*ma++);
2330 #else
2331 					*mb++ = (float)(*ma++);
2332 #endif
2333 				}
2334 			}
2335 			break;
2336 		case TIFF_SLONG8:
2337 			{
2338 				int64* ma;
2339 				float* mb;
2340 				uint32 n;
2341 				ma=(int64*)origdata;
2342 				mb=data;
2343 				for (n=0; n<count; n++)
2344 				{
2345 					if (tif->tif_flags&TIFF_SWAB)
2346 						TIFFSwabLong8((uint64*)ma);
2347 					*mb++=(float)(*ma++);
2348 				}
2349 			}
2350 			break;
2351 		case TIFF_RATIONAL:
2352 			{
2353 				uint32* ma;
2354 				uint32 maa;
2355 				uint32 mab;
2356 				float* mb;
2357 				uint32 n;
2358 				ma=(uint32*)origdata;
2359 				mb=data;
2360 				for (n=0; n<count; n++)
2361 				{
2362 					if (tif->tif_flags&TIFF_SWAB)
2363 						TIFFSwabLong(ma);
2364 					maa=*ma++;
2365 					if (tif->tif_flags&TIFF_SWAB)
2366 						TIFFSwabLong(ma);
2367 					mab=*ma++;
2368 					if (mab==0)
2369 						*mb++=0.0;
2370 					else
2371 						*mb++=(float)maa/(float)mab;
2372 				}
2373 			}
2374 			break;
2375 		case TIFF_SRATIONAL:
2376 			{
2377 				uint32* ma;
2378 				int32 maa;
2379 				uint32 mab;
2380 				float* mb;
2381 				uint32 n;
2382 				ma=(uint32*)origdata;
2383 				mb=data;
2384 				for (n=0; n<count; n++)
2385 				{
2386 					if (tif->tif_flags&TIFF_SWAB)
2387 						TIFFSwabLong(ma);
2388 					maa=*(int32*)ma;
2389 					ma++;
2390 					if (tif->tif_flags&TIFF_SWAB)
2391 						TIFFSwabLong(ma);
2392 					mab=*ma++;
2393 					if (mab==0)
2394 						*mb++=0.0;
2395 					else
2396 						*mb++=(float)maa/(float)mab;
2397 				}
2398 			}
2399 			break;
2400 		case TIFF_DOUBLE:
2401 			{
2402 				double* ma;
2403 				float* mb;
2404 				uint32 n;
2405 				if (tif->tif_flags&TIFF_SWAB)
2406 					TIFFSwabArrayOfLong8((uint64*)origdata,count);
2407 				TIFFCvtIEEEDoubleToNative(tif,count,(double*)origdata);
2408 				ma=(double*)origdata;
2409 				mb=data;
2410 				for (n=0; n<count; n++)
2411                                 {
2412                                     double val = *ma++;
2413                                     if( val > FLT_MAX )
2414                                         val = FLT_MAX;
2415                                     else if( val < -FLT_MAX )
2416                                         val = -FLT_MAX;
2417                                     *mb++=(float)val;
2418                                 }
2419 			}
2420 			break;
2421 	}
2422 	_TIFFfree(origdata);
2423 	*value=data;
2424 	return(TIFFReadDirEntryErrOk);
2425 }
2426 
2427 static enum TIFFReadDirEntryErr
TIFFReadDirEntryDoubleArray(TIFF * tif,TIFFDirEntry * direntry,double ** value)2428 TIFFReadDirEntryDoubleArray(TIFF* tif, TIFFDirEntry* direntry, double** value)
2429 {
2430 	enum TIFFReadDirEntryErr err;
2431 	uint32 count;
2432 	void* origdata;
2433 	double* data;
2434 	switch (direntry->tdir_type)
2435 	{
2436 		case TIFF_BYTE:
2437 		case TIFF_SBYTE:
2438 		case TIFF_SHORT:
2439 		case TIFF_SSHORT:
2440 		case TIFF_LONG:
2441 		case TIFF_SLONG:
2442 		case TIFF_LONG8:
2443 		case TIFF_SLONG8:
2444 		case TIFF_RATIONAL:
2445 		case TIFF_SRATIONAL:
2446 		case TIFF_FLOAT:
2447 		case TIFF_DOUBLE:
2448 			break;
2449 		default:
2450 			return(TIFFReadDirEntryErrType);
2451 	}
2452 	err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
2453 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2454 	{
2455 		*value=0;
2456 		return(err);
2457 	}
2458 	switch (direntry->tdir_type)
2459 	{
2460 		case TIFF_DOUBLE:
2461 			if (tif->tif_flags&TIFF_SWAB)
2462 				TIFFSwabArrayOfLong8((uint64*)origdata,count);
2463 			TIFFCvtIEEEDoubleToNative(tif,count,(double*)origdata);
2464 			*value=(double*)origdata;
2465 			return(TIFFReadDirEntryErrOk);
2466 	}
2467 	data=(double*)_TIFFmalloc(count*sizeof(double));
2468 	if (data==0)
2469 	{
2470 		_TIFFfree(origdata);
2471 		return(TIFFReadDirEntryErrAlloc);
2472 	}
2473 	switch (direntry->tdir_type)
2474 	{
2475 		case TIFF_BYTE:
2476 			{
2477 				uint8* ma;
2478 				double* mb;
2479 				uint32 n;
2480 				ma=(uint8*)origdata;
2481 				mb=data;
2482 				for (n=0; n<count; n++)
2483 					*mb++=(double)(*ma++);
2484 			}
2485 			break;
2486 		case TIFF_SBYTE:
2487 			{
2488 				int8* ma;
2489 				double* mb;
2490 				uint32 n;
2491 				ma=(int8*)origdata;
2492 				mb=data;
2493 				for (n=0; n<count; n++)
2494 					*mb++=(double)(*ma++);
2495 			}
2496 			break;
2497 		case TIFF_SHORT:
2498 			{
2499 				uint16* ma;
2500 				double* mb;
2501 				uint32 n;
2502 				ma=(uint16*)origdata;
2503 				mb=data;
2504 				for (n=0; n<count; n++)
2505 				{
2506 					if (tif->tif_flags&TIFF_SWAB)
2507 						TIFFSwabShort(ma);
2508 					*mb++=(double)(*ma++);
2509 				}
2510 			}
2511 			break;
2512 		case TIFF_SSHORT:
2513 			{
2514 				int16* ma;
2515 				double* mb;
2516 				uint32 n;
2517 				ma=(int16*)origdata;
2518 				mb=data;
2519 				for (n=0; n<count; n++)
2520 				{
2521 					if (tif->tif_flags&TIFF_SWAB)
2522 						TIFFSwabShort((uint16*)ma);
2523 					*mb++=(double)(*ma++);
2524 				}
2525 			}
2526 			break;
2527 		case TIFF_LONG:
2528 			{
2529 				uint32* ma;
2530 				double* mb;
2531 				uint32 n;
2532 				ma=(uint32*)origdata;
2533 				mb=data;
2534 				for (n=0; n<count; n++)
2535 				{
2536 					if (tif->tif_flags&TIFF_SWAB)
2537 						TIFFSwabLong(ma);
2538 					*mb++=(double)(*ma++);
2539 				}
2540 			}
2541 			break;
2542 		case TIFF_SLONG:
2543 			{
2544 				int32* ma;
2545 				double* mb;
2546 				uint32 n;
2547 				ma=(int32*)origdata;
2548 				mb=data;
2549 				for (n=0; n<count; n++)
2550 				{
2551 					if (tif->tif_flags&TIFF_SWAB)
2552 						TIFFSwabLong((uint32*)ma);
2553 					*mb++=(double)(*ma++);
2554 				}
2555 			}
2556 			break;
2557 		case TIFF_LONG8:
2558 			{
2559 				uint64* ma;
2560 				double* mb;
2561 				uint32 n;
2562 				ma=(uint64*)origdata;
2563 				mb=data;
2564 				for (n=0; n<count; n++)
2565 				{
2566 					if (tif->tif_flags&TIFF_SWAB)
2567 						TIFFSwabLong8(ma);
2568 #if defined(__WIN32__) && (_MSC_VER < 1500)
2569 					/*
2570 					 * XXX: MSVC 6.0 does not support
2571 					 * conversion of 64-bit integers into
2572 					 * floating point values.
2573 					 */
2574 					*mb++ = _TIFFUInt64ToDouble(*ma++);
2575 #else
2576 					*mb++ = (double)(*ma++);
2577 #endif
2578 				}
2579 			}
2580 			break;
2581 		case TIFF_SLONG8:
2582 			{
2583 				int64* ma;
2584 				double* mb;
2585 				uint32 n;
2586 				ma=(int64*)origdata;
2587 				mb=data;
2588 				for (n=0; n<count; n++)
2589 				{
2590 					if (tif->tif_flags&TIFF_SWAB)
2591 						TIFFSwabLong8((uint64*)ma);
2592 					*mb++=(double)(*ma++);
2593 				}
2594 			}
2595 			break;
2596 		case TIFF_RATIONAL:
2597 			{
2598 				uint32* ma;
2599 				uint32 maa;
2600 				uint32 mab;
2601 				double* mb;
2602 				uint32 n;
2603 				ma=(uint32*)origdata;
2604 				mb=data;
2605 				for (n=0; n<count; n++)
2606 				{
2607 					if (tif->tif_flags&TIFF_SWAB)
2608 						TIFFSwabLong(ma);
2609 					maa=*ma++;
2610 					if (tif->tif_flags&TIFF_SWAB)
2611 						TIFFSwabLong(ma);
2612 					mab=*ma++;
2613 					if (mab==0)
2614 						*mb++=0.0;
2615 					else
2616 						*mb++=(double)maa/(double)mab;
2617 				}
2618 			}
2619 			break;
2620 		case TIFF_SRATIONAL:
2621 			{
2622 				uint32* ma;
2623 				int32 maa;
2624 				uint32 mab;
2625 				double* mb;
2626 				uint32 n;
2627 				ma=(uint32*)origdata;
2628 				mb=data;
2629 				for (n=0; n<count; n++)
2630 				{
2631 					if (tif->tif_flags&TIFF_SWAB)
2632 						TIFFSwabLong(ma);
2633 					maa=*(int32*)ma;
2634 					ma++;
2635 					if (tif->tif_flags&TIFF_SWAB)
2636 						TIFFSwabLong(ma);
2637 					mab=*ma++;
2638 					if (mab==0)
2639 						*mb++=0.0;
2640 					else
2641 						*mb++=(double)maa/(double)mab;
2642 				}
2643 			}
2644 			break;
2645 		case TIFF_FLOAT:
2646 			{
2647 				float* ma;
2648 				double* mb;
2649 				uint32 n;
2650 				if (tif->tif_flags&TIFF_SWAB)
2651 					TIFFSwabArrayOfLong((uint32*)origdata,count);
2652 				TIFFCvtIEEEFloatToNative(tif,count,(float*)origdata);
2653 				ma=(float*)origdata;
2654 				mb=data;
2655 				for (n=0; n<count; n++)
2656 					*mb++=(double)(*ma++);
2657 			}
2658 			break;
2659 	}
2660 	_TIFFfree(origdata);
2661 	*value=data;
2662 	return(TIFFReadDirEntryErrOk);
2663 }
2664 
TIFFReadDirEntryIfd8Array(TIFF * tif,TIFFDirEntry * direntry,uint64 ** value)2665 static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8Array(TIFF* tif, TIFFDirEntry* direntry, uint64** value)
2666 {
2667 	enum TIFFReadDirEntryErr err;
2668 	uint32 count;
2669 	void* origdata;
2670 	uint64* data;
2671 	switch (direntry->tdir_type)
2672 	{
2673 		case TIFF_LONG:
2674 		case TIFF_LONG8:
2675 		case TIFF_IFD:
2676 		case TIFF_IFD8:
2677 			break;
2678 		default:
2679 			return(TIFFReadDirEntryErrType);
2680 	}
2681 	err=TIFFReadDirEntryArray(tif,direntry,&count,8,&origdata);
2682 	if ((err!=TIFFReadDirEntryErrOk)||(origdata==0))
2683 	{
2684 		*value=0;
2685 		return(err);
2686 	}
2687 	switch (direntry->tdir_type)
2688 	{
2689 		case TIFF_LONG8:
2690 		case TIFF_IFD8:
2691 			*value=(uint64*)origdata;
2692 			if (tif->tif_flags&TIFF_SWAB)
2693 				TIFFSwabArrayOfLong8(*value,count);
2694 			return(TIFFReadDirEntryErrOk);
2695 	}
2696 	data=(uint64*)_TIFFmalloc(count*8);
2697 	if (data==0)
2698 	{
2699 		_TIFFfree(origdata);
2700 		return(TIFFReadDirEntryErrAlloc);
2701 	}
2702 	switch (direntry->tdir_type)
2703 	{
2704 		case TIFF_LONG:
2705 		case TIFF_IFD:
2706 			{
2707 				uint32* ma;
2708 				uint64* mb;
2709 				uint32 n;
2710 				ma=(uint32*)origdata;
2711 				mb=data;
2712 				for (n=0; n<count; n++)
2713 				{
2714 					if (tif->tif_flags&TIFF_SWAB)
2715 						TIFFSwabLong(ma);
2716 					*mb++=(uint64)(*ma++);
2717 				}
2718 			}
2719 			break;
2720 	}
2721 	_TIFFfree(origdata);
2722 	*value=data;
2723 	return(TIFFReadDirEntryErrOk);
2724 }
2725 
TIFFReadDirEntryPersampleShort(TIFF * tif,TIFFDirEntry * direntry,uint16 * value)2726 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleShort(TIFF* tif, TIFFDirEntry* direntry, uint16* value)
2727 {
2728 	enum TIFFReadDirEntryErr err;
2729 	uint16* m;
2730 	uint16* na;
2731 	uint16 nb;
2732 	if (direntry->tdir_count<(uint64)tif->tif_dir.td_samplesperpixel)
2733 		return(TIFFReadDirEntryErrCount);
2734 	err=TIFFReadDirEntryShortArray(tif,direntry,&m);
2735 	if (err!=TIFFReadDirEntryErrOk)
2736 		return(err);
2737 	na=m;
2738 	nb=tif->tif_dir.td_samplesperpixel;
2739 	*value=*na++;
2740 	nb--;
2741 	while (nb>0)
2742 	{
2743 		if (*na++!=*value)
2744 		{
2745 			err=TIFFReadDirEntryErrPsdif;
2746 			break;
2747 		}
2748 		nb--;
2749 	}
2750 	_TIFFfree(m);
2751 	return(err);
2752 }
2753 
2754 #if 0
2755 static enum TIFFReadDirEntryErr TIFFReadDirEntryPersampleDouble(TIFF* tif, TIFFDirEntry* direntry, double* value)
2756 {
2757 	enum TIFFReadDirEntryErr err;
2758 	double* m;
2759 	double* na;
2760 	uint16 nb;
2761 	if (direntry->tdir_count<(uint64)tif->tif_dir.td_samplesperpixel)
2762 		return(TIFFReadDirEntryErrCount);
2763 	err=TIFFReadDirEntryDoubleArray(tif,direntry,&m);
2764 	if (err!=TIFFReadDirEntryErrOk)
2765 		return(err);
2766 	na=m;
2767 	nb=tif->tif_dir.td_samplesperpixel;
2768 	*value=*na++;
2769 	nb--;
2770 	while (nb>0)
2771 	{
2772 		if (*na++!=*value)
2773 		{
2774 			err=TIFFReadDirEntryErrPsdif;
2775 			break;
2776 		}
2777 		nb--;
2778 	}
2779 	_TIFFfree(m);
2780 	return(err);
2781 }
2782 #endif
2783 
TIFFReadDirEntryCheckedByte(TIFF * tif,TIFFDirEntry * direntry,uint8 * value)2784 static void TIFFReadDirEntryCheckedByte(TIFF* tif, TIFFDirEntry* direntry, uint8* value)
2785 {
2786 	(void) tif;
2787 	*value=*(uint8*)(&direntry->tdir_offset);
2788 }
2789 
TIFFReadDirEntryCheckedSbyte(TIFF * tif,TIFFDirEntry * direntry,int8 * value)2790 static void TIFFReadDirEntryCheckedSbyte(TIFF* tif, TIFFDirEntry* direntry, int8* value)
2791 {
2792 	(void) tif;
2793 	*value=*(int8*)(&direntry->tdir_offset);
2794 }
2795 
TIFFReadDirEntryCheckedShort(TIFF * tif,TIFFDirEntry * direntry,uint16 * value)2796 static void TIFFReadDirEntryCheckedShort(TIFF* tif, TIFFDirEntry* direntry, uint16* value)
2797 {
2798 	*value = direntry->tdir_offset.toff_short;
2799 	/* *value=*(uint16*)(&direntry->tdir_offset); */
2800 	if (tif->tif_flags&TIFF_SWAB)
2801 		TIFFSwabShort(value);
2802 }
2803 
TIFFReadDirEntryCheckedSshort(TIFF * tif,TIFFDirEntry * direntry,int16 * value)2804 static void TIFFReadDirEntryCheckedSshort(TIFF* tif, TIFFDirEntry* direntry, int16* value)
2805 {
2806 	*value=*(int16*)(&direntry->tdir_offset);
2807 	if (tif->tif_flags&TIFF_SWAB)
2808 		TIFFSwabShort((uint16*)value);
2809 }
2810 
TIFFReadDirEntryCheckedLong(TIFF * tif,TIFFDirEntry * direntry,uint32 * value)2811 static void TIFFReadDirEntryCheckedLong(TIFF* tif, TIFFDirEntry* direntry, uint32* value)
2812 {
2813 	*value=*(uint32*)(&direntry->tdir_offset);
2814 	if (tif->tif_flags&TIFF_SWAB)
2815 		TIFFSwabLong(value);
2816 }
2817 
TIFFReadDirEntryCheckedSlong(TIFF * tif,TIFFDirEntry * direntry,int32 * value)2818 static void TIFFReadDirEntryCheckedSlong(TIFF* tif, TIFFDirEntry* direntry, int32* value)
2819 {
2820 	*value=*(int32*)(&direntry->tdir_offset);
2821 	if (tif->tif_flags&TIFF_SWAB)
2822 		TIFFSwabLong((uint32*)value);
2823 }
2824 
TIFFReadDirEntryCheckedLong8(TIFF * tif,TIFFDirEntry * direntry,uint64 * value)2825 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedLong8(TIFF* tif, TIFFDirEntry* direntry, uint64* value)
2826 {
2827 	if (!(tif->tif_flags&TIFF_BIGTIFF))
2828 	{
2829 		enum TIFFReadDirEntryErr err;
2830 		uint32 offset = direntry->tdir_offset.toff_long;
2831 		if (tif->tif_flags&TIFF_SWAB)
2832 			TIFFSwabLong(&offset);
2833 		err=TIFFReadDirEntryData(tif,offset,8,value);
2834 		if (err!=TIFFReadDirEntryErrOk)
2835 			return(err);
2836 	}
2837 	else
2838 		*value = direntry->tdir_offset.toff_long8;
2839 	if (tif->tif_flags&TIFF_SWAB)
2840 		TIFFSwabLong8(value);
2841 	return(TIFFReadDirEntryErrOk);
2842 }
2843 
TIFFReadDirEntryCheckedSlong8(TIFF * tif,TIFFDirEntry * direntry,int64 * value)2844 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSlong8(TIFF* tif, TIFFDirEntry* direntry, int64* value)
2845 {
2846 	if (!(tif->tif_flags&TIFF_BIGTIFF))
2847 	{
2848 		enum TIFFReadDirEntryErr err;
2849 		uint32 offset = direntry->tdir_offset.toff_long;
2850 		if (tif->tif_flags&TIFF_SWAB)
2851 			TIFFSwabLong(&offset);
2852 		err=TIFFReadDirEntryData(tif,offset,8,value);
2853 		if (err!=TIFFReadDirEntryErrOk)
2854 			return(err);
2855 	}
2856 	else
2857 		*value=*(int64*)(&direntry->tdir_offset);
2858 	if (tif->tif_flags&TIFF_SWAB)
2859 		TIFFSwabLong8((uint64*)value);
2860 	return(TIFFReadDirEntryErrOk);
2861 }
2862 
TIFFReadDirEntryCheckedRational(TIFF * tif,TIFFDirEntry * direntry,double * value)2863 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFDirEntry* direntry, double* value)
2864 {
2865 	UInt64Aligned_t m;
2866 
2867 	assert(sizeof(double)==8);
2868 	assert(sizeof(uint64)==8);
2869 	assert(sizeof(uint32)==4);
2870 	if (!(tif->tif_flags&TIFF_BIGTIFF))
2871 	{
2872 		enum TIFFReadDirEntryErr err;
2873 		uint32 offset = direntry->tdir_offset.toff_long;
2874 		if (tif->tif_flags&TIFF_SWAB)
2875 			TIFFSwabLong(&offset);
2876 		err=TIFFReadDirEntryData(tif,offset,8,m.i);
2877 		if (err!=TIFFReadDirEntryErrOk)
2878 			return(err);
2879 	}
2880 	else
2881 		m.l = direntry->tdir_offset.toff_long8;
2882 	if (tif->tif_flags&TIFF_SWAB)
2883 		TIFFSwabArrayOfLong(m.i,2);
2884         /* Not completely sure what we should do when m.i[1]==0, but some */
2885         /* sanitizers do not like division by 0.0: */
2886         /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
2887 	if (m.i[0]==0 || m.i[1]==0)
2888 		*value=0.0;
2889 	else
2890 		*value=(double)m.i[0]/(double)m.i[1];
2891 	return(TIFFReadDirEntryErrOk);
2892 }
2893 
TIFFReadDirEntryCheckedSrational(TIFF * tif,TIFFDirEntry * direntry,double * value)2894 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFFDirEntry* direntry, double* value)
2895 {
2896 	UInt64Aligned_t m;
2897 	assert(sizeof(double)==8);
2898 	assert(sizeof(uint64)==8);
2899 	assert(sizeof(int32)==4);
2900 	assert(sizeof(uint32)==4);
2901 	if (!(tif->tif_flags&TIFF_BIGTIFF))
2902 	{
2903 		enum TIFFReadDirEntryErr err;
2904 		uint32 offset = direntry->tdir_offset.toff_long;
2905 		if (tif->tif_flags&TIFF_SWAB)
2906 			TIFFSwabLong(&offset);
2907 		err=TIFFReadDirEntryData(tif,offset,8,m.i);
2908 		if (err!=TIFFReadDirEntryErrOk)
2909 			return(err);
2910 	}
2911 	else
2912 		m.l=direntry->tdir_offset.toff_long8;
2913 	if (tif->tif_flags&TIFF_SWAB)
2914 		TIFFSwabArrayOfLong(m.i,2);
2915         /* Not completely sure what we should do when m.i[1]==0, but some */
2916         /* sanitizers do not like division by 0.0: */
2917         /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
2918 	if ((int32)m.i[0]==0 || m.i[1]==0)
2919 		*value=0.0;
2920 	else
2921 		*value=(double)((int32)m.i[0])/(double)m.i[1];
2922 	return(TIFFReadDirEntryErrOk);
2923 }
2924 
TIFFReadDirEntryCheckedFloat(TIFF * tif,TIFFDirEntry * direntry,float * value)2925 static void TIFFReadDirEntryCheckedFloat(TIFF* tif, TIFFDirEntry* direntry, float* value)
2926 {
2927          union
2928 	 {
2929 	   float  f;
2930 	   uint32 i;
2931 	 } float_union;
2932 	assert(sizeof(float)==4);
2933 	assert(sizeof(uint32)==4);
2934 	assert(sizeof(float_union)==4);
2935 	float_union.i=*(uint32*)(&direntry->tdir_offset);
2936 	*value=float_union.f;
2937 	if (tif->tif_flags&TIFF_SWAB)
2938 		TIFFSwabLong((uint32*)value);
2939 }
2940 
TIFFReadDirEntryCheckedDouble(TIFF * tif,TIFFDirEntry * direntry,double * value)2941 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedDouble(TIFF* tif, TIFFDirEntry* direntry, double* value)
2942 {
2943 	assert(sizeof(double)==8);
2944 	assert(sizeof(uint64)==8);
2945 	assert(sizeof(UInt64Aligned_t)==8);
2946 	if (!(tif->tif_flags&TIFF_BIGTIFF))
2947 	{
2948 		enum TIFFReadDirEntryErr err;
2949 		uint32 offset = direntry->tdir_offset.toff_long;
2950 		if (tif->tif_flags&TIFF_SWAB)
2951 			TIFFSwabLong(&offset);
2952 		err=TIFFReadDirEntryData(tif,offset,8,value);
2953 		if (err!=TIFFReadDirEntryErrOk)
2954 			return(err);
2955 	}
2956 	else
2957 	{
2958 	       UInt64Aligned_t uint64_union;
2959 	       uint64_union.l=direntry->tdir_offset.toff_long8;
2960 	       *value=uint64_union.d;
2961 	}
2962 	if (tif->tif_flags&TIFF_SWAB)
2963 		TIFFSwabLong8((uint64*)value);
2964 	return(TIFFReadDirEntryErrOk);
2965 }
2966 
TIFFReadDirEntryCheckRangeByteSbyte(int8 value)2967 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSbyte(int8 value)
2968 {
2969 	if (value<0)
2970 		return(TIFFReadDirEntryErrRange);
2971 	else
2972 		return(TIFFReadDirEntryErrOk);
2973 }
2974 
TIFFReadDirEntryCheckRangeByteShort(uint16 value)2975 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteShort(uint16 value)
2976 {
2977 	if (value>0xFF)
2978 		return(TIFFReadDirEntryErrRange);
2979 	else
2980 		return(TIFFReadDirEntryErrOk);
2981 }
2982 
TIFFReadDirEntryCheckRangeByteSshort(int16 value)2983 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSshort(int16 value)
2984 {
2985 	if ((value<0)||(value>0xFF))
2986 		return(TIFFReadDirEntryErrRange);
2987 	else
2988 		return(TIFFReadDirEntryErrOk);
2989 }
2990 
TIFFReadDirEntryCheckRangeByteLong(uint32 value)2991 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong(uint32 value)
2992 {
2993 	if (value>0xFF)
2994 		return(TIFFReadDirEntryErrRange);
2995 	else
2996 		return(TIFFReadDirEntryErrOk);
2997 }
2998 
TIFFReadDirEntryCheckRangeByteSlong(int32 value)2999 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong(int32 value)
3000 {
3001 	if ((value<0)||(value>0xFF))
3002 		return(TIFFReadDirEntryErrRange);
3003 	else
3004 		return(TIFFReadDirEntryErrOk);
3005 }
3006 
TIFFReadDirEntryCheckRangeByteLong8(uint64 value)3007 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteLong8(uint64 value)
3008 {
3009 	if (value>0xFF)
3010 		return(TIFFReadDirEntryErrRange);
3011 	else
3012 		return(TIFFReadDirEntryErrOk);
3013 }
3014 
TIFFReadDirEntryCheckRangeByteSlong8(int64 value)3015 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeByteSlong8(int64 value)
3016 {
3017 	if ((value<0)||(value>0xFF))
3018 		return(TIFFReadDirEntryErrRange);
3019 	else
3020 		return(TIFFReadDirEntryErrOk);
3021 }
3022 
TIFFReadDirEntryCheckRangeSbyteByte(uint8 value)3023 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteByte(uint8 value)
3024 {
3025 	if (value>0x7F)
3026 		return(TIFFReadDirEntryErrRange);
3027 	else
3028 		return(TIFFReadDirEntryErrOk);
3029 }
3030 
TIFFReadDirEntryCheckRangeSbyteShort(uint16 value)3031 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteShort(uint16 value)
3032 {
3033 	if (value>0x7F)
3034 		return(TIFFReadDirEntryErrRange);
3035 	else
3036 		return(TIFFReadDirEntryErrOk);
3037 }
3038 
TIFFReadDirEntryCheckRangeSbyteSshort(int16 value)3039 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSshort(int16 value)
3040 {
3041 	if ((value<-0x80)||(value>0x7F))
3042 		return(TIFFReadDirEntryErrRange);
3043 	else
3044 		return(TIFFReadDirEntryErrOk);
3045 }
3046 
TIFFReadDirEntryCheckRangeSbyteLong(uint32 value)3047 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong(uint32 value)
3048 {
3049 	if (value>0x7F)
3050 		return(TIFFReadDirEntryErrRange);
3051 	else
3052 		return(TIFFReadDirEntryErrOk);
3053 }
3054 
TIFFReadDirEntryCheckRangeSbyteSlong(int32 value)3055 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong(int32 value)
3056 {
3057 	if ((value<-0x80)||(value>0x7F))
3058 		return(TIFFReadDirEntryErrRange);
3059 	else
3060 		return(TIFFReadDirEntryErrOk);
3061 }
3062 
TIFFReadDirEntryCheckRangeSbyteLong8(uint64 value)3063 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteLong8(uint64 value)
3064 {
3065 	if (value>0x7F)
3066 		return(TIFFReadDirEntryErrRange);
3067 	else
3068 		return(TIFFReadDirEntryErrOk);
3069 }
3070 
TIFFReadDirEntryCheckRangeSbyteSlong8(int64 value)3071 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSbyteSlong8(int64 value)
3072 {
3073 	if ((value<-0x80)||(value>0x7F))
3074 		return(TIFFReadDirEntryErrRange);
3075 	else
3076 		return(TIFFReadDirEntryErrOk);
3077 }
3078 
TIFFReadDirEntryCheckRangeShortSbyte(int8 value)3079 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSbyte(int8 value)
3080 {
3081 	if (value<0)
3082 		return(TIFFReadDirEntryErrRange);
3083 	else
3084 		return(TIFFReadDirEntryErrOk);
3085 }
3086 
TIFFReadDirEntryCheckRangeShortSshort(int16 value)3087 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSshort(int16 value)
3088 {
3089 	if (value<0)
3090 		return(TIFFReadDirEntryErrRange);
3091 	else
3092 		return(TIFFReadDirEntryErrOk);
3093 }
3094 
TIFFReadDirEntryCheckRangeShortLong(uint32 value)3095 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong(uint32 value)
3096 {
3097 	if (value>0xFFFF)
3098 		return(TIFFReadDirEntryErrRange);
3099 	else
3100 		return(TIFFReadDirEntryErrOk);
3101 }
3102 
TIFFReadDirEntryCheckRangeShortSlong(int32 value)3103 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong(int32 value)
3104 {
3105 	if ((value<0)||(value>0xFFFF))
3106 		return(TIFFReadDirEntryErrRange);
3107 	else
3108 		return(TIFFReadDirEntryErrOk);
3109 }
3110 
TIFFReadDirEntryCheckRangeShortLong8(uint64 value)3111 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortLong8(uint64 value)
3112 {
3113 	if (value>0xFFFF)
3114 		return(TIFFReadDirEntryErrRange);
3115 	else
3116 		return(TIFFReadDirEntryErrOk);
3117 }
3118 
TIFFReadDirEntryCheckRangeShortSlong8(int64 value)3119 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeShortSlong8(int64 value)
3120 {
3121 	if ((value<0)||(value>0xFFFF))
3122 		return(TIFFReadDirEntryErrRange);
3123 	else
3124 		return(TIFFReadDirEntryErrOk);
3125 }
3126 
TIFFReadDirEntryCheckRangeSshortShort(uint16 value)3127 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortShort(uint16 value)
3128 {
3129 	if (value>0x7FFF)
3130 		return(TIFFReadDirEntryErrRange);
3131 	else
3132 		return(TIFFReadDirEntryErrOk);
3133 }
3134 
TIFFReadDirEntryCheckRangeSshortLong(uint32 value)3135 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong(uint32 value)
3136 {
3137 	if (value>0x7FFF)
3138 		return(TIFFReadDirEntryErrRange);
3139 	else
3140 		return(TIFFReadDirEntryErrOk);
3141 }
3142 
TIFFReadDirEntryCheckRangeSshortSlong(int32 value)3143 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong(int32 value)
3144 {
3145 	if ((value<-0x8000)||(value>0x7FFF))
3146 		return(TIFFReadDirEntryErrRange);
3147 	else
3148 		return(TIFFReadDirEntryErrOk);
3149 }
3150 
TIFFReadDirEntryCheckRangeSshortLong8(uint64 value)3151 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortLong8(uint64 value)
3152 {
3153 	if (value>0x7FFF)
3154 		return(TIFFReadDirEntryErrRange);
3155 	else
3156 		return(TIFFReadDirEntryErrOk);
3157 }
3158 
TIFFReadDirEntryCheckRangeSshortSlong8(int64 value)3159 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeSshortSlong8(int64 value)
3160 {
3161 	if ((value<-0x8000)||(value>0x7FFF))
3162 		return(TIFFReadDirEntryErrRange);
3163 	else
3164 		return(TIFFReadDirEntryErrOk);
3165 }
3166 
TIFFReadDirEntryCheckRangeLongSbyte(int8 value)3167 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSbyte(int8 value)
3168 {
3169 	if (value<0)
3170 		return(TIFFReadDirEntryErrRange);
3171 	else
3172 		return(TIFFReadDirEntryErrOk);
3173 }
3174 
TIFFReadDirEntryCheckRangeLongSshort(int16 value)3175 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSshort(int16 value)
3176 {
3177 	if (value<0)
3178 		return(TIFFReadDirEntryErrRange);
3179 	else
3180 		return(TIFFReadDirEntryErrOk);
3181 }
3182 
TIFFReadDirEntryCheckRangeLongSlong(int32 value)3183 static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckRangeLongSlong(int32 value)
3184 {
3185 	if (value<0)
3186 		return(TIFFReadDirEntryErrRange);
3187 	else
3188 		return(TIFFReadDirEntryErrOk);
3189 }
3190 
3191 /*
3192  * Largest 32-bit unsigned integer value.
3193  */
3194 #define TIFF_UINT32_MAX 0xFFFFFFFFU
3195 
3196 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongLong8(uint64 value)3197 TIFFReadDirEntryCheckRangeLongLong8(uint64 value)
3198 {
3199 	if (value > TIFF_UINT32_MAX)
3200 		return(TIFFReadDirEntryErrRange);
3201 	else
3202 		return(TIFFReadDirEntryErrOk);
3203 }
3204 
3205 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongSlong8(int64 value)3206 TIFFReadDirEntryCheckRangeLongSlong8(int64 value)
3207 {
3208 	if ((value < 0) || (value > (int64) TIFF_UINT32_MAX))
3209 		return(TIFFReadDirEntryErrRange);
3210 	else
3211 		return(TIFFReadDirEntryErrOk);
3212 }
3213 
3214 #undef TIFF_UINT32_MAX
3215 
3216 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongLong(uint32 value)3217 TIFFReadDirEntryCheckRangeSlongLong(uint32 value)
3218 {
3219 	if (value > 0x7FFFFFFFUL)
3220 		return(TIFFReadDirEntryErrRange);
3221 	else
3222 		return(TIFFReadDirEntryErrOk);
3223 }
3224 
3225 /* Check that the 8-byte unsigned value can fit in a 4-byte unsigned range */
3226 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongLong8(uint64 value)3227 TIFFReadDirEntryCheckRangeSlongLong8(uint64 value)
3228 {
3229 	if (value > 0x7FFFFFFF)
3230 		return(TIFFReadDirEntryErrRange);
3231 	else
3232 		return(TIFFReadDirEntryErrOk);
3233 }
3234 
3235 /* Check that the 8-byte signed value can fit in a 4-byte signed range */
3236 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongSlong8(int64 value)3237 TIFFReadDirEntryCheckRangeSlongSlong8(int64 value)
3238 {
3239         if ((value < 0-((int64) 0x7FFFFFFF+1)) || (value > 0x7FFFFFFF))
3240 		return(TIFFReadDirEntryErrRange);
3241 	else
3242 		return(TIFFReadDirEntryErrOk);
3243 }
3244 
3245 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Sbyte(int8 value)3246 TIFFReadDirEntryCheckRangeLong8Sbyte(int8 value)
3247 {
3248 	if (value < 0)
3249 		return(TIFFReadDirEntryErrRange);
3250 	else
3251 		return(TIFFReadDirEntryErrOk);
3252 }
3253 
3254 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Sshort(int16 value)3255 TIFFReadDirEntryCheckRangeLong8Sshort(int16 value)
3256 {
3257 	if (value < 0)
3258 		return(TIFFReadDirEntryErrRange);
3259 	else
3260 		return(TIFFReadDirEntryErrOk);
3261 }
3262 
3263 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Slong(int32 value)3264 TIFFReadDirEntryCheckRangeLong8Slong(int32 value)
3265 {
3266 	if (value < 0)
3267 		return(TIFFReadDirEntryErrRange);
3268 	else
3269 		return(TIFFReadDirEntryErrOk);
3270 }
3271 
3272 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Slong8(int64 value)3273 TIFFReadDirEntryCheckRangeLong8Slong8(int64 value)
3274 {
3275 	if (value < 0)
3276 		return(TIFFReadDirEntryErrRange);
3277 	else
3278 		return(TIFFReadDirEntryErrOk);
3279 }
3280 
3281 /*
3282  * Largest 64-bit signed integer value.
3283  */
3284 #define TIFF_INT64_MAX ((int64)(((uint64) ~0) >> 1))
3285 
3286 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlong8Long8(uint64 value)3287 TIFFReadDirEntryCheckRangeSlong8Long8(uint64 value)
3288 {
3289 	if (value > TIFF_INT64_MAX)
3290 		return(TIFFReadDirEntryErrRange);
3291 	else
3292 		return(TIFFReadDirEntryErrOk);
3293 }
3294 
3295 #undef TIFF_INT64_MAX
3296 
3297 static enum TIFFReadDirEntryErr
TIFFReadDirEntryData(TIFF * tif,uint64 offset,tmsize_t size,void * dest)3298 TIFFReadDirEntryData(TIFF* tif, uint64 offset, tmsize_t size, void* dest)
3299 {
3300 	assert(size>0);
3301 	if (!isMapped(tif)) {
3302 		if (!SeekOK(tif,offset))
3303 			return(TIFFReadDirEntryErrIo);
3304 		if (!ReadOK(tif,dest,size))
3305 			return(TIFFReadDirEntryErrIo);
3306 	} else {
3307 		size_t ma,mb;
3308 		ma=(size_t)offset;
3309 		mb=ma+size;
3310 		if (((uint64)ma!=offset)
3311 		    || (mb < ma)
3312 		    || (mb - ma != (size_t) size)
3313 		    || (mb < (size_t)size)
3314 		    || (mb > (size_t)tif->tif_size)
3315 		    )
3316 			return(TIFFReadDirEntryErrIo);
3317 		_TIFFmemcpy(dest,tif->tif_base+ma,size);
3318 	}
3319 	return(TIFFReadDirEntryErrOk);
3320 }
3321 
TIFFReadDirEntryOutputErr(TIFF * tif,enum TIFFReadDirEntryErr err,const char * module,const char * tagname,int recover)3322 static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, const char* module, const char* tagname, int recover)
3323 {
3324 	if (!recover) {
3325 		switch (err) {
3326 			case TIFFReadDirEntryErrCount:
3327 				TIFFErrorExt(tif->tif_clientdata, module,
3328 					     "Incorrect count for \"%s\"",
3329 					     tagname);
3330 				break;
3331 			case TIFFReadDirEntryErrType:
3332 				TIFFErrorExt(tif->tif_clientdata, module,
3333 					     "Incompatible type for \"%s\"",
3334 					     tagname);
3335 				break;
3336 			case TIFFReadDirEntryErrIo:
3337 				TIFFErrorExt(tif->tif_clientdata, module,
3338 					     "IO error during reading of \"%s\"",
3339 					     tagname);
3340 				break;
3341 			case TIFFReadDirEntryErrRange:
3342 				TIFFErrorExt(tif->tif_clientdata, module,
3343 					     "Incorrect value for \"%s\"",
3344 					     tagname);
3345 				break;
3346 			case TIFFReadDirEntryErrPsdif:
3347 				TIFFErrorExt(tif->tif_clientdata, module,
3348 			"Cannot handle different values per sample for \"%s\"",
3349 					     tagname);
3350 				break;
3351 			case TIFFReadDirEntryErrSizesan:
3352 				TIFFErrorExt(tif->tif_clientdata, module,
3353 				"Sanity check on size of \"%s\" value failed",
3354 					     tagname);
3355 				break;
3356 			case TIFFReadDirEntryErrAlloc:
3357 				TIFFErrorExt(tif->tif_clientdata, module,
3358 					     "Out of memory reading of \"%s\"",
3359 					     tagname);
3360 				break;
3361 			default:
3362 				assert(0);   /* we should never get here */
3363 				break;
3364 		}
3365 	} else {
3366 		switch (err) {
3367 			case TIFFReadDirEntryErrCount:
3368 				TIFFWarningExt(tif->tif_clientdata, module,
3369 				"Incorrect count for \"%s\"; tag ignored",
3370 					     tagname);
3371 				break;
3372 			case TIFFReadDirEntryErrType:
3373 				TIFFWarningExt(tif->tif_clientdata, module,
3374 				"Incompatible type for \"%s\"; tag ignored",
3375 					       tagname);
3376 				break;
3377 			case TIFFReadDirEntryErrIo:
3378 				TIFFWarningExt(tif->tif_clientdata, module,
3379 			"IO error during reading of \"%s\"; tag ignored",
3380 					       tagname);
3381 				break;
3382 			case TIFFReadDirEntryErrRange:
3383 				TIFFWarningExt(tif->tif_clientdata, module,
3384 				"Incorrect value for \"%s\"; tag ignored",
3385 					       tagname);
3386 				break;
3387 			case TIFFReadDirEntryErrPsdif:
3388 				TIFFWarningExt(tif->tif_clientdata, module,
3389 	"Cannot handle different values per sample for \"%s\"; tag ignored",
3390 					       tagname);
3391 				break;
3392 			case TIFFReadDirEntryErrSizesan:
3393 				TIFFWarningExt(tif->tif_clientdata, module,
3394 		"Sanity check on size of \"%s\" value failed; tag ignored",
3395 					       tagname);
3396 				break;
3397 			case TIFFReadDirEntryErrAlloc:
3398 				TIFFWarningExt(tif->tif_clientdata, module,
3399 				"Out of memory reading of \"%s\"; tag ignored",
3400 					       tagname);
3401 				break;
3402 			default:
3403 				assert(0);   /* we should never get here */
3404 				break;
3405 		}
3406 	}
3407 }
3408 
3409 /*
3410  * Read the next TIFF directory from a file and convert it to the internal
3411  * format. We read directories sequentially.
3412  */
3413 int
TIFFReadDirectory(TIFF * tif)3414 TIFFReadDirectory(TIFF* tif)
3415 {
3416 	static const char module[] = "TIFFReadDirectory";
3417 	TIFFDirEntry* dir;
3418 	uint16 dircount;
3419 	TIFFDirEntry* dp;
3420 	uint16 di;
3421 	const TIFFField* fip;
3422 	uint32 fii=FAILED_FII;
3423         toff_t nextdiroff;
3424     int bitspersample_read = FALSE;
3425 
3426 	tif->tif_diroff=tif->tif_nextdiroff;
3427 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
3428 		return 0;           /* last offset or bad offset (IFD looping) */
3429 	(*tif->tif_cleanup)(tif);   /* cleanup any previous compression state */
3430 	tif->tif_curdir++;
3431         nextdiroff = tif->tif_nextdiroff;
3432 	dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff);
3433 	if (!dircount)
3434 	{
3435 		TIFFErrorExt(tif->tif_clientdata,module,
3436 		    "Failed to read directory at offset " TIFF_UINT64_FORMAT,nextdiroff);
3437 		return 0;
3438 	}
3439 	TIFFReadDirectoryCheckOrder(tif,dir,dircount);
3440 
3441         /*
3442          * Mark duplicates of any tag to be ignored (bugzilla 1994)
3443          * to avoid certain pathological problems.
3444          */
3445 	{
3446 		TIFFDirEntry* ma;
3447 		uint16 mb;
3448 		for (ma=dir, mb=0; mb<dircount; ma++, mb++)
3449 		{
3450 			TIFFDirEntry* na;
3451 			uint16 nb;
3452 			for (na=ma+1, nb=mb+1; nb<dircount; na++, nb++)
3453 			{
3454 				if (ma->tdir_tag==na->tdir_tag)
3455 					na->tdir_tag=IGNORE;
3456 			}
3457 		}
3458 	}
3459 
3460 	tif->tif_flags &= ~TIFF_BEENWRITING;    /* reset before new dir */
3461 	tif->tif_flags &= ~TIFF_BUF4WRITE;      /* reset before new dir */
3462 	/* free any old stuff and reinit */
3463 	TIFFFreeDirectory(tif);
3464 	TIFFDefaultDirectory(tif);
3465 	/*
3466 	 * Electronic Arts writes gray-scale TIFF files
3467 	 * without a PlanarConfiguration directory entry.
3468 	 * Thus we setup a default value here, even though
3469 	 * the TIFF spec says there is no default value.
3470 	 */
3471 	TIFFSetField(tif,TIFFTAG_PLANARCONFIG,PLANARCONFIG_CONTIG);
3472 	/*
3473 	 * Setup default value and then make a pass over
3474 	 * the fields to check type and tag information,
3475 	 * and to extract info required to size data
3476 	 * structures.  A second pass is made afterwards
3477 	 * to read in everything not taken in the first pass.
3478 	 * But we must process the Compression tag first
3479 	 * in order to merge in codec-private tag definitions (otherwise
3480 	 * we may get complaints about unknown tags).  However, the
3481 	 * Compression tag may be dependent on the SamplesPerPixel
3482 	 * tag value because older TIFF specs permitted Compression
3483 	 * to be written as a SamplesPerPixel-count tag entry.
3484 	 * Thus if we don't first figure out the correct SamplesPerPixel
3485 	 * tag value then we may end up ignoring the Compression tag
3486 	 * value because it has an incorrect count value (if the
3487 	 * true value of SamplesPerPixel is not 1).
3488 	 */
3489 	dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,TIFFTAG_SAMPLESPERPIXEL);
3490 	if (dp)
3491 	{
3492 		if (!TIFFFetchNormalTag(tif,dp,0))
3493 			goto bad;
3494 		dp->tdir_tag=IGNORE;
3495 	}
3496 	dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,TIFFTAG_COMPRESSION);
3497 	if (dp)
3498 	{
3499 		/*
3500 		 * The 5.0 spec says the Compression tag has one value, while
3501 		 * earlier specs say it has one value per sample.  Because of
3502 		 * this, we accept the tag if one value is supplied with either
3503 		 * count.
3504 		 */
3505 		uint16 value;
3506 		enum TIFFReadDirEntryErr err;
3507 		err=TIFFReadDirEntryShort(tif,dp,&value);
3508 		if (err==TIFFReadDirEntryErrCount)
3509 			err=TIFFReadDirEntryPersampleShort(tif,dp,&value);
3510 		if (err!=TIFFReadDirEntryErrOk)
3511 		{
3512 			TIFFReadDirEntryOutputErr(tif,err,module,"Compression",0);
3513 			goto bad;
3514 		}
3515 		if (!TIFFSetField(tif,TIFFTAG_COMPRESSION,value))
3516 			goto bad;
3517 		dp->tdir_tag=IGNORE;
3518 	}
3519 	else
3520 	{
3521 		if (!TIFFSetField(tif,TIFFTAG_COMPRESSION,COMPRESSION_NONE))
3522 			goto bad;
3523 	}
3524 	/*
3525 	 * First real pass over the directory.
3526 	 */
3527 	for (di=0, dp=dir; di<dircount; di++, dp++)
3528 	{
3529 		if (dp->tdir_tag!=IGNORE)
3530 		{
3531 			TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
3532 			if (fii == FAILED_FII)
3533 			{
3534 				TIFFWarningExt(tif->tif_clientdata, module,
3535 				    "Unknown field with tag %d (0x%x) encountered",
3536 				    dp->tdir_tag,dp->tdir_tag);
3537                                 /* the following knowingly leaks the
3538                                    anonymous field structure */
3539 				if (!_TIFFMergeFields(tif,
3540 					_TIFFCreateAnonField(tif,
3541 						dp->tdir_tag,
3542 						(TIFFDataType) dp->tdir_type),
3543 					1)) {
3544 					TIFFWarningExt(tif->tif_clientdata,
3545 					    module,
3546 					    "Registering anonymous field with tag %d (0x%x) failed",
3547 					    dp->tdir_tag,
3548 					    dp->tdir_tag);
3549 					dp->tdir_tag=IGNORE;
3550 				} else {
3551 					TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
3552 					assert(fii != FAILED_FII);
3553 				}
3554 			}
3555 		}
3556 		if (dp->tdir_tag!=IGNORE)
3557 		{
3558 			fip=tif->tif_fields[fii];
3559 			if (fip->field_bit==FIELD_IGNORE)
3560 				dp->tdir_tag=IGNORE;
3561 			else
3562 			{
3563 				switch (dp->tdir_tag)
3564 				{
3565 					case TIFFTAG_STRIPOFFSETS:
3566 					case TIFFTAG_STRIPBYTECOUNTS:
3567 					case TIFFTAG_TILEOFFSETS:
3568 					case TIFFTAG_TILEBYTECOUNTS:
3569 						TIFFSetFieldBit(tif,fip->field_bit);
3570 						break;
3571 					case TIFFTAG_IMAGEWIDTH:
3572 					case TIFFTAG_IMAGELENGTH:
3573 					case TIFFTAG_IMAGEDEPTH:
3574 					case TIFFTAG_TILELENGTH:
3575 					case TIFFTAG_TILEWIDTH:
3576 					case TIFFTAG_TILEDEPTH:
3577 					case TIFFTAG_PLANARCONFIG:
3578 					case TIFFTAG_ROWSPERSTRIP:
3579 					case TIFFTAG_EXTRASAMPLES:
3580 						if (!TIFFFetchNormalTag(tif,dp,0))
3581 							goto bad;
3582 						dp->tdir_tag=IGNORE;
3583 						break;
3584 				}
3585 			}
3586 		}
3587 	}
3588 	/*
3589 	 * XXX: OJPEG hack.
3590 	 * If a) compression is OJPEG, b) planarconfig tag says it's separate,
3591 	 * c) strip offsets/bytecounts tag are both present and
3592 	 * d) both contain exactly one value, then we consistently find
3593 	 * that the buggy implementation of the buggy compression scheme
3594 	 * matches contig planarconfig best. So we 'fix-up' the tag here
3595 	 */
3596 	if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
3597 	    (tif->tif_dir.td_planarconfig==PLANARCONFIG_SEPARATE))
3598 	{
3599         if (!_TIFFFillStriles(tif))
3600             goto bad;
3601 		dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,TIFFTAG_STRIPOFFSETS);
3602 		if ((dp!=0)&&(dp->tdir_count==1))
3603 		{
3604 			dp=TIFFReadDirectoryFindEntry(tif,dir,dircount,
3605 			    TIFFTAG_STRIPBYTECOUNTS);
3606 			if ((dp!=0)&&(dp->tdir_count==1))
3607 			{
3608 				tif->tif_dir.td_planarconfig=PLANARCONFIG_CONTIG;
3609 				TIFFWarningExt(tif->tif_clientdata,module,
3610 				    "Planarconfig tag value assumed incorrect, "
3611 				    "assuming data is contig instead of chunky");
3612 			}
3613 		}
3614 	}
3615 	/*
3616 	 * Allocate directory structure and setup defaults.
3617 	 */
3618 	if (!TIFFFieldSet(tif,FIELD_IMAGEDIMENSIONS))
3619 	{
3620 		MissingRequired(tif,"ImageLength");
3621 		goto bad;
3622 	}
3623 	/*
3624 	 * Setup appropriate structures (by strip or by tile)
3625 	 */
3626 	if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
3627 		tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
3628 		tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
3629 		tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
3630 		tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
3631 		tif->tif_flags &= ~TIFF_ISTILED;
3632 	} else {
3633 		tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
3634 		tif->tif_flags |= TIFF_ISTILED;
3635 	}
3636 	if (!tif->tif_dir.td_nstrips) {
3637 		TIFFErrorExt(tif->tif_clientdata, module,
3638 		    "Cannot handle zero number of %s",
3639 		    isTiled(tif) ? "tiles" : "strips");
3640 		goto bad;
3641 	}
3642 	if (tif->tif_dir.td_nstrips > INT_MAX) {
3643 		TIFFErrorExt(tif->tif_clientdata, module,
3644 		    "Cannot handle %u number of %s",
3645 		    tif->tif_dir.td_nstrips,
3646 		    isTiled(tif) ? "tiles" : "strips");
3647 		goto bad;
3648 	}
3649 	tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
3650 	if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
3651 		tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
3652 	if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
3653 #ifdef OJPEG_SUPPORT
3654 		if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
3655 		    (isTiled(tif)==0) &&
3656 		    (tif->tif_dir.td_nstrips==1)) {
3657 			/*
3658 			 * XXX: OJPEG hack.
3659 			 * If a) compression is OJPEG, b) it's not a tiled TIFF,
3660 			 * and c) the number of strips is 1,
3661 			 * then we tolerate the absence of stripoffsets tag,
3662 			 * because, presumably, all required data is in the
3663 			 * JpegInterchangeFormat stream.
3664 			 */
3665 			TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
3666 		} else
3667 #endif
3668         {
3669 			MissingRequired(tif,
3670 				isTiled(tif) ? "TileOffsets" : "StripOffsets");
3671 			goto bad;
3672 		}
3673 	}
3674 	/*
3675 	 * Second pass: extract other information.
3676 	 */
3677 	for (di=0, dp=dir; di<dircount; di++, dp++)
3678 	{
3679 		switch (dp->tdir_tag)
3680 		{
3681 			case IGNORE:
3682 				break;
3683 			case TIFFTAG_MINSAMPLEVALUE:
3684 			case TIFFTAG_MAXSAMPLEVALUE:
3685 			case TIFFTAG_BITSPERSAMPLE:
3686 			case TIFFTAG_DATATYPE:
3687 			case TIFFTAG_SAMPLEFORMAT:
3688 				/*
3689 				 * The MinSampleValue, MaxSampleValue, BitsPerSample
3690 				 * DataType and SampleFormat tags are supposed to be
3691 				 * written as one value/sample, but some vendors
3692 				 * incorrectly write one value only -- so we accept
3693 				 * that as well (yuck). Other vendors write correct
3694 				 * value for NumberOfSamples, but incorrect one for
3695 				 * BitsPerSample and friends, and we will read this
3696 				 * too.
3697 				 */
3698 				{
3699 					uint16 value;
3700 					enum TIFFReadDirEntryErr err;
3701 					err=TIFFReadDirEntryShort(tif,dp,&value);
3702 					if (err==TIFFReadDirEntryErrCount)
3703 						err=TIFFReadDirEntryPersampleShort(tif,dp,&value);
3704 					if (err!=TIFFReadDirEntryErrOk)
3705 					{
3706 						fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3707 						TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
3708 						goto bad;
3709 					}
3710 					if (!TIFFSetField(tif,dp->tdir_tag,value))
3711 						goto bad;
3712                     if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
3713                         bitspersample_read = TRUE;
3714 				}
3715 				break;
3716 			case TIFFTAG_SMINSAMPLEVALUE:
3717 			case TIFFTAG_SMAXSAMPLEVALUE:
3718 				{
3719 
3720 					double *data = NULL;
3721 					enum TIFFReadDirEntryErr err;
3722 					uint32 saved_flags;
3723 					int m;
3724 					if (dp->tdir_count != (uint64)tif->tif_dir.td_samplesperpixel)
3725 						err = TIFFReadDirEntryErrCount;
3726 					else
3727 						err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
3728 					if (err!=TIFFReadDirEntryErrOk)
3729 					{
3730 						fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3731 						TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
3732 						goto bad;
3733 					}
3734 					saved_flags = tif->tif_flags;
3735 					tif->tif_flags |= TIFF_PERSAMPLE;
3736 					m = TIFFSetField(tif,dp->tdir_tag,data);
3737 					tif->tif_flags = saved_flags;
3738 					_TIFFfree(data);
3739 					if (!m)
3740 						goto bad;
3741 				}
3742 				break;
3743 			case TIFFTAG_STRIPOFFSETS:
3744 			case TIFFTAG_TILEOFFSETS:
3745 #if defined(DEFER_STRILE_LOAD)
3746                                 _TIFFmemcpy( &(tif->tif_dir.td_stripoffset_entry),
3747                                              dp, sizeof(TIFFDirEntry) );
3748 #else
3749                                 if( tif->tif_dir.td_stripoffset != NULL )
3750                                 {
3751                                     TIFFErrorExt(tif->tif_clientdata, module,
3752                                         "tif->tif_dir.td_stripoffset is "
3753                                         "already allocated. Likely duplicated "
3754                                         "StripOffsets/TileOffsets tag");
3755                                     goto bad;
3756                                 }
3757 				if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripoffset))
3758 					goto bad;
3759 #endif
3760 				break;
3761 			case TIFFTAG_STRIPBYTECOUNTS:
3762 			case TIFFTAG_TILEBYTECOUNTS:
3763 #if defined(DEFER_STRILE_LOAD)
3764                                 _TIFFmemcpy( &(tif->tif_dir.td_stripbytecount_entry),
3765                                              dp, sizeof(TIFFDirEntry) );
3766 #else
3767                                 if( tif->tif_dir.td_stripbytecount != NULL )
3768                                 {
3769                                     TIFFErrorExt(tif->tif_clientdata, module,
3770                                         "tif->tif_dir.td_stripbytecount is "
3771                                         "already allocated. Likely duplicated "
3772                                         "StripByteCounts/TileByteCounts tag");
3773                                     goto bad;
3774                                 }
3775                                 if (!TIFFFetchStripThing(tif,dp,tif->tif_dir.td_nstrips,&tif->tif_dir.td_stripbytecount))
3776 					goto bad;
3777 #endif
3778 				break;
3779 			case TIFFTAG_COLORMAP:
3780 			case TIFFTAG_TRANSFERFUNCTION:
3781 				{
3782 					enum TIFFReadDirEntryErr err;
3783 					uint32 countpersample;
3784 					uint32 countrequired;
3785 					uint32 incrementpersample;
3786 					uint16* value=NULL;
3787                     /* It would be dangerous to instantiate those tag values */
3788                     /* since if td_bitspersample has not yet been read (due to */
3789                     /* unordered tags), it could be read afterwards with a */
3790                     /* values greater than the default one (1), which may cause */
3791                     /* crashes in user code */
3792                     if( !bitspersample_read )
3793                     {
3794                         fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3795                         TIFFWarningExt(tif->tif_clientdata,module,
3796                                        "Ignoring %s since BitsPerSample tag not found",
3797                                        fip ? fip->field_name : "unknown tagname");
3798                         continue;
3799                     }
3800 					/* ColorMap or TransferFunction for high bit */
3801 					/* depths do not make much sense and could be */
3802 					/* used as a denial of service vector */
3803 					if (tif->tif_dir.td_bitspersample > 24)
3804 					{
3805 					    fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3806 					    TIFFWarningExt(tif->tif_clientdata,module,
3807 						"Ignoring %s because BitsPerSample=%d>24",
3808 						fip ? fip->field_name : "unknown tagname",
3809 						tif->tif_dir.td_bitspersample);
3810 					    continue;
3811 					}
3812 					countpersample=(1U<<tif->tif_dir.td_bitspersample);
3813 					if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
3814 					{
3815 						countrequired=countpersample;
3816 						incrementpersample=0;
3817 					}
3818 					else
3819 					{
3820 						countrequired=3*countpersample;
3821 						incrementpersample=countpersample;
3822 					}
3823 					if (dp->tdir_count!=(uint64)countrequired)
3824 						err=TIFFReadDirEntryErrCount;
3825 					else
3826 						err=TIFFReadDirEntryShortArray(tif,dp,&value);
3827 					if (err!=TIFFReadDirEntryErrOk)
3828                     {
3829 						fip = TIFFFieldWithTag(tif,dp->tdir_tag);
3830 						TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",1);
3831                     }
3832 					else
3833 					{
3834 						TIFFSetField(tif,dp->tdir_tag,value,value+incrementpersample,value+2*incrementpersample);
3835 						_TIFFfree(value);
3836 					}
3837 				}
3838 				break;
3839 /* BEGIN REV 4.0 COMPATIBILITY */
3840 			case TIFFTAG_OSUBFILETYPE:
3841 				{
3842 					uint16 valueo;
3843 					uint32 value;
3844 					if (TIFFReadDirEntryShort(tif,dp,&valueo)==TIFFReadDirEntryErrOk)
3845 					{
3846 						switch (valueo)
3847 						{
3848 							case OFILETYPE_REDUCEDIMAGE: value=FILETYPE_REDUCEDIMAGE; break;
3849 							case OFILETYPE_PAGE: value=FILETYPE_PAGE; break;
3850 							default: value=0; break;
3851 						}
3852 						if (value!=0)
3853 							TIFFSetField(tif,TIFFTAG_SUBFILETYPE,value);
3854 					}
3855 				}
3856 				break;
3857 /* END REV 4.0 COMPATIBILITY */
3858 			default:
3859 				(void) TIFFFetchNormalTag(tif, dp, TRUE);
3860 				break;
3861 		}
3862 	}
3863 	/*
3864 	 * OJPEG hack:
3865 	 * - If a) compression is OJPEG, and b) photometric tag is missing,
3866 	 * then we consistently find that photometric should be YCbCr
3867 	 * - If a) compression is OJPEG, and b) photometric tag says it's RGB,
3868 	 * then we consistently find that the buggy implementation of the
3869 	 * buggy compression scheme matches photometric YCbCr instead.
3870 	 * - If a) compression is OJPEG, and b) bitspersample tag is missing,
3871 	 * then we consistently find bitspersample should be 8.
3872 	 * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
3873 	 * and c) photometric is RGB or YCbCr, then we consistently find
3874 	 * samplesperpixel should be 3
3875 	 * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
3876 	 * and c) photometric is MINISWHITE or MINISBLACK, then we consistently
3877 	 * find samplesperpixel should be 3
3878 	 */
3879 	if (tif->tif_dir.td_compression==COMPRESSION_OJPEG)
3880 	{
3881 		if (!TIFFFieldSet(tif,FIELD_PHOTOMETRIC))
3882 		{
3883 			TIFFWarningExt(tif->tif_clientdata, module,
3884 			    "Photometric tag is missing, assuming data is YCbCr");
3885 			if (!TIFFSetField(tif,TIFFTAG_PHOTOMETRIC,PHOTOMETRIC_YCBCR))
3886 				goto bad;
3887 		}
3888 		else if (tif->tif_dir.td_photometric==PHOTOMETRIC_RGB)
3889 		{
3890 			tif->tif_dir.td_photometric=PHOTOMETRIC_YCBCR;
3891 			TIFFWarningExt(tif->tif_clientdata, module,
3892 			    "Photometric tag value assumed incorrect, "
3893 			    "assuming data is YCbCr instead of RGB");
3894 		}
3895 		if (!TIFFFieldSet(tif,FIELD_BITSPERSAMPLE))
3896 		{
3897 			TIFFWarningExt(tif->tif_clientdata,module,
3898 			    "BitsPerSample tag is missing, assuming 8 bits per sample");
3899 			if (!TIFFSetField(tif,TIFFTAG_BITSPERSAMPLE,8))
3900 				goto bad;
3901 		}
3902 		if (!TIFFFieldSet(tif,FIELD_SAMPLESPERPIXEL))
3903 		{
3904 			if (tif->tif_dir.td_photometric==PHOTOMETRIC_RGB)
3905 			{
3906 				TIFFWarningExt(tif->tif_clientdata,module,
3907 				    "SamplesPerPixel tag is missing, "
3908 				    "assuming correct SamplesPerPixel value is 3");
3909 				if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,3))
3910 					goto bad;
3911 			}
3912 			if (tif->tif_dir.td_photometric==PHOTOMETRIC_YCBCR)
3913 			{
3914 				TIFFWarningExt(tif->tif_clientdata,module,
3915 				    "SamplesPerPixel tag is missing, "
3916 				    "applying correct SamplesPerPixel value of 3");
3917 				if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,3))
3918 					goto bad;
3919 			}
3920 			else if ((tif->tif_dir.td_photometric==PHOTOMETRIC_MINISWHITE)
3921 				 || (tif->tif_dir.td_photometric==PHOTOMETRIC_MINISBLACK))
3922 			{
3923 				/*
3924 				 * SamplesPerPixel tag is missing, but is not required
3925 				 * by spec.  Assume correct SamplesPerPixel value of 1.
3926 				 */
3927 				if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
3928 					goto bad;
3929 			}
3930 		}
3931 	}
3932 	/*
3933 	 * Verify Palette image has a Colormap.
3934 	 */
3935 	if (tif->tif_dir.td_photometric == PHOTOMETRIC_PALETTE &&
3936 	    !TIFFFieldSet(tif, FIELD_COLORMAP)) {
3937 		if ( tif->tif_dir.td_bitspersample>=8 && tif->tif_dir.td_samplesperpixel==3)
3938 			tif->tif_dir.td_photometric = PHOTOMETRIC_RGB;
3939 		else if (tif->tif_dir.td_bitspersample>=8)
3940 			tif->tif_dir.td_photometric = PHOTOMETRIC_MINISBLACK;
3941 		else {
3942 			MissingRequired(tif, "Colormap");
3943 			goto bad;
3944 		}
3945 	}
3946 	/*
3947 	 * OJPEG hack:
3948 	 * We do no further messing with strip/tile offsets/bytecounts in OJPEG
3949 	 * TIFFs
3950 	 */
3951 	if (tif->tif_dir.td_compression!=COMPRESSION_OJPEG)
3952 	{
3953 		/*
3954 		 * Attempt to deal with a missing StripByteCounts tag.
3955 		 */
3956 		if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
3957 			/*
3958 			 * Some manufacturers violate the spec by not giving
3959 			 * the size of the strips.  In this case, assume there
3960 			 * is one uncompressed strip of data.
3961 			 */
3962 			if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
3963 			    tif->tif_dir.td_nstrips > 1) ||
3964 			    (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE &&
3965 			     tif->tif_dir.td_nstrips != (uint32)tif->tif_dir.td_samplesperpixel)) {
3966 			    MissingRequired(tif, "StripByteCounts");
3967 			    goto bad;
3968 			}
3969 			TIFFWarningExt(tif->tif_clientdata, module,
3970 				"TIFF directory is missing required "
3971 				"\"StripByteCounts\" field, calculating from imagelength");
3972 			if (EstimateStripByteCounts(tif, dir, dircount) < 0)
3973 			    goto bad;
3974 		/*
3975 		 * Assume we have wrong StripByteCount value (in case
3976 		 * of single strip) in following cases:
3977 		 *   - it is equal to zero along with StripOffset;
3978 		 *   - it is larger than file itself (in case of uncompressed
3979 		 *     image);
3980 		 *   - it is smaller than the size of the bytes per row
3981 		 *     multiplied on the number of rows.  The last case should
3982 		 *     not be checked in the case of writing new image,
3983 		 *     because we may do not know the exact strip size
3984 		 *     until the whole image will be written and directory
3985 		 *     dumped out.
3986 		 */
3987 		#define	BYTECOUNTLOOKSBAD \
3988 		    ( (tif->tif_dir.td_stripbytecount[0] == 0 && tif->tif_dir.td_stripoffset[0] != 0) || \
3989 		      (tif->tif_dir.td_compression == COMPRESSION_NONE && \
3990 		       tif->tif_dir.td_stripbytecount[0] > TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) || \
3991 		      (tif->tif_mode == O_RDONLY && \
3992 		       tif->tif_dir.td_compression == COMPRESSION_NONE && \
3993 		       tif->tif_dir.td_stripbytecount[0] < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength) )
3994 
3995 		} else if (tif->tif_dir.td_nstrips == 1
3996                            && _TIFFFillStriles(tif)
3997 			   && tif->tif_dir.td_stripoffset[0] != 0
3998 			   && BYTECOUNTLOOKSBAD) {
3999 			/*
4000 			 * XXX: Plexus (and others) sometimes give a value of
4001 			 * zero for a tag when they don't know what the
4002 			 * correct value is!  Try and handle the simple case
4003 			 * of estimating the size of a one strip image.
4004 			 */
4005 			TIFFWarningExt(tif->tif_clientdata, module,
4006 			    "Bogus \"StripByteCounts\" field, ignoring and calculating from imagelength");
4007 			if(EstimateStripByteCounts(tif, dir, dircount) < 0)
4008 			    goto bad;
4009 
4010 #if !defined(DEFER_STRILE_LOAD)
4011 		} else if (tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG
4012 			   && tif->tif_dir.td_nstrips > 2
4013 			   && tif->tif_dir.td_compression == COMPRESSION_NONE
4014 			   && tif->tif_dir.td_stripbytecount[0] != tif->tif_dir.td_stripbytecount[1]
4015 			   && tif->tif_dir.td_stripbytecount[0] != 0
4016 			   && tif->tif_dir.td_stripbytecount[1] != 0 ) {
4017 			/*
4018 			 * XXX: Some vendors fill StripByteCount array with
4019 			 * absolutely wrong values (it can be equal to
4020 			 * StripOffset array, for example). Catch this case
4021 			 * here.
4022                          *
4023                          * We avoid this check if deferring strile loading
4024                          * as it would always force us to load the strip/tile
4025                          * information.
4026 			 */
4027 			TIFFWarningExt(tif->tif_clientdata, module,
4028 			    "Wrong \"StripByteCounts\" field, ignoring and calculating from imagelength");
4029 			if (EstimateStripByteCounts(tif, dir, dircount) < 0)
4030 			    goto bad;
4031 #endif /* !defined(DEFER_STRILE_LOAD) */
4032 		}
4033 	}
4034 	if (dir)
4035 	{
4036 		_TIFFfree(dir);
4037 		dir=NULL;
4038 	}
4039 	if (!TIFFFieldSet(tif, FIELD_MAXSAMPLEVALUE))
4040 	{
4041 		if (tif->tif_dir.td_bitspersample>=16)
4042 			tif->tif_dir.td_maxsamplevalue=0xFFFF;
4043 		else
4044 			tif->tif_dir.td_maxsamplevalue = (uint16)((1L<<tif->tif_dir.td_bitspersample)-1);
4045 	}
4046 	/*
4047 	 * XXX: We can optimize checking for the strip bounds using the sorted
4048 	 * bytecounts array. See also comments for TIFFAppendToStrip()
4049 	 * function in tif_write.c.
4050 	 */
4051 #if !defined(DEFER_STRILE_LOAD)
4052 	if (tif->tif_dir.td_nstrips > 1) {
4053 		uint32 strip;
4054 
4055 		tif->tif_dir.td_stripbytecountsorted = 1;
4056 		for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
4057 			if (tif->tif_dir.td_stripoffset[strip - 1] >
4058 			    tif->tif_dir.td_stripoffset[strip]) {
4059 				tif->tif_dir.td_stripbytecountsorted = 0;
4060 				break;
4061 			}
4062 		}
4063 	}
4064 #endif /* !defined(DEFER_STRILE_LOAD) */
4065 
4066 	/*
4067 	 * An opportunity for compression mode dependent tag fixup
4068 	 */
4069 	(*tif->tif_fixuptags)(tif);
4070 
4071 	/*
4072 	 * Some manufacturers make life difficult by writing
4073 	 * large amounts of uncompressed data as a single strip.
4074 	 * This is contrary to the recommendations of the spec.
4075 	 * The following makes an attempt at breaking such images
4076 	 * into strips closer to the recommended 8k bytes.  A
4077 	 * side effect, however, is that the RowsPerStrip tag
4078 	 * value may be changed.
4079 	 */
4080 	if ((tif->tif_dir.td_planarconfig==PLANARCONFIG_CONTIG)&&
4081 	    (tif->tif_dir.td_nstrips==1)&&
4082 	    (tif->tif_dir.td_compression==COMPRESSION_NONE)&&
4083 	    ((tif->tif_flags&(TIFF_STRIPCHOP|TIFF_ISTILED))==TIFF_STRIPCHOP))
4084     {
4085         if ( !_TIFFFillStriles(tif) || !tif->tif_dir.td_stripbytecount )
4086             return 0;
4087 		ChopUpSingleUncompressedStrip(tif);
4088     }
4089 
4090         /*
4091          * Clear the dirty directory flag.
4092          */
4093 	tif->tif_flags &= ~TIFF_DIRTYDIRECT;
4094 	tif->tif_flags &= ~TIFF_DIRTYSTRIP;
4095 
4096 	/*
4097 	 * Reinitialize i/o since we are starting on a new directory.
4098 	 */
4099 	tif->tif_row = (uint32) -1;
4100 	tif->tif_curstrip = (uint32) -1;
4101 	tif->tif_col = (uint32) -1;
4102 	tif->tif_curtile = (uint32) -1;
4103 	tif->tif_tilesize = (tmsize_t) -1;
4104 
4105 	tif->tif_scanlinesize = TIFFScanlineSize(tif);
4106 	if (!tif->tif_scanlinesize) {
4107 		TIFFErrorExt(tif->tif_clientdata, module,
4108 		    "Cannot handle zero scanline size");
4109 		return (0);
4110 	}
4111 
4112 	if (isTiled(tif)) {
4113 		tif->tif_tilesize = TIFFTileSize(tif);
4114 		if (!tif->tif_tilesize) {
4115 			TIFFErrorExt(tif->tif_clientdata, module,
4116 			     "Cannot handle zero tile size");
4117 			return (0);
4118 		}
4119 	} else {
4120 		if (!TIFFStripSize(tif)) {
4121 			TIFFErrorExt(tif->tif_clientdata, module,
4122 			    "Cannot handle zero strip size");
4123 			return (0);
4124 		}
4125 	}
4126 	return (1);
4127 bad:
4128 	if (dir)
4129 		_TIFFfree(dir);
4130 	return (0);
4131 }
4132 
4133 static void
TIFFReadDirectoryCheckOrder(TIFF * tif,TIFFDirEntry * dir,uint16 dircount)4134 TIFFReadDirectoryCheckOrder(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
4135 {
4136 	static const char module[] = "TIFFReadDirectoryCheckOrder";
4137 	uint16 m;
4138 	uint16 n;
4139 	TIFFDirEntry* o;
4140 	m=0;
4141 	for (n=0, o=dir; n<dircount; n++, o++)
4142 	{
4143 		if (o->tdir_tag<m)
4144 		{
4145 			TIFFWarningExt(tif->tif_clientdata,module,
4146 			    "Invalid TIFF directory; tags are not sorted in ascending order");
4147 			break;
4148 		}
4149 		m=o->tdir_tag+1;
4150 	}
4151 }
4152 
4153 static TIFFDirEntry*
TIFFReadDirectoryFindEntry(TIFF * tif,TIFFDirEntry * dir,uint16 dircount,uint16 tagid)4154 TIFFReadDirectoryFindEntry(TIFF* tif, TIFFDirEntry* dir, uint16 dircount, uint16 tagid)
4155 {
4156 	TIFFDirEntry* m;
4157 	uint16 n;
4158 	(void) tif;
4159 	for (m=dir, n=0; n<dircount; m++, n++)
4160 	{
4161 		if (m->tdir_tag==tagid)
4162 			return(m);
4163 	}
4164 	return(0);
4165 }
4166 
4167 static void
TIFFReadDirectoryFindFieldInfo(TIFF * tif,uint16 tagid,uint32 * fii)4168 TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16 tagid, uint32* fii)
4169 {
4170 	int32 ma,mb,mc;
4171 	ma=-1;
4172 	mc=(int32)tif->tif_nfields;
4173 	while (1)
4174 	{
4175 		if (ma+1==mc)
4176 		{
4177 			*fii = FAILED_FII;
4178 			return;
4179 		}
4180 		mb=(ma+mc)/2;
4181 		if (tif->tif_fields[mb]->field_tag==(uint32)tagid)
4182 			break;
4183 		if (tif->tif_fields[mb]->field_tag<(uint32)tagid)
4184 			ma=mb;
4185 		else
4186 			mc=mb;
4187 	}
4188 	while (1)
4189 	{
4190 		if (mb==0)
4191 			break;
4192 		if (tif->tif_fields[mb-1]->field_tag!=(uint32)tagid)
4193 			break;
4194 		mb--;
4195 	}
4196 	*fii=mb;
4197 }
4198 
4199 /*
4200  * Read custom directory from the arbitrary offset.
4201  * The code is very similar to TIFFReadDirectory().
4202  */
4203 int
TIFFReadCustomDirectory(TIFF * tif,toff_t diroff,const TIFFFieldArray * infoarray)4204 TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
4205 			const TIFFFieldArray* infoarray)
4206 {
4207 	static const char module[] = "TIFFReadCustomDirectory";
4208 	TIFFDirEntry* dir;
4209 	uint16 dircount;
4210 	TIFFDirEntry* dp;
4211 	uint16 di;
4212 	const TIFFField* fip;
4213 	uint32 fii;
4214 	_TIFFSetupFields(tif, infoarray);
4215 	dircount=TIFFFetchDirectory(tif,diroff,&dir,NULL);
4216 	if (!dircount)
4217 	{
4218 		TIFFErrorExt(tif->tif_clientdata,module,
4219 		    "Failed to read custom directory at offset " TIFF_UINT64_FORMAT,diroff);
4220 		return 0;
4221 	}
4222 	TIFFFreeDirectory(tif);
4223 	_TIFFmemset(&tif->tif_dir, 0, sizeof(TIFFDirectory));
4224 	TIFFReadDirectoryCheckOrder(tif,dir,dircount);
4225 	for (di=0, dp=dir; di<dircount; di++, dp++)
4226 	{
4227 		TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
4228 		if (fii == FAILED_FII)
4229 		{
4230 			TIFFWarningExt(tif->tif_clientdata, module,
4231 			    "Unknown field with tag %d (0x%x) encountered",
4232 			    dp->tdir_tag, dp->tdir_tag);
4233 			if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
4234 						dp->tdir_tag,
4235 						(TIFFDataType) dp->tdir_type),
4236 					     1)) {
4237 				TIFFWarningExt(tif->tif_clientdata, module,
4238 				    "Registering anonymous field with tag %d (0x%x) failed",
4239 				    dp->tdir_tag, dp->tdir_tag);
4240 				dp->tdir_tag=IGNORE;
4241 			} else {
4242 				TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
4243 				assert( fii != FAILED_FII );
4244 			}
4245 		}
4246 		if (dp->tdir_tag!=IGNORE)
4247 		{
4248 			fip=tif->tif_fields[fii];
4249 			if (fip->field_bit==FIELD_IGNORE)
4250 				dp->tdir_tag=IGNORE;
4251 			else
4252 			{
4253 				/* check data type */
4254 				while ((fip->field_type!=TIFF_ANY)&&(fip->field_type!=dp->tdir_type))
4255 				{
4256 					fii++;
4257 					if ((fii==tif->tif_nfields)||
4258 					    (tif->tif_fields[fii]->field_tag!=(uint32)dp->tdir_tag))
4259 					{
4260 						fii=0xFFFF;
4261 						break;
4262 					}
4263 					fip=tif->tif_fields[fii];
4264 				}
4265 				if (fii==0xFFFF)
4266 				{
4267 					TIFFWarningExt(tif->tif_clientdata, module,
4268 					    "Wrong data type %d for \"%s\"; tag ignored",
4269 					    dp->tdir_type,fip->field_name);
4270 					dp->tdir_tag=IGNORE;
4271 				}
4272 				else
4273 				{
4274 					/* check count if known in advance */
4275 					if ((fip->field_readcount!=TIFF_VARIABLE)&&
4276 					    (fip->field_readcount!=TIFF_VARIABLE2))
4277 					{
4278 						uint32 expected;
4279 						if (fip->field_readcount==TIFF_SPP)
4280 							expected=(uint32)tif->tif_dir.td_samplesperpixel;
4281 						else
4282 							expected=(uint32)fip->field_readcount;
4283 						if (!CheckDirCount(tif,dp,expected))
4284 							dp->tdir_tag=IGNORE;
4285 					}
4286 				}
4287 			}
4288 			switch (dp->tdir_tag)
4289 			{
4290 				case IGNORE:
4291 					break;
4292 				case EXIFTAG_SUBJECTDISTANCE:
4293 					(void) TIFFFetchSubjectDistance(tif,dp);
4294 					break;
4295 				default:
4296 					(void) TIFFFetchNormalTag(tif, dp, TRUE);
4297 					break;
4298 			}
4299 		}
4300 	}
4301 	if (dir)
4302 		_TIFFfree(dir);
4303 	return 1;
4304 }
4305 
4306 /*
4307  * EXIF is important special case of custom IFD, so we have a special
4308  * function to read it.
4309  */
4310 int
TIFFReadEXIFDirectory(TIFF * tif,toff_t diroff)4311 TIFFReadEXIFDirectory(TIFF* tif, toff_t diroff)
4312 {
4313 	const TIFFFieldArray* exifFieldArray;
4314 	exifFieldArray = _TIFFGetExifFields();
4315 	return TIFFReadCustomDirectory(tif, diroff, exifFieldArray);
4316 }
4317 
4318 static int
EstimateStripByteCounts(TIFF * tif,TIFFDirEntry * dir,uint16 dircount)4319 EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
4320 {
4321 	static const char module[] = "EstimateStripByteCounts";
4322 
4323 	TIFFDirEntry *dp;
4324 	TIFFDirectory *td = &tif->tif_dir;
4325 	uint32 strip;
4326 
4327     /* Do not try to load stripbytecount as we will compute it */
4328         if( !_TIFFFillStrilesInternal( tif, 0 ) )
4329             return -1;
4330 
4331 	if (td->td_stripbytecount)
4332 		_TIFFfree(td->td_stripbytecount);
4333 	td->td_stripbytecount = (uint64*)
4334 	    _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
4335 		"for \"StripByteCounts\" array");
4336         if( td->td_stripbytecount == NULL )
4337             return -1;
4338 
4339 	if (td->td_compression != COMPRESSION_NONE) {
4340 		uint64 space;
4341 		uint64 filesize;
4342 		uint16 n;
4343 		filesize = TIFFGetFileSize(tif);
4344 		if (!(tif->tif_flags&TIFF_BIGTIFF))
4345 			space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
4346 		else
4347 			space=sizeof(TIFFHeaderBig)+8+dircount*20+8;
4348 		/* calculate amount of space used by indirect values */
4349 		for (dp = dir, n = dircount; n > 0; n--, dp++)
4350 		{
4351 			uint32 typewidth;
4352 			uint64 datasize;
4353 			typewidth = TIFFDataWidth((TIFFDataType) dp->tdir_type);
4354 			if (typewidth == 0) {
4355 				TIFFErrorExt(tif->tif_clientdata, module,
4356 				    "Cannot determine size of unknown tag type %d",
4357 				    dp->tdir_type);
4358 				return -1;
4359 			}
4360 			datasize=(uint64)typewidth*dp->tdir_count;
4361 			if (!(tif->tif_flags&TIFF_BIGTIFF))
4362 			{
4363 				if (datasize<=4)
4364 					datasize=0;
4365 			}
4366 			else
4367 			{
4368 				if (datasize<=8)
4369 					datasize=0;
4370 			}
4371 			space+=datasize;
4372 		}
4373 		space = filesize - space;
4374 		if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
4375 			space /= td->td_samplesperpixel;
4376 		for (strip = 0; strip < td->td_nstrips; strip++)
4377 			td->td_stripbytecount[strip] = space;
4378 		/*
4379 		 * This gross hack handles the case were the offset to
4380 		 * the last strip is past the place where we think the strip
4381 		 * should begin.  Since a strip of data must be contiguous,
4382 		 * it's safe to assume that we've overestimated the amount
4383 		 * of data in the strip and trim this number back accordingly.
4384 		 */
4385 		strip--;
4386 		if (td->td_stripoffset[strip]+td->td_stripbytecount[strip] > filesize)
4387 			td->td_stripbytecount[strip] = filesize - td->td_stripoffset[strip];
4388 	} else if (isTiled(tif)) {
4389 		uint64 bytespertile = TIFFTileSize64(tif);
4390 
4391 		for (strip = 0; strip < td->td_nstrips; strip++)
4392 		    td->td_stripbytecount[strip] = bytespertile;
4393 	} else {
4394 		uint64 rowbytes = TIFFScanlineSize64(tif);
4395 		uint32 rowsperstrip = td->td_imagelength/td->td_stripsperimage;
4396 		for (strip = 0; strip < td->td_nstrips; strip++)
4397 			td->td_stripbytecount[strip] = rowbytes * rowsperstrip;
4398 	}
4399 	TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
4400 	if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
4401 		td->td_rowsperstrip = td->td_imagelength;
4402 	return 1;
4403 }
4404 
4405 static void
MissingRequired(TIFF * tif,const char * tagname)4406 MissingRequired(TIFF* tif, const char* tagname)
4407 {
4408 	static const char module[] = "MissingRequired";
4409 
4410 	TIFFErrorExt(tif->tif_clientdata, module,
4411 	    "TIFF directory is missing required \"%s\" field",
4412 	    tagname);
4413 }
4414 
4415 /*
4416  * Check the directory offset against the list of already seen directory
4417  * offsets. This is a trick to prevent IFD looping. The one can create TIFF
4418  * file with looped directory pointers. We will maintain a list of already
4419  * seen directories and check every IFD offset against that list.
4420  */
4421 static int
TIFFCheckDirOffset(TIFF * tif,uint64 diroff)4422 TIFFCheckDirOffset(TIFF* tif, uint64 diroff)
4423 {
4424 	uint16 n;
4425 
4426 	if (diroff == 0)			/* no more directories */
4427 		return 0;
4428 	if (tif->tif_dirnumber == 65535) {
4429 	    TIFFErrorExt(tif->tif_clientdata, "TIFFCheckDirOffset",
4430 			 "Cannot handle more than 65535 TIFF directories");
4431 	    return 0;
4432 	}
4433 
4434 	for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
4435 		if (tif->tif_dirlist[n] == diroff)
4436 			return 0;
4437 	}
4438 
4439 	tif->tif_dirnumber++;
4440 
4441 	if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
4442 		uint64* new_dirlist;
4443 
4444 		/*
4445 		 * XXX: Reduce memory allocation granularity of the dirlist
4446 		 * array.
4447 		 */
4448 		new_dirlist = (uint64*)_TIFFCheckRealloc(tif, tif->tif_dirlist,
4449 		    tif->tif_dirnumber, 2 * sizeof(uint64), "for IFD list");
4450 		if (!new_dirlist)
4451 			return 0;
4452 		if( tif->tif_dirnumber >= 32768 )
4453 		    tif->tif_dirlistsize = 65535;
4454 		else
4455 		    tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
4456 		tif->tif_dirlist = new_dirlist;
4457 	}
4458 
4459 	tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff;
4460 
4461 	return 1;
4462 }
4463 
4464 /*
4465  * Check the count field of a directory entry against a known value.  The
4466  * caller is expected to skip/ignore the tag if there is a mismatch.
4467  */
4468 static int
CheckDirCount(TIFF * tif,TIFFDirEntry * dir,uint32 count)4469 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
4470 {
4471 	if ((uint64)count > dir->tdir_count) {
4472 		const TIFFField* fip = TIFFFieldWithTag(tif, dir->tdir_tag);
4473 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
4474 	"incorrect count for field \"%s\" (" TIFF_UINT64_FORMAT ", expecting %u); tag ignored",
4475 		    fip ? fip->field_name : "unknown tagname",
4476 		    dir->tdir_count, count);
4477 		return (0);
4478 	} else if ((uint64)count < dir->tdir_count) {
4479 		const TIFFField* fip = TIFFFieldWithTag(tif, dir->tdir_tag);
4480 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
4481 	"incorrect count for field \"%s\" (" TIFF_UINT64_FORMAT ", expecting %u); tag trimmed",
4482 		    fip ? fip->field_name : "unknown tagname",
4483 		    dir->tdir_count, count);
4484 		dir->tdir_count = count;
4485 		return (1);
4486 	}
4487 	return (1);
4488 }
4489 
4490 /*
4491  * Read IFD structure from the specified offset. If the pointer to
4492  * nextdiroff variable has been specified, read it too. Function returns a
4493  * number of fields in the directory or 0 if failed.
4494  */
4495 static uint16
TIFFFetchDirectory(TIFF * tif,uint64 diroff,TIFFDirEntry ** pdir,uint64 * nextdiroff)4496 TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir,
4497                    uint64 *nextdiroff)
4498 {
4499 	static const char module[] = "TIFFFetchDirectory";
4500 
4501 	void* origdir;
4502 	uint16 dircount16;
4503 	uint32 dirsize;
4504 	TIFFDirEntry* dir;
4505 	uint8* ma;
4506 	TIFFDirEntry* mb;
4507 	uint16 n;
4508 
4509 	assert(pdir);
4510 
4511 	tif->tif_diroff = diroff;
4512 	if (nextdiroff)
4513 		*nextdiroff = 0;
4514 	if (!isMapped(tif)) {
4515 		if (!SeekOK(tif, tif->tif_diroff)) {
4516 			TIFFErrorExt(tif->tif_clientdata, module,
4517 				"%s: Seek error accessing TIFF directory",
4518 				tif->tif_name);
4519 			return 0;
4520 		}
4521 		if (!(tif->tif_flags&TIFF_BIGTIFF))
4522 		{
4523 			if (!ReadOK(tif, &dircount16, sizeof (uint16))) {
4524 				TIFFErrorExt(tif->tif_clientdata, module,
4525 				    "%s: Can not read TIFF directory count",
4526 				    tif->tif_name);
4527 				return 0;
4528 			}
4529 			if (tif->tif_flags & TIFF_SWAB)
4530 				TIFFSwabShort(&dircount16);
4531 			if (dircount16>4096)
4532 			{
4533 				TIFFErrorExt(tif->tif_clientdata, module,
4534 				    "Sanity check on directory count failed, this is probably not a valid IFD offset");
4535 				return 0;
4536 			}
4537 			dirsize = 12;
4538 		} else {
4539 			uint64 dircount64;
4540 			if (!ReadOK(tif, &dircount64, sizeof (uint64))) {
4541 				TIFFErrorExt(tif->tif_clientdata, module,
4542 					"%s: Can not read TIFF directory count",
4543 					tif->tif_name);
4544 				return 0;
4545 			}
4546 			if (tif->tif_flags & TIFF_SWAB)
4547 				TIFFSwabLong8(&dircount64);
4548 			if (dircount64>4096)
4549 			{
4550 				TIFFErrorExt(tif->tif_clientdata, module,
4551 				    "Sanity check on directory count failed, this is probably not a valid IFD offset");
4552 				return 0;
4553 			}
4554 			dircount16 = (uint16)dircount64;
4555 			dirsize = 20;
4556 		}
4557 		origdir = _TIFFCheckMalloc(tif, dircount16,
4558 		    dirsize, "to read TIFF directory");
4559 		if (origdir == NULL)
4560 			return 0;
4561 		if (!ReadOK(tif, origdir, (tmsize_t)(dircount16*dirsize))) {
4562 			TIFFErrorExt(tif->tif_clientdata, module,
4563 				"%.100s: Can not read TIFF directory",
4564 				tif->tif_name);
4565 			_TIFFfree(origdir);
4566 			return 0;
4567 		}
4568 		/*
4569 		 * Read offset to next directory for sequential scans if
4570 		 * needed.
4571 		 */
4572 		if (nextdiroff)
4573 		{
4574 			if (!(tif->tif_flags&TIFF_BIGTIFF))
4575 			{
4576 				uint32 nextdiroff32;
4577 				if (!ReadOK(tif, &nextdiroff32, sizeof(uint32)))
4578 					nextdiroff32 = 0;
4579 				if (tif->tif_flags&TIFF_SWAB)
4580 					TIFFSwabLong(&nextdiroff32);
4581 				*nextdiroff=nextdiroff32;
4582 			} else {
4583 				if (!ReadOK(tif, nextdiroff, sizeof(uint64)))
4584 					*nextdiroff = 0;
4585 				if (tif->tif_flags&TIFF_SWAB)
4586 					TIFFSwabLong8(nextdiroff);
4587 			}
4588 		}
4589 	} else {
4590 		tmsize_t m;
4591 		tmsize_t off = (tmsize_t) tif->tif_diroff;
4592 		if ((uint64)off!=tif->tif_diroff)
4593 		{
4594 			TIFFErrorExt(tif->tif_clientdata,module,"Can not read TIFF directory count");
4595 			return(0);
4596 		}
4597 
4598 		/*
4599 		 * Check for integer overflow when validating the dir_off,
4600 		 * otherwise a very high offset may cause an OOB read and
4601 		 * crash the client. Make two comparisons instead of
4602 		 *
4603 		 *  off + sizeof(uint16) > tif->tif_size
4604 		 *
4605 		 * to avoid overflow.
4606 		 */
4607 		if (!(tif->tif_flags&TIFF_BIGTIFF))
4608 		{
4609 			m=off+sizeof(uint16);
4610 			if ((m<off)||(m<(tmsize_t)sizeof(uint16))||(m>tif->tif_size)) {
4611 				TIFFErrorExt(tif->tif_clientdata, module,
4612 					"Can not read TIFF directory count");
4613 				return 0;
4614 			} else {
4615 				_TIFFmemcpy(&dircount16, tif->tif_base + off,
4616 					    sizeof(uint16));
4617 			}
4618 			off += sizeof (uint16);
4619 			if (tif->tif_flags & TIFF_SWAB)
4620 				TIFFSwabShort(&dircount16);
4621 			if (dircount16>4096)
4622 			{
4623 				TIFFErrorExt(tif->tif_clientdata, module,
4624 				    "Sanity check on directory count failed, this is probably not a valid IFD offset");
4625 				return 0;
4626 			}
4627 			dirsize = 12;
4628 		}
4629 		else
4630 		{
4631 			uint64 dircount64;
4632 			m=off+sizeof(uint64);
4633 			if ((m<off)||(m<(tmsize_t)sizeof(uint64))||(m>tif->tif_size)) {
4634 				TIFFErrorExt(tif->tif_clientdata, module,
4635 					"Can not read TIFF directory count");
4636 				return 0;
4637 			} else {
4638 				_TIFFmemcpy(&dircount64, tif->tif_base + off,
4639 					    sizeof(uint64));
4640 			}
4641 			off += sizeof (uint64);
4642 			if (tif->tif_flags & TIFF_SWAB)
4643 				TIFFSwabLong8(&dircount64);
4644 			if (dircount64>4096)
4645 			{
4646 				TIFFErrorExt(tif->tif_clientdata, module,
4647 				    "Sanity check on directory count failed, this is probably not a valid IFD offset");
4648 				return 0;
4649 			}
4650 			dircount16 = (uint16)dircount64;
4651 			dirsize = 20;
4652 		}
4653 		if (dircount16 == 0 )
4654 		{
4655 			TIFFErrorExt(tif->tif_clientdata, module,
4656 			             "Sanity check on directory count failed, zero tag directories not supported");
4657 			return 0;
4658 		}
4659 		origdir = _TIFFCheckMalloc(tif, dircount16,
4660 						dirsize,
4661 						"to read TIFF directory");
4662 		if (origdir == NULL)
4663 			return 0;
4664 		m=off+dircount16*dirsize;
4665 		if ((m<off)||(m<(tmsize_t)(dircount16*dirsize))||(m>tif->tif_size)) {
4666 			TIFFErrorExt(tif->tif_clientdata, module,
4667 				     "Can not read TIFF directory");
4668 			_TIFFfree(origdir);
4669 			return 0;
4670 		} else {
4671 			_TIFFmemcpy(origdir, tif->tif_base + off,
4672 				    dircount16 * dirsize);
4673 		}
4674 		if (nextdiroff) {
4675 			off += dircount16 * dirsize;
4676 			if (!(tif->tif_flags&TIFF_BIGTIFF))
4677 			{
4678 				uint32 nextdiroff32;
4679 				m=off+sizeof(uint32);
4680 				if ((m<off)||(m<(tmsize_t)sizeof(uint32))||(m>tif->tif_size))
4681 					nextdiroff32 = 0;
4682 				else
4683 					_TIFFmemcpy(&nextdiroff32, tif->tif_base + off,
4684 						    sizeof (uint32));
4685 				if (tif->tif_flags&TIFF_SWAB)
4686 					TIFFSwabLong(&nextdiroff32);
4687 				*nextdiroff = nextdiroff32;
4688 			}
4689 			else
4690 			{
4691 				m=off+sizeof(uint64);
4692 				if ((m<off)||(m<(tmsize_t)sizeof(uint64))||(m>tif->tif_size))
4693 					*nextdiroff = 0;
4694 				else
4695 					_TIFFmemcpy(nextdiroff, tif->tif_base + off,
4696 						    sizeof (uint64));
4697 				if (tif->tif_flags&TIFF_SWAB)
4698 					TIFFSwabLong8(nextdiroff);
4699 			}
4700 		}
4701 	}
4702 	dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
4703 						sizeof(TIFFDirEntry),
4704 						"to read TIFF directory");
4705 	if (dir==0)
4706 	{
4707 		_TIFFfree(origdir);
4708 		return 0;
4709 	}
4710 	ma=(uint8*)origdir;
4711 	mb=dir;
4712 	for (n=0; n<dircount16; n++)
4713 	{
4714 		if (tif->tif_flags&TIFF_SWAB)
4715 			TIFFSwabShort((uint16*)ma);
4716 		mb->tdir_tag=*(uint16*)ma;
4717 		ma+=sizeof(uint16);
4718 		if (tif->tif_flags&TIFF_SWAB)
4719 			TIFFSwabShort((uint16*)ma);
4720 		mb->tdir_type=*(uint16*)ma;
4721 		ma+=sizeof(uint16);
4722 		if (!(tif->tif_flags&TIFF_BIGTIFF))
4723 		{
4724 			if (tif->tif_flags&TIFF_SWAB)
4725 				TIFFSwabLong((uint32*)ma);
4726 			mb->tdir_count=(uint64)(*(uint32*)ma);
4727 			ma+=sizeof(uint32);
4728 			*(uint32*)(&mb->tdir_offset)=*(uint32*)ma;
4729 			ma+=sizeof(uint32);
4730 		}
4731 		else
4732 		{
4733 			if (tif->tif_flags&TIFF_SWAB)
4734 				TIFFSwabLong8((uint64*)ma);
4735                         mb->tdir_count=TIFFReadUInt64(ma);
4736 			ma+=sizeof(uint64);
4737 			mb->tdir_offset.toff_long8=TIFFReadUInt64(ma);
4738 			ma+=sizeof(uint64);
4739 		}
4740 		mb++;
4741 	}
4742 	_TIFFfree(origdir);
4743 	*pdir = dir;
4744 	return dircount16;
4745 }
4746 
4747 /*
4748  * Fetch a tag that is not handled by special case code.
4749  */
4750 static int
TIFFFetchNormalTag(TIFF * tif,TIFFDirEntry * dp,int recover)4751 TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
4752 {
4753 	static const char module[] = "TIFFFetchNormalTag";
4754 	enum TIFFReadDirEntryErr err;
4755 	uint32 fii;
4756 	const TIFFField* fip = NULL;
4757 	TIFFReadDirectoryFindFieldInfo(tif,dp->tdir_tag,&fii);
4758         if( fii == FAILED_FII )
4759         {
4760             TIFFErrorExt(tif->tif_clientdata, "TIFFFetchNormalTag",
4761                          "No definition found for tag %d",
4762                          dp->tdir_tag);
4763             return 0;
4764         }
4765 	fip=tif->tif_fields[fii];
4766 	assert(fip != NULL); /* should not happen */
4767 	assert(fip->set_field_type!=TIFF_SETGET_OTHER);  /* if so, we shouldn't arrive here but deal with this in specialized code */
4768 	assert(fip->set_field_type!=TIFF_SETGET_INT);    /* if so, we shouldn't arrive here as this is only the case for pseudo-tags */
4769 	err=TIFFReadDirEntryErrOk;
4770 	switch (fip->set_field_type)
4771 	{
4772 		case TIFF_SETGET_UNDEFINED:
4773 			break;
4774 		case TIFF_SETGET_ASCII:
4775 			{
4776 				uint8* data;
4777 				assert(fip->field_passcount==0);
4778 				err=TIFFReadDirEntryByteArray(tif,dp,&data);
4779 				if (err==TIFFReadDirEntryErrOk)
4780 				{
4781 					uint8* ma;
4782 					uint32 mb;
4783 					int n;
4784 					ma=data;
4785 					mb=0;
4786 					while (mb<(uint32)dp->tdir_count)
4787 					{
4788 						if (*ma==0)
4789 							break;
4790 						ma++;
4791 						mb++;
4792 					}
4793 					if (mb+1<(uint32)dp->tdir_count)
4794 						TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" contains null byte in value; value incorrectly truncated during reading due to implementation limitations",fip->field_name);
4795 					else if (mb+1>(uint32)dp->tdir_count)
4796 					{
4797 						uint8* o;
4798 						TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte",fip->field_name);
4799 						if ((uint32)dp->tdir_count+1!=dp->tdir_count+1)
4800 							o=NULL;
4801 						else
4802 							o=_TIFFmalloc((uint32)dp->tdir_count+1);
4803 						if (o==NULL)
4804 						{
4805 							if (data!=NULL)
4806 								_TIFFfree(data);
4807 							return(0);
4808 						}
4809 						_TIFFmemcpy(o,data,(uint32)dp->tdir_count);
4810 						o[(uint32)dp->tdir_count]=0;
4811 						if (data!=0)
4812 							_TIFFfree(data);
4813 						data=o;
4814 					}
4815 					n=TIFFSetField(tif,dp->tdir_tag,data);
4816 					if (data!=0)
4817 						_TIFFfree(data);
4818 					if (!n)
4819 						return(0);
4820 				}
4821 			}
4822 			break;
4823 		case TIFF_SETGET_UINT8:
4824 			{
4825 				uint8 data=0;
4826 				assert(fip->field_readcount==1);
4827 				assert(fip->field_passcount==0);
4828 				err=TIFFReadDirEntryByte(tif,dp,&data);
4829 				if (err==TIFFReadDirEntryErrOk)
4830 				{
4831 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4832 						return(0);
4833 				}
4834 			}
4835 			break;
4836 		case TIFF_SETGET_UINT16:
4837 			{
4838 				uint16 data;
4839 				assert(fip->field_readcount==1);
4840 				assert(fip->field_passcount==0);
4841 				err=TIFFReadDirEntryShort(tif,dp,&data);
4842 				if (err==TIFFReadDirEntryErrOk)
4843 				{
4844 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4845 						return(0);
4846 				}
4847 			}
4848 			break;
4849 		case TIFF_SETGET_UINT32:
4850 			{
4851 				uint32 data;
4852 				assert(fip->field_readcount==1);
4853 				assert(fip->field_passcount==0);
4854 				err=TIFFReadDirEntryLong(tif,dp,&data);
4855 				if (err==TIFFReadDirEntryErrOk)
4856 				{
4857 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4858 						return(0);
4859 				}
4860 			}
4861 			break;
4862 		case TIFF_SETGET_UINT64:
4863 			{
4864 				uint64 data;
4865 				assert(fip->field_readcount==1);
4866 				assert(fip->field_passcount==0);
4867 				err=TIFFReadDirEntryLong8(tif,dp,&data);
4868 				if (err==TIFFReadDirEntryErrOk)
4869 				{
4870 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4871 						return(0);
4872 				}
4873 			}
4874 			break;
4875 		case TIFF_SETGET_FLOAT:
4876 			{
4877 				float data;
4878 				assert(fip->field_readcount==1);
4879 				assert(fip->field_passcount==0);
4880 				err=TIFFReadDirEntryFloat(tif,dp,&data);
4881 				if (err==TIFFReadDirEntryErrOk)
4882 				{
4883 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4884 						return(0);
4885 				}
4886 			}
4887 			break;
4888 		case TIFF_SETGET_DOUBLE:
4889 			{
4890 				double data;
4891 				assert(fip->field_readcount==1);
4892 				assert(fip->field_passcount==0);
4893 				err=TIFFReadDirEntryDouble(tif,dp,&data);
4894 				if (err==TIFFReadDirEntryErrOk)
4895 				{
4896 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4897 						return(0);
4898 				}
4899 			}
4900 			break;
4901 		case TIFF_SETGET_IFD8:
4902 			{
4903 				uint64 data;
4904 				assert(fip->field_readcount==1);
4905 				assert(fip->field_passcount==0);
4906 				err=TIFFReadDirEntryIfd8(tif,dp,&data);
4907 				if (err==TIFFReadDirEntryErrOk)
4908 				{
4909 					if (!TIFFSetField(tif,dp->tdir_tag,data))
4910 						return(0);
4911 				}
4912 			}
4913 			break;
4914 		case TIFF_SETGET_UINT16_PAIR:
4915 			{
4916 				uint16* data;
4917 				assert(fip->field_readcount==2);
4918 				assert(fip->field_passcount==0);
4919 				if (dp->tdir_count!=2) {
4920 					TIFFWarningExt(tif->tif_clientdata,module,
4921 						       "incorrect count for field \"%s\", expected 2, got %d",
4922 						       fip->field_name,(int)dp->tdir_count);
4923 					return(0);
4924 				}
4925 				err=TIFFReadDirEntryShortArray(tif,dp,&data);
4926 				if (err==TIFFReadDirEntryErrOk)
4927 				{
4928 					int m;
4929 					m=TIFFSetField(tif,dp->tdir_tag,data[0],data[1]);
4930 					_TIFFfree(data);
4931 					if (!m)
4932 						return(0);
4933 				}
4934 			}
4935 			break;
4936 		case TIFF_SETGET_C0_UINT8:
4937 			{
4938 				uint8* data;
4939 				assert(fip->field_readcount>=1);
4940 				assert(fip->field_passcount==0);
4941 				if (dp->tdir_count!=(uint64)fip->field_readcount) {
4942 					TIFFWarningExt(tif->tif_clientdata,module,
4943 						       "incorrect count for field \"%s\", expected %d, got %d",
4944 						       fip->field_name,(int) fip->field_readcount, (int)dp->tdir_count);
4945 					return 0;
4946 				}
4947 				else
4948 				{
4949 					err=TIFFReadDirEntryByteArray(tif,dp,&data);
4950 					if (err==TIFFReadDirEntryErrOk)
4951 					{
4952 						int m;
4953 						m=TIFFSetField(tif,dp->tdir_tag,data);
4954 						if (data!=0)
4955 							_TIFFfree(data);
4956 						if (!m)
4957 							return(0);
4958 					}
4959 				}
4960 			}
4961 			break;
4962 		case TIFF_SETGET_C0_UINT16:
4963 			{
4964 				uint16* data;
4965 				assert(fip->field_readcount>=1);
4966 				assert(fip->field_passcount==0);
4967 				if (dp->tdir_count!=(uint64)fip->field_readcount)
4968                                     /* corrupt file */;
4969 				else
4970 				{
4971 					err=TIFFReadDirEntryShortArray(tif,dp,&data);
4972 					if (err==TIFFReadDirEntryErrOk)
4973 					{
4974 						int m;
4975 						m=TIFFSetField(tif,dp->tdir_tag,data);
4976 						if (data!=0)
4977 							_TIFFfree(data);
4978 						if (!m)
4979 							return(0);
4980 					}
4981 				}
4982 			}
4983 			break;
4984 		case TIFF_SETGET_C0_UINT32:
4985 			{
4986 				uint32* data;
4987 				assert(fip->field_readcount>=1);
4988 				assert(fip->field_passcount==0);
4989 				if (dp->tdir_count!=(uint64)fip->field_readcount)
4990                                     /* corrupt file */;
4991 				else
4992 				{
4993 					err=TIFFReadDirEntryLongArray(tif,dp,&data);
4994 					if (err==TIFFReadDirEntryErrOk)
4995 					{
4996 						int m;
4997 						m=TIFFSetField(tif,dp->tdir_tag,data);
4998 						if (data!=0)
4999 							_TIFFfree(data);
5000 						if (!m)
5001 							return(0);
5002 					}
5003 				}
5004 			}
5005 			break;
5006 		case TIFF_SETGET_C0_FLOAT:
5007 			{
5008 				float* data;
5009 				assert(fip->field_readcount>=1);
5010 				assert(fip->field_passcount==0);
5011 				if (dp->tdir_count!=(uint64)fip->field_readcount)
5012                                     /* corrupt file */;
5013 				else
5014 				{
5015 					err=TIFFReadDirEntryFloatArray(tif,dp,&data);
5016 					if (err==TIFFReadDirEntryErrOk)
5017 					{
5018 						int m;
5019 						m=TIFFSetField(tif,dp->tdir_tag,data);
5020 						if (data!=0)
5021 							_TIFFfree(data);
5022 						if (!m)
5023 							return(0);
5024 					}
5025 				}
5026 			}
5027 			break;
5028 		case TIFF_SETGET_C16_ASCII:
5029 			{
5030 				uint8* data;
5031 				assert(fip->field_readcount==TIFF_VARIABLE);
5032 				assert(fip->field_passcount==1);
5033 				if (dp->tdir_count>0xFFFF)
5034 					err=TIFFReadDirEntryErrCount;
5035 				else
5036 				{
5037 					err=TIFFReadDirEntryByteArray(tif,dp,&data);
5038 					if (err==TIFFReadDirEntryErrOk)
5039 					{
5040 						int m;
5041                         if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
5042                         {
5043                             TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
5044                             data[dp->tdir_count-1] = '\0';
5045                         }
5046 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5047 						if (data!=0)
5048 							_TIFFfree(data);
5049 						if (!m)
5050 							return(0);
5051 					}
5052 				}
5053 			}
5054 			break;
5055 		case TIFF_SETGET_C16_UINT8:
5056 			{
5057 				uint8* data;
5058 				assert(fip->field_readcount==TIFF_VARIABLE);
5059 				assert(fip->field_passcount==1);
5060 				if (dp->tdir_count>0xFFFF)
5061 					err=TIFFReadDirEntryErrCount;
5062 				else
5063 				{
5064 					err=TIFFReadDirEntryByteArray(tif,dp,&data);
5065 					if (err==TIFFReadDirEntryErrOk)
5066 					{
5067 						int m;
5068 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5069 						if (data!=0)
5070 							_TIFFfree(data);
5071 						if (!m)
5072 							return(0);
5073 					}
5074 				}
5075 			}
5076 			break;
5077 		case TIFF_SETGET_C16_UINT16:
5078 			{
5079 				uint16* data;
5080 				assert(fip->field_readcount==TIFF_VARIABLE);
5081 				assert(fip->field_passcount==1);
5082 				if (dp->tdir_count>0xFFFF)
5083 					err=TIFFReadDirEntryErrCount;
5084 				else
5085 				{
5086 					err=TIFFReadDirEntryShortArray(tif,dp,&data);
5087 					if (err==TIFFReadDirEntryErrOk)
5088 					{
5089 						int m;
5090 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5091 						if (data!=0)
5092 							_TIFFfree(data);
5093 						if (!m)
5094 							return(0);
5095 					}
5096 				}
5097 			}
5098 			break;
5099 		case TIFF_SETGET_C16_UINT32:
5100 			{
5101 				uint32* data;
5102 				assert(fip->field_readcount==TIFF_VARIABLE);
5103 				assert(fip->field_passcount==1);
5104 				if (dp->tdir_count>0xFFFF)
5105 					err=TIFFReadDirEntryErrCount;
5106 				else
5107 				{
5108 					err=TIFFReadDirEntryLongArray(tif,dp,&data);
5109 					if (err==TIFFReadDirEntryErrOk)
5110 					{
5111 						int m;
5112 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5113 						if (data!=0)
5114 							_TIFFfree(data);
5115 						if (!m)
5116 							return(0);
5117 					}
5118 				}
5119 			}
5120 			break;
5121 		case TIFF_SETGET_C16_UINT64:
5122 			{
5123 				uint64* data;
5124 				assert(fip->field_readcount==TIFF_VARIABLE);
5125 				assert(fip->field_passcount==1);
5126 				if (dp->tdir_count>0xFFFF)
5127 					err=TIFFReadDirEntryErrCount;
5128 				else
5129 				{
5130 					err=TIFFReadDirEntryLong8Array(tif,dp,&data);
5131 					if (err==TIFFReadDirEntryErrOk)
5132 					{
5133 						int m;
5134 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5135 						if (data!=0)
5136 							_TIFFfree(data);
5137 						if (!m)
5138 							return(0);
5139 					}
5140 				}
5141 			}
5142 			break;
5143 		case TIFF_SETGET_C16_FLOAT:
5144 			{
5145 				float* data;
5146 				assert(fip->field_readcount==TIFF_VARIABLE);
5147 				assert(fip->field_passcount==1);
5148 				if (dp->tdir_count>0xFFFF)
5149 					err=TIFFReadDirEntryErrCount;
5150 				else
5151 				{
5152 					err=TIFFReadDirEntryFloatArray(tif,dp,&data);
5153 					if (err==TIFFReadDirEntryErrOk)
5154 					{
5155 						int m;
5156 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5157 						if (data!=0)
5158 							_TIFFfree(data);
5159 						if (!m)
5160 							return(0);
5161 					}
5162 				}
5163 			}
5164 			break;
5165 		case TIFF_SETGET_C16_DOUBLE:
5166 			{
5167 				double* data;
5168 				assert(fip->field_readcount==TIFF_VARIABLE);
5169 				assert(fip->field_passcount==1);
5170 				if (dp->tdir_count>0xFFFF)
5171 					err=TIFFReadDirEntryErrCount;
5172 				else
5173 				{
5174 					err=TIFFReadDirEntryDoubleArray(tif,dp,&data);
5175 					if (err==TIFFReadDirEntryErrOk)
5176 					{
5177 						int m;
5178 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5179 						if (data!=0)
5180 							_TIFFfree(data);
5181 						if (!m)
5182 							return(0);
5183 					}
5184 				}
5185 			}
5186 			break;
5187 		case TIFF_SETGET_C16_IFD8:
5188 			{
5189 				uint64* data;
5190 				assert(fip->field_readcount==TIFF_VARIABLE);
5191 				assert(fip->field_passcount==1);
5192 				if (dp->tdir_count>0xFFFF)
5193 					err=TIFFReadDirEntryErrCount;
5194 				else
5195 				{
5196 					err=TIFFReadDirEntryIfd8Array(tif,dp,&data);
5197 					if (err==TIFFReadDirEntryErrOk)
5198 					{
5199 						int m;
5200 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
5201 						if (data!=0)
5202 							_TIFFfree(data);
5203 						if (!m)
5204 							return(0);
5205 					}
5206 				}
5207 			}
5208 			break;
5209 		case TIFF_SETGET_C32_ASCII:
5210 			{
5211 				uint8* data;
5212 				assert(fip->field_readcount==TIFF_VARIABLE2);
5213 				assert(fip->field_passcount==1);
5214 				err=TIFFReadDirEntryByteArray(tif,dp,&data);
5215 				if (err==TIFFReadDirEntryErrOk)
5216 				{
5217 					int m;
5218                     if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
5219                     {
5220                         TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
5221                         data[dp->tdir_count-1] = '\0';
5222                     }
5223 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5224 					if (data!=0)
5225 						_TIFFfree(data);
5226 					if (!m)
5227 						return(0);
5228 				}
5229 			}
5230 			break;
5231 		case TIFF_SETGET_C32_UINT8:
5232 			{
5233 				uint8* data;
5234 				assert(fip->field_readcount==TIFF_VARIABLE2);
5235 				assert(fip->field_passcount==1);
5236 				err=TIFFReadDirEntryByteArray(tif,dp,&data);
5237 				if (err==TIFFReadDirEntryErrOk)
5238 				{
5239 					int m;
5240 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5241 					if (data!=0)
5242 						_TIFFfree(data);
5243 					if (!m)
5244 						return(0);
5245 				}
5246 			}
5247 			break;
5248 		case TIFF_SETGET_C32_SINT8:
5249 			{
5250 				int8* data = NULL;
5251 				assert(fip->field_readcount==TIFF_VARIABLE2);
5252 				assert(fip->field_passcount==1);
5253 				err=TIFFReadDirEntrySbyteArray(tif,dp,&data);
5254 				if (err==TIFFReadDirEntryErrOk)
5255 				{
5256 					int m;
5257 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5258 					if (data!=0)
5259 						_TIFFfree(data);
5260 					if (!m)
5261 						return(0);
5262 				}
5263 			}
5264 			break;
5265 		case TIFF_SETGET_C32_UINT16:
5266 			{
5267 				uint16* data;
5268 				assert(fip->field_readcount==TIFF_VARIABLE2);
5269 				assert(fip->field_passcount==1);
5270 				err=TIFFReadDirEntryShortArray(tif,dp,&data);
5271 				if (err==TIFFReadDirEntryErrOk)
5272 				{
5273 					int m;
5274 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5275 					if (data!=0)
5276 						_TIFFfree(data);
5277 					if (!m)
5278 						return(0);
5279 				}
5280 			}
5281 			break;
5282 		case TIFF_SETGET_C32_SINT16:
5283 			{
5284 				int16* data = NULL;
5285 				assert(fip->field_readcount==TIFF_VARIABLE2);
5286 				assert(fip->field_passcount==1);
5287 				err=TIFFReadDirEntrySshortArray(tif,dp,&data);
5288 				if (err==TIFFReadDirEntryErrOk)
5289 				{
5290 					int m;
5291 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5292 					if (data!=0)
5293 						_TIFFfree(data);
5294 					if (!m)
5295 						return(0);
5296 				}
5297 			}
5298 			break;
5299 		case TIFF_SETGET_C32_UINT32:
5300 			{
5301 				uint32* data;
5302 				assert(fip->field_readcount==TIFF_VARIABLE2);
5303 				assert(fip->field_passcount==1);
5304 				err=TIFFReadDirEntryLongArray(tif,dp,&data);
5305 				if (err==TIFFReadDirEntryErrOk)
5306 				{
5307 					int m;
5308 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5309 					if (data!=0)
5310 						_TIFFfree(data);
5311 					if (!m)
5312 						return(0);
5313 				}
5314 			}
5315 			break;
5316 		case TIFF_SETGET_C32_SINT32:
5317 			{
5318 				int32* data = NULL;
5319 				assert(fip->field_readcount==TIFF_VARIABLE2);
5320 				assert(fip->field_passcount==1);
5321 				err=TIFFReadDirEntrySlongArray(tif,dp,&data);
5322 				if (err==TIFFReadDirEntryErrOk)
5323 				{
5324 					int m;
5325 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5326 					if (data!=0)
5327 						_TIFFfree(data);
5328 					if (!m)
5329 						return(0);
5330 				}
5331 			}
5332 			break;
5333 		case TIFF_SETGET_C32_UINT64:
5334 			{
5335 				uint64* data;
5336 				assert(fip->field_readcount==TIFF_VARIABLE2);
5337 				assert(fip->field_passcount==1);
5338 				err=TIFFReadDirEntryLong8Array(tif,dp,&data);
5339 				if (err==TIFFReadDirEntryErrOk)
5340 				{
5341 					int m;
5342 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5343 					if (data!=0)
5344 						_TIFFfree(data);
5345 					if (!m)
5346 						return(0);
5347 				}
5348 			}
5349 			break;
5350 		case TIFF_SETGET_C32_SINT64:
5351 			{
5352 				int64* data = NULL;
5353 				assert(fip->field_readcount==TIFF_VARIABLE2);
5354 				assert(fip->field_passcount==1);
5355 				err=TIFFReadDirEntrySlong8Array(tif,dp,&data);
5356 				if (err==TIFFReadDirEntryErrOk)
5357 				{
5358 					int m;
5359 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5360 					if (data!=0)
5361 						_TIFFfree(data);
5362 					if (!m)
5363 						return(0);
5364 				}
5365 			}
5366 			break;
5367 		case TIFF_SETGET_C32_FLOAT:
5368 			{
5369 				float* data;
5370 				assert(fip->field_readcount==TIFF_VARIABLE2);
5371 				assert(fip->field_passcount==1);
5372 				err=TIFFReadDirEntryFloatArray(tif,dp,&data);
5373 				if (err==TIFFReadDirEntryErrOk)
5374 				{
5375 					int m;
5376 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5377 					if (data!=0)
5378 						_TIFFfree(data);
5379 					if (!m)
5380 						return(0);
5381 				}
5382 			}
5383 			break;
5384 		case TIFF_SETGET_C32_DOUBLE:
5385 			{
5386 				double* data;
5387 				assert(fip->field_readcount==TIFF_VARIABLE2);
5388 				assert(fip->field_passcount==1);
5389 				err=TIFFReadDirEntryDoubleArray(tif,dp,&data);
5390 				if (err==TIFFReadDirEntryErrOk)
5391 				{
5392 					int m;
5393 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5394 					if (data!=0)
5395 						_TIFFfree(data);
5396 					if (!m)
5397 						return(0);
5398 				}
5399 			}
5400 			break;
5401 		case TIFF_SETGET_C32_IFD8:
5402 			{
5403 				uint64* data;
5404 				assert(fip->field_readcount==TIFF_VARIABLE2);
5405 				assert(fip->field_passcount==1);
5406 				err=TIFFReadDirEntryIfd8Array(tif,dp,&data);
5407 				if (err==TIFFReadDirEntryErrOk)
5408 				{
5409 					int m;
5410 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
5411 					if (data!=0)
5412 						_TIFFfree(data);
5413 					if (!m)
5414 						return(0);
5415 				}
5416 			}
5417 			break;
5418 		default:
5419 			assert(0);    /* we should never get here */
5420 			break;
5421 	}
5422 	if (err!=TIFFReadDirEntryErrOk)
5423 	{
5424 		TIFFReadDirEntryOutputErr(tif,err,module,fip->field_name,recover);
5425 		return(0);
5426 	}
5427 	return(1);
5428 }
5429 
5430 /*
5431  * Fetch a set of offsets or lengths.
5432  * While this routine says "strips", in fact it's also used for tiles.
5433  */
5434 static int
TIFFFetchStripThing(TIFF * tif,TIFFDirEntry * dir,uint32 nstrips,uint64 ** lpp)5435 TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
5436 {
5437 	static const char module[] = "TIFFFetchStripThing";
5438 	enum TIFFReadDirEntryErr err;
5439 	uint64* data;
5440 	err=TIFFReadDirEntryLong8Array(tif,dir,&data);
5441 	if (err!=TIFFReadDirEntryErrOk)
5442 	{
5443 		const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
5444 		TIFFReadDirEntryOutputErr(tif,err,module,fip ? fip->field_name : "unknown tagname",0);
5445 		return(0);
5446 	}
5447 	if (dir->tdir_count!=(uint64)nstrips)
5448 	{
5449 		uint64* resizeddata;
5450 		resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
5451 		if (resizeddata==0) {
5452 			_TIFFfree(data);
5453 			return(0);
5454 		}
5455 		if (dir->tdir_count<(uint64)nstrips)
5456 		{
5457 			_TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
5458 			_TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
5459 		}
5460 		else
5461 			_TIFFmemcpy(resizeddata,data,nstrips*sizeof(uint64));
5462 		_TIFFfree(data);
5463 		data=resizeddata;
5464 	}
5465 	*lpp=data;
5466 	return(1);
5467 }
5468 
5469 /*
5470  * Fetch and set the SubjectDistance EXIF tag.
5471  */
5472 static int
TIFFFetchSubjectDistance(TIFF * tif,TIFFDirEntry * dir)5473 TIFFFetchSubjectDistance(TIFF* tif, TIFFDirEntry* dir)
5474 {
5475 	static const char module[] = "TIFFFetchSubjectDistance";
5476 	enum TIFFReadDirEntryErr err;
5477 	UInt64Aligned_t m;
5478     m.l=0;
5479 	assert(sizeof(double)==8);
5480 	assert(sizeof(uint64)==8);
5481 	assert(sizeof(uint32)==4);
5482 	if (dir->tdir_count!=1)
5483 		err=TIFFReadDirEntryErrCount;
5484 	else if (dir->tdir_type!=TIFF_RATIONAL)
5485 		err=TIFFReadDirEntryErrType;
5486 	else
5487 	{
5488 		if (!(tif->tif_flags&TIFF_BIGTIFF))
5489 		{
5490 			uint32 offset;
5491 			offset=*(uint32*)(&dir->tdir_offset);
5492 			if (tif->tif_flags&TIFF_SWAB)
5493 				TIFFSwabLong(&offset);
5494 			err=TIFFReadDirEntryData(tif,offset,8,m.i);
5495 		}
5496 		else
5497 		{
5498 			m.l=dir->tdir_offset.toff_long8;
5499 			err=TIFFReadDirEntryErrOk;
5500 		}
5501 	}
5502 	if (err==TIFFReadDirEntryErrOk)
5503 	{
5504 		double n;
5505 		if (tif->tif_flags&TIFF_SWAB)
5506 			TIFFSwabArrayOfLong(m.i,2);
5507 		if (m.i[0]==0)
5508 			n=0.0;
5509 		else if (m.i[0]==0xFFFFFFFF)
5510 			/*
5511 			 * XXX: Numerator 0xFFFFFFFF means that we have infinite
5512 			 * distance. Indicate that with a negative floating point
5513 			 * SubjectDistance value.
5514 			 */
5515 			n=-1.0;
5516 		else
5517 			n=(double)m.i[0]/(double)m.i[1];
5518 		return(TIFFSetField(tif,dir->tdir_tag,n));
5519 	}
5520 	else
5521 	{
5522 		TIFFReadDirEntryOutputErr(tif,err,module,"SubjectDistance",TRUE);
5523 		return(0);
5524 	}
5525 }
5526 
5527 /*
5528  * Replace a single strip (tile) of uncompressed data by multiple strips
5529  * (tiles), each approximately STRIP_SIZE_DEFAULT bytes. This is useful for
5530  * dealing with large images or for dealing with machines with a limited
5531  * amount memory.
5532  */
5533 static void
ChopUpSingleUncompressedStrip(TIFF * tif)5534 ChopUpSingleUncompressedStrip(TIFF* tif)
5535 {
5536 	register TIFFDirectory *td = &tif->tif_dir;
5537 	uint64 bytecount;
5538 	uint64 offset;
5539 	uint32 rowblock;
5540 	uint64 rowblockbytes;
5541 	uint64 stripbytes;
5542 	uint32 strip;
5543 	uint32 nstrips;
5544 	uint32 rowsperstrip;
5545 	uint64* newcounts;
5546 	uint64* newoffsets;
5547 
5548 	bytecount = td->td_stripbytecount[0];
5549 	offset = td->td_stripoffset[0];
5550 	assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
5551 	if ((td->td_photometric == PHOTOMETRIC_YCBCR)&&
5552 	    (!isUpSampled(tif)))
5553 		rowblock = td->td_ycbcrsubsampling[1];
5554 	else
5555 		rowblock = 1;
5556 	rowblockbytes = TIFFVTileSize64(tif, rowblock);
5557 	/*
5558 	 * Make the rows hold at least one scanline, but fill specified amount
5559 	 * of data if possible.
5560 	 */
5561 	if (rowblockbytes > STRIP_SIZE_DEFAULT) {
5562 		stripbytes = rowblockbytes;
5563 		rowsperstrip = rowblock;
5564 	} else if (rowblockbytes > 0 ) {
5565 		uint32 rowblocksperstrip;
5566 		rowblocksperstrip = (uint32) (STRIP_SIZE_DEFAULT / rowblockbytes);
5567 		rowsperstrip = rowblocksperstrip * rowblock;
5568 		stripbytes = rowblocksperstrip * rowblockbytes;
5569 	}
5570 	else
5571 	    return;
5572 
5573 	/*
5574 	 * never increase the number of rows per strip
5575 	 */
5576 	if (rowsperstrip >= td->td_rowsperstrip)
5577 		return;
5578         nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
5579         if( nstrips == 0 )
5580             return;
5581 
5582 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
5583 				"for chopped \"StripByteCounts\" array");
5584 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
5585 				"for chopped \"StripOffsets\" array");
5586 	if (newcounts == NULL || newoffsets == NULL) {
5587 		/*
5588 		 * Unable to allocate new strip information, give up and use
5589 		 * the original one strip information.
5590 		 */
5591 		if (newcounts != NULL)
5592 			_TIFFfree(newcounts);
5593 		if (newoffsets != NULL)
5594 			_TIFFfree(newoffsets);
5595 		return;
5596 	}
5597 	/*
5598 	 * Fill the strip information arrays with new bytecounts and offsets
5599 	 * that reflect the broken-up format.
5600 	 */
5601 	for (strip = 0; strip < nstrips; strip++) {
5602 		if (stripbytes > bytecount)
5603 			stripbytes = bytecount;
5604 		newcounts[strip] = stripbytes;
5605 		newoffsets[strip] = stripbytes ? offset : 0;
5606 		offset += stripbytes;
5607 		bytecount -= stripbytes;
5608 	}
5609 	/*
5610 	 * Replace old single strip info with multi-strip info.
5611 	 */
5612 	td->td_stripsperimage = td->td_nstrips = nstrips;
5613 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
5614 
5615 	_TIFFfree(td->td_stripbytecount);
5616 	_TIFFfree(td->td_stripoffset);
5617 	td->td_stripbytecount = newcounts;
5618 	td->td_stripoffset = newoffsets;
5619 	td->td_stripbytecountsorted = 1;
5620 }
5621 
_TIFFFillStriles(TIFF * tif)5622 int _TIFFFillStriles( TIFF *tif )
5623 {
5624     return _TIFFFillStrilesInternal( tif, 1 );
5625 }
5626 
_TIFFFillStrilesInternal(TIFF * tif,int loadStripByteCount)5627 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount )
5628 {
5629 #if defined(DEFER_STRILE_LOAD)
5630         register TIFFDirectory *td = &tif->tif_dir;
5631         int return_value = 1;
5632 
5633         if( td->td_stripoffset != NULL )
5634                 return 1;
5635 
5636         if( td->td_stripoffset_entry.tdir_count == 0 )
5637                 return 0;
5638 
5639         if (!TIFFFetchStripThing(tif,&(td->td_stripoffset_entry),
5640                                  td->td_nstrips,&td->td_stripoffset))
5641         {
5642                 return_value = 0;
5643         }
5644 
5645         if (loadStripByteCount &&
5646             !TIFFFetchStripThing(tif,&(td->td_stripbytecount_entry),
5647                                  td->td_nstrips,&td->td_stripbytecount))
5648         {
5649                 return_value = 0;
5650         }
5651 
5652         _TIFFmemset( &(td->td_stripoffset_entry), 0, sizeof(TIFFDirEntry));
5653         _TIFFmemset( &(td->td_stripbytecount_entry), 0, sizeof(TIFFDirEntry));
5654 
5655 	if (tif->tif_dir.td_nstrips > 1 && return_value == 1 ) {
5656 		uint32 strip;
5657 
5658 		tif->tif_dir.td_stripbytecountsorted = 1;
5659 		for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
5660 			if (tif->tif_dir.td_stripoffset[strip - 1] >
5661 			    tif->tif_dir.td_stripoffset[strip]) {
5662 				tif->tif_dir.td_stripbytecountsorted = 0;
5663 				break;
5664 			}
5665 		}
5666 	}
5667 
5668         return return_value;
5669 #else /* !defined(DEFER_STRILE_LOAD) */
5670         (void) tif;
5671         (void) loadStripByteCount;
5672         return 1;
5673 #endif
5674 }
5675 
5676 
5677 /* vim: set ts=8 sts=8 sw=8 noet: */
5678 /*
5679  * Local Variables:
5680  * mode: c
5681  * c-basic-offset: 8
5682  * fill-column: 78
5683  * End:
5684  */
5685