1 /* $Id: tif_read.c,v 1.59 2017-05-13 15:34:06 erouault Exp $ */
2 
3 /*
4  * Copyright (c) 1988-1997 Sam Leffler
5  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
6  *
7  * Permission to use, copy, modify, distribute, and sell this software and
8  * its documentation for any purpose is hereby granted without fee, provided
9  * that (i) the above copyright notices and this permission notice appear in
10  * all copies of the software and related documentation, and (ii) the names of
11  * Sam Leffler and Silicon Graphics may not be used in any advertising or
12  * publicity relating to the software without the specific, prior written
13  * permission of Sam Leffler and Silicon Graphics.
14  *
15  * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
17  * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
18  *
19  * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
20  * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
21  * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
22  * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
23  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
24  * OF THIS SOFTWARE.
25  */
26 
27 /*
28  * TIFF Library.
29  * Scanline-oriented Read Support
30  */
31 #include "tiffiop.h"
32 #include <stdio.h>
33 
34 #define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
35 #define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
36 
37 int TIFFFillStrip(TIFF* tif, uint32 strip);
38 int TIFFFillTile(TIFF* tif, uint32 tile);
39 static int TIFFStartStrip(TIFF* tif, uint32 strip);
40 static int TIFFStartTile(TIFF* tif, uint32 tile);
41 static int TIFFCheckRead(TIFF*, int);
42 static tmsize_t
43 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
44 static tmsize_t
45 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module);
46 
47 #define NOSTRIP ((uint32)(-1))       /* undefined state */
48 #define NOTILE ((uint32)(-1))         /* undefined state */
49 
50 #define INITIAL_THRESHOLD (1024 * 1024)
51 #define THRESHOLD_MULTIPLIER 10
52 #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
53 
54 /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
55  * Returns 1 in case of success, 0 otherwise. */
TIFFReadAndRealloc(TIFF * tif,tmsize_t size,tmsize_t rawdata_offset,int is_strip,uint32 strip_or_tile,const char * module)56 static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
57                                tmsize_t rawdata_offset,
58                                int is_strip, uint32 strip_or_tile,
59                                const char* module )
60 {
61 #if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
62         tmsize_t threshold = INITIAL_THRESHOLD;
63 #endif
64         tmsize_t already_read = 0;
65 
66         /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
67         /* so as to avoid allocating too much memory in case the file is too */
68         /* short. We could ask for the file size, but this might be */
69         /* expensive with some I/O layers (think of reading a gzipped file) */
70         /* Restrict to 64 bit processes, so as to avoid reallocs() */
71         /* on 32 bit processes where virtual memory is scarce.  */
72         while( already_read < size )
73         {
74             tmsize_t bytes_read;
75             tmsize_t to_read = size - already_read;
76 #if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8
77             if( to_read >= threshold && threshold < MAX_THRESHOLD &&
78                 already_read + to_read + rawdata_offset > tif->tif_rawdatasize )
79             {
80                 to_read = threshold;
81                 threshold *= THRESHOLD_MULTIPLIER;
82             }
83 #endif
84             if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize) {
85                 uint8* new_rawdata;
86                 assert((tif->tif_flags & TIFF_MYBUFFER) != 0);
87                 tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64(
88                         (uint64)already_read + to_read + rawdata_offset, 1024);
89                 if (tif->tif_rawdatasize==0) {
90                     TIFFErrorExt(tif->tif_clientdata, module,
91                                 "Invalid buffer size");
92                     return 0;
93                 }
94                 new_rawdata = (uint8*) _TIFFrealloc(
95                                 tif->tif_rawdata, tif->tif_rawdatasize);
96                 if( new_rawdata == 0 )
97                 {
98                     TIFFErrorExt(tif->tif_clientdata, module,
99                         "No space for data buffer at scanline %lu",
100                         (unsigned long) tif->tif_row);
101                     _TIFFfree(tif->tif_rawdata);
102                     tif->tif_rawdata = 0;
103                     tif->tif_rawdatasize = 0;
104                     return 0;
105                 }
106                 tif->tif_rawdata = new_rawdata;
107             }
108 
109             bytes_read = TIFFReadFile(tif,
110                 tif->tif_rawdata + rawdata_offset + already_read, to_read);
111             already_read += bytes_read;
112             if (bytes_read != to_read) {
113                 memset( tif->tif_rawdata + rawdata_offset + already_read, 0,
114                         tif->tif_rawdatasize - rawdata_offset - already_read );
115 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
116                 if( is_strip )
117                 {
118                     TIFFErrorExt(tif->tif_clientdata, module,
119                         "Read error at scanline %lu; got %I64u bytes, "
120                         "expected %I64u",
121                                         (unsigned long) tif->tif_row,
122                                         (unsigned __int64) already_read,
123                                         (unsigned __int64) size);
124                 }
125                 else
126                 {
127                     TIFFErrorExt(tif->tif_clientdata, module,
128                         "Read error at row %lu, col %lu, tile %lu; "
129                         "got %I64u bytes, expected %I64u",
130                                         (unsigned long) tif->tif_row,
131                                         (unsigned long) tif->tif_col,
132                                         (unsigned long) strip_or_tile,
133                                         (unsigned __int64) already_read,
134                                         (unsigned __int64) size);
135                 }
136 #else
137                 if( is_strip )
138                 {
139                     TIFFErrorExt(tif->tif_clientdata, module,
140                         "Read error at scanline %lu; got %llu bytes, "
141                         "expected %llu",
142                                         (unsigned long) tif->tif_row,
143                                         (unsigned long long) already_read,
144                                         (unsigned long long) size);
145                 }
146                 else
147                 {
148                     TIFFErrorExt(tif->tif_clientdata, module,
149                         "Read error at row %lu, col %lu, tile %lu; "
150                         "got %llu bytes, expected %llu",
151                                         (unsigned long) tif->tif_row,
152                                         (unsigned long) tif->tif_col,
153                                         (unsigned long) strip_or_tile,
154                                         (unsigned long long) already_read,
155                                         (unsigned long long) size);
156                 }
157 #endif
158                 return 0;
159             }
160         }
161         return 1;
162 }
163 
164 
165 static int
TIFFFillStripPartial(TIFF * tif,int strip,tmsize_t read_ahead,int restart)166 TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
167 {
168 	static const char module[] = "TIFFFillStripPartial";
169 	register TIFFDirectory *td = &tif->tif_dir;
170         tmsize_t unused_data;
171         uint64 read_offset;
172         tmsize_t to_read;
173         tmsize_t read_ahead_mod;
174         /* tmsize_t bytecountm; */
175 
176         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
177             return 0;
178 
179         /*
180          * Expand raw data buffer, if needed, to hold data
181          * strip coming from file (perhaps should set upper
182          * bound on the size of a buffer we'll use?).
183          */
184 
185         /* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */
186 
187         /* Not completely sure where the * 2 comes from, but probably for */
188         /* an exponentional growth strategy of tif_rawdatasize */
189         if( read_ahead < TIFF_TMSIZE_T_MAX / 2 )
190                 read_ahead_mod = read_ahead * 2;
191         else
192                 read_ahead_mod = read_ahead;
193         if (read_ahead_mod > tif->tif_rawdatasize) {
194                 assert( restart );
195 
196                 tif->tif_curstrip = NOSTRIP;
197                 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
198                         TIFFErrorExt(tif->tif_clientdata, module,
199                                      "Data buffer too small to hold part of strip %lu",
200                                      (unsigned long) strip);
201                         return (0);
202                 }
203         }
204 
205         if( restart )
206         {
207                 tif->tif_rawdataloaded = 0;
208                 tif->tif_rawdataoff = 0;
209         }
210 
211         /*
212         ** If we are reading more data, move any unused data to the
213         ** start of the buffer.
214         */
215         if( tif->tif_rawdataloaded > 0 )
216                 unused_data = tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata);
217         else
218                 unused_data = 0;
219 
220         if( unused_data > 0 )
221         {
222 		assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
223                 memmove( tif->tif_rawdata, tif->tif_rawcp, unused_data );
224         }
225 
226         /*
227         ** Seek to the point in the file where more data should be read.
228         */
229         read_offset = td->td_stripoffset[strip]
230                 + tif->tif_rawdataoff + tif->tif_rawdataloaded;
231 
232         if (!SeekOK(tif, read_offset)) {
233                 TIFFErrorExt(tif->tif_clientdata, module,
234                              "Seek error at scanline %lu, strip %lu",
235                              (unsigned long) tif->tif_row, (unsigned long) strip);
236                 return 0;
237         }
238 
239         /*
240         ** How much do we want to read?
241         */
242         if( read_ahead_mod > tif->tif_rawdatasize )
243                 to_read = read_ahead_mod - unused_data;
244         else
245                 to_read = tif->tif_rawdatasize - unused_data;
246         if( (uint64) to_read > td->td_stripbytecount[strip]
247             - tif->tif_rawdataoff - tif->tif_rawdataloaded )
248         {
249                 to_read = (tmsize_t) td->td_stripbytecount[strip]
250                         - tif->tif_rawdataoff - tif->tif_rawdataloaded;
251         }
252 
253 	assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
254         if( !TIFFReadAndRealloc( tif, to_read, unused_data,
255                                  1, /* is_strip */
256                                  0, /* strip_or_tile */
257                                  module) )
258         {
259                 return 0;
260         }
261 
262         tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ;
263         tif->tif_rawdataloaded = unused_data + to_read;
264 
265         tif->tif_rawcp = tif->tif_rawdata;
266 
267         if (!isFillOrder(tif, td->td_fillorder) &&
268             (tif->tif_flags & TIFF_NOBITREV) == 0) {
269 		assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
270                 TIFFReverseBits(tif->tif_rawdata + unused_data, to_read );
271 	}
272 
273         /*
274         ** When starting a strip from the beginning we need to
275         ** restart the decoder.
276         */
277         if( restart )
278                 return TIFFStartStrip(tif, strip);
279         else
280         {
281                 tif->tif_rawcc = tif->tif_rawdataloaded;
282                 return 1;
283         }
284 }
285 
286 /*
287  * Seek to a random row+sample in a file.
288  *
289  * Only used by TIFFReadScanline, and is only used on
290  * strip organized files.  We do some tricky stuff to try
291  * and avoid reading the whole compressed raw data for big
292  * strips.
293  */
294 static int
TIFFSeek(TIFF * tif,uint32 row,uint16 sample)295 TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
296 {
297 	register TIFFDirectory *td = &tif->tif_dir;
298 	uint32 strip;
299         int    whole_strip;
300 	tmsize_t read_ahead = 0;
301 
302         /*
303         ** Establish what strip we are working from.
304         */
305 	if (row >= td->td_imagelength) {	/* out of range */
306 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
307 		    "%lu: Row out of range, max %lu",
308 		    (unsigned long) row,
309 		    (unsigned long) td->td_imagelength);
310 		return (0);
311 	}
312 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE) {
313 		if (sample >= td->td_samplesperpixel) {
314 			TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
315 			    "%lu: Sample out of range, max %lu",
316 			    (unsigned long) sample, (unsigned long) td->td_samplesperpixel);
317 			return (0);
318 		}
319 		strip = (uint32)sample*td->td_stripsperimage + row/td->td_rowsperstrip;
320 	} else
321 		strip = row / td->td_rowsperstrip;
322 
323         /*
324          * Do we want to treat this strip as one whole chunk or
325          * read it a few lines at a time?
326          */
327 #if defined(CHUNKY_STRIP_READ_SUPPORT)
328         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
329             return 0;
330         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
331                 || isMapped(tif);
332 #else
333         whole_strip = 1;
334 #endif
335 
336         if( !whole_strip )
337         {
338                 /* 16 is for YCbCr mode where we may need to read 16 */
339                 /* lines at a time to get a decompressed line, and 5000 */
340                 /* is some constant value, for example for JPEG tables */
341                 if( tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
342                     tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000 )
343                 {
344                         read_ahead = tif->tif_scanlinesize * 16 + 5000;
345                 }
346                 else
347                 {
348                         read_ahead = tif->tif_scanlinesize;
349                 }
350         }
351 
352         /*
353          * If we haven't loaded this strip, do so now, possibly
354          * only reading the first part.
355          */
356 	if (strip != tif->tif_curstrip) {	/* different strip, refill */
357 
358                 if( whole_strip )
359                 {
360                         if (!TIFFFillStrip(tif, strip))
361                                 return (0);
362                 }
363                 else
364                 {
365                         if( !TIFFFillStripPartial(tif,strip,read_ahead,1) )
366                                 return 0;
367                 }
368 	}
369 
370         /*
371         ** If we already have some data loaded, do we need to read some more?
372         */
373         else if( !whole_strip )
374         {
375                 if( ((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) < read_ahead
376                     && (uint64) tif->tif_rawdataoff+tif->tif_rawdataloaded < td->td_stripbytecount[strip] )
377                 {
378                         if( !TIFFFillStripPartial(tif,strip,read_ahead,0) )
379                                 return 0;
380                 }
381         }
382 
383         if (row < tif->tif_row) {
384 		/*
385 		 * Moving backwards within the same strip: backup
386 		 * to the start and then decode forward (below).
387 		 *
388 		 * NB: If you're planning on lots of random access within a
389 		 * strip, it's better to just read and decode the entire
390 		 * strip, and then access the decoded data in a random fashion.
391 		 */
392 
393                 if( tif->tif_rawdataoff != 0 )
394                 {
395                         if( !TIFFFillStripPartial(tif,strip,read_ahead,1) )
396                                 return 0;
397                 }
398                 else
399                 {
400                         if (!TIFFStartStrip(tif, strip))
401                                 return (0);
402                 }
403 	}
404 
405 	if (row != tif->tif_row) {
406 		/*
407 		 * Seek forward to the desired row.
408 		 */
409 
410                 /* TODO: Will this really work with partial buffers? */
411 
412 		if (!(*tif->tif_seek)(tif, row - tif->tif_row))
413 			return (0);
414 		tif->tif_row = row;
415 	}
416 
417 	return (1);
418 }
419 
420 int
TIFFReadScanline(TIFF * tif,void * buf,uint32 row,uint16 sample)421 TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)
422 {
423 	int e;
424 
425 	if (!TIFFCheckRead(tif, 0))
426 		return (-1);
427 	if( (e = TIFFSeek(tif, row, sample)) != 0) {
428 		/*
429 		 * Decompress desired row into user buffer.
430 		 */
431 		e = (*tif->tif_decoderow)
432 		    (tif, (uint8*) buf, tif->tif_scanlinesize, sample);
433 
434 		/* we are now poised at the beginning of the next row */
435 		tif->tif_row = row + 1;
436 
437 		if (e)
438 			(*tif->tif_postdecode)(tif, (uint8*) buf,
439 			    tif->tif_scanlinesize);
440 	}
441 	return (e > 0 ? 1 : -1);
442 }
443 
444 /*
445  * Calculate the strip size according to the number of
446  * rows in the strip (check for truncated last strip on any
447  * of the separations).
448  */
TIFFReadEncodedStripGetStripSize(TIFF * tif,uint32 strip,uint16 * pplane)449 static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane)
450 {
451 	static const char module[] = "TIFFReadEncodedStrip";
452 	TIFFDirectory *td = &tif->tif_dir;
453 	uint32 rowsperstrip;
454 	uint32 stripsperplane;
455 	uint32 stripinplane;
456 	uint32 rows;
457 	tmsize_t stripsize;
458 	if (!TIFFCheckRead(tif,0))
459 		return((tmsize_t)(-1));
460 	if (strip>=td->td_nstrips)
461 	{
462 		TIFFErrorExt(tif->tif_clientdata,module,
463 		    "%lu: Strip out of range, max %lu",(unsigned long)strip,
464 		    (unsigned long)td->td_nstrips);
465 		return((tmsize_t)(-1));
466 	}
467 
468 	rowsperstrip=td->td_rowsperstrip;
469 	if (rowsperstrip>td->td_imagelength)
470 		rowsperstrip=td->td_imagelength;
471 	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
472 	stripinplane=(strip%stripsperplane);
473 	if( pplane ) *pplane=(uint16)(strip/stripsperplane);
474 	rows=td->td_imagelength-stripinplane*rowsperstrip;
475 	if (rows>rowsperstrip)
476 		rows=rowsperstrip;
477 	stripsize=TIFFVStripSize(tif,rows);
478 	if (stripsize==0)
479 		return((tmsize_t)(-1));
480     return stripsize;
481 }
482 
483 /*
484  * Read a strip of data and decompress the specified
485  * amount into the user-supplied buffer.
486  */
487 tmsize_t
TIFFReadEncodedStrip(TIFF * tif,uint32 strip,void * buf,tmsize_t size)488 TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
489 {
490   static const char module[] = "TIFFReadEncodedStrip";
491   TIFFDirectory *td = &tif->tif_dir;
492   tmsize_t stripsize;
493   uint16 plane;
494 
495   stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
496   if (stripsize==((tmsize_t)(-1)))
497       return((tmsize_t)(-1));
498 
499     /* shortcut to avoid an extra memcpy() */
500     if( td->td_compression == COMPRESSION_NONE &&
501         size!=(tmsize_t)(-1) && size >= stripsize &&
502         !isMapped(tif) &&
503         ((tif->tif_flags&TIFF_NOREADRAW)==0) )
504     {
505         if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
506             return ((tmsize_t)(-1));
507 
508         if (!isFillOrder(tif, td->td_fillorder) &&
509             (tif->tif_flags & TIFF_NOBITREV) == 0)
510             TIFFReverseBits(buf,stripsize);
511 
512         (*tif->tif_postdecode)(tif,buf,stripsize);
513         return (stripsize);
514     }
515 
516 	if ((size!=(tmsize_t)(-1))&&(size<stripsize))
517 		stripsize=size;
518 	if (!TIFFFillStrip(tif,strip))
519 		return((tmsize_t)(-1));
520 	if ((*tif->tif_decodestrip)(tif,buf,stripsize,plane)<=0)
521 		return((tmsize_t)(-1));
522 	(*tif->tif_postdecode)(tif,buf,stripsize);
523 	return(stripsize);
524 }
525 
526 /* Variant of TIFFReadEncodedStrip() that does
527  * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has
528  *   suceeded. This avoid excessive memory allocation in case of truncated
529  *   file.
530  * * calls regular TIFFReadEncodedStrip() if *buf != NULL
531  */
532 tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF * tif,uint32 strip,void ** buf,tmsize_t bufsizetoalloc,tmsize_t size_to_read)533 _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
534                                     void **buf, tmsize_t bufsizetoalloc,
535                                     tmsize_t size_to_read)
536 {
537     tmsize_t this_stripsize;
538     uint16 plane;
539 
540     if( *buf != NULL )
541     {
542         return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
543     }
544 
545     this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
546     if (this_stripsize==((tmsize_t)(-1)))
547             return((tmsize_t)(-1));
548 
549     if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize))
550             this_stripsize=size_to_read;
551     if (!TIFFFillStrip(tif,strip))
552             return((tmsize_t)(-1));
553 
554     *buf = _TIFFmalloc(bufsizetoalloc);
555     if (*buf == NULL) {
556             TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
557             return((tmsize_t)(-1));
558     }
559     _TIFFmemset(*buf, 0, bufsizetoalloc);
560 
561     if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0)
562             return((tmsize_t)(-1));
563     (*tif->tif_postdecode)(tif,*buf,this_stripsize);
564     return(this_stripsize);
565 
566 
567 }
568 
569 
570 static tmsize_t
TIFFReadRawStrip1(TIFF * tif,uint32 strip,void * buf,tmsize_t size,const char * module)571 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
572     const char* module)
573 {
574 	TIFFDirectory *td = &tif->tif_dir;
575 
576     if (!_TIFFFillStriles( tif ))
577         return ((tmsize_t)(-1));
578 
579 	assert((tif->tif_flags&TIFF_NOREADRAW)==0);
580 	if (!isMapped(tif)) {
581 		tmsize_t cc;
582 
583 		if (!SeekOK(tif, td->td_stripoffset[strip])) {
584 			TIFFErrorExt(tif->tif_clientdata, module,
585 			    "Seek error at scanline %lu, strip %lu",
586 			    (unsigned long) tif->tif_row, (unsigned long) strip);
587 			return ((tmsize_t)(-1));
588 		}
589 		cc = TIFFReadFile(tif, buf, size);
590 		if (cc != size) {
591 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
592 			TIFFErrorExt(tif->tif_clientdata, module,
593 		"Read error at scanline %lu; got %I64u bytes, expected %I64u",
594 				     (unsigned long) tif->tif_row,
595 				     (unsigned __int64) cc,
596 				     (unsigned __int64) size);
597 #else
598 			TIFFErrorExt(tif->tif_clientdata, module,
599 		"Read error at scanline %lu; got %llu bytes, expected %llu",
600 				     (unsigned long) tif->tif_row,
601 				     (unsigned long long) cc,
602 				     (unsigned long long) size);
603 #endif
604 			return ((tmsize_t)(-1));
605 		}
606 	} else {
607 		tmsize_t ma = 0;
608 		tmsize_t n;
609 		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
610                     ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
611                 {
612                     n=0;
613                 }
614                 else if( ma > TIFF_TMSIZE_T_MAX - size )
615                 {
616                     n=0;
617                 }
618                 else
619                 {
620                     tmsize_t mb=ma+size;
621                     if (mb>tif->tif_size)
622                             n=tif->tif_size-ma;
623                     else
624                             n=size;
625                 }
626 		if (n!=size) {
627 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
628 			TIFFErrorExt(tif->tif_clientdata, module,
629 	"Read error at scanline %lu, strip %lu; got %I64u bytes, expected %I64u",
630 				     (unsigned long) tif->tif_row,
631 				     (unsigned long) strip,
632 				     (unsigned __int64) n,
633 				     (unsigned __int64) size);
634 #else
635 			TIFFErrorExt(tif->tif_clientdata, module,
636 	"Read error at scanline %lu, strip %lu; got %llu bytes, expected %llu",
637 				     (unsigned long) tif->tif_row,
638 				     (unsigned long) strip,
639 				     (unsigned long long) n,
640 				     (unsigned long long) size);
641 #endif
642 			return ((tmsize_t)(-1));
643 		}
644 		_TIFFmemcpy(buf, tif->tif_base + ma,
645 			    size);
646 	}
647 	return (size);
648 }
649 
650 static tmsize_t
TIFFReadRawStripOrTile2(TIFF * tif,uint32 strip_or_tile,int is_strip,tmsize_t size,const char * module)651 TIFFReadRawStripOrTile2(TIFF* tif, uint32 strip_or_tile, int is_strip,
652                         tmsize_t size, const char* module)
653 {
654         TIFFDirectory *td = &tif->tif_dir;
655 
656         assert( !isMapped(tif) );
657         assert((tif->tif_flags&TIFF_NOREADRAW)==0);
658 
659         if (!SeekOK(tif, td->td_stripoffset[strip_or_tile])) {
660             if( is_strip )
661             {
662                 TIFFErrorExt(tif->tif_clientdata, module,
663                     "Seek error at scanline %lu, strip %lu",
664                     (unsigned long) tif->tif_row,
665                     (unsigned long) strip_or_tile);
666             }
667             else
668             {
669                 TIFFErrorExt(tif->tif_clientdata, module,
670                     "Seek error at row %lu, col %lu, tile %lu",
671                     (unsigned long) tif->tif_row,
672                     (unsigned long) tif->tif_col,
673                     (unsigned long) strip_or_tile);
674             }
675             return ((tmsize_t)(-1));
676         }
677 
678         if( !TIFFReadAndRealloc( tif, size, 0, is_strip,
679                                  strip_or_tile, module ) )
680         {
681             return ((tmsize_t)(-1));
682         }
683 
684         return (size);
685 }
686 
687 /*
688  * Read a strip of data from the file.
689  */
690 tmsize_t
TIFFReadRawStrip(TIFF * tif,uint32 strip,void * buf,tmsize_t size)691 TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
692 {
693 	static const char module[] = "TIFFReadRawStrip";
694 	TIFFDirectory *td = &tif->tif_dir;
695 	uint64 bytecount;
696 	tmsize_t bytecountm;
697 
698 	if (!TIFFCheckRead(tif, 0))
699 		return ((tmsize_t)(-1));
700 	if (strip >= td->td_nstrips) {
701 		TIFFErrorExt(tif->tif_clientdata, module,
702 		     "%lu: Strip out of range, max %lu",
703 		     (unsigned long) strip,
704 		     (unsigned long) td->td_nstrips);
705 		return ((tmsize_t)(-1));
706 	}
707 	if (tif->tif_flags&TIFF_NOREADRAW)
708 	{
709 		TIFFErrorExt(tif->tif_clientdata, module,
710 		    "Compression scheme does not support access to raw uncompressed data");
711 		return ((tmsize_t)(-1));
712 	}
713 	bytecount = td->td_stripbytecount[strip];
714 	if ((int64)bytecount <= 0) {
715 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
716 		TIFFErrorExt(tif->tif_clientdata, module,
717 			     "%I64u: Invalid strip byte count, strip %lu",
718 			     (unsigned __int64) bytecount,
719 			     (unsigned long) strip);
720 #else
721 		TIFFErrorExt(tif->tif_clientdata, module,
722 			     "%llu: Invalid strip byte count, strip %lu",
723 			     (unsigned long long) bytecount,
724 			     (unsigned long) strip);
725 #endif
726 		return ((tmsize_t)(-1));
727 	}
728 	bytecountm = (tmsize_t)bytecount;
729 	if ((uint64)bytecountm!=bytecount) {
730 		TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
731 		return ((tmsize_t)(-1));
732 	}
733 	if (size != (tmsize_t)(-1) && size < bytecountm)
734 		bytecountm = size;
735 	return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module));
736 }
737 
738 /*
739  * Read the specified strip and setup for decoding. The data buffer is
740  * expanded, as necessary, to hold the strip's data.
741  */
742 int
TIFFFillStrip(TIFF * tif,uint32 strip)743 TIFFFillStrip(TIFF* tif, uint32 strip)
744 {
745 	static const char module[] = "TIFFFillStrip";
746 	TIFFDirectory *td = &tif->tif_dir;
747 
748         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
749             return 0;
750 
751 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
752 	{
753 		uint64 bytecount = td->td_stripbytecount[strip];
754 		if ((int64)bytecount <= 0) {
755 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
756 			TIFFErrorExt(tif->tif_clientdata, module,
757 				"Invalid strip byte count %I64u, strip %lu",
758 				     (unsigned __int64) bytecount,
759 				     (unsigned long) strip);
760 #else
761 			TIFFErrorExt(tif->tif_clientdata, module,
762 				"Invalid strip byte count %llu, strip %lu",
763 				     (unsigned long long) bytecount,
764 				     (unsigned long) strip);
765 #endif
766 			return (0);
767 		}
768 
769 		/* To avoid excessive memory allocations: */
770 		/* Byte count should normally not be larger than a number of */
771 		/* times the uncompressed size plus some margin */
772                 if( bytecount > 1024 * 1024 )
773                 {
774 			/* 10 and 4096 are just values that could be adjusted. */
775 			/* Hopefully they are safe enough for all codecs */
776 			tmsize_t stripsize = TIFFStripSize(tif);
777 			if( stripsize != 0 &&
778 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
779 			{
780 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
781 				if( (int64)newbytecount >= 0 )
782 				{
783 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
784 					TIFFWarningExt(tif->tif_clientdata, module,
785 					  "Too large strip byte count %I64u, strip %lu. Limiting to %I64u",
786 					     (unsigned __int64) bytecount,
787 					     (unsigned long) strip,
788 					     (unsigned __int64) newbytecount);
789 #else
790 					TIFFErrorExt(tif->tif_clientdata, module,
791 					  "Too large strip byte count %llu, strip %lu. Limiting to %llu",
792 					     (unsigned long long) bytecount,
793 					     (unsigned long) strip,
794 					     (unsigned long long) newbytecount);
795 #endif
796 					bytecount = newbytecount;
797 				}
798 			}
799 		}
800 
801 		if (isMapped(tif) &&
802 		    (isFillOrder(tif, td->td_fillorder)
803 		    || (tif->tif_flags & TIFF_NOBITREV))) {
804 			/*
805 			 * The image is mapped into memory and we either don't
806 			 * need to flip bits or the compression routine is
807 			 * going to handle this operation itself.  In this
808 			 * case, avoid copying the raw data and instead just
809 			 * reference the data from the memory mapped file
810 			 * image.  This assumes that the decompression
811 			 * routines do not modify the contents of the raw data
812 			 * buffer (if they try to, the application will get a
813 			 * fault since the file is mapped read-only).
814 			 */
815 			if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
816 				_TIFFfree(tif->tif_rawdata);
817 				tif->tif_rawdata = NULL;
818 				tif->tif_rawdatasize = 0;
819 			}
820 			tif->tif_flags &= ~TIFF_MYBUFFER;
821 			/*
822 			 * We must check for overflow, potentially causing
823 			 * an OOB read. Instead of simple
824 			 *
825 			 *  td->td_stripoffset[strip]+bytecount > tif->tif_size
826 			 *
827 			 * comparison (which can overflow) we do the following
828 			 * two comparisons:
829 			 */
830 			if (bytecount > (uint64)tif->tif_size ||
831 			    td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
832 				/*
833 				 * This error message might seem strange, but
834 				 * it's what would happen if a read were done
835 				 * instead.
836 				 */
837 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
838 				TIFFErrorExt(tif->tif_clientdata, module,
839 
840 					"Read error on strip %lu; "
841 					"got %I64u bytes, expected %I64u",
842 					(unsigned long) strip,
843 					(unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
844 					(unsigned __int64) bytecount);
845 #else
846 				TIFFErrorExt(tif->tif_clientdata, module,
847 
848 					"Read error on strip %lu; "
849 					"got %llu bytes, expected %llu",
850 					(unsigned long) strip,
851 					(unsigned long long) tif->tif_size - td->td_stripoffset[strip],
852 					(unsigned long long) bytecount);
853 #endif
854 				tif->tif_curstrip = NOSTRIP;
855 				return (0);
856 			}
857 			tif->tif_rawdatasize = (tmsize_t)bytecount;
858 			tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip];
859                         tif->tif_rawdataoff = 0;
860                         tif->tif_rawdataloaded = (tmsize_t) bytecount;
861 
862 			/*
863 			 * When we have tif_rawdata reference directly into the memory mapped file
864 			 * we need to be pretty careful about how we use the rawdata.  It is not
865 			 * a general purpose working buffer as it normally otherwise is.  So we
866 			 * keep track of this fact to avoid using it improperly.
867 			 */
868 			tif->tif_flags |= TIFF_BUFFERMMAP;
869 		} else {
870 			/*
871 			 * Expand raw data buffer, if needed, to hold data
872 			 * strip coming from file (perhaps should set upper
873 			 * bound on the size of a buffer we'll use?).
874 			 */
875 			tmsize_t bytecountm;
876 			bytecountm=(tmsize_t)bytecount;
877 			if ((uint64)bytecountm!=bytecount)
878 			{
879 				TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
880 				return(0);
881 			}
882 			if (bytecountm > tif->tif_rawdatasize) {
883 				tif->tif_curstrip = NOSTRIP;
884 				if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
885 					TIFFErrorExt(tif->tif_clientdata, module,
886 					    "Data buffer too small to hold strip %lu",
887 					    (unsigned long) strip);
888 					return (0);
889 				}
890 			}
891 			if (tif->tif_flags&TIFF_BUFFERMMAP) {
892 				tif->tif_curstrip = NOSTRIP;
893 				tif->tif_rawdata = NULL;
894 				tif->tif_rawdatasize = 0;
895 				tif->tif_flags &= ~TIFF_BUFFERMMAP;
896 			}
897 
898 			if( isMapped(tif) )
899 			{
900 				if (bytecountm > tif->tif_rawdatasize &&
901 				    !TIFFReadBufferSetup(tif, 0, bytecountm))
902 				{
903 					return (0);
904 				}
905 				if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata,
906 				    bytecountm, module) != bytecountm)
907 				{
908 					return (0);
909 				}
910 			}
911 			else
912 			{
913 				if (TIFFReadRawStripOrTile2(tif, strip, 1,
914 				    bytecountm, module) != bytecountm)
915 				{
916 					return (0);
917 				}
918 			}
919 
920 
921                         tif->tif_rawdataoff = 0;
922                         tif->tif_rawdataloaded = bytecountm;
923 
924 			if (!isFillOrder(tif, td->td_fillorder) &&
925 			    (tif->tif_flags & TIFF_NOBITREV) == 0)
926 				TIFFReverseBits(tif->tif_rawdata, bytecountm);
927                 }
928 	}
929 	return (TIFFStartStrip(tif, strip));
930 }
931 
932 /*
933  * Tile-oriented Read Support
934  * Contributed by Nancy Cam (Silicon Graphics).
935  */
936 
937 /*
938  * Read and decompress a tile of data.  The
939  * tile is selected by the (x,y,z,s) coordinates.
940  */
941 tmsize_t
TIFFReadTile(TIFF * tif,void * buf,uint32 x,uint32 y,uint32 z,uint16 s)942 TIFFReadTile(TIFF* tif, void* buf, uint32 x, uint32 y, uint32 z, uint16 s)
943 {
944 	if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
945 		return ((tmsize_t)(-1));
946 	return (TIFFReadEncodedTile(tif,
947 	    TIFFComputeTile(tif, x, y, z, s), buf, (tmsize_t)(-1)));
948 }
949 
950 /*
951  * Read a tile of data and decompress the specified
952  * amount into the user-supplied buffer.
953  */
954 tmsize_t
TIFFReadEncodedTile(TIFF * tif,uint32 tile,void * buf,tmsize_t size)955 TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
956 {
957 	static const char module[] = "TIFFReadEncodedTile";
958 	TIFFDirectory *td = &tif->tif_dir;
959 	tmsize_t tilesize = tif->tif_tilesize;
960 
961 	if (!TIFFCheckRead(tif, 1))
962 		return ((tmsize_t)(-1));
963 	if (tile >= td->td_nstrips) {
964 		TIFFErrorExt(tif->tif_clientdata, module,
965 		    "%lu: Tile out of range, max %lu",
966 		    (unsigned long) tile, (unsigned long) td->td_nstrips);
967 		return ((tmsize_t)(-1));
968 	}
969 
970     /* shortcut to avoid an extra memcpy() */
971     if( td->td_compression == COMPRESSION_NONE &&
972         size!=(tmsize_t)(-1) && size >= tilesize &&
973         !isMapped(tif) &&
974         ((tif->tif_flags&TIFF_NOREADRAW)==0) )
975     {
976         if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
977             return ((tmsize_t)(-1));
978 
979         if (!isFillOrder(tif, td->td_fillorder) &&
980             (tif->tif_flags & TIFF_NOBITREV) == 0)
981             TIFFReverseBits(buf,tilesize);
982 
983         (*tif->tif_postdecode)(tif,buf,tilesize);
984         return (tilesize);
985     }
986 
987 	if (size == (tmsize_t)(-1))
988 		size = tilesize;
989 	else if (size > tilesize)
990 		size = tilesize;
991 	if (TIFFFillTile(tif, tile) && (*tif->tif_decodetile)(tif,
992 	    (uint8*) buf, size, (uint16)(tile/td->td_stripsperimage))) {
993 		(*tif->tif_postdecode)(tif, (uint8*) buf, size);
994 		return (size);
995 	} else
996 		return ((tmsize_t)(-1));
997 }
998 
999 /* Variant of TIFFReadTile() that does
1000  * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
1001  *   suceeded. This avoid excessive memory allocation in case of truncated
1002  *   file.
1003  * * calls regular TIFFReadEncodedTile() if *buf != NULL
1004  */
1005 tmsize_t
_TIFFReadTileAndAllocBuffer(TIFF * tif,void ** buf,tmsize_t bufsizetoalloc,uint32 x,uint32 y,uint32 z,uint16 s)1006 _TIFFReadTileAndAllocBuffer(TIFF* tif,
1007                             void **buf, tmsize_t bufsizetoalloc,
1008                             uint32 x, uint32 y, uint32 z, uint16 s)
1009 {
1010     if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
1011             return ((tmsize_t)(-1));
1012     return (_TIFFReadEncodedTileAndAllocBuffer(tif,
1013                                                TIFFComputeTile(tif, x, y, z, s),
1014                                                buf, bufsizetoalloc,
1015                                                (tmsize_t)(-1)));
1016 }
1017 
1018 /* Variant of TIFFReadEncodedTile() that does
1019  * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
1020  *   suceeded. This avoid excessive memory allocation in case of truncated
1021  *   file.
1022  * * calls regular TIFFReadEncodedTile() if *buf != NULL
1023  */
1024 tmsize_t
_TIFFReadEncodedTileAndAllocBuffer(TIFF * tif,uint32 tile,void ** buf,tmsize_t bufsizetoalloc,tmsize_t size_to_read)1025 _TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
1026                                     void **buf, tmsize_t bufsizetoalloc,
1027                                     tmsize_t size_to_read)
1028 {
1029     static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
1030     TIFFDirectory *td = &tif->tif_dir;
1031     tmsize_t tilesize = tif->tif_tilesize;
1032 
1033     if( *buf != NULL )
1034     {
1035         return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
1036     }
1037 
1038     if (!TIFFCheckRead(tif, 1))
1039             return ((tmsize_t)(-1));
1040     if (tile >= td->td_nstrips) {
1041             TIFFErrorExt(tif->tif_clientdata, module,
1042                 "%lu: Tile out of range, max %lu",
1043                 (unsigned long) tile, (unsigned long) td->td_nstrips);
1044             return ((tmsize_t)(-1));
1045     }
1046 
1047     if (!TIFFFillTile(tif,tile))
1048             return((tmsize_t)(-1));
1049 
1050     *buf = _TIFFmalloc(bufsizetoalloc);
1051     if (*buf == NULL) {
1052             TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
1053                          "No space for tile buffer");
1054             return((tmsize_t)(-1));
1055     }
1056     _TIFFmemset(*buf, 0, bufsizetoalloc);
1057 
1058     if (size_to_read == (tmsize_t)(-1))
1059         size_to_read = tilesize;
1060     else if (size_to_read > tilesize)
1061         size_to_read = tilesize;
1062     if( (*tif->tif_decodetile)(tif,
1063         (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) {
1064         (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read);
1065         return (size_to_read);
1066     } else
1067         return ((tmsize_t)(-1));
1068 }
1069 
1070 
1071 static tmsize_t
TIFFReadRawTile1(TIFF * tif,uint32 tile,void * buf,tmsize_t size,const char * module)1072 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
1073 {
1074 	TIFFDirectory *td = &tif->tif_dir;
1075 
1076     if (!_TIFFFillStriles( tif ))
1077         return ((tmsize_t)(-1));
1078 
1079 	assert((tif->tif_flags&TIFF_NOREADRAW)==0);
1080 	if (!isMapped(tif)) {
1081 		tmsize_t cc;
1082 
1083 		if (!SeekOK(tif, td->td_stripoffset[tile])) {
1084 			TIFFErrorExt(tif->tif_clientdata, module,
1085 			    "Seek error at row %lu, col %lu, tile %lu",
1086 			    (unsigned long) tif->tif_row,
1087 			    (unsigned long) tif->tif_col,
1088 			    (unsigned long) tile);
1089 			return ((tmsize_t)(-1));
1090 		}
1091 		cc = TIFFReadFile(tif, buf, size);
1092 		if (cc != size) {
1093 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1094 			TIFFErrorExt(tif->tif_clientdata, module,
1095 	"Read error at row %lu, col %lu; got %I64u bytes, expected %I64u",
1096 				     (unsigned long) tif->tif_row,
1097 				     (unsigned long) tif->tif_col,
1098 				     (unsigned __int64) cc,
1099 				     (unsigned __int64) size);
1100 #else
1101 			TIFFErrorExt(tif->tif_clientdata, module,
1102 	"Read error at row %lu, col %lu; got %llu bytes, expected %llu",
1103 				     (unsigned long) tif->tif_row,
1104 				     (unsigned long) tif->tif_col,
1105 				     (unsigned long long) cc,
1106 				     (unsigned long long) size);
1107 #endif
1108 			return ((tmsize_t)(-1));
1109 		}
1110 	} else {
1111 		tmsize_t ma,mb;
1112 		tmsize_t n;
1113 		ma=(tmsize_t)td->td_stripoffset[tile];
1114 		mb=ma+size;
1115 		if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
1116 			n=0;
1117 		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
1118 			n=tif->tif_size-ma;
1119 		else
1120 			n=size;
1121 		if (n!=size) {
1122 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1123 			TIFFErrorExt(tif->tif_clientdata, module,
1124 "Read error at row %lu, col %lu, tile %lu; got %I64u bytes, expected %I64u",
1125 				     (unsigned long) tif->tif_row,
1126 				     (unsigned long) tif->tif_col,
1127 				     (unsigned long) tile,
1128 				     (unsigned __int64) n,
1129 				     (unsigned __int64) size);
1130 #else
1131 			TIFFErrorExt(tif->tif_clientdata, module,
1132 "Read error at row %lu, col %lu, tile %lu; got %llu bytes, expected %llu",
1133 				     (unsigned long) tif->tif_row,
1134 				     (unsigned long) tif->tif_col,
1135 				     (unsigned long) tile,
1136 				     (unsigned long long) n,
1137 				     (unsigned long long) size);
1138 #endif
1139 			return ((tmsize_t)(-1));
1140 		}
1141 		_TIFFmemcpy(buf, tif->tif_base + ma, size);
1142 	}
1143 	return (size);
1144 }
1145 
1146 /*
1147  * Read a tile of data from the file.
1148  */
1149 tmsize_t
TIFFReadRawTile(TIFF * tif,uint32 tile,void * buf,tmsize_t size)1150 TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
1151 {
1152 	static const char module[] = "TIFFReadRawTile";
1153 	TIFFDirectory *td = &tif->tif_dir;
1154 	uint64 bytecount64;
1155 	tmsize_t bytecountm;
1156 
1157 	if (!TIFFCheckRead(tif, 1))
1158 		return ((tmsize_t)(-1));
1159 	if (tile >= td->td_nstrips) {
1160 		TIFFErrorExt(tif->tif_clientdata, module,
1161 		    "%lu: Tile out of range, max %lu",
1162 		    (unsigned long) tile, (unsigned long) td->td_nstrips);
1163 		return ((tmsize_t)(-1));
1164 	}
1165 	if (tif->tif_flags&TIFF_NOREADRAW)
1166 	{
1167 		TIFFErrorExt(tif->tif_clientdata, module,
1168 		"Compression scheme does not support access to raw uncompressed data");
1169 		return ((tmsize_t)(-1));
1170 	}
1171 	bytecount64 = td->td_stripbytecount[tile];
1172 	if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
1173 		bytecount64 = (uint64)size;
1174 	bytecountm = (tmsize_t)bytecount64;
1175 	if ((uint64)bytecountm!=bytecount64)
1176 	{
1177 		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
1178 		return ((tmsize_t)(-1));
1179 	}
1180 	return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
1181 }
1182 
1183 /*
1184  * Read the specified tile and setup for decoding. The data buffer is
1185  * expanded, as necessary, to hold the tile's data.
1186  */
1187 int
TIFFFillTile(TIFF * tif,uint32 tile)1188 TIFFFillTile(TIFF* tif, uint32 tile)
1189 {
1190 	static const char module[] = "TIFFFillTile";
1191 	TIFFDirectory *td = &tif->tif_dir;
1192 
1193         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1194             return 0;
1195 
1196 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
1197 	{
1198 		uint64 bytecount = td->td_stripbytecount[tile];
1199 		if ((int64)bytecount <= 0) {
1200 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1201 			TIFFErrorExt(tif->tif_clientdata, module,
1202 				"%I64u: Invalid tile byte count, tile %lu",
1203 				     (unsigned __int64) bytecount,
1204 				     (unsigned long) tile);
1205 #else
1206 			TIFFErrorExt(tif->tif_clientdata, module,
1207 				"%llu: Invalid tile byte count, tile %lu",
1208 				     (unsigned long long) bytecount,
1209 				     (unsigned long) tile);
1210 #endif
1211 			return (0);
1212 		}
1213 		if (isMapped(tif) &&
1214 		    (isFillOrder(tif, td->td_fillorder)
1215 		     || (tif->tif_flags & TIFF_NOBITREV))) {
1216 			/*
1217 			 * The image is mapped into memory and we either don't
1218 			 * need to flip bits or the compression routine is
1219 			 * going to handle this operation itself.  In this
1220 			 * case, avoid copying the raw data and instead just
1221 			 * reference the data from the memory mapped file
1222 			 * image.  This assumes that the decompression
1223 			 * routines do not modify the contents of the raw data
1224 			 * buffer (if they try to, the application will get a
1225 			 * fault since the file is mapped read-only).
1226 			 */
1227 			if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
1228 				_TIFFfree(tif->tif_rawdata);
1229 				tif->tif_rawdata = NULL;
1230 				tif->tif_rawdatasize = 0;
1231 			}
1232 			tif->tif_flags &= ~TIFF_MYBUFFER;
1233 			/*
1234 			 * We must check for overflow, potentially causing
1235 			 * an OOB read. Instead of simple
1236 			 *
1237 			 *  td->td_stripoffset[tile]+bytecount > tif->tif_size
1238 			 *
1239 			 * comparison (which can overflow) we do the following
1240 			 * two comparisons:
1241 			 */
1242 			if (bytecount > (uint64)tif->tif_size ||
1243 			    td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
1244 				tif->tif_curtile = NOTILE;
1245 				return (0);
1246 			}
1247 			tif->tif_rawdatasize = (tmsize_t)bytecount;
1248 			tif->tif_rawdata =
1249 				tif->tif_base + (tmsize_t)td->td_stripoffset[tile];
1250                         tif->tif_rawdataoff = 0;
1251                         tif->tif_rawdataloaded = (tmsize_t) bytecount;
1252 			tif->tif_flags |= TIFF_BUFFERMMAP;
1253 		} else {
1254 			/*
1255 			 * Expand raw data buffer, if needed, to hold data
1256 			 * tile coming from file (perhaps should set upper
1257 			 * bound on the size of a buffer we'll use?).
1258 			 */
1259 			tmsize_t bytecountm;
1260 			bytecountm=(tmsize_t)bytecount;
1261 			if ((uint64)bytecountm!=bytecount)
1262 			{
1263 				TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
1264 				return(0);
1265 			}
1266 			if (bytecountm > tif->tif_rawdatasize) {
1267 				tif->tif_curtile = NOTILE;
1268 				if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
1269 					TIFFErrorExt(tif->tif_clientdata, module,
1270 					    "Data buffer too small to hold tile %lu",
1271 					    (unsigned long) tile);
1272 					return (0);
1273 				}
1274 			}
1275 			if (tif->tif_flags&TIFF_BUFFERMMAP) {
1276 				tif->tif_curtile = NOTILE;
1277 				tif->tif_rawdata = NULL;
1278 				tif->tif_rawdatasize = 0;
1279 				tif->tif_flags &= ~TIFF_BUFFERMMAP;
1280 			}
1281 
1282 			if( isMapped(tif) )
1283 			{
1284 				if (bytecountm > tif->tif_rawdatasize &&
1285 				    !TIFFReadBufferSetup(tif, 0, bytecountm))
1286 				{
1287 					return (0);
1288 				}
1289 				if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata,
1290 				    bytecountm, module) != bytecountm)
1291 				{
1292 					return (0);
1293 				}
1294 			}
1295 			else
1296 			{
1297 				if (TIFFReadRawStripOrTile2(tif, tile, 0,
1298 				    bytecountm, module) != bytecountm)
1299 				{
1300 					return (0);
1301 				}
1302 			}
1303 
1304 
1305                         tif->tif_rawdataoff = 0;
1306                         tif->tif_rawdataloaded = bytecountm;
1307 
1308 			if (!isFillOrder(tif, td->td_fillorder) &&
1309 			    (tif->tif_flags & TIFF_NOBITREV) == 0)
1310 				TIFFReverseBits(tif->tif_rawdata,
1311                                                 tif->tif_rawdataloaded);
1312 		}
1313 	}
1314 	return (TIFFStartTile(tif, tile));
1315 }
1316 
1317 /*
1318  * Setup the raw data buffer in preparation for
1319  * reading a strip of raw data.  If the buffer
1320  * is specified as zero, then a buffer of appropriate
1321  * size is allocated by the library.  Otherwise,
1322  * the client must guarantee that the buffer is
1323  * large enough to hold any individual strip of
1324  * raw data.
1325  */
1326 int
TIFFReadBufferSetup(TIFF * tif,void * bp,tmsize_t size)1327 TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
1328 {
1329 	static const char module[] = "TIFFReadBufferSetup";
1330 
1331 	assert((tif->tif_flags&TIFF_NOREADRAW)==0);
1332 	tif->tif_flags &= ~TIFF_BUFFERMMAP;
1333 
1334 	if (tif->tif_rawdata) {
1335 		if (tif->tif_flags & TIFF_MYBUFFER)
1336 			_TIFFfree(tif->tif_rawdata);
1337 		tif->tif_rawdata = NULL;
1338 		tif->tif_rawdatasize = 0;
1339 	}
1340 	if (bp) {
1341 		tif->tif_rawdatasize = size;
1342 		tif->tif_rawdata = (uint8*) bp;
1343 		tif->tif_flags &= ~TIFF_MYBUFFER;
1344 	} else {
1345 		tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64)size, 1024);
1346 		if (tif->tif_rawdatasize==0) {
1347 		    TIFFErrorExt(tif->tif_clientdata, module,
1348 				 "Invalid buffer size");
1349 		    return (0);
1350 		}
1351 		/* Initialize to zero to avoid uninitialized buffers in case of */
1352                 /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
1353 		tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
1354 		tif->tif_flags |= TIFF_MYBUFFER;
1355 	}
1356 	if (tif->tif_rawdata == NULL) {
1357 		TIFFErrorExt(tif->tif_clientdata, module,
1358 		    "No space for data buffer at scanline %lu",
1359 		    (unsigned long) tif->tif_row);
1360 		tif->tif_rawdatasize = 0;
1361 		return (0);
1362 	}
1363 	return (1);
1364 }
1365 
1366 /*
1367  * Set state to appear as if a
1368  * strip has just been read in.
1369  */
1370 static int
TIFFStartStrip(TIFF * tif,uint32 strip)1371 TIFFStartStrip(TIFF* tif, uint32 strip)
1372 {
1373 	TIFFDirectory *td = &tif->tif_dir;
1374 
1375         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1376             return 0;
1377 
1378 	if ((tif->tif_flags & TIFF_CODERSETUP) == 0) {
1379 		if (!(*tif->tif_setupdecode)(tif))
1380 			return (0);
1381 		tif->tif_flags |= TIFF_CODERSETUP;
1382 	}
1383 	tif->tif_curstrip = strip;
1384 	tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip;
1385         tif->tif_flags &= ~TIFF_BUF4WRITE;
1386 
1387 	if (tif->tif_flags&TIFF_NOREADRAW)
1388 	{
1389 		tif->tif_rawcp = NULL;
1390 		tif->tif_rawcc = 0;
1391 	}
1392 	else
1393 	{
1394 		tif->tif_rawcp = tif->tif_rawdata;
1395 		if( tif->tif_rawdataloaded > 0 )
1396 			tif->tif_rawcc = tif->tif_rawdataloaded;
1397 		else
1398 			tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip];
1399 	}
1400 	return ((*tif->tif_predecode)(tif,
1401 			(uint16)(strip / td->td_stripsperimage)));
1402 }
1403 
1404 /*
1405  * Set state to appear as if a
1406  * tile has just been read in.
1407  */
1408 static int
TIFFStartTile(TIFF * tif,uint32 tile)1409 TIFFStartTile(TIFF* tif, uint32 tile)
1410 {
1411         static const char module[] = "TIFFStartTile";
1412 	TIFFDirectory *td = &tif->tif_dir;
1413         uint32 howmany32;
1414 
1415         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1416                 return 0;
1417 
1418 	if ((tif->tif_flags & TIFF_CODERSETUP) == 0) {
1419 		if (!(*tif->tif_setupdecode)(tif))
1420 			return (0);
1421 		tif->tif_flags |= TIFF_CODERSETUP;
1422 	}
1423 	tif->tif_curtile = tile;
1424         howmany32=TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth);
1425         if (howmany32 == 0) {
1426                  TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles");
1427                 return 0;
1428         }
1429 	tif->tif_row = (tile % howmany32) * td->td_tilelength;
1430         howmany32=TIFFhowmany_32(td->td_imagelength, td->td_tilelength);
1431         if (howmany32 == 0) {
1432                 TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles");
1433                 return 0;
1434         }
1435 	tif->tif_col = (tile % howmany32) * td->td_tilewidth;
1436         tif->tif_flags &= ~TIFF_BUF4WRITE;
1437 	if (tif->tif_flags&TIFF_NOREADRAW)
1438 	{
1439 		tif->tif_rawcp = NULL;
1440 		tif->tif_rawcc = 0;
1441 	}
1442 	else
1443 	{
1444 		tif->tif_rawcp = tif->tif_rawdata;
1445 		tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
1446 	}
1447 	return ((*tif->tif_predecode)(tif,
1448 			(uint16)(tile/td->td_stripsperimage)));
1449 }
1450 
1451 static int
TIFFCheckRead(TIFF * tif,int tiles)1452 TIFFCheckRead(TIFF* tif, int tiles)
1453 {
1454 	if (tif->tif_mode == O_WRONLY) {
1455 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "File not open for reading");
1456 		return (0);
1457 	}
1458 	if (tiles ^ isTiled(tif)) {
1459 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, tiles ?
1460 		    "Can not read tiles from a stripped image" :
1461 		    "Can not read scanlines from a tiled image");
1462 		return (0);
1463 	}
1464 	return (1);
1465 }
1466 
1467 void
_TIFFNoPostDecode(TIFF * tif,uint8 * buf,tmsize_t cc)1468 _TIFFNoPostDecode(TIFF* tif, uint8* buf, tmsize_t cc)
1469 {
1470     (void) tif; (void) buf; (void) cc;
1471 }
1472 
1473 void
_TIFFSwab16BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1474 _TIFFSwab16BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1475 {
1476     (void) tif;
1477     assert((cc & 1) == 0);
1478     TIFFSwabArrayOfShort((uint16*) buf, cc/2);
1479 }
1480 
1481 void
_TIFFSwab24BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1482 _TIFFSwab24BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1483 {
1484     (void) tif;
1485     assert((cc % 3) == 0);
1486     TIFFSwabArrayOfTriples((uint8*) buf, cc/3);
1487 }
1488 
1489 void
_TIFFSwab32BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1490 _TIFFSwab32BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1491 {
1492     (void) tif;
1493     assert((cc & 3) == 0);
1494     TIFFSwabArrayOfLong((uint32*) buf, cc/4);
1495 }
1496 
1497 void
_TIFFSwab64BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1498 _TIFFSwab64BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1499 {
1500     (void) tif;
1501     assert((cc & 7) == 0);
1502     TIFFSwabArrayOfDouble((double*) buf, cc/8);
1503 }
1504 
1505 /* vim: set ts=8 sts=8 sw=8 noet: */
1506 /*
1507  * Local Variables:
1508  * mode: c
1509  * c-basic-offset: 8
1510  * fill-column: 78
1511  * End:
1512  */
1513