1 /* $Id: tif_read.c,v 1.45 2015-06-07 22:35:40 bfriesen Exp $ */
2 
3 /*
4  * Copyright (c) 1988-1997 Sam Leffler
5  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
6  *
7  * Permission to use, copy, modify, distribute, and sell this software and
8  * its documentation for any purpose is hereby granted without fee, provided
9  * that (i) the above copyright notices and this permission notice appear in
10  * all copies of the software and related documentation, and (ii) the names of
11  * Sam Leffler and Silicon Graphics may not be used in any advertising or
12  * publicity relating to the software without the specific, prior written
13  * permission of Sam Leffler and Silicon Graphics.
14  *
15  * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
17  * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
18  *
19  * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
20  * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
21  * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
22  * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
23  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
24  * OF THIS SOFTWARE.
25  */
26 
27 /*
28  * TIFF Library.
29  * Scanline-oriented Read Support
30  */
31 #include "tiffiop.h"
32 #include <stdio.h>
33 
34 int TIFFFillStrip(TIFF* tif, uint32 strip);
35 int TIFFFillTile(TIFF* tif, uint32 tile);
36 static int TIFFStartStrip(TIFF* tif, uint32 strip);
37 static int TIFFStartTile(TIFF* tif, uint32 tile);
38 static int TIFFCheckRead(TIFF*, int);
39 static tmsize_t
40 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module);
41 
42 #define NOSTRIP ((uint32)(-1))       /* undefined state */
43 #define NOTILE ((uint32)(-1))         /* undefined state */
44 
45 static int
TIFFFillStripPartial(TIFF * tif,int strip,tmsize_t read_ahead,int restart)46 TIFFFillStripPartial( TIFF *tif, int strip, tmsize_t read_ahead, int restart )
47 {
48 	static const char module[] = "TIFFFillStripPartial";
49 	register TIFFDirectory *td = &tif->tif_dir;
50         tmsize_t unused_data;
51         uint64 read_offset;
52         tmsize_t cc, to_read;
53         /* tmsize_t bytecountm; */
54 
55         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
56             return 0;
57 
58         /*
59          * Expand raw data buffer, if needed, to hold data
60          * strip coming from file (perhaps should set upper
61          * bound on the size of a buffer we'll use?).
62          */
63 
64         /* bytecountm=(tmsize_t) td->td_stripbytecount[strip]; */
65         if (read_ahead*2 > tif->tif_rawdatasize) {
66                 assert( restart );
67 
68                 tif->tif_curstrip = NOSTRIP;
69                 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
70                         TIFFErrorExt(tif->tif_clientdata, module,
71                                      "Data buffer too small to hold part of strip %lu",
72                                      (unsigned long) strip);
73                         return (0);
74                 }
75                 if (!TIFFReadBufferSetup(tif, 0, read_ahead*2))
76                         return (0);
77         }
78 
79         if( restart )
80         {
81                 tif->tif_rawdataloaded = 0;
82                 tif->tif_rawdataoff = 0;
83         }
84 
85         /*
86         ** If we are reading more data, move any unused data to the
87         ** start of the buffer.
88         */
89         if( tif->tif_rawdataloaded > 0 )
90                 unused_data = tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata);
91         else
92                 unused_data = 0;
93 
94         if( unused_data > 0 )
95         {
96 		assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
97                 memmove( tif->tif_rawdata, tif->tif_rawcp, unused_data );
98         }
99 
100         /*
101         ** Seek to the point in the file where more data should be read.
102         */
103         read_offset = td->td_stripoffset[strip]
104                 + tif->tif_rawdataoff + tif->tif_rawdataloaded;
105 
106         if (!SeekOK(tif, read_offset)) {
107                 TIFFErrorExt(tif->tif_clientdata, module,
108                              "Seek error at scanline %lu, strip %lu",
109                              (unsigned long) tif->tif_row, (unsigned long) strip);
110                 return 0;
111         }
112 
113         /*
114         ** How much do we want to read?
115         */
116         to_read = tif->tif_rawdatasize - unused_data;
117         if( (uint64) to_read > td->td_stripbytecount[strip]
118             - tif->tif_rawdataoff - tif->tif_rawdataloaded )
119         {
120                 to_read = (tmsize_t) td->td_stripbytecount[strip]
121                         - tif->tif_rawdataoff - tif->tif_rawdataloaded;
122         }
123 
124 	assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
125         cc = TIFFReadFile(tif, tif->tif_rawdata + unused_data, to_read);
126 
127         if (cc != to_read) {
128 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
129                 TIFFErrorExt(tif->tif_clientdata, module,
130                              "Read error at scanline %lu; got %I64u bytes, expected %I64u",
131                              (unsigned long) tif->tif_row,
132                              (unsigned __int64) cc,
133                              (unsigned __int64) to_read);
134 #else
135                 TIFFErrorExt(tif->tif_clientdata, module,
136                              "Read error at scanline %lu; got %llu bytes, expected %llu",
137                              (unsigned long) tif->tif_row,
138                              (unsigned long long) cc,
139                              (unsigned long long) to_read);
140 #endif
141                 return 0;
142         }
143 
144         tif->tif_rawdataoff = tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data ;
145         tif->tif_rawdataloaded = unused_data + to_read;
146 
147         tif->tif_rawcp = tif->tif_rawdata;
148 
149         if (!isFillOrder(tif, td->td_fillorder) &&
150             (tif->tif_flags & TIFF_NOBITREV) == 0) {
151 		assert((tif->tif_flags&TIFF_BUFFERMMAP)==0);
152                 TIFFReverseBits(tif->tif_rawdata + unused_data, to_read );
153 	}
154 
155         /*
156         ** When starting a strip from the beginning we need to
157         ** restart the decoder.
158         */
159         if( restart )
160                 return TIFFStartStrip(tif, strip);
161         else
162                 return 1;
163 }
164 
165 /*
166  * Seek to a random row+sample in a file.
167  *
168  * Only used by TIFFReadScanline, and is only used on
169  * strip organized files.  We do some tricky stuff to try
170  * and avoid reading the whole compressed raw data for big
171  * strips.
172  */
173 static int
TIFFSeek(TIFF * tif,uint32 row,uint16 sample)174 TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
175 {
176 	register TIFFDirectory *td = &tif->tif_dir;
177 	uint32 strip;
178         int    whole_strip;
179 	tmsize_t read_ahead = 0;
180 
181         /*
182         ** Establish what strip we are working from.
183         */
184 	if (row >= td->td_imagelength) {	/* out of range */
185 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
186 		    "%lu: Row out of range, max %lu",
187 		    (unsigned long) row,
188 		    (unsigned long) td->td_imagelength);
189 		return (0);
190 	}
191 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE) {
192 		if (sample >= td->td_samplesperpixel) {
193 			TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
194 			    "%lu: Sample out of range, max %lu",
195 			    (unsigned long) sample, (unsigned long) td->td_samplesperpixel);
196 			return (0);
197 		}
198 		strip = (uint32)sample*td->td_stripsperimage + row/td->td_rowsperstrip;
199 	} else
200 		strip = row / td->td_rowsperstrip;
201 
202         /*
203          * Do we want to treat this strip as one whole chunk or
204          * read it a few lines at a time?
205          */
206 #if defined(CHUNKY_STRIP_READ_SUPPORT)
207         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
208             return 0;
209         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
210                 || isMapped(tif);
211 #else
212         whole_strip = 1;
213 #endif
214 
215         if( !whole_strip )
216         {
217                 read_ahead = tif->tif_scanlinesize * 16 + 5000;
218         }
219 
220         /*
221          * If we haven't loaded this strip, do so now, possibly
222          * only reading the first part.
223          */
224 	if (strip != tif->tif_curstrip) {	/* different strip, refill */
225 
226                 if( whole_strip )
227                 {
228                         if (!TIFFFillStrip(tif, strip))
229                                 return (0);
230                 }
231                 else
232                 {
233                         if( !TIFFFillStripPartial(tif,strip,read_ahead,1) )
234                                 return 0;
235                 }
236 	}
237 
238         /*
239         ** If we already have some data loaded, do we need to read some more?
240         */
241         else if( !whole_strip )
242         {
243                 if( ((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) < read_ahead
244                     && (uint64) tif->tif_rawdataoff+tif->tif_rawdataloaded < td->td_stripbytecount[strip] )
245                 {
246                         if( !TIFFFillStripPartial(tif,strip,read_ahead,0) )
247                                 return 0;
248                 }
249         }
250 
251         if (row < tif->tif_row) {
252 		/*
253 		 * Moving backwards within the same strip: backup
254 		 * to the start and then decode forward (below).
255 		 *
256 		 * NB: If you're planning on lots of random access within a
257 		 * strip, it's better to just read and decode the entire
258 		 * strip, and then access the decoded data in a random fashion.
259 		 */
260 
261                 if( tif->tif_rawdataoff != 0 )
262                 {
263                         if( !TIFFFillStripPartial(tif,strip,read_ahead,1) )
264                                 return 0;
265                 }
266                 else
267                 {
268                         if (!TIFFStartStrip(tif, strip))
269                                 return (0);
270                 }
271 	}
272 
273 	if (row != tif->tif_row) {
274 		/*
275 		 * Seek forward to the desired row.
276 		 */
277 
278                 /* TODO: Will this really work with partial buffers? */
279 
280 		if (!(*tif->tif_seek)(tif, row - tif->tif_row))
281 			return (0);
282 		tif->tif_row = row;
283 	}
284 
285 	return (1);
286 }
287 
288 int
TIFFReadScanline(TIFF * tif,void * buf,uint32 row,uint16 sample)289 TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)
290 {
291 	int e;
292 
293 	if (!TIFFCheckRead(tif, 0))
294 		return (-1);
295 	if( (e = TIFFSeek(tif, row, sample)) != 0) {
296 		/*
297 		 * Decompress desired row into user buffer.
298 		 */
299 		e = (*tif->tif_decoderow)
300 		    (tif, (uint8*) buf, tif->tif_scanlinesize, sample);
301 
302 		/* we are now poised at the beginning of the next row */
303 		tif->tif_row = row + 1;
304 
305 		if (e)
306 			(*tif->tif_postdecode)(tif, (uint8*) buf,
307 			    tif->tif_scanlinesize);
308 	}
309 	return (e > 0 ? 1 : -1);
310 }
311 
312 /*
313  * Read a strip of data and decompress the specified
314  * amount into the user-supplied buffer.
315  */
316 tmsize_t
TIFFReadEncodedStrip(TIFF * tif,uint32 strip,void * buf,tmsize_t size)317 TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
318 {
319 	static const char module[] = "TIFFReadEncodedStrip";
320 	TIFFDirectory *td = &tif->tif_dir;
321 	uint32 rowsperstrip;
322 	uint32 stripsperplane;
323 	uint32 stripinplane;
324 	uint16 plane;
325 	uint32 rows;
326 	tmsize_t stripsize;
327 	if (!TIFFCheckRead(tif,0))
328 		return((tmsize_t)(-1));
329 	if (strip>=td->td_nstrips)
330 	{
331 		TIFFErrorExt(tif->tif_clientdata,module,
332 		    "%lu: Strip out of range, max %lu",(unsigned long)strip,
333 		    (unsigned long)td->td_nstrips);
334 		return((tmsize_t)(-1));
335 	}
336 	/*
337 	 * Calculate the strip size according to the number of
338 	 * rows in the strip (check for truncated last strip on any
339 	 * of the separations).
340 	 */
341 	rowsperstrip=td->td_rowsperstrip;
342 	if (rowsperstrip>td->td_imagelength)
343 		rowsperstrip=td->td_imagelength;
344 	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
345 	stripinplane=(strip%stripsperplane);
346 	plane=(strip/stripsperplane);
347 	rows=td->td_imagelength-stripinplane*rowsperstrip;
348 	if (rows>rowsperstrip)
349 		rows=rowsperstrip;
350 	stripsize=TIFFVStripSize(tif,rows);
351 	if (stripsize==0)
352 		return((tmsize_t)(-1));
353 	if ((size!=(tmsize_t)(-1))&&(size<stripsize))
354 		stripsize=size;
355 	if (!TIFFFillStrip(tif,strip))
356 		return((tmsize_t)(-1));
357 	if ((*tif->tif_decodestrip)(tif,buf,stripsize,plane)<=0)
358 		return((tmsize_t)(-1));
359 	(*tif->tif_postdecode)(tif,buf,stripsize);
360 	return(stripsize);
361 }
362 
363 static tmsize_t
TIFFReadRawStrip1(TIFF * tif,uint32 strip,void * buf,tmsize_t size,const char * module)364 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
365     const char* module)
366 {
367 	TIFFDirectory *td = &tif->tif_dir;
368 
369     if (!_TIFFFillStriles( tif ))
370         return ((tmsize_t)(-1));
371 
372 	assert((tif->tif_flags&TIFF_NOREADRAW)==0);
373 	if (!isMapped(tif)) {
374 		tmsize_t cc;
375 
376 		if (!SeekOK(tif, td->td_stripoffset[strip])) {
377 			TIFFErrorExt(tif->tif_clientdata, module,
378 			    "Seek error at scanline %lu, strip %lu",
379 			    (unsigned long) tif->tif_row, (unsigned long) strip);
380 			return ((tmsize_t)(-1));
381 		}
382 		cc = TIFFReadFile(tif, buf, size);
383 		if (cc != size) {
384 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
385 			TIFFErrorExt(tif->tif_clientdata, module,
386 		"Read error at scanline %lu; got %I64u bytes, expected %I64u",
387 				     (unsigned long) tif->tif_row,
388 				     (unsigned __int64) cc,
389 				     (unsigned __int64) size);
390 #else
391 			TIFFErrorExt(tif->tif_clientdata, module,
392 		"Read error at scanline %lu; got %llu bytes, expected %llu",
393 				     (unsigned long) tif->tif_row,
394 				     (unsigned long long) cc,
395 				     (unsigned long long) size);
396 #endif
397 			return ((tmsize_t)(-1));
398 		}
399 	} else {
400 		tmsize_t ma,mb;
401 		tmsize_t n;
402 		ma=(tmsize_t)td->td_stripoffset[strip];
403 		mb=ma+size;
404 		if (((uint64)ma!=td->td_stripoffset[strip])||(ma>tif->tif_size))
405 			n=0;
406 		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
407 			n=tif->tif_size-ma;
408 		else
409 			n=size;
410 		if (n!=size) {
411 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
412 			TIFFErrorExt(tif->tif_clientdata, module,
413 	"Read error at scanline %lu, strip %lu; got %I64u bytes, expected %I64u",
414 				     (unsigned long) tif->tif_row,
415 				     (unsigned long) strip,
416 				     (unsigned __int64) n,
417 				     (unsigned __int64) size);
418 #else
419 			TIFFErrorExt(tif->tif_clientdata, module,
420 	"Read error at scanline %lu, strip %lu; got %llu bytes, expected %llu",
421 				     (unsigned long) tif->tif_row,
422 				     (unsigned long) strip,
423 				     (unsigned long long) n,
424 				     (unsigned long long) size);
425 #endif
426 			return ((tmsize_t)(-1));
427 		}
428 		_TIFFmemcpy(buf, tif->tif_base + ma,
429 			    size);
430 	}
431 	return (size);
432 }
433 
434 /*
435  * Read a strip of data from the file.
436  */
437 tmsize_t
TIFFReadRawStrip(TIFF * tif,uint32 strip,void * buf,tmsize_t size)438 TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
439 {
440 	static const char module[] = "TIFFReadRawStrip";
441 	TIFFDirectory *td = &tif->tif_dir;
442 	uint64 bytecount;
443 	tmsize_t bytecountm;
444 
445 	if (!TIFFCheckRead(tif, 0))
446 		return ((tmsize_t)(-1));
447 	if (strip >= td->td_nstrips) {
448 		TIFFErrorExt(tif->tif_clientdata, module,
449 		     "%lu: Strip out of range, max %lu",
450 		     (unsigned long) strip,
451 		     (unsigned long) td->td_nstrips);
452 		return ((tmsize_t)(-1));
453 	}
454 	if (tif->tif_flags&TIFF_NOREADRAW)
455 	{
456 		TIFFErrorExt(tif->tif_clientdata, module,
457 		    "Compression scheme does not support access to raw uncompressed data");
458 		return ((tmsize_t)(-1));
459 	}
460 	bytecount = td->td_stripbytecount[strip];
461 	if ((int64)bytecount <= 0) {
462 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
463 		TIFFErrorExt(tif->tif_clientdata, module,
464 			     "%I64u: Invalid strip byte count, strip %lu",
465 			     (unsigned __int64) bytecount,
466 			     (unsigned long) strip);
467 #else
468 		TIFFErrorExt(tif->tif_clientdata, module,
469 			     "%llu: Invalid strip byte count, strip %lu",
470 			     (unsigned long long) bytecount,
471 			     (unsigned long) strip);
472 #endif
473 		return ((tmsize_t)(-1));
474 	}
475 	bytecountm = (tmsize_t)bytecount;
476 	if ((uint64)bytecountm!=bytecount) {
477 		TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
478 		return ((tmsize_t)(-1));
479 	}
480 	if (size != (tmsize_t)(-1) && size < bytecountm)
481 		bytecountm = size;
482 	return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module));
483 }
484 
485 /*
486  * Read the specified strip and setup for decoding. The data buffer is
487  * expanded, as necessary, to hold the strip's data.
488  */
489 int
TIFFFillStrip(TIFF * tif,uint32 strip)490 TIFFFillStrip(TIFF* tif, uint32 strip)
491 {
492 	static const char module[] = "TIFFFillStrip";
493 	TIFFDirectory *td = &tif->tif_dir;
494 
495     if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
496         return 0;
497 
498 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
499 	{
500 		uint64 bytecount = td->td_stripbytecount[strip];
501 		if ((int64)bytecount <= 0) {
502 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
503 			TIFFErrorExt(tif->tif_clientdata, module,
504 				"Invalid strip byte count %I64u, strip %lu",
505 				     (unsigned __int64) bytecount,
506 				     (unsigned long) strip);
507 #else
508 			TIFFErrorExt(tif->tif_clientdata, module,
509 				"Invalid strip byte count %llu, strip %lu",
510 				     (unsigned long long) bytecount,
511 				     (unsigned long) strip);
512 #endif
513 			return (0);
514 		}
515 		if (isMapped(tif) &&
516 		    (isFillOrder(tif, td->td_fillorder)
517 		    || (tif->tif_flags & TIFF_NOBITREV))) {
518 			/*
519 			 * The image is mapped into memory and we either don't
520 			 * need to flip bits or the compression routine is
521 			 * going to handle this operation itself.  In this
522 			 * case, avoid copying the raw data and instead just
523 			 * reference the data from the memory mapped file
524 			 * image.  This assumes that the decompression
525 			 * routines do not modify the contents of the raw data
526 			 * buffer (if they try to, the application will get a
527 			 * fault since the file is mapped read-only).
528 			 */
529 			if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
530 				_TIFFfree(tif->tif_rawdata);
531 				tif->tif_rawdata = NULL;
532 				tif->tif_rawdatasize = 0;
533 			}
534 			tif->tif_flags &= ~TIFF_MYBUFFER;
535 			/*
536 			 * We must check for overflow, potentially causing
537 			 * an OOB read. Instead of simple
538 			 *
539 			 *  td->td_stripoffset[strip]+bytecount > tif->tif_size
540 			 *
541 			 * comparison (which can overflow) we do the following
542 			 * two comparisons:
543 			 */
544 			if (bytecount > (uint64)tif->tif_size ||
545 			    td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
546 				/*
547 				 * This error message might seem strange, but
548 				 * it's what would happen if a read were done
549 				 * instead.
550 				 */
551 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
552 				TIFFErrorExt(tif->tif_clientdata, module,
553 
554 					"Read error on strip %lu; "
555 					"got %I64u bytes, expected %I64u",
556 					(unsigned long) strip,
557 					(unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
558 					(unsigned __int64) bytecount);
559 #else
560 				TIFFErrorExt(tif->tif_clientdata, module,
561 
562 					"Read error on strip %lu; "
563 					"got %llu bytes, expected %llu",
564 					(unsigned long) strip,
565 					(unsigned long long) tif->tif_size - td->td_stripoffset[strip],
566 					(unsigned long long) bytecount);
567 #endif
568 				tif->tif_curstrip = NOSTRIP;
569 				return (0);
570 			}
571 			tif->tif_rawdatasize = (tmsize_t)bytecount;
572 			tif->tif_rawdata = tif->tif_base + (tmsize_t)td->td_stripoffset[strip];
573                         tif->tif_rawdataoff = 0;
574                         tif->tif_rawdataloaded = (tmsize_t) bytecount;
575 
576 			/*
577 			 * When we have tif_rawdata reference directly into the memory mapped file
578 			 * we need to be pretty careful about how we use the rawdata.  It is not
579 			 * a general purpose working buffer as it normally otherwise is.  So we
580 			 * keep track of this fact to avoid using it improperly.
581 			 */
582 			tif->tif_flags |= TIFF_BUFFERMMAP;
583 		} else {
584 			/*
585 			 * Expand raw data buffer, if needed, to hold data
586 			 * strip coming from file (perhaps should set upper
587 			 * bound on the size of a buffer we'll use?).
588 			 */
589 			tmsize_t bytecountm;
590 			bytecountm=(tmsize_t)bytecount;
591 			if ((uint64)bytecountm!=bytecount)
592 			{
593 				TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
594 				return(0);
595 			}
596 			if (bytecountm > tif->tif_rawdatasize) {
597 				tif->tif_curstrip = NOSTRIP;
598 				if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
599 					TIFFErrorExt(tif->tif_clientdata, module,
600 					    "Data buffer too small to hold strip %lu",
601 					    (unsigned long) strip);
602 					return (0);
603 				}
604 				if (!TIFFReadBufferSetup(tif, 0, bytecountm))
605 					return (0);
606 			}
607 			if (tif->tif_flags&TIFF_BUFFERMMAP) {
608 				tif->tif_curstrip = NOSTRIP;
609 				if (!TIFFReadBufferSetup(tif, 0, bytecountm))
610 					return (0);
611 			}
612 			if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata,
613 				bytecountm, module) != bytecountm)
614 				return (0);
615 
616                         tif->tif_rawdataoff = 0;
617                         tif->tif_rawdataloaded = bytecountm;
618 
619 			if (!isFillOrder(tif, td->td_fillorder) &&
620 			    (tif->tif_flags & TIFF_NOBITREV) == 0)
621 				TIFFReverseBits(tif->tif_rawdata, bytecountm);
622                 }
623 	}
624 	return (TIFFStartStrip(tif, strip));
625 }
626 
627 /*
628  * Tile-oriented Read Support
629  * Contributed by Nancy Cam (Silicon Graphics).
630  */
631 
632 /*
633  * Read and decompress a tile of data.  The
634  * tile is selected by the (x,y,z,s) coordinates.
635  */
636 tmsize_t
TIFFReadTile(TIFF * tif,void * buf,uint32 x,uint32 y,uint32 z,uint16 s)637 TIFFReadTile(TIFF* tif, void* buf, uint32 x, uint32 y, uint32 z, uint16 s)
638 {
639 	if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
640 		return ((tmsize_t)(-1));
641 	return (TIFFReadEncodedTile(tif,
642 	    TIFFComputeTile(tif, x, y, z, s), buf, (tmsize_t)(-1)));
643 }
644 
645 /*
646  * Read a tile of data and decompress the specified
647  * amount into the user-supplied buffer.
648  */
649 tmsize_t
TIFFReadEncodedTile(TIFF * tif,uint32 tile,void * buf,tmsize_t size)650 TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
651 {
652 	static const char module[] = "TIFFReadEncodedTile";
653 	TIFFDirectory *td = &tif->tif_dir;
654 	tmsize_t tilesize = tif->tif_tilesize;
655 
656 	if (!TIFFCheckRead(tif, 1))
657 		return ((tmsize_t)(-1));
658 	if (tile >= td->td_nstrips) {
659 		TIFFErrorExt(tif->tif_clientdata, module,
660 		    "%lu: Tile out of range, max %lu",
661 		    (unsigned long) tile, (unsigned long) td->td_nstrips);
662 		return ((tmsize_t)(-1));
663 	}
664 	if (size == (tmsize_t)(-1))
665 		size = tilesize;
666 	else if (size > tilesize)
667 		size = tilesize;
668 	if (TIFFFillTile(tif, tile) && (*tif->tif_decodetile)(tif,
669 	    (uint8*) buf, size, (uint16)(tile/td->td_stripsperimage))) {
670 		(*tif->tif_postdecode)(tif, (uint8*) buf, size);
671 		return (size);
672 	} else
673 		return ((tmsize_t)(-1));
674 }
675 
676 static tmsize_t
TIFFReadRawTile1(TIFF * tif,uint32 tile,void * buf,tmsize_t size,const char * module)677 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
678 {
679 	TIFFDirectory *td = &tif->tif_dir;
680 
681     if (!_TIFFFillStriles( tif ))
682         return ((tmsize_t)(-1));
683 
684 	assert((tif->tif_flags&TIFF_NOREADRAW)==0);
685 	if (!isMapped(tif)) {
686 		tmsize_t cc;
687 
688 		if (!SeekOK(tif, td->td_stripoffset[tile])) {
689 			TIFFErrorExt(tif->tif_clientdata, module,
690 			    "Seek error at row %lu, col %lu, tile %lu",
691 			    (unsigned long) tif->tif_row,
692 			    (unsigned long) tif->tif_col,
693 			    (unsigned long) tile);
694 			return ((tmsize_t)(-1));
695 		}
696 		cc = TIFFReadFile(tif, buf, size);
697 		if (cc != size) {
698 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
699 			TIFFErrorExt(tif->tif_clientdata, module,
700 	"Read error at row %lu, col %lu; got %I64u bytes, expected %I64u",
701 				     (unsigned long) tif->tif_row,
702 				     (unsigned long) tif->tif_col,
703 				     (unsigned __int64) cc,
704 				     (unsigned __int64) size);
705 #else
706 			TIFFErrorExt(tif->tif_clientdata, module,
707 	"Read error at row %lu, col %lu; got %llu bytes, expected %llu",
708 				     (unsigned long) tif->tif_row,
709 				     (unsigned long) tif->tif_col,
710 				     (unsigned long long) cc,
711 				     (unsigned long long) size);
712 #endif
713 			return ((tmsize_t)(-1));
714 		}
715 	} else {
716 		tmsize_t ma,mb;
717 		tmsize_t n;
718 		ma=(tmsize_t)td->td_stripoffset[tile];
719 		mb=ma+size;
720 		if (((uint64)ma!=td->td_stripoffset[tile])||(ma>tif->tif_size))
721 			n=0;
722 		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
723 			n=tif->tif_size-ma;
724 		else
725 			n=size;
726 		if (n!=size) {
727 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
728 			TIFFErrorExt(tif->tif_clientdata, module,
729 "Read error at row %lu, col %lu, tile %lu; got %I64u bytes, expected %I64u",
730 				     (unsigned long) tif->tif_row,
731 				     (unsigned long) tif->tif_col,
732 				     (unsigned long) tile,
733 				     (unsigned __int64) n,
734 				     (unsigned __int64) size);
735 #else
736 			TIFFErrorExt(tif->tif_clientdata, module,
737 "Read error at row %lu, col %lu, tile %lu; got %llu bytes, expected %llu",
738 				     (unsigned long) tif->tif_row,
739 				     (unsigned long) tif->tif_col,
740 				     (unsigned long) tile,
741 				     (unsigned long long) n,
742 				     (unsigned long long) size);
743 #endif
744 			return ((tmsize_t)(-1));
745 		}
746 		_TIFFmemcpy(buf, tif->tif_base + ma, size);
747 	}
748 	return (size);
749 }
750 
751 /*
752  * Read a tile of data from the file.
753  */
754 tmsize_t
TIFFReadRawTile(TIFF * tif,uint32 tile,void * buf,tmsize_t size)755 TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
756 {
757 	static const char module[] = "TIFFReadRawTile";
758 	TIFFDirectory *td = &tif->tif_dir;
759 	uint64 bytecount64;
760 	tmsize_t bytecountm;
761 
762 	if (!TIFFCheckRead(tif, 1))
763 		return ((tmsize_t)(-1));
764 	if (tile >= td->td_nstrips) {
765 		TIFFErrorExt(tif->tif_clientdata, module,
766 		    "%lu: Tile out of range, max %lu",
767 		    (unsigned long) tile, (unsigned long) td->td_nstrips);
768 		return ((tmsize_t)(-1));
769 	}
770 	if (tif->tif_flags&TIFF_NOREADRAW)
771 	{
772 		TIFFErrorExt(tif->tif_clientdata, module,
773 		"Compression scheme does not support access to raw uncompressed data");
774 		return ((tmsize_t)(-1));
775 	}
776 	bytecount64 = td->td_stripbytecount[tile];
777 	if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
778 		bytecount64 = (uint64)size;
779 	bytecountm = (tmsize_t)bytecount64;
780 	if ((uint64)bytecountm!=bytecount64)
781 	{
782 		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
783 		return ((tmsize_t)(-1));
784 	}
785 	return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
786 }
787 
788 /*
789  * Read the specified tile and setup for decoding. The data buffer is
790  * expanded, as necessary, to hold the tile's data.
791  */
792 int
TIFFFillTile(TIFF * tif,uint32 tile)793 TIFFFillTile(TIFF* tif, uint32 tile)
794 {
795 	static const char module[] = "TIFFFillTile";
796 	TIFFDirectory *td = &tif->tif_dir;
797 
798     if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
799         return 0;
800 
801 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
802 	{
803 		uint64 bytecount = td->td_stripbytecount[tile];
804 		if ((int64)bytecount <= 0) {
805 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
806 			TIFFErrorExt(tif->tif_clientdata, module,
807 				"%I64u: Invalid tile byte count, tile %lu",
808 				     (unsigned __int64) bytecount,
809 				     (unsigned long) tile);
810 #else
811 			TIFFErrorExt(tif->tif_clientdata, module,
812 				"%llu: Invalid tile byte count, tile %lu",
813 				     (unsigned long long) bytecount,
814 				     (unsigned long) tile);
815 #endif
816 			return (0);
817 		}
818 		if (isMapped(tif) &&
819 		    (isFillOrder(tif, td->td_fillorder)
820 		     || (tif->tif_flags & TIFF_NOBITREV))) {
821 			/*
822 			 * The image is mapped into memory and we either don't
823 			 * need to flip bits or the compression routine is
824 			 * going to handle this operation itself.  In this
825 			 * case, avoid copying the raw data and instead just
826 			 * reference the data from the memory mapped file
827 			 * image.  This assumes that the decompression
828 			 * routines do not modify the contents of the raw data
829 			 * buffer (if they try to, the application will get a
830 			 * fault since the file is mapped read-only).
831 			 */
832 			if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) {
833 				_TIFFfree(tif->tif_rawdata);
834 				tif->tif_rawdata = NULL;
835 				tif->tif_rawdatasize = 0;
836 			}
837 			tif->tif_flags &= ~TIFF_MYBUFFER;
838 			/*
839 			 * We must check for overflow, potentially causing
840 			 * an OOB read. Instead of simple
841 			 *
842 			 *  td->td_stripoffset[tile]+bytecount > tif->tif_size
843 			 *
844 			 * comparison (which can overflow) we do the following
845 			 * two comparisons:
846 			 */
847 			if (bytecount > (uint64)tif->tif_size ||
848 			    td->td_stripoffset[tile] > (uint64)tif->tif_size - bytecount) {
849 				tif->tif_curtile = NOTILE;
850 				return (0);
851 			}
852 			tif->tif_rawdatasize = (tmsize_t)bytecount;
853 			tif->tif_rawdata =
854 				tif->tif_base + (tmsize_t)td->td_stripoffset[tile];
855                         tif->tif_rawdataoff = 0;
856                         tif->tif_rawdataloaded = (tmsize_t) bytecount;
857 			tif->tif_flags |= TIFF_BUFFERMMAP;
858 		} else {
859 			/*
860 			 * Expand raw data buffer, if needed, to hold data
861 			 * tile coming from file (perhaps should set upper
862 			 * bound on the size of a buffer we'll use?).
863 			 */
864 			tmsize_t bytecountm;
865 			bytecountm=(tmsize_t)bytecount;
866 			if ((uint64)bytecountm!=bytecount)
867 			{
868 				TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
869 				return(0);
870 			}
871 			if (bytecountm > tif->tif_rawdatasize) {
872 				tif->tif_curtile = NOTILE;
873 				if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
874 					TIFFErrorExt(tif->tif_clientdata, module,
875 					    "Data buffer too small to hold tile %lu",
876 					    (unsigned long) tile);
877 					return (0);
878 				}
879 				if (!TIFFReadBufferSetup(tif, 0, bytecountm))
880 					return (0);
881 			}
882 			if (tif->tif_flags&TIFF_BUFFERMMAP) {
883 				tif->tif_curtile = NOTILE;
884 				if (!TIFFReadBufferSetup(tif, 0, bytecountm))
885 					return (0);
886 			}
887 
888 			if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata,
889 			    bytecountm, module) != bytecountm)
890 				return (0);
891 
892                         tif->tif_rawdataoff = 0;
893                         tif->tif_rawdataloaded = bytecountm;
894 
895 			if (!isFillOrder(tif, td->td_fillorder) &&
896 			    (tif->tif_flags & TIFF_NOBITREV) == 0)
897 				TIFFReverseBits(tif->tif_rawdata,
898                                                 tif->tif_rawdataloaded);
899 		}
900 	}
901 	return (TIFFStartTile(tif, tile));
902 }
903 
904 /*
905  * Setup the raw data buffer in preparation for
906  * reading a strip of raw data.  If the buffer
907  * is specified as zero, then a buffer of appropriate
908  * size is allocated by the library.  Otherwise,
909  * the client must guarantee that the buffer is
910  * large enough to hold any individual strip of
911  * raw data.
912  */
913 int
TIFFReadBufferSetup(TIFF * tif,void * bp,tmsize_t size)914 TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
915 {
916 	static const char module[] = "TIFFReadBufferSetup";
917 
918 	assert((tif->tif_flags&TIFF_NOREADRAW)==0);
919 	tif->tif_flags &= ~TIFF_BUFFERMMAP;
920 
921 	if (tif->tif_rawdata) {
922 		if (tif->tif_flags & TIFF_MYBUFFER)
923 			_TIFFfree(tif->tif_rawdata);
924 		tif->tif_rawdata = NULL;
925 		tif->tif_rawdatasize = 0;
926 	}
927 	if (bp) {
928 		tif->tif_rawdatasize = size;
929 		tif->tif_rawdata = (uint8*) bp;
930 		tif->tif_flags &= ~TIFF_MYBUFFER;
931 	} else {
932 		tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64)size, 1024);
933 		if (tif->tif_rawdatasize==0) {
934 		    TIFFErrorExt(tif->tif_clientdata, module,
935 				 "Invalid buffer size");
936 		    return (0);
937 		}
938 		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
939 		if (tif->tif_rawdata)
940 			memset(tif->tif_rawdata, 0, tif->tif_rawdatasize);
941 
942 		tif->tif_flags |= TIFF_MYBUFFER;
943 	}
944 	if (tif->tif_rawdata == NULL) {
945 		TIFFErrorExt(tif->tif_clientdata, module,
946 		    "No space for data buffer at scanline %lu",
947 		    (unsigned long) tif->tif_row);
948 		tif->tif_rawdatasize = 0;
949 		return (0);
950 	}
951 	return (1);
952 }
953 
954 /*
955  * Set state to appear as if a
956  * strip has just been read in.
957  */
958 static int
TIFFStartStrip(TIFF * tif,uint32 strip)959 TIFFStartStrip(TIFF* tif, uint32 strip)
960 {
961 	TIFFDirectory *td = &tif->tif_dir;
962 
963     if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
964         return 0;
965 
966 	if ((tif->tif_flags & TIFF_CODERSETUP) == 0) {
967 		if (!(*tif->tif_setupdecode)(tif))
968 			return (0);
969 		tif->tif_flags |= TIFF_CODERSETUP;
970 	}
971 	tif->tif_curstrip = strip;
972 	tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip;
973         tif->tif_flags &= ~TIFF_BUF4WRITE;
974 
975 	if (tif->tif_flags&TIFF_NOREADRAW)
976 	{
977 		tif->tif_rawcp = NULL;
978 		tif->tif_rawcc = 0;
979 	}
980 	else
981 	{
982 		tif->tif_rawcp = tif->tif_rawdata;
983 		tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[strip];
984 	}
985 	return ((*tif->tif_predecode)(tif,
986 			(uint16)(strip / td->td_stripsperimage)));
987 }
988 
989 /*
990  * Set state to appear as if a
991  * tile has just been read in.
992  */
993 static int
TIFFStartTile(TIFF * tif,uint32 tile)994 TIFFStartTile(TIFF* tif, uint32 tile)
995 {
996         static const char module[] = "TIFFStartTile";
997 	TIFFDirectory *td = &tif->tif_dir;
998         uint32 howmany32;
999 
1000         if (!_TIFFFillStriles( tif ) || !tif->tif_dir.td_stripbytecount)
1001                 return 0;
1002 
1003 	if ((tif->tif_flags & TIFF_CODERSETUP) == 0) {
1004 		if (!(*tif->tif_setupdecode)(tif))
1005 			return (0);
1006 		tif->tif_flags |= TIFF_CODERSETUP;
1007 	}
1008 	tif->tif_curtile = tile;
1009         howmany32=TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth);
1010         if (howmany32 == 0) {
1011                  TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles");
1012                 return 0;
1013         }
1014 	tif->tif_row = (tile % howmany32) * td->td_tilelength;
1015         howmany32=TIFFhowmany_32(td->td_imagelength, td->td_tilelength);
1016         if (howmany32 == 0) {
1017                 TIFFErrorExt(tif->tif_clientdata,module,"Zero tiles");
1018                 return 0;
1019         }
1020 	tif->tif_col = (tile % howmany32) * td->td_tilewidth;
1021         tif->tif_flags &= ~TIFF_BUF4WRITE;
1022 	if (tif->tif_flags&TIFF_NOREADRAW)
1023 	{
1024 		tif->tif_rawcp = NULL;
1025 		tif->tif_rawcc = 0;
1026 	}
1027 	else
1028 	{
1029 		tif->tif_rawcp = tif->tif_rawdata;
1030 		tif->tif_rawcc = (tmsize_t)td->td_stripbytecount[tile];
1031 	}
1032 	return ((*tif->tif_predecode)(tif,
1033 			(uint16)(tile/td->td_stripsperimage)));
1034 }
1035 
1036 static int
TIFFCheckRead(TIFF * tif,int tiles)1037 TIFFCheckRead(TIFF* tif, int tiles)
1038 {
1039 	if (tif->tif_mode == O_WRONLY) {
1040 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "File not open for reading");
1041 		return (0);
1042 	}
1043 	if (tiles ^ isTiled(tif)) {
1044 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, tiles ?
1045 		    "Can not read tiles from a stripped image" :
1046 		    "Can not read scanlines from a tiled image");
1047 		return (0);
1048 	}
1049 	return (1);
1050 }
1051 
1052 void
_TIFFNoPostDecode(TIFF * tif,uint8 * buf,tmsize_t cc)1053 _TIFFNoPostDecode(TIFF* tif, uint8* buf, tmsize_t cc)
1054 {
1055     (void) tif; (void) buf; (void) cc;
1056 }
1057 
1058 void
_TIFFSwab16BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1059 _TIFFSwab16BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1060 {
1061     (void) tif;
1062     assert((cc & 1) == 0);
1063     TIFFSwabArrayOfShort((uint16*) buf, cc/2);
1064 }
1065 
1066 void
_TIFFSwab24BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1067 _TIFFSwab24BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1068 {
1069     (void) tif;
1070     assert((cc % 3) == 0);
1071     TIFFSwabArrayOfTriples((uint8*) buf, cc/3);
1072 }
1073 
1074 void
_TIFFSwab32BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1075 _TIFFSwab32BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1076 {
1077     (void) tif;
1078     assert((cc & 3) == 0);
1079     TIFFSwabArrayOfLong((uint32*) buf, cc/4);
1080 }
1081 
1082 void
_TIFFSwab64BitData(TIFF * tif,uint8 * buf,tmsize_t cc)1083 _TIFFSwab64BitData(TIFF* tif, uint8* buf, tmsize_t cc)
1084 {
1085     (void) tif;
1086     assert((cc & 7) == 0);
1087     TIFFSwabArrayOfDouble((double*) buf, cc/8);
1088 }
1089 
1090 /* vim: set ts=8 sts=8 sw=8 noet: */
1091 /*
1092  * Local Variables:
1093  * mode: c
1094  * c-basic-offset: 8
1095  * fill-column: 78
1096  * End:
1097  */
1098