1diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c 2index 53c938a89..03c9a81fb 100644 3--- a/third_party/libtiff/tif_getimage.c 4+++ b/third_party/libtiff/tif_getimage.c 5@@ -627,7 +627,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 6 uint32 col, row, y, rowstoread; 7 tmsize_t pos; 8 uint32 tw, th; 9- unsigned char* buf; 10+ unsigned char* buf = NULL; 11 int32 fromskew, toskew; 12 int64 safeskew; 13 uint32 nrow; 14@@ -636,13 +636,14 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 15 int32 this_toskew, leftmost_toskew; 16 int32 leftmost_fromskew; 17 uint32 leftmost_tw; 18+ tmsize_t bufsize; 19 20- buf = (unsigned char*) _TIFFmalloc(TIFFTileSize(tif)); 21- if (buf == 0) { 22- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); 23- return (0); 24+ bufsize = TIFFTileSize(tif); 25+ if (bufsize == 0) { 26+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); 27+ return (0); 28 } 29- _TIFFmemset(buf, 0, TIFFTileSize(tif)); 30+ 31 TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); 32 TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); 33 34@@ -691,8 +692,9 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 35 col = img->col_offset; 36 while (tocol < w) 37 { 38- if (TIFFReadTile(tif, buf, col, 39- row+img->row_offset, 0, 0)==(tmsize_t)(-1) && img->stoponerr) 40+ if (_TIFFReadTileAndAllocBuffer(tif, (void**) &buf, bufsize, col, 41+ row+img->row_offset, 0, 0)==(tmsize_t)(-1) && 42+ (buf == NULL || img->stoponerr)) 43 { 44 ret = 0; 45 break; 46@@ -772,11 +774,11 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 47 uint32 col, row, y, rowstoread; 48 tmsize_t pos; 49 uint32 tw, th; 50- unsigned char* buf; 51- unsigned char* p0; 52- unsigned char* p1; 53- unsigned char* p2; 54- unsigned char* pa; 55+ unsigned char* buf = NULL; 56+ unsigned char* p0 = NULL; 57+ unsigned char* p1 = NULL; 58+ unsigned char* p2 = NULL; 59+ unsigned char* pa = NULL; 60 tmsize_t tilesize; 61 tmsize_t bufsize; 62 int32 fromskew, toskew; 63@@ -795,16 +797,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 64 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); 65 return (0); 66 } 67- buf = (unsigned char*) _TIFFmalloc(bufsize); 68- if (buf == 0) { 69- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer"); 70- return (0); 71- } 72- _TIFFmemset(buf, 0, bufsize); 73- p0 = buf; 74- p1 = p0 + tilesize; 75- p2 = p1 + tilesize; 76- pa = (alpha?(p2+tilesize):NULL); 77+ 78 TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); 79 TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); 80 81@@ -824,7 +817,6 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 82 case PHOTOMETRIC_MINISBLACK: 83 case PHOTOMETRIC_PALETTE: 84 colorchannels = 1; 85- p2 = p1 = p0; 86 break; 87 88 default: 89@@ -849,7 +841,30 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 90 col = img->col_offset; 91 while (tocol < w) 92 { 93- if (TIFFReadTile(tif, p0, col, 94+ if( buf == NULL ) 95+ { 96+ if (_TIFFReadTileAndAllocBuffer( 97+ tif, (void**) &buf, bufsize, col, 98+ row+img->row_offset,0,0)==(tmsize_t)(-1) 99+ && (buf == NULL || img->stoponerr)) 100+ { 101+ ret = 0; 102+ break; 103+ } 104+ p0 = buf; 105+ if( colorchannels == 1 ) 106+ { 107+ p2 = p1 = p0; 108+ pa = (alpha?(p0+3*tilesize):NULL); 109+ } 110+ else 111+ { 112+ p1 = p0 + tilesize; 113+ p2 = p1 + tilesize; 114+ pa = (alpha?(p2+tilesize):NULL); 115+ } 116+ } 117+ else if (TIFFReadTile(tif, p0, col, 118 row+img->row_offset,0,0)==(tmsize_t)(-1) && img->stoponerr) 119 { 120 ret = 0; 121@@ -940,13 +955,14 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 122 tileContigRoutine put = img->put.contig; 123 uint32 row, y, nrow, nrowsub, rowstoread; 124 tmsize_t pos; 125- unsigned char* buf; 126+ unsigned char* buf = NULL; 127 uint32 rowsperstrip; 128 uint16 subsamplinghor,subsamplingver; 129 uint32 imagewidth = img->width; 130 tmsize_t scanline; 131 int32 fromskew, toskew; 132 int ret = 1, flip; 133+ tmsize_t maxstripsize; 134 135 TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver); 136 if( subsamplingver == 0 ) { 137@@ -954,12 +970,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 138 return (0); 139 } 140 141- buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif)); 142- if (buf == 0) { 143- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); 144- return (0); 145- } 146- _TIFFmemset(buf, 0, TIFFStripSize(tif)); 147+ maxstripsize = TIFFStripSize(tif); 148 149 flip = setorientation(img); 150 if (flip & FLIP_VERTICALLY) { 151@@ -981,11 +992,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 152 nrowsub = nrow; 153 if ((nrowsub%subsamplingver)!=0) 154 nrowsub+=subsamplingver-nrowsub%subsamplingver; 155- if (TIFFReadEncodedStrip(tif, 156+ if (_TIFFReadEncodedStripAndAllocBuffer(tif, 157 TIFFComputeStrip(tif,row+img->row_offset, 0), 158- buf, 159+ (void**)(&buf), 160+ maxstripsize, 161 ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) 162- && img->stoponerr) 163+ && (buf == NULL || img->stoponerr)) 164 { 165 ret = 0; 166 break; 167@@ -1029,8 +1041,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 168 { 169 TIFF* tif = img->tif; 170 tileSeparateRoutine put = img->put.separate; 171- unsigned char *buf; 172- unsigned char *p0, *p1, *p2, *pa; 173+ unsigned char *buf = NULL; 174+ unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL; 175 uint32 row, y, nrow, rowstoread; 176 tmsize_t pos; 177 tmsize_t scanline; 178@@ -1049,15 +1061,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 179 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); 180 return (0); 181 } 182- p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); 183- if (buf == 0) { 184- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); 185- return (0); 186- } 187- _TIFFmemset(buf, 0, bufsize); 188- p1 = p0 + stripsize; 189- p2 = p1 + stripsize; 190- pa = (alpha?(p2+stripsize):NULL); 191 192 flip = setorientation(img); 193 if (flip & FLIP_VERTICALLY) { 194@@ -1075,7 +1078,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 195 case PHOTOMETRIC_MINISBLACK: 196 case PHOTOMETRIC_PALETTE: 197 colorchannels = 1; 198- p2 = p1 = p0; 199 break; 200 201 default: 202@@ -1091,7 +1093,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 203 rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; 204 nrow = (row + rowstoread > h ? h - row : rowstoread); 205 offset_row = row + img->row_offset; 206- if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), 207+ if( buf == NULL ) 208+ { 209+ if (_TIFFReadEncodedStripAndAllocBuffer( 210+ tif, TIFFComputeStrip(tif, offset_row, 0), 211+ (void**) &buf, bufsize, 212+ ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) 213+ && (buf == NULL || img->stoponerr)) 214+ { 215+ ret = 0; 216+ break; 217+ } 218+ p0 = buf; 219+ if( colorchannels == 1 ) 220+ { 221+ p2 = p1 = p0; 222+ pa = (alpha?(p0+3*stripsize):NULL); 223+ } 224+ else 225+ { 226+ p1 = p0 + stripsize; 227+ p2 = p1 + stripsize; 228+ pa = (alpha?(p2+stripsize):NULL); 229+ } 230+ } 231+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), 232 p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) 233 && img->stoponerr) 234 { 235diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c 236index cc4f5d2f6..ad0a778c0 100644 237--- a/third_party/libtiff/tif_read.c 238+++ b/third_party/libtiff/tif_read.c 239@@ -442,18 +442,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample) 240 } 241 242 /* 243- * Read a strip of data and decompress the specified 244- * amount into the user-supplied buffer. 245+ * Calculate the strip size according to the number of 246+ * rows in the strip (check for truncated last strip on any 247+ * of the separations). 248 */ 249-tmsize_t 250-TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 251+static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane) 252 { 253 static const char module[] = "TIFFReadEncodedStrip"; 254 TIFFDirectory *td = &tif->tif_dir; 255 uint32 rowsperstrip; 256 uint32 stripsperplane; 257 uint32 stripinplane; 258- uint16 plane; 259 uint32 rows; 260 tmsize_t stripsize; 261 if (!TIFFCheckRead(tif,0)) 262@@ -465,23 +464,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 263 (unsigned long)td->td_nstrips); 264 return((tmsize_t)(-1)); 265 } 266- /* 267- * Calculate the strip size according to the number of 268- * rows in the strip (check for truncated last strip on any 269- * of the separations). 270- */ 271+ 272 rowsperstrip=td->td_rowsperstrip; 273 if (rowsperstrip>td->td_imagelength) 274 rowsperstrip=td->td_imagelength; 275 stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); 276 stripinplane=(strip%stripsperplane); 277- plane=(uint16)(strip/stripsperplane); 278+ if( pplane ) *pplane=(uint16)(strip/stripsperplane); 279 rows=td->td_imagelength-stripinplane*rowsperstrip; 280 if (rows>rowsperstrip) 281 rows=rowsperstrip; 282 stripsize=TIFFVStripSize(tif,rows); 283 if (stripsize==0) 284 return((tmsize_t)(-1)); 285+ return stripsize; 286+} 287+ 288+/* 289+ * Read a strip of data and decompress the specified 290+ * amount into the user-supplied buffer. 291+ */ 292+tmsize_t 293+TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 294+{ 295+ static const char module[] = "TIFFReadEncodedStrip"; 296+ TIFFDirectory *td = &tif->tif_dir; 297+ tmsize_t stripsize; 298+ uint16 plane; 299+ 300+ stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); 301+ if (stripsize==((tmsize_t)(-1))) 302+ return((tmsize_t)(-1)); 303 304 /* shortcut to avoid an extra memcpy() */ 305 if( td->td_compression == COMPRESSION_NONE && 306@@ -510,6 +523,50 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) 307 return(stripsize); 308 } 309 310+/* Variant of TIFFReadEncodedStrip() that does 311+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has 312+ * suceeded. This avoid excessive memory allocation in case of truncated 313+ * file. 314+ * * calls regular TIFFReadEncodedStrip() if *buf != NULL 315+ */ 316+tmsize_t 317+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, 318+ void **buf, tmsize_t bufsizetoalloc, 319+ tmsize_t size_to_read) 320+{ 321+ tmsize_t this_stripsize; 322+ uint16 plane; 323+ 324+ if( *buf != NULL ) 325+ { 326+ return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read); 327+ } 328+ 329+ this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane); 330+ if (this_stripsize==((tmsize_t)(-1))) 331+ return((tmsize_t)(-1)); 332+ 333+ if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize)) 334+ this_stripsize=size_to_read; 335+ if (!TIFFFillStrip(tif,strip)) 336+ return((tmsize_t)(-1)); 337+ 338+ *buf = _TIFFmalloc(bufsizetoalloc); 339+ if (*buf == NULL) { 340+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer"); 341+ return((tmsize_t)(-1)); 342+ } 343+ _TIFFmemset(*buf, 0, bufsizetoalloc); 344+ 345+ if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0) 346+ return((tmsize_t)(-1)); 347+ (*tif->tif_postdecode)(tif,*buf,this_stripsize); 348+ return(this_stripsize); 349+ 350+ 351+} 352+ 353+ 354 static tmsize_t 355 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, 356 const char* module) 357@@ -939,6 +996,78 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) 358 return ((tmsize_t)(-1)); 359 } 360 361+/* Variant of TIFFReadTile() that does 362+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has 363+ * suceeded. This avoid excessive memory allocation in case of truncated 364+ * file. 365+ * * calls regular TIFFReadEncodedTile() if *buf != NULL 366+ */ 367+tmsize_t 368+_TIFFReadTileAndAllocBuffer(TIFF* tif, 369+ void **buf, tmsize_t bufsizetoalloc, 370+ uint32 x, uint32 y, uint32 z, uint16 s) 371+{ 372+ if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s)) 373+ return ((tmsize_t)(-1)); 374+ return (_TIFFReadEncodedTileAndAllocBuffer(tif, 375+ TIFFComputeTile(tif, x, y, z, s), 376+ buf, bufsizetoalloc, 377+ (tmsize_t)(-1))); 378+} 379+ 380+/* Variant of TIFFReadEncodedTile() that does 381+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has 382+ * suceeded. This avoid excessive memory allocation in case of truncated 383+ * file. 384+ * * calls regular TIFFReadEncodedTile() if *buf != NULL 385+ */ 386+tmsize_t 387+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, 388+ void **buf, tmsize_t bufsizetoalloc, 389+ tmsize_t size_to_read) 390+{ 391+ static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer"; 392+ TIFFDirectory *td = &tif->tif_dir; 393+ tmsize_t tilesize = tif->tif_tilesize; 394+ 395+ if( *buf != NULL ) 396+ { 397+ return TIFFReadEncodedTile(tif, tile, *buf, size_to_read); 398+ } 399+ 400+ if (!TIFFCheckRead(tif, 1)) 401+ return ((tmsize_t)(-1)); 402+ if (tile >= td->td_nstrips) { 403+ TIFFErrorExt(tif->tif_clientdata, module, 404+ "%lu: Tile out of range, max %lu", 405+ (unsigned long) tile, (unsigned long) td->td_nstrips); 406+ return ((tmsize_t)(-1)); 407+ } 408+ 409+ if (!TIFFFillTile(tif,tile)) 410+ return((tmsize_t)(-1)); 411+ 412+ *buf = _TIFFmalloc(bufsizetoalloc); 413+ if (*buf == NULL) { 414+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), 415+ "No space for tile buffer"); 416+ return((tmsize_t)(-1)); 417+ } 418+ _TIFFmemset(*buf, 0, bufsizetoalloc); 419+ 420+ if (size_to_read == (tmsize_t)(-1)) 421+ size_to_read = tilesize; 422+ else if (size_to_read > tilesize) 423+ size_to_read = tilesize; 424+ if( (*tif->tif_decodetile)(tif, 425+ (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) { 426+ (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read); 427+ return (size_to_read); 428+ } else 429+ return ((tmsize_t)(-1)); 430+} 431+ 432+ 433 static tmsize_t 434 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module) 435 { 436diff --git a/third_party/libtiff/tiffiop.h b/third_party/libtiff/tiffiop.h 437index 7e415c750..6fb47de5b 100644 438--- a/third_party/libtiff/tiffiop.h 439+++ b/third_party/libtiff/tiffiop.h 440@@ -364,6 +364,20 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); 441 extern double _TIFFUInt64ToDouble(uint64); 442 extern float _TIFFUInt64ToFloat(uint64); 443 444+extern tmsize_t 445+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, 446+ void **buf, tmsize_t bufsizetoalloc, 447+ tmsize_t size_to_read); 448+extern tmsize_t 449+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile, 450+ void **buf, tmsize_t bufsizetoalloc, 451+ tmsize_t size_to_read); 452+extern tmsize_t 453+_TIFFReadTileAndAllocBuffer(TIFF* tif, 454+ void **buf, tmsize_t bufsizetoalloc, 455+ uint32 x, uint32 y, uint32 z, uint16 s); 456+ 457+ 458 extern int TIFFInitDumpMode(TIFF*, int); 459 #ifdef PACKBITS_SUPPORT 460 extern int TIFFInitPackBits(TIFF*, int); 461