Attachment #93188 for bug #142383

View | Details | Raw Unified | Return to bug 142383
Collapse All | Expand All




{
	static const char module[] = "_TIFFVSetField";
	
	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
	TIFFDirectory* td = &tif->tif_dir;
	int status = 1;
	uint32 v32, i, v;

		break;
	case TIFFTAG_ORIENTATION:
		v = va_arg(ap, uint32);
		const TIFFFieldInfo* fip;
		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
			fip = _TIFFFieldWithTag(tif, tag);
			TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
			    "Bad value %lu for \"%s\" tag ignored",
			    v, fip ? fip->field_name : "Unknown");
		} else
			td->td_orientation = (uint16) v;
		break;

	     * happens, for example, when tiffcp is used to convert between
	     * compression schemes and codec-specific tags are blindly copied.
             */
	    /* 
	     * better not dereference fip if it is NULL.
	     * -- taviso@google.com 15 Jun 2006
	     */
            if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
		TIFFErrorExt(tif->tif_clientdata, module,
		    "%s: Invalid %stag \"%s\" (not supported by codec)",
		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
		    fip ? fip->field_name : "Unknown");
		status = 0;
		break;
            }

	    if (fip->field_type == TIFF_ASCII)
		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
	    else {
                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
		if (!tv->value) {
		    status = 0;
		    goto end;

          }
	}
	if (status) {
		TIFFSetFieldBit(tif, fip->field_bit);
		tif->tif_flags |= TIFF_DIRTYDIRECT;
	}


	return (status);
badvalue:
	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
		  tif->tif_name, v, fip ? fip->field_name : "Unknown");
	va_end(ap);
	return (0);
badvalue32:
	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
		   tif->tif_name, v32, fip ? fip->field_name : "Unknown");
	va_end(ap);
	return (0);
}

             * If the client tries to get a tag that is not valid
             * for the image's codec then we'll arrive here.
             */
	    /*
	     * dont dereference fip if it's NULL.
	     * -- taviso@google.com 15 Jun 2006
	     */
            if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
            {
				TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
                          "%s: Invalid %stag \"%s\" (not supported by codec)",
                          tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
                          fip ? fip->field_name : "Unknown");
                ret_val = 0;
                break;
            }




		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
			  "Internal error, unknown tag 0x%x",
                          (unsigned int) tag);
		/* assert(fip != NULL); */

		/*NOTREACHED*/
	}
	return (fip);

	if (!fip) {
		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
			  "Internal error, unknown tag %s", field_name);
		/* assert(fip != NULL); */
		
		/*NOTREACHED*/
	}
	return (fip);

Lines 29-34 Link Here

(-)tiff-3.8.2/libtiff/tif_dirread.c (-25 / +82 lines)
29	*	29	*
30	* Directory Read Support Routines.	30	* Directory Read Support Routines.
31	*/	31	*/
		32
		33	#include <limits.h>
		34
32	#include "tiffiop.h"	35	#include "tiffiop.h"
33		36
34	#define IGNORE 0 /* tag placeholder used below */	37	#define IGNORE 0 /* tag placeholder used below */
Lines 81-86 Link Here
81	uint16 dircount;	84	uint16 dircount;
82	toff_t nextdiroff;	85	toff_t nextdiroff;
83	int diroutoforderwarning = 0;	86	int diroutoforderwarning = 0;
		87	int compressionknown = 0;
84	toff_t* new_dirlist;	88	toff_t* new_dirlist;
85		89
86	tif->tif_diroff = tif->tif_nextdiroff;	90	tif->tif_diroff = tif->tif_nextdiroff;
Lines 147-159 Link Here
147	} else {	151	} else {
148	toff_t off = tif->tif_diroff;	152	toff_t off = tif->tif_diroff;
149		153
150	if (off + sizeof (uint16) > tif->tif_size) {	154	/*
151	TIFFErrorExt(tif->tif_clientdata, module,	155	* Check for integer overflow when validating the dir_off, otherwise
152	"%s: Can not read TIFF directory count",	156	* a very high offset may cause an OOB read and crash the client.
153	tif->tif_name);	157	* -- taviso@google.com, 14 Jun 2006.
154	return (0);	158	*/
		159	if (off + sizeof (uint16) > tif->tif_size \|\|
		160	off > (UINT_MAX - sizeof(uint16))) {
		161	TIFFErrorExt(tif->tif_clientdata, module,
		162	"%s: Can not read TIFF directory count",
		163	tif->tif_name);
		164	return (0);
155	} else	165	} else
156	_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));	166	_TIFFmemcpy(&dircount, tif->tif_base + off,
		167	sizeof (uint16));
157	off += sizeof (uint16);	168	off += sizeof (uint16);
158	if (tif->tif_flags & TIFF_SWAB)	169	if (tif->tif_flags & TIFF_SWAB)
159	TIFFSwabShort(&dircount);	170	TIFFSwabShort(&dircount);
Lines 254-259 Link Here
254	while (fix < tif->tif_nfields &&	265	while (fix < tif->tif_nfields &&
255	tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)	266	tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
256	fix++;	267	fix++;
		268
257	if (fix >= tif->tif_nfields \|\|	269	if (fix >= tif->tif_nfields \|\|
258	tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {	270	tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
259		271
Lines 264-280 Link Here
264	dp->tdir_tag,	276	dp->tdir_tag,
265	dp->tdir_tag,	277	dp->tdir_tag,
266	dp->tdir_type);	278	dp->tdir_type);
267		279	/*
268	TIFFMergeFieldInfo(tif,	280	* creating anonymous fields prior to knowing the compression
269	_TIFFCreateAnonFieldInfo(tif,	281	* algorithm (ie, when the field info has been merged) could cause
270	dp->tdir_tag,	282	* crashes with pathological directories.
271	(TIFFDataType) dp->tdir_type),	283	* -- taviso@google.com 15 Jun 2006
272	1 );	284	*/
		285	if (compressionknown)
		286	TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
		287	(TIFFDataType) dp->tdir_type), 1 );
		288	else goto ignore;
		289
273	fix = 0;	290	fix = 0;
274	while (fix < tif->tif_nfields &&	291	while (fix < tif->tif_nfields &&
275	tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)	292	tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
276	fix++;	293	fix++;
277	}	294	}
		295
278	/*	296	/*
279	* Null out old tags that we ignore.	297	* Null out old tags that we ignore.
280	*/	298	*/
Lines 326-331 Link Here
326	dp->tdir_type, dp->tdir_offset);	344	dp->tdir_type, dp->tdir_offset);
327	if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))	345	if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
328	goto bad;	346	goto bad;
		347	else compressionknown++;
329	break;	348	break;
330	/* XXX: workaround for broken TIFFs */	349	/* XXX: workaround for broken TIFFs */
331	} else if (dp->tdir_type == TIFF_LONG) {	350	} else if (dp->tdir_type == TIFF_LONG) {
Lines 540-545 Link Here
540	* Attempt to deal with a missing StripByteCounts tag.	559	* Attempt to deal with a missing StripByteCounts tag.
541	*/	560	*/
542	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {	561	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
		562	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
543	/*	563	/*
544	* Some manufacturers violate the spec by not giving	564	* Some manufacturers violate the spec by not giving
545	* the size of the strips. In this case, assume there	565	* the size of the strips. In this case, assume there
Lines 556-562 Link Here
556	"%s: TIFF directory is missing required "	576	"%s: TIFF directory is missing required "
557	"\"%s\" field, calculating from imagelength",	577	"\"%s\" field, calculating from imagelength",
558	tif->tif_name,	578	tif->tif_name,
559	_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);	579	fip ? fip->field_name : "Unknown");
560	if (EstimateStripByteCounts(tif, dir, dircount) < 0)	580	if (EstimateStripByteCounts(tif, dir, dircount) < 0)
561	goto bad;	581	goto bad;
562	/*	582	/*
Lines 580-585 Link Here
580	} else if (td->td_nstrips == 1	600	} else if (td->td_nstrips == 1
581	&& td->td_stripoffset[0] != 0	601	&& td->td_stripoffset[0] != 0
582	&& BYTECOUNTLOOKSBAD) {	602	&& BYTECOUNTLOOKSBAD) {
		603	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
583	/*	604	/*
584	* XXX: Plexus (and others) sometimes give a value of zero for	605	* XXX: Plexus (and others) sometimes give a value of zero for
585	* a tag when they don't know what the correct value is! Try	606	* a tag when they don't know what the correct value is! Try
Lines 589-601 Link Here
589	TIFFWarningExt(tif->tif_clientdata, module,	610	TIFFWarningExt(tif->tif_clientdata, module,
590	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",	611	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
591	tif->tif_name,	612	tif->tif_name,
592	_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);	613	fip ? fip->field_name : "Unknown");
593	if(EstimateStripByteCounts(tif, dir, dircount) < 0)	614	if(EstimateStripByteCounts(tif, dir, dircount) < 0)
594	goto bad;	615	goto bad;
595	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG	616	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
596	&& td->td_nstrips > 2	617	&& td->td_nstrips > 2
597	&& td->td_compression == COMPRESSION_NONE	618	&& td->td_compression == COMPRESSION_NONE
598	&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {	619	&& td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
		620	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
599	/*	621	/*
600	* XXX: Some vendors fill StripByteCount array with absolutely	622	* XXX: Some vendors fill StripByteCount array with absolutely
601	* wrong values (it can be equal to StripOffset array, for	623	* wrong values (it can be equal to StripOffset array, for
Lines 604-610 Link Here
604	TIFFWarningExt(tif->tif_clientdata, module,	626	TIFFWarningExt(tif->tif_clientdata, module,
605	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",	627	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
606	tif->tif_name,	628	tif->tif_name,
607	_TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);	629	fip ? fip->field_name : "Unknown");
608	if (EstimateStripByteCounts(tif, dir, dircount) < 0)	630	if (EstimateStripByteCounts(tif, dir, dircount) < 0)
609	goto bad;	631	goto bad;
610	}	632	}
Lines 870-876 Link Here
870		892
871	register TIFFDirEntry *dp;	893	register TIFFDirEntry *dp;
872	register TIFFDirectory *td = &tif->tif_dir;	894	register TIFFDirectory *td = &tif->tif_dir;
873	uint16 i;	895
		896	/* i is used to iterate over td->td_nstrips, so must be
		897	* at least the same width.
		898	* -- taviso@google.com 15 Jun 2006
		899	*/
		900
		901	uint32 i;
874		902
875	if (td->td_stripbytecount)	903	if (td->td_stripbytecount)
876	_TIFFfree(td->td_stripbytecount);	904	_TIFFfree(td->td_stripbytecount);
Lines 947-962 Link Here
947	static int	975	static int
948	CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)	976	CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
949	{	977	{
		978	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
		979
950	if (count > dir->tdir_count) {	980	if (count > dir->tdir_count) {
951	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,	981	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
952	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",	982	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
953	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,	983	fip ? fip->field_name : "Unknown",
954	dir->tdir_count, count);	984	dir->tdir_count, count);
955	return (0);	985	return (0);
956	} else if (count < dir->tdir_count) {	986	} else if (count < dir->tdir_count) {
957	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,	987	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
958	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",	988	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
959	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,	989	fip ? fip->field_name : "Unknown",
960	dir->tdir_count, count);	990	dir->tdir_count, count);
961	return (1);	991	return (1);
962	}	992	}
Lines 970-975 Link Here
970	TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)	1000	TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
971	{	1001	{
972	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);	1002	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
		1003	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
973	tsize_t cc = dir->tdir_count * w;	1004	tsize_t cc = dir->tdir_count * w;
974		1005
975	/* Check for overflow. */	1006	/* Check for overflow. */
Lines 1013-1019 Link Here
1013	bad:	1044	bad:
1014	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,	1045	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
1015	"Error fetching data for field \"%s\"",	1046	"Error fetching data for field \"%s\"",
1016	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);	1047	fip ? fip->field_name : "Unknown");
1017	return (tsize_t) 0;	1048	return (tsize_t) 0;
1018	}	1049	}
1019		1050
Lines 1039-1048 Link Here
1039	static int	1070	static int
1040	cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)	1071	cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
1041	{	1072	{
		1073	const TIFFFieldInfo* fip;
1042	if (denom == 0) {	1074	if (denom == 0) {
		1075	fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
1043	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,	1076	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
1044	"%s: Rational with zero denominator (num = %lu)",	1077	"%s: Rational with zero denominator (num = %lu)",
1045	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);	1078	fip ? fip->field_name : "Unknown", num);
1046	return (0);	1079	return (0);
1047	} else {	1080	} else {
1048	if (dir->tdir_type == TIFF_RATIONAL)	1081	if (dir->tdir_type == TIFF_RATIONAL)
Lines 1159-1164 Link Here
1159	static int	1192	static int
1160	TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)	1193	TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
1161	{	1194	{
		1195	/*
		1196	* Prevent overflowing the v stack arrays below by performing a sanity
		1197	* check on tdir_count, this should never be greater than two.
		1198	* -- taviso@google.com 14 Jun 2006.
		1199	*/
		1200	if (dir->tdir_count > 2) {
		1201	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
		1202	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
		1203	"unexpected count for field \"%s\", %lu, expected 2; ignored.",
		1204	fip ? fip->field_name : "Unknown",
		1205	dir->tdir_count);
		1206	return 0;
		1207	}
		1208
1162	switch (dir->tdir_type) {	1209	switch (dir->tdir_type) {
1163	case TIFF_BYTE:	1210	case TIFF_BYTE:
1164	case TIFF_SBYTE:	1211	case TIFF_SBYTE:
Lines 1329-1342 Link Here
1329	case TIFF_DOUBLE:	1376	case TIFF_DOUBLE:
1330	return (TIFFFetchDoubleArray(tif, dir, (double*) v));	1377	return (TIFFFetchDoubleArray(tif, dir, (double*) v));
1331	default:	1378	default:
		1379	{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
1332	/* TIFF_NOTYPE */	1380	/* TIFF_NOTYPE */
1333	/* TIFF_ASCII */	1381	/* TIFF_ASCII */
1334	/* TIFF_UNDEFINED */	1382	/* TIFF_UNDEFINED */
1335	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,	1383	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
1336	"cannot read TIFF_ANY type %d for field \"%s\"",	1384	"cannot read TIFF_ANY type %d for field \"%s\"",
1337	dir->tdir_type,	1385	dir->tdir_type,
1338	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);	1386	fip ? fip->field_name : "Unknown");
1339	return (0);	1387	return (0); }
1340	}	1388	}
1341	return (1);	1389	return (1);
1342	}	1390	}
Lines 1351-1356 Link Here
1351	int ok = 0;	1399	int ok = 0;
1352	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);	1400	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
1353		1401
		1402	if (fip == NULL) {
		1403	return (0);
		1404	}
1354	if (dp->tdir_count > 1) { /* array of values */	1405	if (dp->tdir_count > 1) { /* array of values */
1355	char* cp = NULL;	1406	char* cp = NULL;
1356		1407
Lines 1493-1498 Link Here
1493	TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)	1544	TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
1494	{	1545	{
1495	uint16 samples = tif->tif_dir.td_samplesperpixel;	1546	uint16 samples = tif->tif_dir.td_samplesperpixel;
		1547	const TIFFFieldInfo* fip;
1496	int status = 0;	1548	int status = 0;
1497		1549
1498	if (CheckDirCount(tif, dir, (uint32) samples)) {	1550	if (CheckDirCount(tif, dir, (uint32) samples)) {
Lines 1510-1518 Link Here
1510		1562
1511	for (i = 1; i < check_count; i++)	1563	for (i = 1; i < check_count; i++)
1512	if (v[i] != v[0]) {	1564	if (v[i] != v[0]) {
		1565	fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
1513	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,	1566	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
1514	"Cannot handle different per-sample values for field \"%s\"",	1567	"Cannot handle different per-sample values for field \"%s\"",
1515	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);	1568	fip ? fip->field_name : "Unknown");
1516	goto bad;	1569	goto bad;
1517	}	1570	}
1518	*pl = v[0];	1571	*pl = v[0];
Lines 1534-1539 Link Here
1534	TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)	1587	TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
1535	{	1588	{
1536	uint16 samples = tif->tif_dir.td_samplesperpixel;	1589	uint16 samples = tif->tif_dir.td_samplesperpixel;
		1590	const TIFFFieldInfo* fip;
1537	int status = 0;	1591	int status = 0;
1538		1592
1539	if (CheckDirCount(tif, dir, (uint32) samples)) {	1593	if (CheckDirCount(tif, dir, (uint32) samples)) {
Lines 1551-1559 Link Here
1551	check_count = samples;	1605	check_count = samples;
1552	for (i = 1; i < check_count; i++)	1606	for (i = 1; i < check_count; i++)
1553	if (v[i] != v[0]) {	1607	if (v[i] != v[0]) {
		1608	fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
1554	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,	1609	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
1555	"Cannot handle different per-sample values for field \"%s\"",	1610	"Cannot handle different per-sample values for field \"%s\"",
1556	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);	1611	fip ? fip->field_name : "Unknown");
1557	goto bad;	1612	goto bad;
1558	}	1613	}
1559	*pl = v[0];	1614	*pl = v[0];
Lines 1574-1579 Link Here
1574	TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)	1629	TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
1575	{	1630	{
1576	uint16 samples = tif->tif_dir.td_samplesperpixel;	1631	uint16 samples = tif->tif_dir.td_samplesperpixel;
		1632	const TIFFFieldInfo* fip;
1577	int status = 0;	1633	int status = 0;
1578		1634
1579	if (CheckDirCount(tif, dir, (uint32) samples)) {	1635	if (CheckDirCount(tif, dir, (uint32) samples)) {
Lines 1591-1599 Link Here
1591		1647
1592	for (i = 1; i < check_count; i++)	1648	for (i = 1; i < check_count; i++)
1593	if (v[i] != v[0]) {	1649	if (v[i] != v[0]) {
		1650	fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
1594	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,	1651	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
1595	"Cannot handle different per-sample values for field \"%s\"",	1652	"Cannot handle different per-sample values for field \"%s\"",
1596	_TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);	1653	fip ? fip->field_name : "Unknown");
1597	goto bad;	1654	goto bad;
1598	}	1655	}
1599	*pl = v[0];	1656	*pl = v[0];

Lines 1136-1141 Link Here

(-)tiff-3.8.2/libtiff/tif_fax3.c (-1 / +8 lines)
1136	Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)	1136	Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
1137	{	1137	{
1138	Fax3BaseState* sp = Fax3State(tif);	1138	Fax3BaseState* sp = Fax3State(tif);
		1139	const TIFFFieldInfo* fip;
1139		1140
1140	assert(sp != 0);	1141	assert(sp != 0);
1141	assert(sp->vsetparent != 0);	1142	assert(sp->vsetparent != 0);
Lines 1181-1187 Link Here
1181	default:	1182	default:
1182	return (*sp->vsetparent)(tif, tag, ap);	1183	return (*sp->vsetparent)(tif, tag, ap);
1183	}	1184	}
1184	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);	1185
		1186	if ((fip = _TIFFFieldWithTag(tif, tag))) {
		1187	TIFFSetFieldBit(tif, fip->field_bit);
		1188	} else {
		1189	return (0);
		1190	}
		1191
1185	tif->tif_flags \|= TIFF_DIRTYDIRECT;	1192	tif->tif_flags \|= TIFF_DIRTYDIRECT;
1186	return (1);	1193	return (1);
1187	}	1194	}




		segment_width = TIFFhowmany(segment_width, sp->h_sampling);
		segment_height = TIFFhowmany(segment_height, sp->v_sampling);
	}
	if (sp->cinfo.d.image_width < segment_width ||
	    sp->cinfo.d.image_height < segment_height) {
		TIFFWarningExt(tif->tif_clientdata, module,
                 "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
                          segment_width, 
                          segment_height,
                          sp->cinfo.d.image_width, 
                          sp->cinfo.d.image_height);
	} 
	
	if (sp->cinfo.d.image_width > segment_width ||
			sp->cinfo.d.image_height > segment_height) {
		/*
		 * This case could be dangerous, if the strip or tile size has been
		 * reported as less than the amount of data jpeg will return, some
		 * potential security issues arise. Catch this case and error out.
		 * -- taviso@google.com 14 Jun 2006
		 */
		TIFFErrorExt(tif->tif_clientdata, module, 
			"JPEG strip/tile size exceeds expected dimensions,"
			"expected %dx%d, got %dx%d", segment_width, segment_height,
			sp->cinfo.d.image_width, sp->cinfo.d.image_height);
		return (0);
	}

	if (sp->cinfo.d.num_components !=
	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
	     td->td_samplesperpixel : 1)) {

                                    sp->cinfo.d.comp_info[0].v_samp_factor,
                                    sp->h_sampling, sp->v_sampling);

				/*
				 * There are potential security issues here for decoders that
				 * have already allocated buffers based on the expected sampling
				 * factors. Lets check the sampling factors dont exceed what
				 * we were expecting.
				 * -- taviso@google.com 14 June 2006
				 */
				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
						TIFFErrorExt(tif->tif_clientdata, module,
							"Cannot honour JPEG sampling factors that"
							" exceed those specified.");
						return (0);
				}


			    /*
			     * XXX: Files written by the Intergraph software
			     * has different sampling factors stored in the

{
	JPEGState *sp = JState(tif);
	
	/* assert(sp != 0); */

	tif->tif_tagmethods.vgetfield = sp->vgetparent;
	tif->tif_tagmethods.vsetfield = sp->vsetparent;

	if (sp != NULL) {
		if( sp->cinfo_initialized )
		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
		if (sp->jpegtables)		/* tag value */
			_TIFFfree(sp->jpegtables);
	}

	_TIFFfree(tif->tif_data);	/* release local state */
	tif->tif_data = NULL;


{
	JPEGState* sp = JState(tif);
	TIFFDirectory* td = &tif->tif_dir;
	const TIFFFieldInfo* fip;
	uint32 v32;

	assert(sp != NULL);

	default:
		return (*sp->vsetparent)(tif, tag, ap);
	}

	if ((fip = _TIFFFieldWithTag(tif, tag))) {
		TIFFSetFieldBit(tif, fip->field_bit);
	} else {
		return (0);
	}

	tif->tif_flags |= TIFF_DIRTYDIRECT;
	return (1);
}

{
	JPEGState* sp = JState(tif);

	/* assert(sp != NULL); */
	if (sp == NULL) {
		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
		return;
	}

	(void) flags;
	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))




			 * as codes of the form <color><npixels>
			 * until we've filled the scanline.
			 */
			/*
			 * Ensure the run does not exceed the scanline
			 * bounds, potentially resulting in a security issue.
			 * -- taviso@google.com 14 Jun 2006.
			 */
			op = row;
			for (;;) {
				grey = (n>>6) & 0x3;
				n &= 0x3f;
				while (n-- > 0 && npixels < imagewidth)
					SETPIXEL(op, grey);
				if (npixels >= (int) imagewidth)
					break;




	if (tif->tif_flags & TIFF_SWAB)
		TIFFSwabArrayOfShort(up, nsamples);

	/* 
	 * if llen is not an exact multiple of nsamples, the decode operation
	 * may overflow the output buffer, so truncate it enough to prevent that
	 * but still salvage as much data as possible.
	 * -- taviso@google.com 14th June 2006
	 */
	if (nsamples % llen) 
		TIFFWarningExt(tif->tif_clientdata, module,
				"%s: stride %lu is not a multiple of sample count, "
				"%lu, data truncated.", tif->tif_name, llen, nsamples);
				
	
	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
		switch (sp->user_datafmt)  {
		case PIXARLOGDATAFMT_FLOAT:
			horizontalAccumulateF(up, llen, sp->stride,

Lines 31-36 Link Here

(-)tiff-3.8.2/libtiff/tif_read.c (-2 / +16 lines)
31	#include "tiffiop.h"	31	#include "tiffiop.h"
32	#include <stdio.h>	32	#include <stdio.h>
33		33
		34	#include <limits.h>
		35
34	int TIFFFillStrip(TIFF*, tstrip_t);	36	int TIFFFillStrip(TIFF*, tstrip_t);
35	int TIFFFillTile(TIFF*, ttile_t);	37	int TIFFFillTile(TIFF*, ttile_t);
36	static int TIFFStartStrip(TIFF*, tstrip_t);	38	static int TIFFStartStrip(TIFF*, tstrip_t);
Lines 272-278 Link Here
272	if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)	274	if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
273	_TIFFfree(tif->tif_rawdata);	275	_TIFFfree(tif->tif_rawdata);
274	tif->tif_flags &= ~TIFF_MYBUFFER;	276	tif->tif_flags &= ~TIFF_MYBUFFER;
275	if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {	277	/*
		278	* This sanity check could potentially overflow, causing an OOB read.
		279	* verify that offset + bytecount is > offset.
		280	* -- taviso@google.com 14 Jun 2006
		281	*/
		282	if ( td->td_stripoffset[strip] + bytecount > tif->tif_size \|\|
		283	bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
276	/*	284	/*
277	* This error message might seem strange, but it's	285	* This error message might seem strange, but it's
278	* what would happen if a read were done instead.	286	* what would happen if a read were done instead.
Lines 470-476 Link Here
470	if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)	478	if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
471	_TIFFfree(tif->tif_rawdata);	479	_TIFFfree(tif->tif_rawdata);
472	tif->tif_flags &= ~TIFF_MYBUFFER;	480	tif->tif_flags &= ~TIFF_MYBUFFER;
473	if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {	481	/*
		482	* We must check this calculation doesnt overflow, potentially
		483	* causing an OOB read.
		484	* -- taviso@google.com 15 Jun 2006
		485	*/
		486	if (td->td_stripoffset[tile] + bytecount > tif->tif_size \|\|
		487	bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
474	tif->tif_curtile = NOTILE;	488	tif->tif_curtile = NOTILE;
475	return (0);	489	return (0);
476	}	490	}

Return to bug 142383

Lines 775-781 Link Here

(-)tiff-3.8.2/libtiff/tif_dirinfo.c (-2 / +4 lines)
775	TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",	775	TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
776	"Internal error, unknown tag 0x%x",	776	"Internal error, unknown tag 0x%x",
777	(unsigned int) tag);	777	(unsigned int) tag);
778	assert(fip != NULL);	778	/* assert(fip != NULL); */
		779
779	/NOTREACHED/	780	/NOTREACHED/
780	}	781	}
781	return (fip);	782	return (fip);
Lines 789-795 Link Here
789	if (!fip) {	790	if (!fip) {
790	TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",	791	TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
791	"Internal error, unknown tag %s", field_name);	792	"Internal error, unknown tag %s", field_name);
792	assert(fip != NULL);	793	/* assert(fip != NULL); */
		794
793	/NOTREACHED/	795	/NOTREACHED/
794	}	796	}
795	return (fip);	797	return (fip);

Lines 768-774 Link Here

(-)tiff-3.8.2/libtiff/tif_pixarlog.c (-1 / +13 lines)
768	if (tif->tif_flags & TIFF_SWAB)	768	if (tif->tif_flags & TIFF_SWAB)
769	TIFFSwabArrayOfShort(up, nsamples);	769	TIFFSwabArrayOfShort(up, nsamples);
770		770
771	for (i = 0; i < nsamples; i += llen, up += llen) {	771	/*
		772	* if llen is not an exact multiple of nsamples, the decode operation
		773	* may overflow the output buffer, so truncate it enough to prevent that
		774	* but still salvage as much data as possible.
		775	* -- taviso@google.com 14th June 2006
		776	*/
		777	if (nsamples % llen)
		778	TIFFWarningExt(tif->tif_clientdata, module,
		779	"%s: stride %lu is not a multiple of sample count, "
		780	"%lu, data truncated.", tif->tif_name, llen, nsamples);
		781
		782
		783	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
772	switch (sp->user_datafmt) {	784	switch (sp->user_datafmt) {
773	case PIXARLOGDATAFMT_FLOAT:	785	case PIXARLOGDATAFMT_FLOAT:
774	horizontalAccumulateF(up, llen, sp->stride,	786	horizontalAccumulateF(up, llen, sp->stride,

Lines 122-127 Link Here

(-)tiff-3.8.2/libtiff/tif_dir.c (-7 / +18 lines)
122	{	122	{
123	static const char module[] = "_TIFFVSetField";	123	static const char module[] = "_TIFFVSetField";
124		124
		125	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
125	TIFFDirectory* td = &tif->tif_dir;	126	TIFFDirectory* td = &tif->tif_dir;
126	int status = 1;	127	int status = 1;
127	uint32 v32, i, v;	128	uint32 v32, i, v;
Lines 195-204 Link Here
195	break;	196	break;
196	case TIFFTAG_ORIENTATION:	197	case TIFFTAG_ORIENTATION:
197	v = va_arg(ap, uint32);	198	v = va_arg(ap, uint32);
		199	const TIFFFieldInfo* fip;
198	if (v < ORIENTATION_TOPLEFT \|\| ORIENTATION_LEFTBOT < v) {	200	if (v < ORIENTATION_TOPLEFT \|\| ORIENTATION_LEFTBOT < v) {
		201	fip = _TIFFFieldWithTag(tif, tag);
199	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,	202	TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
200	"Bad value %lu for \"%s\" tag ignored",	203	"Bad value %lu for \"%s\" tag ignored",
201	v, _TIFFFieldWithTag(tif, tag)->field_name);	204	v, fip ? fip->field_name : "Unknown");
202	} else	205	} else
203	td->td_orientation = (uint16) v;	206	td->td_orientation = (uint16) v;
204	break;	207	break;
Lines 387-397 Link Here
387	* happens, for example, when tiffcp is used to convert between	390	* happens, for example, when tiffcp is used to convert between
388	* compression schemes and codec-specific tags are blindly copied.	391	* compression schemes and codec-specific tags are blindly copied.
389	*/	392	*/
		393	/*
		394	* better not dereference fip if it is NULL.
		395	* -- taviso@google.com 15 Jun 2006
		396	*/
390	if(fip == NULL \|\| fip->field_bit != FIELD_CUSTOM) {	397	if(fip == NULL \|\| fip->field_bit != FIELD_CUSTOM) {
391	TIFFErrorExt(tif->tif_clientdata, module,	398	TIFFErrorExt(tif->tif_clientdata, module,
392	"%s: Invalid %stag \"%s\" (not supported by codec)",	399	"%s: Invalid %stag \"%s\" (not supported by codec)",
393	tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",	400	tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
394	_TIFFFieldWithTag(tif, tag)->field_name);	401	fip ? fip->field_name : "Unknown");
395	status = 0;	402	status = 0;
396	break;	403	break;
397	}	404	}
Lines 468-474 Link Here
468	if (fip->field_type == TIFF_ASCII)	475	if (fip->field_type == TIFF_ASCII)
469	_TIFFsetString((char *)&tv->value, va_arg(ap, char ));	476	_TIFFsetString((char *)&tv->value, va_arg(ap, char ));
470	else {	477	else {
471	tv->value = _TIFFmalloc(tv_size * tv->count);	478	tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
472	if (!tv->value) {	479	if (!tv->value) {
473	status = 0;	480	status = 0;
474	goto end;	481	goto end;
Lines 563-569 Link Here
563	}	570	}
564	}	571	}
565	if (status) {	572	if (status) {
566	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);	573	TIFFSetFieldBit(tif, fip->field_bit);
567	tif->tif_flags \|= TIFF_DIRTYDIRECT;	574	tif->tif_flags \|= TIFF_DIRTYDIRECT;
568	}	575	}
569		576
Lines 572-583 Link Here
572	return (status);	579	return (status);
573	badvalue:	580	badvalue:
574	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",	581	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
575	tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);	582	tif->tif_name, v, fip ? fip->field_name : "Unknown");
576	va_end(ap);	583	va_end(ap);
577	return (0);	584	return (0);
578	badvalue32:	585	badvalue32:
579	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",	586	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
580	tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);	587	tif->tif_name, v32, fip ? fip->field_name : "Unknown");
581	va_end(ap);	588	va_end(ap);
582	return (0);	589	return (0);
583	}	590	}
Lines 813-824 Link Here
813	* If the client tries to get a tag that is not valid	820	* If the client tries to get a tag that is not valid
814	* for the image's codec then we'll arrive here.	821	* for the image's codec then we'll arrive here.
815	*/	822	*/
		823	/*
		824	* dont dereference fip if it's NULL.
		825	* -- taviso@google.com 15 Jun 2006
		826	*/
816	if( fip == NULL \|\| fip->field_bit != FIELD_CUSTOM )	827	if( fip == NULL \|\| fip->field_bit != FIELD_CUSTOM )
817	{	828	{
818	TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",	829	TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
819	"%s: Invalid %stag \"%s\" (not supported by codec)",	830	"%s: Invalid %stag \"%s\" (not supported by codec)",
820	tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",	831	tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
821	_TIFFFieldWithTag(tif, tag)->field_name);	832	fip ? fip->field_name : "Unknown");
822	ret_val = 0;	833	ret_val = 0;
823	break;	834	break;
824	}	835	}

Lines 722-736 Link Here

(-)tiff-3.8.2/libtiff/tif_jpeg.c (-9 / +55 lines)
722	segment_width = TIFFhowmany(segment_width, sp->h_sampling);	722	segment_width = TIFFhowmany(segment_width, sp->h_sampling);
723	segment_height = TIFFhowmany(segment_height, sp->v_sampling);	723	segment_height = TIFFhowmany(segment_height, sp->v_sampling);
724	}	724	}
725	if (sp->cinfo.d.image_width != segment_width \|\|	725	if (sp->cinfo.d.image_width < segment_width \|\|
726	sp->cinfo.d.image_height != segment_height) {	726	sp->cinfo.d.image_height < segment_height) {
727	TIFFWarningExt(tif->tif_clientdata, module,	727	TIFFWarningExt(tif->tif_clientdata, module,
728	"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",	728	"Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
729	segment_width,	729	segment_width,
730	segment_height,	730	segment_height,
731	sp->cinfo.d.image_width,	731	sp->cinfo.d.image_width,
732	sp->cinfo.d.image_height);	732	sp->cinfo.d.image_height);
		733	}
		734
		735	if (sp->cinfo.d.image_width > segment_width \|\|
		736	sp->cinfo.d.image_height > segment_height) {
		737	/*
		738	* This case could be dangerous, if the strip or tile size has been
		739	* reported as less than the amount of data jpeg will return, some
		740	* potential security issues arise. Catch this case and error out.
		741	* -- taviso@google.com 14 Jun 2006
		742	*/
		743	TIFFErrorExt(tif->tif_clientdata, module,
		744	"JPEG strip/tile size exceeds expected dimensions,"
		745	"expected %dx%d, got %dx%d", segment_width, segment_height,
		746	sp->cinfo.d.image_width, sp->cinfo.d.image_height);
		747	return (0);
733	}	748	}
		749
734	if (sp->cinfo.d.num_components !=	750	if (sp->cinfo.d.num_components !=
735	(td->td_planarconfig == PLANARCONFIG_CONTIG ?	751	(td->td_planarconfig == PLANARCONFIG_CONTIG ?
736	td->td_samplesperpixel : 1)) {	752	td->td_samplesperpixel : 1)) {
Lines 761-766 Link Here
761	sp->cinfo.d.comp_info[0].v_samp_factor,	777	sp->cinfo.d.comp_info[0].v_samp_factor,
762	sp->h_sampling, sp->v_sampling);	778	sp->h_sampling, sp->v_sampling);
763		779
		780	/*
		781	* There are potential security issues here for decoders that
		782	* have already allocated buffers based on the expected sampling
		783	* factors. Lets check the sampling factors dont exceed what
		784	* we were expecting.
		785	* -- taviso@google.com 14 June 2006
		786	*/
		787	if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling \|\|
		788	sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
		789	TIFFErrorExt(tif->tif_clientdata, module,
		790	"Cannot honour JPEG sampling factors that"
		791	" exceed those specified.");
		792	return (0);
		793	}
		794
		795
764	/*	796	/*
765	* XXX: Files written by the Intergraph software	797	* XXX: Files written by the Intergraph software
766	* has different sampling factors stored in the	798	* has different sampling factors stored in the
Lines 1521-1535 Link Here
1521	{	1553	{
1522	JPEGState *sp = JState(tif);	1554	JPEGState *sp = JState(tif);
1523		1555
1524	assert(sp != 0);	1556	/* assert(sp != 0); */
1525		1557
1526	tif->tif_tagmethods.vgetfield = sp->vgetparent;	1558	tif->tif_tagmethods.vgetfield = sp->vgetparent;
1527	tif->tif_tagmethods.vsetfield = sp->vsetparent;	1559	tif->tif_tagmethods.vsetfield = sp->vsetparent;
1528		1560
1529	if( sp->cinfo_initialized )	1561	if (sp != NULL) {
1530	TIFFjpeg_destroy(sp); /* release libjpeg resources */	1562	if( sp->cinfo_initialized )
1531	if (sp->jpegtables) /* tag value */	1563	TIFFjpeg_destroy(sp); /* release libjpeg resources */
1532	_TIFFfree(sp->jpegtables);	1564	if (sp->jpegtables) /* tag value */
		1565	_TIFFfree(sp->jpegtables);
		1566	}
		1567
1533	_TIFFfree(tif->tif_data); /* release local state */	1568	_TIFFfree(tif->tif_data); /* release local state */
1534	tif->tif_data = NULL;	1569	tif->tif_data = NULL;
1535		1570
Lines 1541-1546 Link Here
1541	{	1576	{
1542	JPEGState* sp = JState(tif);	1577	JPEGState* sp = JState(tif);
1543	TIFFDirectory* td = &tif->tif_dir;	1578	TIFFDirectory* td = &tif->tif_dir;
		1579	const TIFFFieldInfo* fip;
1544	uint32 v32;	1580	uint32 v32;
1545		1581
1546	assert(sp != NULL);	1582	assert(sp != NULL);
Lines 1606-1612 Link Here
1606	default:	1642	default:
1607	return (*sp->vsetparent)(tif, tag, ap);	1643	return (*sp->vsetparent)(tif, tag, ap);
1608	}	1644	}
1609	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);	1645
		1646	if ((fip = _TIFFFieldWithTag(tif, tag))) {
		1647	TIFFSetFieldBit(tif, fip->field_bit);
		1648	} else {
		1649	return (0);
		1650	}
		1651
1610	tif->tif_flags \|= TIFF_DIRTYDIRECT;	1652	tif->tif_flags \|= TIFF_DIRTYDIRECT;
1611	return (1);	1653	return (1);
1612	}	1654	}
Lines 1726-1732 Link Here
1726	{	1768	{
1727	JPEGState* sp = JState(tif);	1769	JPEGState* sp = JState(tif);
1728		1770
1729	assert(sp != NULL);	1771	/* assert(sp != NULL); */
		1772	if (sp == NULL) {
		1773	TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
		1774	return;
		1775	}
1730		1776
1731	(void) flags;	1777	(void) flags;
1732	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))	1778	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))

Lines 105-115 Link Here

(-)tiff-3.8.2/libtiff/tif_next.c (-1 / +6 lines)
105	* as codes of the form <color><npixels>	105	* as codes of the form <color><npixels>
106	* until we've filled the scanline.	106	* until we've filled the scanline.
107	*/	107	*/
		108	/*
		109	* Ensure the run does not exceed the scanline
		110	* bounds, potentially resulting in a security issue.
		111	* -- taviso@google.com 14 Jun 2006.
		112	*/
108	op = row;	113	op = row;
109	for (;;) {	114	for (;;) {
110	grey = (n>>6) & 0x3;	115	grey = (n>>6) & 0x3;
111	n &= 0x3f;	116	n &= 0x3f;
112	while (n-- > 0)	117	while (n-- > 0 && npixels < imagewidth)
113	SETPIXEL(op, grey);	118	SETPIXEL(op, grey);
114	if (npixels >= (int) imagewidth)	119	if (npixels >= (int) imagewidth)
115	break;	120	break;