1
/*
2
 * Copyright (c) 1988-1997 Sam Leffler
3
 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4
 *
5
 * Permission to use, copy, modify, distribute, and sell this software and
6
 * its documentation for any purpose is hereby granted without fee, provided
7
 * that (i) the above copyright notices and this permission notice appear in
8
 * all copies of the software and related documentation, and (ii) the names of
9
 * Sam Leffler and Silicon Graphics may not be used in any advertising or
10
 * publicity relating to the software without the specific, prior written
11
 * permission of Sam Leffler and Silicon Graphics.
12
 *
13
 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14
 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15
 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16
 *
17
 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18
 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19
 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20
 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21
 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22
 * OF THIS SOFTWARE.
23
 */
24

25
/*
26
 * TIFF Library.
27
 * Scanline-oriented Read Support
28
 */
29
#include "tiffiop.h"
30
#include <stdio.h>
31

32
int TIFFFillStrip(TIFF *tif, uint32_t strip);
33
int TIFFFillTile(TIFF *tif, uint32_t tile);
34
static int TIFFStartStrip(TIFF *tif, uint32_t strip);
35
static int TIFFStartTile(TIFF *tif, uint32_t tile);
36
static int TIFFCheckRead(TIFF *, int);
37
static tmsize_t TIFFReadRawStrip1(TIFF *tif, uint32_t strip, void *buf,
38
                                  tmsize_t size, const char *module);
39
static tmsize_t TIFFReadRawTile1(TIFF *tif, uint32_t tile, void *buf,
40
                                 tmsize_t size, const char *module);
41

42
#define NOSTRIP ((uint32_t)(-1)) /* undefined state */
43
#define NOTILE ((uint32_t)(-1))  /* undefined state */
44

45
#define INITIAL_THRESHOLD (1024 * 1024)
46
#define THRESHOLD_MULTIPLIER 10
47
#define MAX_THRESHOLD                                                          \
48
    (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER *      \
49
     INITIAL_THRESHOLD)
50

51
#define TIFF_INT64_MAX ((((int64_t)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
52

53
/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
54
 * Returns 1 in case of success, 0 otherwise. */
55
static int TIFFReadAndRealloc(TIFF *tif, tmsize_t size, tmsize_t rawdata_offset,
56
                              int is_strip, uint32_t strip_or_tile,
57
                              const char *module)
58
{
59
#if SIZEOF_SIZE_T == 8
60
    tmsize_t threshold = INITIAL_THRESHOLD;
61
#endif
62
    tmsize_t already_read = 0;
63

64
#if SIZEOF_SIZE_T != 8
65
    /* On 32 bit processes, if the request is large enough, check against */
66
    /* file size */
67
    if (size > 1000 * 1000 * 1000)
68
    {
69
        uint64_t filesize = TIFFGetFileSize(tif);
70
        if ((uint64_t)size >= filesize)
71
        {
72
            TIFFErrorExtR(tif, module,
73
                          "Chunk size requested is larger than file size.");
74
            return 0;
75
        }
76
    }
77
#endif
78

79
    /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
80
    /* so as to avoid allocating too much memory in case the file is too */
81
    /* short. We could ask for the file size, but this might be */
82
    /* expensive with some I/O layers (think of reading a gzipped file) */
83
    /* Restrict to 64 bit processes, so as to avoid reallocs() */
84
    /* on 32 bit processes where virtual memory is scarce.  */
85
    while (already_read < size)
86
    {
87
        tmsize_t bytes_read;
88
        tmsize_t to_read = size - already_read;
89
#if SIZEOF_SIZE_T == 8
90
        if (to_read >= threshold && threshold < MAX_THRESHOLD &&
91
            already_read + to_read + rawdata_offset > tif->tif_rawdatasize)
92
        {
93
            to_read = threshold;
94
            threshold *= THRESHOLD_MULTIPLIER;
95
        }
96
#endif
97
        if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize)
98
        {
99
            uint8_t *new_rawdata;
100
            assert((tif->tif_flags & TIFF_MYBUFFER) != 0);
101
            tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64(
102
                (uint64_t)already_read + to_read + rawdata_offset, 1024);
103
            if (tif->tif_rawdatasize == 0)
104
            {
105
                TIFFErrorExtR(tif, module, "Invalid buffer size");
106
                return 0;
107
            }
108
            new_rawdata = (uint8_t *)_TIFFreallocExt(tif, tif->tif_rawdata,
109
                                                     tif->tif_rawdatasize);
110
            if (new_rawdata == 0)
111
            {
112
                TIFFErrorExtR(tif, module,
113
                              "No space for data buffer at scanline %" PRIu32,
114
                              tif->tif_row);
115
                _TIFFfreeExt(tif, tif->tif_rawdata);
116
                tif->tif_rawdata = 0;
117
                tif->tif_rawdatasize = 0;
118
                return 0;
119
            }
120
            tif->tif_rawdata = new_rawdata;
121
        }
122
        if (tif->tif_rawdata == NULL)
123
        {
124
            /* should not happen in practice but helps CoverityScan */
125
            return 0;
126
        }
127

128
        bytes_read = TIFFReadFile(
129
            tif, tif->tif_rawdata + rawdata_offset + already_read, to_read);
130
        already_read += bytes_read;
131
        if (bytes_read != to_read)
132
        {
133
            memset(tif->tif_rawdata + rawdata_offset + already_read, 0,
134
                   tif->tif_rawdatasize - rawdata_offset - already_read);
135
            if (is_strip)
136
            {
137
                TIFFErrorExtR(tif, module,
138
                              "Read error at scanline %" PRIu32
139
                              "; got %" TIFF_SSIZE_FORMAT " bytes, "
140
                              "expected %" TIFF_SSIZE_FORMAT,
141
                              tif->tif_row, already_read, size);
142
            }
143
            else
144
            {
145
                TIFFErrorExtR(tif, module,
146
                              "Read error at row %" PRIu32 ", col %" PRIu32
147
                              ", tile %" PRIu32 "; "
148
                              "got %" TIFF_SSIZE_FORMAT
149
                              " bytes, expected %" TIFF_SSIZE_FORMAT "",
150
                              tif->tif_row, tif->tif_col, strip_or_tile,
151
                              already_read, size);
152
            }
153
            return 0;
154
        }
155
    }
156
    return 1;
157
}
158

159
static int TIFFFillStripPartial(TIFF *tif, int strip, tmsize_t read_ahead,
160
                                int restart)
161
{
162
    static const char module[] = "TIFFFillStripPartial";
163
    register TIFFDirectory *td = &tif->tif_dir;
164
    tmsize_t unused_data;
165
    uint64_t read_offset;
166
    tmsize_t to_read;
167
    tmsize_t read_ahead_mod;
168
    /* tmsize_t bytecountm; */
169

170
    /*
171
     * Expand raw data buffer, if needed, to hold data
172
     * strip coming from file (perhaps should set upper
173
     * bound on the size of a buffer we'll use?).
174
     */
175

176
    /* bytecountm=(tmsize_t) TIFFGetStrileByteCount(tif, strip); */
177

178
    /* Not completely sure where the * 2 comes from, but probably for */
179
    /* an exponentional growth strategy of tif_rawdatasize */
180
    if (read_ahead < TIFF_TMSIZE_T_MAX / 2)
181
        read_ahead_mod = read_ahead * 2;
182
    else
183
        read_ahead_mod = read_ahead;
184
    if (read_ahead_mod > tif->tif_rawdatasize)
185
    {
186
        assert(restart);
187

188
        tif->tif_curstrip = NOSTRIP;
189
        if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
190
        {
191
            TIFFErrorExtR(tif, module,
192
                          "Data buffer too small to hold part of strip %d",
193
                          strip);
194
            return (0);
195
        }
196
    }
197

198
    if (restart)
199
    {
200
        tif->tif_rawdataloaded = 0;
201
        tif->tif_rawdataoff = 0;
202
    }
203

204
    /*
205
    ** If we are reading more data, move any unused data to the
206
    ** start of the buffer.
207
    */
208
    if (tif->tif_rawdataloaded > 0)
209
        unused_data =
210
            tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata);
211
    else
212
        unused_data = 0;
213

214
    if (unused_data > 0)
215
    {
216
        assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
217
        memmove(tif->tif_rawdata, tif->tif_rawcp, unused_data);
218
    }
219

220
    /*
221
    ** Seek to the point in the file where more data should be read.
222
    */
223
    read_offset = TIFFGetStrileOffset(tif, strip) + tif->tif_rawdataoff +
224
                  tif->tif_rawdataloaded;
225

226
    if (!SeekOK(tif, read_offset))
227
    {
228
        TIFFErrorExtR(tif, module,
229
                      "Seek error at scanline %" PRIu32 ", strip %d",
230
                      tif->tif_row, strip);
231
        return 0;
232
    }
233

234
    /*
235
    ** How much do we want to read?
236
    */
237
    if (read_ahead_mod > tif->tif_rawdatasize)
238
        to_read = read_ahead_mod - unused_data;
239
    else
240
        to_read = tif->tif_rawdatasize - unused_data;
241
    if ((uint64_t)to_read > TIFFGetStrileByteCount(tif, strip) -
242
                                tif->tif_rawdataoff - tif->tif_rawdataloaded)
243
    {
244
        to_read = (tmsize_t)TIFFGetStrileByteCount(tif, strip) -
245
                  tif->tif_rawdataoff - tif->tif_rawdataloaded;
246
    }
247

248
    assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
249
    if (!TIFFReadAndRealloc(tif, to_read, unused_data, 1, /* is_strip */
250
                            0,                            /* strip_or_tile */
251
                            module))
252
    {
253
        return 0;
254
    }
255

256
    tif->tif_rawdataoff =
257
        tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data;
258
    tif->tif_rawdataloaded = unused_data + to_read;
259

260
    tif->tif_rawcc = tif->tif_rawdataloaded;
261
    tif->tif_rawcp = tif->tif_rawdata;
262

263
    if (!isFillOrder(tif, td->td_fillorder) &&
264
        (tif->tif_flags & TIFF_NOBITREV) == 0)
265
    {
266
        assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
267
        TIFFReverseBits(tif->tif_rawdata + unused_data, to_read);
268
    }
269

270
    /*
271
    ** When starting a strip from the beginning we need to
272
    ** restart the decoder.
273
    */
274
    if (restart)
275
    {
276

277
#ifdef JPEG_SUPPORT
278
        /* A bit messy since breaks the codec abstraction. Ultimately */
279
        /* there should be a function pointer for that, but it seems */
280
        /* only JPEG is affected. */
281
        /* For JPEG, if there are multiple scans (can generally be known */
282
        /* with the  read_ahead used), we need to read the whole strip */
283
        if (tif->tif_dir.td_compression == COMPRESSION_JPEG &&
284
            (uint64_t)tif->tif_rawcc < TIFFGetStrileByteCount(tif, strip))
285
        {
286
            if (TIFFJPEGIsFullStripRequired(tif))
287
            {
288
                return TIFFFillStrip(tif, strip);
289
            }
290
        }
291
#endif
292

293
        return TIFFStartStrip(tif, strip);
294
    }
295
    else
296
    {
297
        return 1;
298
    }
299
}
300

301
/*
302
 * Seek to a random row+sample in a file.
303
 *
304
 * Only used by TIFFReadScanline, and is only used on
305
 * strip organized files.  We do some tricky stuff to try
306
 * and avoid reading the whole compressed raw data for big
307
 * strips.
308
 */
309
static int TIFFSeek(TIFF *tif, uint32_t row, uint16_t sample)
310
{
311
    register TIFFDirectory *td = &tif->tif_dir;
312
    uint32_t strip;
313
    int whole_strip;
314
    tmsize_t read_ahead = 0;
315

316
    /*
317
    ** Establish what strip we are working from.
318
    */
319
    if (row >= td->td_imagelength)
320
    { /* out of range */
321
        TIFFErrorExtR(tif, tif->tif_name,
322
                      "%" PRIu32 ": Row out of range, max %" PRIu32 "", row,
323
                      td->td_imagelength);
324
        return (0);
325
    }
326
    if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
327
    {
328
        if (sample >= td->td_samplesperpixel)
329
        {
330
            TIFFErrorExtR(tif, tif->tif_name,
331
                          "%" PRIu16 ": Sample out of range, max %" PRIu16 "",
332
                          sample, td->td_samplesperpixel);
333
            return (0);
334
        }
335
        strip = (uint32_t)sample * td->td_stripsperimage +
336
                row / td->td_rowsperstrip;
337
    }
338
    else
339
        strip = row / td->td_rowsperstrip;
340

341
        /*
342
         * Do we want to treat this strip as one whole chunk or
343
         * read it a few lines at a time?
344
         */
345
#if defined(CHUNKY_STRIP_READ_SUPPORT)
346
    whole_strip = TIFFGetStrileByteCount(tif, strip) < 10 || isMapped(tif);
347
    if (td->td_compression == COMPRESSION_LERC ||
348
        td->td_compression == COMPRESSION_JBIG)
349
    {
350
        /* Ideally plugins should have a way to declare they don't support
351
         * chunk strip */
352
        whole_strip = 1;
353
    }
354
#else
355
    whole_strip = 1;
356
#endif
357

358
    if (!whole_strip)
359
    {
360
        /* 16 is for YCbCr mode where we may need to read 16 */
361
        /* lines at a time to get a decompressed line, and 5000 */
362
        /* is some constant value, for example for JPEG tables */
363
        if (tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
364
            tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000)
365
        {
366
            read_ahead = tif->tif_scanlinesize * 16 + 5000;
367
        }
368
        else
369
        {
370
            read_ahead = tif->tif_scanlinesize;
371
        }
372
    }
373

374
    /*
375
     * If we haven't loaded this strip, do so now, possibly
376
     * only reading the first part.
377
     */
378
    if (strip != tif->tif_curstrip)
379
    { /* different strip, refill */
380

381
        if (whole_strip)
382
        {
383
            if (!TIFFFillStrip(tif, strip))
384
                return (0);
385
        }
386
        else
387
        {
388
            if (!TIFFFillStripPartial(tif, strip, read_ahead, 1))
389
                return 0;
390
        }
391
    }
392

393
    /*
394
    ** If we already have some data loaded, do we need to read some more?
395
    */
396
    else if (!whole_strip)
397
    {
398
        if (((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) <
399
                read_ahead &&
400
            (uint64_t)tif->tif_rawdataoff + tif->tif_rawdataloaded <
401
                TIFFGetStrileByteCount(tif, strip))
402
        {
403
            if (!TIFFFillStripPartial(tif, strip, read_ahead, 0))
404
                return 0;
405
        }
406
    }
407

408
    if (row < tif->tif_row)
409
    {
410
        /*
411
         * Moving backwards within the same strip: backup
412
         * to the start and then decode forward (below).
413
         *
414
         * NB: If you're planning on lots of random access within a
415
         * strip, it's better to just read and decode the entire
416
         * strip, and then access the decoded data in a random fashion.
417
         */
418

419
        if (tif->tif_rawdataoff != 0)
420
        {
421
            if (!TIFFFillStripPartial(tif, strip, read_ahead, 1))
422
                return 0;
423
        }
424
        else
425
        {
426
            if (!TIFFStartStrip(tif, strip))
427
                return (0);
428
        }
429
    }
430

431
    if (row != tif->tif_row)
432
    {
433
        /*
434
         * Seek forward to the desired row.
435
         */
436

437
        /* TODO: Will this really work with partial buffers? */
438

439
        if (!(*tif->tif_seek)(tif, row - tif->tif_row))
440
            return (0);
441
        tif->tif_row = row;
442
    }
443

444
    return (1);
445
}
446

447
int TIFFReadScanline(TIFF *tif, void *buf, uint32_t row, uint16_t sample)
448
{
449
    int e;
450

451
    if (!TIFFCheckRead(tif, 0))
452
        return (-1);
453
    if ((e = TIFFSeek(tif, row, sample)) != 0)
454
    {
455
        /*
456
         * Decompress desired row into user buffer.
457
         */
458
        e = (*tif->tif_decoderow)(tif, (uint8_t *)buf, tif->tif_scanlinesize,
459
                                  sample);
460

461
        /* we are now poised at the beginning of the next row */
462
        tif->tif_row = row + 1;
463

464
        if (e)
465
            (*tif->tif_postdecode)(tif, (uint8_t *)buf, tif->tif_scanlinesize);
466
    }
467
    else
468
    {
469
        memset(buf, 0, (size_t)tif->tif_scanlinesize);
470
    }
471
    return (e > 0 ? 1 : -1);
472
}
473

474
/*
475
 * Calculate the strip size according to the number of
476
 * rows in the strip (check for truncated last strip on any
477
 * of the separations).
478
 */
479
static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF *tif, uint32_t strip,
480
                                                 uint16_t *pplane)
481
{
482
    static const char module[] = "TIFFReadEncodedStrip";
483
    TIFFDirectory *td = &tif->tif_dir;
484
    uint32_t rowsperstrip;
485
    uint32_t stripsperplane;
486
    uint32_t stripinplane;
487
    uint32_t rows;
488
    tmsize_t stripsize;
489
    if (!TIFFCheckRead(tif, 0))
490
        return ((tmsize_t)(-1));
491
    if (strip >= td->td_nstrips)
492
    {
493
        TIFFErrorExtR(tif, module,
494
                      "%" PRIu32 ": Strip out of range, max %" PRIu32, strip,
495
                      td->td_nstrips);
496
        return ((tmsize_t)(-1));
497
    }
498

499
    rowsperstrip = td->td_rowsperstrip;
500
    if (rowsperstrip > td->td_imagelength)
501
        rowsperstrip = td->td_imagelength;
502
    if (rowsperstrip == 0)
503
    {
504
        TIFFErrorExtR(tif, module, "rowsperstrip is zero");
505
        return ((tmsize_t)(-1));
506
    }
507
    stripsperplane =
508
        TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
509
    stripinplane = (strip % stripsperplane);
510
    if (pplane)
511
        *pplane = (uint16_t)(strip / stripsperplane);
512
    rows = td->td_imagelength - stripinplane * rowsperstrip;
513
    if (rows > rowsperstrip)
514
        rows = rowsperstrip;
515
    stripsize = TIFFVStripSize(tif, rows);
516
    if (stripsize == 0)
517
        return ((tmsize_t)(-1));
518
    return stripsize;
519
}
520

521
/*
522
 * Read a strip of data and decompress the specified
523
 * amount into the user-supplied buffer.
524
 */
525
tmsize_t TIFFReadEncodedStrip(TIFF *tif, uint32_t strip, void *buf,
526
                              tmsize_t size)
527
{
528
    static const char module[] = "TIFFReadEncodedStrip";
529
    TIFFDirectory *td = &tif->tif_dir;
530
    tmsize_t stripsize;
531
    uint16_t plane;
532

533
    stripsize = TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
534
    if (stripsize == ((tmsize_t)(-1)))
535
        return ((tmsize_t)(-1));
536

537
    /* shortcut to avoid an extra memcpy() */
538
    if (td->td_compression == COMPRESSION_NONE && size != (tmsize_t)(-1) &&
539
        size >= stripsize && !isMapped(tif) &&
540
        ((tif->tif_flags & TIFF_NOREADRAW) == 0))
541
    {
542
        if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
543
            return ((tmsize_t)(-1));
544

545
        if (!isFillOrder(tif, td->td_fillorder) &&
546
            (tif->tif_flags & TIFF_NOBITREV) == 0)
547
            TIFFReverseBits(buf, stripsize);
548

549
        (*tif->tif_postdecode)(tif, buf, stripsize);
550
        return (stripsize);
551
    }
552

553
    if ((size != (tmsize_t)(-1)) && (size < stripsize))
554
        stripsize = size;
555
    if (!TIFFFillStrip(tif, strip))
556
    {
557
        memset(buf, 0, (size_t)stripsize);
558
        return ((tmsize_t)(-1));
559
    }
560
    if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
561
        return ((tmsize_t)(-1));
562
    (*tif->tif_postdecode)(tif, buf, stripsize);
563
    return (stripsize);
564
}
565

566
/* Variant of TIFFReadEncodedStrip() that does
567
 * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
568
 * TIFFFillStrip() has succeeded. This avoid excessive memory allocation in case
569
 * of truncated file.
570
 * * calls regular TIFFReadEncodedStrip() if *buf != NULL
571
 */
572
tmsize_t _TIFFReadEncodedStripAndAllocBuffer(TIFF *tif, uint32_t strip,
573
                                             void **buf,
574
                                             tmsize_t bufsizetoalloc,
575
                                             tmsize_t size_to_read)
576
{
577
    tmsize_t this_stripsize;
578
    uint16_t plane;
579

580
    if (*buf != NULL)
581
    {
582
        return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
583
    }
584

585
    this_stripsize = TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
586
    if (this_stripsize == ((tmsize_t)(-1)))
587
        return ((tmsize_t)(-1));
588

589
    if ((size_to_read != (tmsize_t)(-1)) && (size_to_read < this_stripsize))
590
        this_stripsize = size_to_read;
591
    if (!TIFFFillStrip(tif, strip))
592
        return ((tmsize_t)(-1));
593

594
    *buf = _TIFFmallocExt(tif, bufsizetoalloc);
595
    if (*buf == NULL)
596
    {
597
        TIFFErrorExtR(tif, TIFFFileName(tif), "No space for strip buffer");
598
        return ((tmsize_t)(-1));
599
    }
600
    _TIFFmemset(*buf, 0, bufsizetoalloc);
601

602
    if ((*tif->tif_decodestrip)(tif, *buf, this_stripsize, plane) <= 0)
603
        return ((tmsize_t)(-1));
604
    (*tif->tif_postdecode)(tif, *buf, this_stripsize);
605
    return (this_stripsize);
606
}
607

608
static tmsize_t TIFFReadRawStrip1(TIFF *tif, uint32_t strip, void *buf,
609
                                  tmsize_t size, const char *module)
610
{
611
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
612
    if (!isMapped(tif))
613
    {
614
        tmsize_t cc;
615

616
        if (!SeekOK(tif, TIFFGetStrileOffset(tif, strip)))
617
        {
618
            TIFFErrorExtR(tif, module,
619
                          "Seek error at scanline %" PRIu32 ", strip %" PRIu32,
620
                          tif->tif_row, strip);
621
            return ((tmsize_t)(-1));
622
        }
623
        cc = TIFFReadFile(tif, buf, size);
624
        if (cc != size)
625
        {
626
            TIFFErrorExtR(tif, module,
627
                          "Read error at scanline %" PRIu32
628
                          "; got %" TIFF_SSIZE_FORMAT
629
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
630
                          tif->tif_row, cc, size);
631
            return ((tmsize_t)(-1));
632
        }
633
    }
634
    else
635
    {
636
        tmsize_t ma = 0;
637
        tmsize_t n;
638
        if ((TIFFGetStrileOffset(tif, strip) > (uint64_t)TIFF_TMSIZE_T_MAX) ||
639
            ((ma = (tmsize_t)TIFFGetStrileOffset(tif, strip)) > tif->tif_size))
640
        {
641
            n = 0;
642
        }
643
        else if (ma > TIFF_TMSIZE_T_MAX - size)
644
        {
645
            n = 0;
646
        }
647
        else
648
        {
649
            tmsize_t mb = ma + size;
650
            if (mb > tif->tif_size)
651
                n = tif->tif_size - ma;
652
            else
653
                n = size;
654
        }
655
        if (n != size)
656
        {
657
            TIFFErrorExtR(tif, module,
658
                          "Read error at scanline %" PRIu32 ", strip %" PRIu32
659
                          "; got %" TIFF_SSIZE_FORMAT
660
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
661
                          tif->tif_row, strip, n, size);
662
            return ((tmsize_t)(-1));
663
        }
664
        _TIFFmemcpy(buf, tif->tif_base + ma, size);
665
    }
666
    return (size);
667
}
668

669
static tmsize_t TIFFReadRawStripOrTile2(TIFF *tif, uint32_t strip_or_tile,
670
                                        int is_strip, tmsize_t size,
671
                                        const char *module)
672
{
673
    assert(!isMapped(tif));
674
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
675

676
    if (!SeekOK(tif, TIFFGetStrileOffset(tif, strip_or_tile)))
677
    {
678
        if (is_strip)
679
        {
680
            TIFFErrorExtR(tif, module,
681
                          "Seek error at scanline %" PRIu32 ", strip %" PRIu32,
682
                          tif->tif_row, strip_or_tile);
683
        }
684
        else
685
        {
686
            TIFFErrorExtR(tif, module,
687
                          "Seek error at row %" PRIu32 ", col %" PRIu32
688
                          ", tile %" PRIu32,
689
                          tif->tif_row, tif->tif_col, strip_or_tile);
690
        }
691
        return ((tmsize_t)(-1));
692
    }
693

694
    if (!TIFFReadAndRealloc(tif, size, 0, is_strip, strip_or_tile, module))
695
    {
696
        return ((tmsize_t)(-1));
697
    }
698

699
    return (size);
700
}
701

702
/*
703
 * Read a strip of data from the file.
704
 */
705
tmsize_t TIFFReadRawStrip(TIFF *tif, uint32_t strip, void *buf, tmsize_t size)
706
{
707
    static const char module[] = "TIFFReadRawStrip";
708
    TIFFDirectory *td = &tif->tif_dir;
709
    uint64_t bytecount64;
710
    tmsize_t bytecountm;
711

712
    if (!TIFFCheckRead(tif, 0))
713
        return ((tmsize_t)(-1));
714
    if (strip >= td->td_nstrips)
715
    {
716
        TIFFErrorExtR(tif, module,
717
                      "%" PRIu32 ": Strip out of range, max %" PRIu32, strip,
718
                      td->td_nstrips);
719
        return ((tmsize_t)(-1));
720
    }
721
    if (tif->tif_flags & TIFF_NOREADRAW)
722
    {
723
        TIFFErrorExtR(tif, module,
724
                      "Compression scheme does not support access to raw "
725
                      "uncompressed data");
726
        return ((tmsize_t)(-1));
727
    }
728
    bytecount64 = TIFFGetStrileByteCount(tif, strip);
729
    if (size != (tmsize_t)(-1) && (uint64_t)size <= bytecount64)
730
        bytecountm = size;
731
    else
732
        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
733
    if (bytecountm == 0)
734
    {
735
        return ((tmsize_t)(-1));
736
    }
737
    return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module));
738
}
739

740
TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
741
static uint64_t NoSanitizeSubUInt64(uint64_t a, uint64_t b) { return a - b; }
742

743
/*
744
 * Read the specified strip and setup for decoding. The data buffer is
745
 * expanded, as necessary, to hold the strip's data.
746
 */
747
int TIFFFillStrip(TIFF *tif, uint32_t strip)
748
{
749
    static const char module[] = "TIFFFillStrip";
750
    TIFFDirectory *td = &tif->tif_dir;
751

752
    if ((tif->tif_flags & TIFF_NOREADRAW) == 0)
753
    {
754
        uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
755
        if (bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX)
756
        {
757
            TIFFErrorExtR(tif, module,
758
                          "Invalid strip byte count %" PRIu64
759
                          ", strip %" PRIu32,
760
                          bytecount, strip);
761
            return (0);
762
        }
763

764
        /* To avoid excessive memory allocations: */
765
        /* Byte count should normally not be larger than a number of */
766
        /* times the uncompressed size plus some margin */
767
        if (bytecount > 1024 * 1024)
768
        {
769
            /* 10 and 4096 are just values that could be adjusted. */
770
            /* Hopefully they are safe enough for all codecs */
771
            tmsize_t stripsize = TIFFStripSize(tif);
772
            if (stripsize != 0 && (bytecount - 4096) / 10 > (uint64_t)stripsize)
773
            {
774
                uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
775
                TIFFErrorExtR(tif, module,
776
                              "Too large strip byte count %" PRIu64
777
                              ", strip %" PRIu32 ". Limiting to %" PRIu64,
778
                              bytecount, strip, newbytecount);
779
                bytecount = newbytecount;
780
            }
781
        }
782

783
        if (isMapped(tif))
784
        {
785
            /*
786
             * We must check for overflow, potentially causing
787
             * an OOB read. Instead of simple
788
             *
789
             *  TIFFGetStrileOffset(tif, strip)+bytecount > tif->tif_size
790
             *
791
             * comparison (which can overflow) we do the following
792
             * two comparisons:
793
             */
794
            if (bytecount > (uint64_t)tif->tif_size ||
795
                TIFFGetStrileOffset(tif, strip) >
796
                    (uint64_t)tif->tif_size - bytecount)
797
            {
798
                /*
799
                 * This error message might seem strange, but
800
                 * it's what would happen if a read were done
801
                 * instead.
802
                 */
803
                TIFFErrorExtR(
804
                    tif, module,
805

806
                    "Read error on strip %" PRIu32 "; "
807
                    "got %" PRIu64 " bytes, expected %" PRIu64,
808
                    strip,
809
                    NoSanitizeSubUInt64(tif->tif_size,
810
                                        TIFFGetStrileOffset(tif, strip)),
811
                    bytecount);
812
                tif->tif_curstrip = NOSTRIP;
813
                return (0);
814
            }
815
        }
816

817
        if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) ||
818
                              (tif->tif_flags & TIFF_NOBITREV)))
819
        {
820
            /*
821
             * The image is mapped into memory and we either don't
822
             * need to flip bits or the compression routine is
823
             * going to handle this operation itself.  In this
824
             * case, avoid copying the raw data and instead just
825
             * reference the data from the memory mapped file
826
             * image.  This assumes that the decompression
827
             * routines do not modify the contents of the raw data
828
             * buffer (if they try to, the application will get a
829
             * fault since the file is mapped read-only).
830
             */
831
            if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
832
            {
833
                _TIFFfreeExt(tif, tif->tif_rawdata);
834
                tif->tif_rawdata = NULL;
835
                tif->tif_rawdatasize = 0;
836
            }
837
            tif->tif_flags &= ~TIFF_MYBUFFER;
838
            tif->tif_rawdatasize = (tmsize_t)bytecount;
839
            tif->tif_rawdata =
840
                tif->tif_base + (tmsize_t)TIFFGetStrileOffset(tif, strip);
841
            tif->tif_rawdataoff = 0;
842
            tif->tif_rawdataloaded = (tmsize_t)bytecount;
843

844
            /*
845
             * When we have tif_rawdata reference directly into the memory
846
             * mapped file we need to be pretty careful about how we use the
847
             * rawdata.  It is not a general purpose working buffer as it
848
             * normally otherwise is.  So we keep track of this fact to avoid
849
             * using it improperly.
850
             */
851
            tif->tif_flags |= TIFF_BUFFERMMAP;
852
        }
853
        else
854
        {
855
            /*
856
             * Expand raw data buffer, if needed, to hold data
857
             * strip coming from file (perhaps should set upper
858
             * bound on the size of a buffer we'll use?).
859
             */
860
            tmsize_t bytecountm;
861
            bytecountm = (tmsize_t)bytecount;
862
            if ((uint64_t)bytecountm != bytecount)
863
            {
864
                TIFFErrorExtR(tif, module, "Integer overflow");
865
                return (0);
866
            }
867
            if (bytecountm > tif->tif_rawdatasize)
868
            {
869
                tif->tif_curstrip = NOSTRIP;
870
                if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
871
                {
872
                    TIFFErrorExtR(
873
                        tif, module,
874
                        "Data buffer too small to hold strip %" PRIu32, strip);
875
                    return (0);
876
                }
877
            }
878
            if (tif->tif_flags & TIFF_BUFFERMMAP)
879
            {
880
                tif->tif_curstrip = NOSTRIP;
881
                tif->tif_rawdata = NULL;
882
                tif->tif_rawdatasize = 0;
883
                tif->tif_flags &= ~TIFF_BUFFERMMAP;
884
            }
885

886
            if (isMapped(tif))
887
            {
888
                if (bytecountm > tif->tif_rawdatasize &&
889
                    !TIFFReadBufferSetup(tif, 0, bytecountm))
890
                {
891
                    return (0);
892
                }
893
                if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata, bytecountm,
894
                                      module) != bytecountm)
895
                {
896
                    return (0);
897
                }
898
            }
899
            else
900
            {
901
                if (TIFFReadRawStripOrTile2(tif, strip, 1, bytecountm,
902
                                            module) != bytecountm)
903
                {
904
                    return (0);
905
                }
906
            }
907

908
            tif->tif_rawdataoff = 0;
909
            tif->tif_rawdataloaded = bytecountm;
910

911
            if (!isFillOrder(tif, td->td_fillorder) &&
912
                (tif->tif_flags & TIFF_NOBITREV) == 0)
913
                TIFFReverseBits(tif->tif_rawdata, bytecountm);
914
        }
915
    }
916
    return (TIFFStartStrip(tif, strip));
917
}
918

919
/*
920
 * Tile-oriented Read Support
921
 * Contributed by Nancy Cam (Silicon Graphics).
922
 */
923

924
/*
925
 * Read and decompress a tile of data.  The
926
 * tile is selected by the (x,y,z,s) coordinates.
927
 */
928
tmsize_t TIFFReadTile(TIFF *tif, void *buf, uint32_t x, uint32_t y, uint32_t z,
929
                      uint16_t s)
930
{
931
    if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
932
        return ((tmsize_t)(-1));
933
    return (TIFFReadEncodedTile(tif, TIFFComputeTile(tif, x, y, z, s), buf,
934
                                (tmsize_t)(-1)));
935
}
936

937
/*
938
 * Read a tile of data and decompress the specified
939
 * amount into the user-supplied buffer.
940
 */
941
tmsize_t TIFFReadEncodedTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
942
{
943
    static const char module[] = "TIFFReadEncodedTile";
944
    TIFFDirectory *td = &tif->tif_dir;
945
    tmsize_t tilesize = tif->tif_tilesize;
946

947
    if (!TIFFCheckRead(tif, 1))
948
        return ((tmsize_t)(-1));
949
    if (tile >= td->td_nstrips)
950
    {
951
        TIFFErrorExtR(tif, module,
952
                      "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
953
                      td->td_nstrips);
954
        return ((tmsize_t)(-1));
955
    }
956

957
    /* shortcut to avoid an extra memcpy() */
958
    if (td->td_compression == COMPRESSION_NONE && size != (tmsize_t)(-1) &&
959
        size >= tilesize && !isMapped(tif) &&
960
        ((tif->tif_flags & TIFF_NOREADRAW) == 0))
961
    {
962
        if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
963
            return ((tmsize_t)(-1));
964

965
        if (!isFillOrder(tif, td->td_fillorder) &&
966
            (tif->tif_flags & TIFF_NOBITREV) == 0)
967
            TIFFReverseBits(buf, tilesize);
968

969
        (*tif->tif_postdecode)(tif, buf, tilesize);
970
        return (tilesize);
971
    }
972

973
    if (size == (tmsize_t)(-1))
974
        size = tilesize;
975
    else if (size > tilesize)
976
        size = tilesize;
977
    if (!TIFFFillTile(tif, tile))
978
    {
979
        memset(buf, 0, (size_t)size);
980
        return ((tmsize_t)(-1));
981
    }
982
    else if ((*tif->tif_decodetile)(tif, (uint8_t *)buf, size,
983
                                    (uint16_t)(tile / td->td_stripsperimage)))
984
    {
985
        (*tif->tif_postdecode)(tif, (uint8_t *)buf, size);
986
        return (size);
987
    }
988
    else
989
        return ((tmsize_t)(-1));
990
}
991

992
/* Variant of TIFFReadTile() that does
993
 * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
994
 * TIFFFillTile() has succeeded. This avoid excessive memory allocation in case
995
 * of truncated file.
996
 * * calls regular TIFFReadEncodedTile() if *buf != NULL
997
 */
998
tmsize_t _TIFFReadTileAndAllocBuffer(TIFF *tif, void **buf,
999
                                     tmsize_t bufsizetoalloc, uint32_t x,
1000
                                     uint32_t y, uint32_t z, uint16_t s)
1001
{
1002
    if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
1003
        return ((tmsize_t)(-1));
1004
    return (_TIFFReadEncodedTileAndAllocBuffer(
1005
        tif, TIFFComputeTile(tif, x, y, z, s), buf, bufsizetoalloc,
1006
        (tmsize_t)(-1)));
1007
}
1008

1009
/* Variant of TIFFReadEncodedTile() that does
1010
 * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
1011
 * TIFFFillTile() has succeeded. This avoid excessive memory allocation in case
1012
 * of truncated file.
1013
 * * calls regular TIFFReadEncodedTile() if *buf != NULL
1014
 */
1015
tmsize_t _TIFFReadEncodedTileAndAllocBuffer(TIFF *tif, uint32_t tile,
1016
                                            void **buf, tmsize_t bufsizetoalloc,
1017
                                            tmsize_t size_to_read)
1018
{
1019
    static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
1020
    TIFFDirectory *td = &tif->tif_dir;
1021
    tmsize_t tilesize = tif->tif_tilesize;
1022

1023
    if (*buf != NULL)
1024
    {
1025
        return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
1026
    }
1027

1028
    if (!TIFFCheckRead(tif, 1))
1029
        return ((tmsize_t)(-1));
1030
    if (tile >= td->td_nstrips)
1031
    {
1032
        TIFFErrorExtR(tif, module,
1033
                      "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
1034
                      td->td_nstrips);
1035
        return ((tmsize_t)(-1));
1036
    }
1037

1038
    if (!TIFFFillTile(tif, tile))
1039
        return ((tmsize_t)(-1));
1040

1041
    /* Sanity checks to avoid excessive memory allocation */
1042
    /* Cf https://gitlab.com/libtiff/libtiff/-/issues/479 */
1043
    if (td->td_compression == COMPRESSION_NONE)
1044
    {
1045
        if (tif->tif_rawdatasize != tilesize)
1046
        {
1047
            TIFFErrorExtR(tif, TIFFFileName(tif),
1048
                          "Invalid tile byte count for tile %u. "
1049
                          "Expected %" PRIu64 ", got %" PRIu64,
1050
                          tile, (uint64_t)tilesize,
1051
                          (uint64_t)tif->tif_rawdatasize);
1052
            return ((tmsize_t)(-1));
1053
        }
1054
    }
1055
    else
1056
    {
1057
        /* Max compression ratio experimentally determined. Might be fragile...
1058
         * Only apply this heuristics to situations where the memory allocation
1059
         * would be big, to avoid breaking nominal use cases.
1060
         */
1061
        const int maxCompressionRatio =
1062
            td->td_compression == COMPRESSION_ZSTD ? 33000
1063
            : td->td_compression == COMPRESSION_JXL
1064
                ?
1065
                /* Evaluated on a 8000x8000 tile */
1066
                25000 * (td->td_planarconfig == PLANARCONFIG_CONTIG
1067
                             ? td->td_samplesperpixel
1068
                             : 1)
1069
                : td->td_compression == COMPRESSION_LZMA ? 7000 : 1000;
1070
        if (bufsizetoalloc > 100 * 1000 * 1000 &&
1071
            tif->tif_rawdatasize < tilesize / maxCompressionRatio)
1072
        {
1073
            TIFFErrorExtR(tif, TIFFFileName(tif),
1074
                          "Likely invalid tile byte count for tile %u. "
1075
                          "Uncompressed tile size is %" PRIu64 ", "
1076
                          "compressed one is %" PRIu64,
1077
                          tile, (uint64_t)tilesize,
1078
                          (uint64_t)tif->tif_rawdatasize);
1079
            return ((tmsize_t)(-1));
1080
        }
1081
    }
1082

1083
    *buf = _TIFFmallocExt(tif, bufsizetoalloc);
1084
    if (*buf == NULL)
1085
    {
1086
        TIFFErrorExtR(tif, TIFFFileName(tif), "No space for tile buffer");
1087
        return ((tmsize_t)(-1));
1088
    }
1089
    _TIFFmemset(*buf, 0, bufsizetoalloc);
1090

1091
    if (size_to_read == (tmsize_t)(-1))
1092
        size_to_read = tilesize;
1093
    else if (size_to_read > tilesize)
1094
        size_to_read = tilesize;
1095
    if ((*tif->tif_decodetile)(tif, (uint8_t *)*buf, size_to_read,
1096
                               (uint16_t)(tile / td->td_stripsperimage)))
1097
    {
1098
        (*tif->tif_postdecode)(tif, (uint8_t *)*buf, size_to_read);
1099
        return (size_to_read);
1100
    }
1101
    else
1102
        return ((tmsize_t)(-1));
1103
}
1104

1105
static tmsize_t TIFFReadRawTile1(TIFF *tif, uint32_t tile, void *buf,
1106
                                 tmsize_t size, const char *module)
1107
{
1108
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
1109
    if (!isMapped(tif))
1110
    {
1111
        tmsize_t cc;
1112

1113
        if (!SeekOK(tif, TIFFGetStrileOffset(tif, tile)))
1114
        {
1115
            TIFFErrorExtR(tif, module,
1116
                          "Seek error at row %" PRIu32 ", col %" PRIu32
1117
                          ", tile %" PRIu32,
1118
                          tif->tif_row, tif->tif_col, tile);
1119
            return ((tmsize_t)(-1));
1120
        }
1121
        cc = TIFFReadFile(tif, buf, size);
1122
        if (cc != size)
1123
        {
1124
            TIFFErrorExtR(tif, module,
1125
                          "Read error at row %" PRIu32 ", col %" PRIu32
1126
                          "; got %" TIFF_SSIZE_FORMAT
1127
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
1128
                          tif->tif_row, tif->tif_col, cc, size);
1129
            return ((tmsize_t)(-1));
1130
        }
1131
    }
1132
    else
1133
    {
1134
        tmsize_t ma, mb;
1135
        tmsize_t n;
1136
        ma = (tmsize_t)TIFFGetStrileOffset(tif, tile);
1137
        mb = ma + size;
1138
        if ((TIFFGetStrileOffset(tif, tile) > (uint64_t)TIFF_TMSIZE_T_MAX) ||
1139
            (ma > tif->tif_size))
1140
            n = 0;
1141
        else if ((mb < ma) || (mb < size) || (mb > tif->tif_size))
1142
            n = tif->tif_size - ma;
1143
        else
1144
            n = size;
1145
        if (n != size)
1146
        {
1147
            TIFFErrorExtR(tif, module,
1148
                          "Read error at row %" PRIu32 ", col %" PRIu32
1149
                          ", tile %" PRIu32 "; got %" TIFF_SSIZE_FORMAT
1150
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
1151
                          tif->tif_row, tif->tif_col, tile, n, size);
1152
            return ((tmsize_t)(-1));
1153
        }
1154
        _TIFFmemcpy(buf, tif->tif_base + ma, size);
1155
    }
1156
    return (size);
1157
}
1158

1159
/*
1160
 * Read a tile of data from the file.
1161
 */
1162
tmsize_t TIFFReadRawTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
1163
{
1164
    static const char module[] = "TIFFReadRawTile";
1165
    TIFFDirectory *td = &tif->tif_dir;
1166
    uint64_t bytecount64;
1167
    tmsize_t bytecountm;
1168

1169
    if (!TIFFCheckRead(tif, 1))
1170
        return ((tmsize_t)(-1));
1171
    if (tile >= td->td_nstrips)
1172
    {
1173
        TIFFErrorExtR(tif, module,
1174
                      "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
1175
                      td->td_nstrips);
1176
        return ((tmsize_t)(-1));
1177
    }
1178
    if (tif->tif_flags & TIFF_NOREADRAW)
1179
    {
1180
        TIFFErrorExtR(tif, module,
1181
                      "Compression scheme does not support access to raw "
1182
                      "uncompressed data");
1183
        return ((tmsize_t)(-1));
1184
    }
1185
    bytecount64 = TIFFGetStrileByteCount(tif, tile);
1186
    if (size != (tmsize_t)(-1) && (uint64_t)size <= bytecount64)
1187
        bytecountm = size;
1188
    else
1189
        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
1190
    if (bytecountm == 0)
1191
    {
1192
        return ((tmsize_t)(-1));
1193
    }
1194
    return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
1195
}
1196

1197
/*
1198
 * Read the specified tile and setup for decoding. The data buffer is
1199
 * expanded, as necessary, to hold the tile's data.
1200
 */
1201
int TIFFFillTile(TIFF *tif, uint32_t tile)
1202
{
1203
    static const char module[] = "TIFFFillTile";
1204
    TIFFDirectory *td = &tif->tif_dir;
1205

1206
    if ((tif->tif_flags & TIFF_NOREADRAW) == 0)
1207
    {
1208
        uint64_t bytecount = TIFFGetStrileByteCount(tif, tile);
1209
        if (bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX)
1210
        {
1211
            TIFFErrorExtR(tif, module,
1212
                          "%" PRIu64 ": Invalid tile byte count, tile %" PRIu32,
1213
                          bytecount, tile);
1214
            return (0);
1215
        }
1216

1217
        /* To avoid excessive memory allocations: */
1218
        /* Byte count should normally not be larger than a number of */
1219
        /* times the uncompressed size plus some margin */
1220
        if (bytecount > 1024 * 1024)
1221
        {
1222
            /* 10 and 4096 are just values that could be adjusted. */
1223
            /* Hopefully they are safe enough for all codecs */
1224
            tmsize_t stripsize = TIFFTileSize(tif);
1225
            if (stripsize != 0 && (bytecount - 4096) / 10 > (uint64_t)stripsize)
1226
            {
1227
                uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
1228
                TIFFErrorExtR(tif, module,
1229
                              "Too large tile byte count %" PRIu64
1230
                              ", tile %" PRIu32 ". Limiting to %" PRIu64,
1231
                              bytecount, tile, newbytecount);
1232
                bytecount = newbytecount;
1233
            }
1234
        }
1235

1236
        if (isMapped(tif))
1237
        {
1238
            /*
1239
             * We must check for overflow, potentially causing
1240
             * an OOB read. Instead of simple
1241
             *
1242
             *  TIFFGetStrileOffset(tif, tile)+bytecount > tif->tif_size
1243
             *
1244
             * comparison (which can overflow) we do the following
1245
             * two comparisons:
1246
             */
1247
            if (bytecount > (uint64_t)tif->tif_size ||
1248
                TIFFGetStrileOffset(tif, tile) >
1249
                    (uint64_t)tif->tif_size - bytecount)
1250
            {
1251
                tif->tif_curtile = NOTILE;
1252
                return (0);
1253
            }
1254
        }
1255

1256
        if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) ||
1257
                              (tif->tif_flags & TIFF_NOBITREV)))
1258
        {
1259
            /*
1260
             * The image is mapped into memory and we either don't
1261
             * need to flip bits or the compression routine is
1262
             * going to handle this operation itself.  In this
1263
             * case, avoid copying the raw data and instead just
1264
             * reference the data from the memory mapped file
1265
             * image.  This assumes that the decompression
1266
             * routines do not modify the contents of the raw data
1267
             * buffer (if they try to, the application will get a
1268
             * fault since the file is mapped read-only).
1269
             */
1270
            if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
1271
            {
1272
                _TIFFfreeExt(tif, tif->tif_rawdata);
1273
                tif->tif_rawdata = NULL;
1274
                tif->tif_rawdatasize = 0;
1275
            }
1276
            tif->tif_flags &= ~TIFF_MYBUFFER;
1277

1278
            tif->tif_rawdatasize = (tmsize_t)bytecount;
1279
            tif->tif_rawdata =
1280
                tif->tif_base + (tmsize_t)TIFFGetStrileOffset(tif, tile);
1281
            tif->tif_rawdataoff = 0;
1282
            tif->tif_rawdataloaded = (tmsize_t)bytecount;
1283
            tif->tif_flags |= TIFF_BUFFERMMAP;
1284
        }
1285
        else
1286
        {
1287
            /*
1288
             * Expand raw data buffer, if needed, to hold data
1289
             * tile coming from file (perhaps should set upper
1290
             * bound on the size of a buffer we'll use?).
1291
             */
1292
            tmsize_t bytecountm;
1293
            bytecountm = (tmsize_t)bytecount;
1294
            if ((uint64_t)bytecountm != bytecount)
1295
            {
1296
                TIFFErrorExtR(tif, module, "Integer overflow");
1297
                return (0);
1298
            }
1299
            if (bytecountm > tif->tif_rawdatasize)
1300
            {
1301
                tif->tif_curtile = NOTILE;
1302
                if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
1303
                {
1304
                    TIFFErrorExtR(tif, module,
1305
                                  "Data buffer too small to hold tile %" PRIu32,
1306
                                  tile);
1307
                    return (0);
1308
                }
1309
            }
1310
            if (tif->tif_flags & TIFF_BUFFERMMAP)
1311
            {
1312
                tif->tif_curtile = NOTILE;
1313
                tif->tif_rawdata = NULL;
1314
                tif->tif_rawdatasize = 0;
1315
                tif->tif_flags &= ~TIFF_BUFFERMMAP;
1316
            }
1317

1318
            if (isMapped(tif))
1319
            {
1320
                if (bytecountm > tif->tif_rawdatasize &&
1321
                    !TIFFReadBufferSetup(tif, 0, bytecountm))
1322
                {
1323
                    return (0);
1324
                }
1325
                if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata, bytecountm,
1326
                                     module) != bytecountm)
1327
                {
1328
                    return (0);
1329
                }
1330
            }
1331
            else
1332
            {
1333
                if (TIFFReadRawStripOrTile2(tif, tile, 0, bytecountm, module) !=
1334
                    bytecountm)
1335
                {
1336
                    return (0);
1337
                }
1338
            }
1339

1340
            tif->tif_rawdataoff = 0;
1341
            tif->tif_rawdataloaded = bytecountm;
1342

1343
            if (tif->tif_rawdata != NULL &&
1344
                !isFillOrder(tif, td->td_fillorder) &&
1345
                (tif->tif_flags & TIFF_NOBITREV) == 0)
1346
                TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdataloaded);
1347
        }
1348
    }
1349
    return (TIFFStartTile(tif, tile));
1350
}
1351

1352
/*
1353
 * Setup the raw data buffer in preparation for
1354
 * reading a strip of raw data.  If the buffer
1355
 * is specified as zero, then a buffer of appropriate
1356
 * size is allocated by the library.  Otherwise,
1357
 * the client must guarantee that the buffer is
1358
 * large enough to hold any individual strip of
1359
 * raw data.
1360
 */
1361
int TIFFReadBufferSetup(TIFF *tif, void *bp, tmsize_t size)
1362
{
1363
    static const char module[] = "TIFFReadBufferSetup";
1364

1365
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
1366
    tif->tif_flags &= ~TIFF_BUFFERMMAP;
1367

1368
    if (tif->tif_rawdata)
1369
    {
1370
        if (tif->tif_flags & TIFF_MYBUFFER)
1371
            _TIFFfreeExt(tif, tif->tif_rawdata);
1372
        tif->tif_rawdata = NULL;
1373
        tif->tif_rawdatasize = 0;
1374
    }
1375
    if (bp)
1376
    {
1377
        tif->tif_rawdatasize = size;
1378
        tif->tif_rawdata = (uint8_t *)bp;
1379
        tif->tif_flags &= ~TIFF_MYBUFFER;
1380
    }
1381
    else
1382
    {
1383
        tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64_t)size, 1024);
1384
        if (tif->tif_rawdatasize == 0)
1385
        {
1386
            TIFFErrorExtR(tif, module, "Invalid buffer size");
1387
            return (0);
1388
        }
1389
        /* Initialize to zero to avoid uninitialized buffers in case of */
1390
        /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
1391
        tif->tif_rawdata =
1392
            (uint8_t *)_TIFFcallocExt(tif, 1, tif->tif_rawdatasize);
1393
        tif->tif_flags |= TIFF_MYBUFFER;
1394
    }
1395
    if (tif->tif_rawdata == NULL)
1396
    {
1397
        TIFFErrorExtR(tif, module,
1398
                      "No space for data buffer at scanline %" PRIu32,
1399
                      tif->tif_row);
1400
        tif->tif_rawdatasize = 0;
1401
        return (0);
1402
    }
1403
    return (1);
1404
}
1405

1406
/*
1407
 * Set state to appear as if a
1408
 * strip has just been read in.
1409
 */
1410
static int TIFFStartStrip(TIFF *tif, uint32_t strip)
1411
{
1412
    TIFFDirectory *td = &tif->tif_dir;
1413

1414
    if ((tif->tif_flags & TIFF_CODERSETUP) == 0)
1415
    {
1416
        if (!(*tif->tif_setupdecode)(tif))
1417
            return (0);
1418
        tif->tif_flags |= TIFF_CODERSETUP;
1419
    }
1420
    tif->tif_curstrip = strip;
1421
    tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip;
1422
    tif->tif_flags &= ~TIFF_BUF4WRITE;
1423

1424
    if (tif->tif_flags & TIFF_NOREADRAW)
1425
    {
1426
        tif->tif_rawcp = NULL;
1427
        tif->tif_rawcc = 0;
1428
    }
1429
    else
1430
    {
1431
        tif->tif_rawcp = tif->tif_rawdata;
1432
        if (tif->tif_rawdataloaded > 0)
1433
            tif->tif_rawcc = tif->tif_rawdataloaded;
1434
        else
1435
            tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, strip);
1436
    }
1437
    if ((*tif->tif_predecode)(tif, (uint16_t)(strip / td->td_stripsperimage)) ==
1438
        0)
1439
    {
1440
        /* Needed for example for scanline access, if tif_predecode */
1441
        /* fails, and we try to read the same strip again. Without invalidating
1442
         */
1443
        /* tif_curstrip, we'd call tif_decoderow() on a possibly invalid */
1444
        /* codec state. */
1445
        tif->tif_curstrip = NOSTRIP;
1446
        return 0;
1447
    }
1448
    return 1;
1449
}
1450

1451
/*
1452
 * Set state to appear as if a
1453
 * tile has just been read in.
1454
 */
1455
static int TIFFStartTile(TIFF *tif, uint32_t tile)
1456
{
1457
    static const char module[] = "TIFFStartTile";
1458
    TIFFDirectory *td = &tif->tif_dir;
1459
    uint32_t howmany32;
1460

1461
    if ((tif->tif_flags & TIFF_CODERSETUP) == 0)
1462
    {
1463
        if (!(*tif->tif_setupdecode)(tif))
1464
            return (0);
1465
        tif->tif_flags |= TIFF_CODERSETUP;
1466
    }
1467
    tif->tif_curtile = tile;
1468
    if (td->td_tilewidth == 0)
1469
    {
1470
        TIFFErrorExtR(tif, module, "Zero tilewidth");
1471
        return 0;
1472
    }
1473
    howmany32 = TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth);
1474
    if (howmany32 == 0)
1475
    {
1476
        TIFFErrorExtR(tif, module, "Zero tiles");
1477
        return 0;
1478
    }
1479
    tif->tif_row = (tile % howmany32) * td->td_tilelength;
1480
    howmany32 = TIFFhowmany_32(td->td_imagelength, td->td_tilelength);
1481
    if (howmany32 == 0)
1482
    {
1483
        TIFFErrorExtR(tif, module, "Zero tiles");
1484
        return 0;
1485
    }
1486
    tif->tif_col = (tile % howmany32) * td->td_tilewidth;
1487
    tif->tif_flags &= ~TIFF_BUF4WRITE;
1488
    if (tif->tif_flags & TIFF_NOREADRAW)
1489
    {
1490
        tif->tif_rawcp = NULL;
1491
        tif->tif_rawcc = 0;
1492
    }
1493
    else
1494
    {
1495
        tif->tif_rawcp = tif->tif_rawdata;
1496
        if (tif->tif_rawdataloaded > 0)
1497
            tif->tif_rawcc = tif->tif_rawdataloaded;
1498
        else
1499
            tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, tile);
1500
    }
1501
    return (
1502
        (*tif->tif_predecode)(tif, (uint16_t)(tile / td->td_stripsperimage)));
1503
}
1504

1505
static int TIFFCheckRead(TIFF *tif, int tiles)
1506
{
1507
    if (tif->tif_mode == O_WRONLY)
1508
    {
1509
        TIFFErrorExtR(tif, tif->tif_name, "File not open for reading");
1510
        return (0);
1511
    }
1512
    if (tiles ^ isTiled(tif))
1513
    {
1514
        TIFFErrorExtR(tif, tif->tif_name,
1515
                      tiles ? "Can not read tiles from a striped image"
1516
                            : "Can not read scanlines from a tiled image");
1517
        return (0);
1518
    }
1519
    return (1);
1520
}
1521

1522
/* Use the provided input buffer (inbuf, insize) and decompress it into
1523
 * (outbuf, outsize).
1524
 * This function replaces the use of
1525
 * TIFFReadEncodedStrip()/TIFFReadEncodedTile() when the user can provide the
1526
 * buffer for the input data, for example when he wants to avoid libtiff to read
1527
 * the strile offset/count values from the [Strip|Tile][Offsets/ByteCounts]
1528
 * array. inbuf content must be writable (if bit reversal is needed) Returns 1
1529
 * in case of success, 0 otherwise.
1530
 */
1531
int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
1532
                           tmsize_t insize, void *outbuf, tmsize_t outsize)
1533
{
1534
    static const char module[] = "TIFFReadFromUserBuffer";
1535
    TIFFDirectory *td = &tif->tif_dir;
1536
    int ret = 1;
1537
    uint32_t old_tif_flags = tif->tif_flags;
1538
    tmsize_t old_rawdatasize = tif->tif_rawdatasize;
1539
    void *old_rawdata = tif->tif_rawdata;
1540

1541
    if (tif->tif_mode == O_WRONLY)
1542
    {
1543
        TIFFErrorExtR(tif, tif->tif_name, "File not open for reading");
1544
        return 0;
1545
    }
1546
    if (tif->tif_flags & TIFF_NOREADRAW)
1547
    {
1548
        TIFFErrorExtR(tif, module,
1549
                      "Compression scheme does not support access to raw "
1550
                      "uncompressed data");
1551
        return 0;
1552
    }
1553

1554
    tif->tif_flags &= ~TIFF_MYBUFFER;
1555
    tif->tif_flags |= TIFF_BUFFERMMAP;
1556
    tif->tif_rawdatasize = insize;
1557
    tif->tif_rawdata = inbuf;
1558
    tif->tif_rawdataoff = 0;
1559
    tif->tif_rawdataloaded = insize;
1560

1561
    if (!isFillOrder(tif, td->td_fillorder) &&
1562
        (tif->tif_flags & TIFF_NOBITREV) == 0)
1563
    {
1564
        TIFFReverseBits(inbuf, insize);
1565
    }
1566

1567
    if (TIFFIsTiled(tif))
1568
    {
1569
        if (!TIFFStartTile(tif, strile))
1570
        {
1571
            ret = 0;
1572
            memset(outbuf, 0, (size_t)outsize);
1573
        }
1574
        else if (!(*tif->tif_decodetile)(
1575
                     tif, (uint8_t *)outbuf, outsize,
1576
                     (uint16_t)(strile / td->td_stripsperimage)))
1577
        {
1578
            ret = 0;
1579
        }
1580
    }
1581
    else
1582
    {
1583
        uint32_t rowsperstrip = td->td_rowsperstrip;
1584
        uint32_t stripsperplane;
1585
        if (rowsperstrip > td->td_imagelength)
1586
            rowsperstrip = td->td_imagelength;
1587
        if (rowsperstrip == 0)
1588
        {
1589
            TIFFErrorExtR(tif, module, "rowsperstrip is zero");
1590
            ret = 0;
1591
        }
1592
        else
1593
        {
1594
            stripsperplane =
1595
                TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
1596
            if (!TIFFStartStrip(tif, strile))
1597
            {
1598
                ret = 0;
1599
                memset(outbuf, 0, (size_t)outsize);
1600
            }
1601
            else if (!(*tif->tif_decodestrip)(
1602
                         tif, (uint8_t *)outbuf, outsize,
1603
                         (uint16_t)(strile / stripsperplane)))
1604
            {
1605
                ret = 0;
1606
            }
1607
        }
1608
    }
1609
    if (ret)
1610
    {
1611
        (*tif->tif_postdecode)(tif, (uint8_t *)outbuf, outsize);
1612
    }
1613

1614
    if (!isFillOrder(tif, td->td_fillorder) &&
1615
        (tif->tif_flags & TIFF_NOBITREV) == 0)
1616
    {
1617
        TIFFReverseBits(inbuf, insize);
1618
    }
1619

1620
    tif->tif_flags = (old_tif_flags & (TIFF_MYBUFFER | TIFF_BUFFERMMAP)) |
1621
                     (tif->tif_flags & ~(TIFF_MYBUFFER | TIFF_BUFFERMMAP));
1622
    tif->tif_rawdatasize = old_rawdatasize;
1623
    tif->tif_rawdata = old_rawdata;
1624
    tif->tif_rawdataoff = 0;
1625
    tif->tif_rawdataloaded = 0;
1626

1627
    return ret;
1628
}
1629

1630
void _TIFFNoPostDecode(TIFF *tif, uint8_t *buf, tmsize_t cc)
1631
{
1632
    (void)tif;
1633
    (void)buf;
1634
    (void)cc;
1635
}
1636

1637
void _TIFFSwab16BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1638
{
1639
    (void)tif;
1640
    assert((cc & 1) == 0);
1641
    TIFFSwabArrayOfShort((uint16_t *)buf, cc / 2);
1642
}
1643

1644
void _TIFFSwab24BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1645
{
1646
    (void)tif;
1647
    assert((cc % 3) == 0);
1648
    TIFFSwabArrayOfTriples((uint8_t *)buf, cc / 3);
1649
}
1650

1651
void _TIFFSwab32BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1652
{
1653
    (void)tif;
1654
    assert((cc & 3) == 0);
1655
    TIFFSwabArrayOfLong((uint32_t *)buf, cc / 4);
1656
}
1657

1658
void _TIFFSwab64BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1659
{
1660
    (void)tif;
1661
    assert((cc & 7) == 0);
1662
    TIFFSwabArrayOfDouble((double *)buf, cc / 8);
1663
}
1664

1665