1
/*
2
 * Copyright (c) 1988-1997 Sam Leffler
3
 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4
 *
5
 * Permission to use, copy, modify, distribute, and sell this software and
6
 * its documentation for any purpose is hereby granted without fee, provided
7
 * that (i) the above copyright notices and this permission notice appear in
8
 * all copies of the software and related documentation, and (ii) the names of
9
 * Sam Leffler and Silicon Graphics may not be used in any advertising or
10
 * publicity relating to the software without the specific, prior written
11
 * permission of Sam Leffler and Silicon Graphics.
12
 *
13
 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14
 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15
 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16
 *
17
 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18
 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19
 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20
 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21
 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22
 * OF THIS SOFTWARE.
23
 */
24

25
/*
26
 * TIFF Library.
27
 * Scanline-oriented Read Support
28
 */
29
#include "tiffiop.h"
30
#include <stdio.h>
31

32
int TIFFFillStrip(TIFF *tif, uint32_t strip);
33
int TIFFFillTile(TIFF *tif, uint32_t tile);
34
static int TIFFStartStrip(TIFF *tif, uint32_t strip);
35
static int TIFFStartTile(TIFF *tif, uint32_t tile);
36
static int TIFFCheckRead(TIFF *, int);
37
static tmsize_t TIFFReadRawStrip1(TIFF *tif, uint32_t strip, void *buf,
38
                                  tmsize_t size, const char *module);
39
static tmsize_t TIFFReadRawTile1(TIFF *tif, uint32_t tile, void *buf,
40
                                 tmsize_t size, const char *module);
41

42
#define NOSTRIP ((uint32_t)(-1)) /* undefined state */
43
#define NOTILE ((uint32_t)(-1))  /* undefined state */
44

45
#define INITIAL_THRESHOLD (1024 * 1024)
46
#define THRESHOLD_MULTIPLIER 10
47
#define MAX_THRESHOLD                                                          \
48
    (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER *      \
49
     INITIAL_THRESHOLD)
50

51
#define TIFF_INT64_MAX ((((int64_t)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
52

53
/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
54
 * Returns 1 in case of success, 0 otherwise. */
55
static int TIFFReadAndRealloc(TIFF *tif, tmsize_t size, tmsize_t rawdata_offset,
56
                              int is_strip, uint32_t strip_or_tile,
57
                              const char *module)
58
{
59
#if SIZEOF_SIZE_T == 8
60
    tmsize_t threshold = INITIAL_THRESHOLD;
61
#endif
62
    tmsize_t already_read = 0;
63

64
#if SIZEOF_SIZE_T != 8
65
    /* On 32 bit processes, if the request is large enough, check against */
66
    /* file size */
67
    if (size > 1000 * 1000 * 1000)
68
    {
69
        uint64_t filesize = TIFFGetFileSize(tif);
70
        if ((uint64_t)size >= filesize)
71
        {
72
            TIFFErrorExtR(tif, module,
73
                          "Chunk size requested is larger than file size.");
74
            return 0;
75
        }
76
    }
77
#endif
78

79
    /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
80
    /* so as to avoid allocating too much memory in case the file is too */
81
    /* short. We could ask for the file size, but this might be */
82
    /* expensive with some I/O layers (think of reading a gzipped file) */
83
    /* Restrict to 64 bit processes, so as to avoid reallocs() */
84
    /* on 32 bit processes where virtual memory is scarce.  */
85
    while (already_read < size)
86
    {
87
        tmsize_t bytes_read;
88
        tmsize_t to_read = size - already_read;
89
#if SIZEOF_SIZE_T == 8
90
        if (to_read >= threshold && threshold < MAX_THRESHOLD &&
91
            already_read + to_read + rawdata_offset > tif->tif_rawdatasize)
92
        {
93
            to_read = threshold;
94
            threshold *= THRESHOLD_MULTIPLIER;
95
        }
96
#endif
97
        if (already_read + to_read + rawdata_offset > tif->tif_rawdatasize)
98
        {
99
            uint8_t *new_rawdata;
100
            assert((tif->tif_flags & TIFF_MYBUFFER) != 0);
101
            tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64(
102
                (uint64_t)already_read + to_read + rawdata_offset, 1024);
103
            if (tif->tif_rawdatasize == 0)
104
            {
105
                TIFFErrorExtR(tif, module, "Invalid buffer size");
106
                return 0;
107
            }
108
            new_rawdata = (uint8_t *)_TIFFreallocExt(tif, tif->tif_rawdata,
109
                                                     tif->tif_rawdatasize);
110
            if (new_rawdata == 0)
111
            {
112
                TIFFErrorExtR(tif, module,
113
                              "No space for data buffer at scanline %" PRIu32,
114
                              tif->tif_row);
115
                _TIFFfreeExt(tif, tif->tif_rawdata);
116
                tif->tif_rawdata = 0;
117
                tif->tif_rawdatasize = 0;
118
                return 0;
119
            }
120
            tif->tif_rawdata = new_rawdata;
121
        }
122
        if (tif->tif_rawdata == NULL)
123
        {
124
            /* should not happen in practice but helps CoverityScan */
125
            return 0;
126
        }
127

128
        bytes_read = TIFFReadFile(
129
            tif, tif->tif_rawdata + rawdata_offset + already_read, to_read);
130
        already_read += bytes_read;
131
        if (bytes_read != to_read)
132
        {
133
            memset(tif->tif_rawdata + rawdata_offset + already_read, 0,
134
                   tif->tif_rawdatasize - rawdata_offset - already_read);
135
            if (is_strip)
136
            {
137
                TIFFErrorExtR(tif, module,
138
                              "Read error at scanline %" PRIu32
139
                              "; got %" TIFF_SSIZE_FORMAT " bytes, "
140
                              "expected %" TIFF_SSIZE_FORMAT,
141
                              tif->tif_row, already_read, size);
142
            }
143
            else
144
            {
145
                TIFFErrorExtR(tif, module,
146
                              "Read error at row %" PRIu32 ", col %" PRIu32
147
                              ", tile %" PRIu32 "; "
148
                              "got %" TIFF_SSIZE_FORMAT
149
                              " bytes, expected %" TIFF_SSIZE_FORMAT "",
150
                              tif->tif_row, tif->tif_col, strip_or_tile,
151
                              already_read, size);
152
            }
153
            return 0;
154
        }
155
    }
156
    return 1;
157
}
158

159
static int TIFFFillStripPartial(TIFF *tif, int strip, tmsize_t read_ahead,
160
                                int restart)
161
{
162
    static const char module[] = "TIFFFillStripPartial";
163
    register TIFFDirectory *td = &tif->tif_dir;
164
    tmsize_t unused_data;
165
    uint64_t read_offset;
166
    tmsize_t to_read;
167
    tmsize_t read_ahead_mod;
168
    /* tmsize_t bytecountm; */
169

170
    /*
171
     * Expand raw data buffer, if needed, to hold data
172
     * strip coming from file (perhaps should set upper
173
     * bound on the size of a buffer we'll use?).
174
     */
175

176
    /* bytecountm=(tmsize_t) TIFFGetStrileByteCount(tif, strip); */
177

178
    /* Not completely sure where the * 2 comes from, but probably for */
179
    /* an exponentional growth strategy of tif_rawdatasize */
180
    if (read_ahead < TIFF_TMSIZE_T_MAX / 2)
181
        read_ahead_mod = read_ahead * 2;
182
    else
183
        read_ahead_mod = read_ahead;
184
    if (read_ahead_mod > tif->tif_rawdatasize)
185
    {
186
        assert(restart);
187

188
        tif->tif_curstrip = NOSTRIP;
189
        if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
190
        {
191
            TIFFErrorExtR(tif, module,
192
                          "Data buffer too small to hold part of strip %d",
193
                          strip);
194
            return (0);
195
        }
196
    }
197

198
    if (restart)
199
    {
200
        tif->tif_rawdataloaded = 0;
201
        tif->tif_rawdataoff = 0;
202
    }
203

204
    /*
205
    ** If we are reading more data, move any unused data to the
206
    ** start of the buffer.
207
    */
208
    if (tif->tif_rawdataloaded > 0)
209
        unused_data =
210
            tif->tif_rawdataloaded - (tif->tif_rawcp - tif->tif_rawdata);
211
    else
212
        unused_data = 0;
213

214
    if (unused_data > 0)
215
    {
216
        assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
217
        memmove(tif->tif_rawdata, tif->tif_rawcp, unused_data);
218
    }
219

220
    /*
221
    ** Seek to the point in the file where more data should be read.
222
    */
223
    read_offset = TIFFGetStrileOffset(tif, strip) + tif->tif_rawdataoff +
224
                  tif->tif_rawdataloaded;
225

226
    if (!SeekOK(tif, read_offset))
227
    {
228
        TIFFErrorExtR(tif, module,
229
                      "Seek error at scanline %" PRIu32 ", strip %d",
230
                      tif->tif_row, strip);
231
        return 0;
232
    }
233

234
    /*
235
    ** How much do we want to read?
236
    */
237
    if (read_ahead_mod > tif->tif_rawdatasize)
238
        to_read = read_ahead_mod - unused_data;
239
    else
240
        to_read = tif->tif_rawdatasize - unused_data;
241
    if ((uint64_t)to_read > TIFFGetStrileByteCount(tif, strip) -
242
                                tif->tif_rawdataoff - tif->tif_rawdataloaded)
243
    {
244
        to_read = (tmsize_t)TIFFGetStrileByteCount(tif, strip) -
245
                  tif->tif_rawdataoff - tif->tif_rawdataloaded;
246
    }
247

248
    assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
249
    if (!TIFFReadAndRealloc(tif, to_read, unused_data, 1, /* is_strip */
250
                            0,                            /* strip_or_tile */
251
                            module))
252
    {
253
        return 0;
254
    }
255

256
    tif->tif_rawdataoff =
257
        tif->tif_rawdataoff + tif->tif_rawdataloaded - unused_data;
258
    tif->tif_rawdataloaded = unused_data + to_read;
259

260
    tif->tif_rawcc = tif->tif_rawdataloaded;
261
    tif->tif_rawcp = tif->tif_rawdata;
262

263
    if (!isFillOrder(tif, td->td_fillorder) &&
264
        (tif->tif_flags & TIFF_NOBITREV) == 0)
265
    {
266
        assert((tif->tif_flags & TIFF_BUFFERMMAP) == 0);
267
        TIFFReverseBits(tif->tif_rawdata + unused_data, to_read);
268
    }
269

270
    /*
271
    ** When starting a strip from the beginning we need to
272
    ** restart the decoder.
273
    */
274
    if (restart)
275
    {
276

277
#ifdef JPEG_SUPPORT
278
        /* A bit messy since breaks the codec abstraction. Ultimately */
279
        /* there should be a function pointer for that, but it seems */
280
        /* only JPEG is affected. */
281
        /* For JPEG, if there are multiple scans (can generally be known */
282
        /* with the  read_ahead used), we need to read the whole strip */
283
        if (tif->tif_dir.td_compression == COMPRESSION_JPEG &&
284
            (uint64_t)tif->tif_rawcc < TIFFGetStrileByteCount(tif, strip))
285
        {
286
            if (TIFFJPEGIsFullStripRequired(tif))
287
            {
288
                return TIFFFillStrip(tif, strip);
289
            }
290
        }
291
#endif
292

293
        return TIFFStartStrip(tif, strip);
294
    }
295
    else
296
    {
297
        return 1;
298
    }
299
}
300

301
/*
302
 * Seek to a random row+sample in a file.
303
 *
304
 * Only used by TIFFReadScanline, and is only used on
305
 * strip organized files.  We do some tricky stuff to try
306
 * and avoid reading the whole compressed raw data for big
307
 * strips.
308
 */
309
static int TIFFSeek(TIFF *tif, uint32_t row, uint16_t sample)
310
{
311
    register TIFFDirectory *td = &tif->tif_dir;
312
    uint32_t strip;
313
    int whole_strip;
314
    tmsize_t read_ahead = 0;
315

316
    /*
317
    ** Establish what strip we are working from.
318
    */
319
    if (row >= td->td_imagelength)
320
    { /* out of range */
321
        TIFFErrorExtR(tif, tif->tif_name,
322
                      "%" PRIu32 ": Row out of range, max %" PRIu32 "", row,
323
                      td->td_imagelength);
324
        return (0);
325
    }
326
    if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
327
    {
328
        if (sample >= td->td_samplesperpixel)
329
        {
330
            TIFFErrorExtR(tif, tif->tif_name,
331
                          "%" PRIu16 ": Sample out of range, max %" PRIu16 "",
332
                          sample, td->td_samplesperpixel);
333
            return (0);
334
        }
335
        strip = (uint32_t)sample * td->td_stripsperimage +
336
                row / td->td_rowsperstrip;
337
    }
338
    else
339
        strip = row / td->td_rowsperstrip;
340

341
        /*
342
         * Do we want to treat this strip as one whole chunk or
343
         * read it a few lines at a time?
344
         */
345
#if defined(CHUNKY_STRIP_READ_SUPPORT)
346
    whole_strip = TIFFGetStrileByteCount(tif, strip) < 10 || isMapped(tif);
347
    if (td->td_compression == COMPRESSION_LERC ||
348
        td->td_compression == COMPRESSION_JBIG)
349
    {
350
        /* Ideally plugins should have a way to declare they don't support
351
         * chunk strip */
352
        whole_strip = 1;
353
    }
354

355
    if (!whole_strip)
356
    {
357
        /* 16 is for YCbCr mode where we may need to read 16 */
358
        /* lines at a time to get a decompressed line, and 5000 */
359
        /* is some constant value, for example for JPEG tables */
360

361
        /* coverity[dead_error_line:SUPPRESS] */
362
        if (tif->tif_scanlinesize < TIFF_TMSIZE_T_MAX / 16 &&
363
            tif->tif_scanlinesize * 16 < TIFF_TMSIZE_T_MAX - 5000)
364
        {
365
            read_ahead = tif->tif_scanlinesize * 16 + 5000;
366
        }
367
        else
368
        {
369
            read_ahead = tif->tif_scanlinesize;
370
        }
371
    }
372
#else
373
    whole_strip = 1;
374
#endif
375

376
    /*
377
     * If we haven't loaded this strip, do so now, possibly
378
     * only reading the first part.
379
     */
380
    if (strip != tif->tif_curstrip)
381
    { /* different strip, refill */
382

383
        if (whole_strip)
384
        {
385
            if (!TIFFFillStrip(tif, strip))
386
                return (0);
387
        }
388
#if defined(CHUNKY_STRIP_READ_SUPPORT)
389
        else
390
        {
391
            if (!TIFFFillStripPartial(tif, strip, read_ahead, 1))
392
                return 0;
393
        }
394
#endif
395
    }
396

397
#if defined(CHUNKY_STRIP_READ_SUPPORT)
398
    /*
399
    ** If we already have some data loaded, do we need to read some more?
400
    */
401
    else if (!whole_strip)
402
    {
403
        /* coverity[dead_error_line:SUPPRESS] */
404
        if (((tif->tif_rawdata + tif->tif_rawdataloaded) - tif->tif_rawcp) <
405
                read_ahead &&
406
            (uint64_t)tif->tif_rawdataoff + tif->tif_rawdataloaded <
407
                TIFFGetStrileByteCount(tif, strip))
408
        {
409
            if (!TIFFFillStripPartial(tif, strip, read_ahead, 0))
410
                return 0;
411
        }
412
    }
413
#endif
414

415
    if (row < tif->tif_row)
416
    {
417
        /*
418
         * Moving backwards within the same strip: backup
419
         * to the start and then decode forward (below).
420
         *
421
         * NB: If you're planning on lots of random access within a
422
         * strip, it's better to just read and decode the entire
423
         * strip, and then access the decoded data in a random fashion.
424
         */
425

426
        if (tif->tif_rawdataoff != 0)
427
        {
428
            if (!TIFFFillStripPartial(tif, strip, read_ahead, 1))
429
                return 0;
430
        }
431
        else
432
        {
433
            if (!TIFFStartStrip(tif, strip))
434
                return (0);
435
        }
436
    }
437

438
    if (row != tif->tif_row)
439
    {
440
        /*
441
         * Seek forward to the desired row.
442
         */
443

444
        /* TODO: Will this really work with partial buffers? */
445

446
        if (!(*tif->tif_seek)(tif, row - tif->tif_row))
447
            return (0);
448
        tif->tif_row = row;
449
    }
450

451
    return (1);
452
}
453

454
int TIFFReadScanline(TIFF *tif, void *buf, uint32_t row, uint16_t sample)
455
{
456
    int e;
457

458
    if (!TIFFCheckRead(tif, 0))
459
        return (-1);
460
    if ((e = TIFFSeek(tif, row, sample)) != 0)
461
    {
462
        /*
463
         * Decompress desired row into user buffer.
464
         */
465
        e = (*tif->tif_decoderow)(tif, (uint8_t *)buf, tif->tif_scanlinesize,
466
                                  sample);
467

468
        /* we are now poised at the beginning of the next row */
469
        tif->tif_row = row + 1;
470

471
        if (e)
472
            (*tif->tif_postdecode)(tif, (uint8_t *)buf, tif->tif_scanlinesize);
473
    }
474
    else
475
    {
476
        /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
477
        if (buf)
478
            memset(buf, 0, (size_t)tif->tif_scanlinesize);
479
    }
480
    return (e > 0 ? 1 : -1);
481
}
482

483
/*
484
 * Calculate the strip size according to the number of
485
 * rows in the strip (check for truncated last strip on any
486
 * of the separations).
487
 */
488
static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF *tif, uint32_t strip,
489
                                                 uint16_t *pplane)
490
{
491
    static const char module[] = "TIFFReadEncodedStrip";
492
    TIFFDirectory *td = &tif->tif_dir;
493
    uint32_t rowsperstrip;
494
    uint32_t stripsperplane;
495
    uint32_t stripinplane;
496
    uint32_t rows;
497
    tmsize_t stripsize;
498
    if (!TIFFCheckRead(tif, 0))
499
        return ((tmsize_t)(-1));
500
    if (strip >= td->td_nstrips)
501
    {
502
        TIFFErrorExtR(tif, module,
503
                      "%" PRIu32 ": Strip out of range, max %" PRIu32, strip,
504
                      td->td_nstrips);
505
        return ((tmsize_t)(-1));
506
    }
507

508
    rowsperstrip = td->td_rowsperstrip;
509
    if (rowsperstrip > td->td_imagelength)
510
        rowsperstrip = td->td_imagelength;
511
    if (rowsperstrip == 0)
512
    {
513
        TIFFErrorExtR(tif, module, "rowsperstrip is zero");
514
        return ((tmsize_t)(-1));
515
    }
516
    stripsperplane =
517
        TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
518
    stripinplane = (strip % stripsperplane);
519
    if (pplane)
520
        *pplane = (uint16_t)(strip / stripsperplane);
521
    rows = td->td_imagelength - stripinplane * rowsperstrip;
522
    if (rows > rowsperstrip)
523
        rows = rowsperstrip;
524
    stripsize = TIFFVStripSize(tif, rows);
525
    if (stripsize == 0)
526
        return ((tmsize_t)(-1));
527
    return stripsize;
528
}
529

530
/*
531
 * Read a strip of data and decompress the specified
532
 * amount into the user-supplied buffer.
533
 */
534
tmsize_t TIFFReadEncodedStrip(TIFF *tif, uint32_t strip, void *buf,
535
                              tmsize_t size)
536
{
537
    static const char module[] = "TIFFReadEncodedStrip";
538
    TIFFDirectory *td = &tif->tif_dir;
539
    tmsize_t stripsize;
540
    uint16_t plane;
541

542
    stripsize = TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
543
    if (stripsize == ((tmsize_t)(-1)))
544
        return ((tmsize_t)(-1));
545

546
    /* shortcut to avoid an extra memcpy() */
547
    if (td->td_compression == COMPRESSION_NONE && size != (tmsize_t)(-1) &&
548
        size >= stripsize && !isMapped(tif) &&
549
        ((tif->tif_flags & TIFF_NOREADRAW) == 0))
550
    {
551
        if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize)
552
            return ((tmsize_t)(-1));
553

554
        if (!isFillOrder(tif, td->td_fillorder) &&
555
            (tif->tif_flags & TIFF_NOBITREV) == 0)
556
            TIFFReverseBits(buf, stripsize);
557

558
        (*tif->tif_postdecode)(tif, buf, stripsize);
559
        return (stripsize);
560
    }
561

562
    if ((size != (tmsize_t)(-1)) && (size < stripsize))
563
        stripsize = size;
564
    if (!TIFFFillStrip(tif, strip))
565
    {
566
        /* The output buf may be NULL, in particular if TIFFTAG_FAXFILLFUNC
567
           is being used. Thus, memset must be conditional on buf not NULL. */
568
        if (buf)
569
            memset(buf, 0, (size_t)stripsize);
570
        return ((tmsize_t)(-1));
571
    }
572
    if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
573
        return ((tmsize_t)(-1));
574
    (*tif->tif_postdecode)(tif, buf, stripsize);
575
    return (stripsize);
576
}
577

578
/* Variant of TIFFReadEncodedStrip() that does
579
 * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
580
 * TIFFFillStrip() has succeeded. This avoid excessive memory allocation in case
581
 * of truncated file.
582
 * * calls regular TIFFReadEncodedStrip() if *buf != NULL
583
 */
584
tmsize_t _TIFFReadEncodedStripAndAllocBuffer(TIFF *tif, uint32_t strip,
585
                                             void **buf,
586
                                             tmsize_t bufsizetoalloc,
587
                                             tmsize_t size_to_read)
588
{
589
    tmsize_t this_stripsize;
590
    uint16_t plane;
591

592
    if (*buf != NULL)
593
    {
594
        return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
595
    }
596

597
    this_stripsize = TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
598
    if (this_stripsize == ((tmsize_t)(-1)))
599
        return ((tmsize_t)(-1));
600

601
    if ((size_to_read != (tmsize_t)(-1)) && (size_to_read < this_stripsize))
602
        this_stripsize = size_to_read;
603
    if (!TIFFFillStrip(tif, strip))
604
        return ((tmsize_t)(-1));
605

606
    *buf = _TIFFmallocExt(tif, bufsizetoalloc);
607
    if (*buf == NULL)
608
    {
609
        TIFFErrorExtR(tif, TIFFFileName(tif), "No space for strip buffer");
610
        return ((tmsize_t)(-1));
611
    }
612
    _TIFFmemset(*buf, 0, bufsizetoalloc);
613

614
    if ((*tif->tif_decodestrip)(tif, *buf, this_stripsize, plane) <= 0)
615
        return ((tmsize_t)(-1));
616
    (*tif->tif_postdecode)(tif, *buf, this_stripsize);
617
    return (this_stripsize);
618
}
619

620
static tmsize_t TIFFReadRawStrip1(TIFF *tif, uint32_t strip, void *buf,
621
                                  tmsize_t size, const char *module)
622
{
623
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
624
    if (!isMapped(tif))
625
    {
626
        tmsize_t cc;
627

628
        if (!SeekOK(tif, TIFFGetStrileOffset(tif, strip)))
629
        {
630
            TIFFErrorExtR(tif, module,
631
                          "Seek error at scanline %" PRIu32 ", strip %" PRIu32,
632
                          tif->tif_row, strip);
633
            return ((tmsize_t)(-1));
634
        }
635
        cc = TIFFReadFile(tif, buf, size);
636
        if (cc != size)
637
        {
638
            TIFFErrorExtR(tif, module,
639
                          "Read error at scanline %" PRIu32
640
                          "; got %" TIFF_SSIZE_FORMAT
641
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
642
                          tif->tif_row, cc, size);
643
            return ((tmsize_t)(-1));
644
        }
645
    }
646
    else
647
    {
648
        tmsize_t ma = 0;
649
        tmsize_t n;
650
        if ((TIFFGetStrileOffset(tif, strip) > (uint64_t)TIFF_TMSIZE_T_MAX) ||
651
            ((ma = (tmsize_t)TIFFGetStrileOffset(tif, strip)) > tif->tif_size))
652
        {
653
            n = 0;
654
        }
655
        else if (ma > TIFF_TMSIZE_T_MAX - size)
656
        {
657
            n = 0;
658
        }
659
        else
660
        {
661
            tmsize_t mb = ma + size;
662
            if (mb > tif->tif_size)
663
                n = tif->tif_size - ma;
664
            else
665
                n = size;
666
        }
667
        if (n != size)
668
        {
669
            TIFFErrorExtR(tif, module,
670
                          "Read error at scanline %" PRIu32 ", strip %" PRIu32
671
                          "; got %" TIFF_SSIZE_FORMAT
672
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
673
                          tif->tif_row, strip, n, size);
674
            return ((tmsize_t)(-1));
675
        }
676
        _TIFFmemcpy(buf, tif->tif_base + ma, size);
677
    }
678
    return (size);
679
}
680

681
static tmsize_t TIFFReadRawStripOrTile2(TIFF *tif, uint32_t strip_or_tile,
682
                                        int is_strip, tmsize_t size,
683
                                        const char *module)
684
{
685
    assert(!isMapped(tif));
686
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
687

688
    if (!SeekOK(tif, TIFFGetStrileOffset(tif, strip_or_tile)))
689
    {
690
        if (is_strip)
691
        {
692
            TIFFErrorExtR(tif, module,
693
                          "Seek error at scanline %" PRIu32 ", strip %" PRIu32,
694
                          tif->tif_row, strip_or_tile);
695
        }
696
        else
697
        {
698
            TIFFErrorExtR(tif, module,
699
                          "Seek error at row %" PRIu32 ", col %" PRIu32
700
                          ", tile %" PRIu32,
701
                          tif->tif_row, tif->tif_col, strip_or_tile);
702
        }
703
        return ((tmsize_t)(-1));
704
    }
705

706
    if (!TIFFReadAndRealloc(tif, size, 0, is_strip, strip_or_tile, module))
707
    {
708
        return ((tmsize_t)(-1));
709
    }
710

711
    return (size);
712
}
713

714
/*
715
 * Read a strip of data from the file.
716
 */
717
tmsize_t TIFFReadRawStrip(TIFF *tif, uint32_t strip, void *buf, tmsize_t size)
718
{
719
    static const char module[] = "TIFFReadRawStrip";
720
    TIFFDirectory *td = &tif->tif_dir;
721
    uint64_t bytecount64;
722
    tmsize_t bytecountm;
723

724
    if (!TIFFCheckRead(tif, 0))
725
        return ((tmsize_t)(-1));
726
    if (strip >= td->td_nstrips)
727
    {
728
        TIFFErrorExtR(tif, module,
729
                      "%" PRIu32 ": Strip out of range, max %" PRIu32, strip,
730
                      td->td_nstrips);
731
        return ((tmsize_t)(-1));
732
    }
733
    if (tif->tif_flags & TIFF_NOREADRAW)
734
    {
735
        TIFFErrorExtR(tif, module,
736
                      "Compression scheme does not support access to raw "
737
                      "uncompressed data");
738
        return ((tmsize_t)(-1));
739
    }
740
    bytecount64 = TIFFGetStrileByteCount(tif, strip);
741
    if (size != (tmsize_t)(-1) && (uint64_t)size <= bytecount64)
742
        bytecountm = size;
743
    else
744
        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
745
    if (bytecountm == 0)
746
    {
747
        return ((tmsize_t)(-1));
748
    }
749
    return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module));
750
}
751

752
TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
753
static uint64_t NoSanitizeSubUInt64(uint64_t a, uint64_t b) { return a - b; }
754

755
/*
756
 * Read the specified strip and setup for decoding. The data buffer is
757
 * expanded, as necessary, to hold the strip's data.
758
 */
759
int TIFFFillStrip(TIFF *tif, uint32_t strip)
760
{
761
    static const char module[] = "TIFFFillStrip";
762
    TIFFDirectory *td = &tif->tif_dir;
763

764
    if ((tif->tif_flags & TIFF_NOREADRAW) == 0)
765
    {
766
        uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
767
        if (bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX)
768
        {
769
            TIFFErrorExtR(tif, module,
770
                          "Invalid strip byte count %" PRIu64
771
                          ", strip %" PRIu32,
772
                          bytecount, strip);
773
            return (0);
774
        }
775

776
        /* To avoid excessive memory allocations: */
777
        /* Byte count should normally not be larger than a number of */
778
        /* times the uncompressed size plus some margin */
779
        if (bytecount > 1024 * 1024)
780
        {
781
            /* 10 and 4096 are just values that could be adjusted. */
782
            /* Hopefully they are safe enough for all codecs */
783
            tmsize_t stripsize = TIFFStripSize(tif);
784
            if (stripsize != 0 && (bytecount - 4096) / 10 > (uint64_t)stripsize)
785
            {
786
                uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
787
                TIFFErrorExtR(tif, module,
788
                              "Too large strip byte count %" PRIu64
789
                              ", strip %" PRIu32 ". Limiting to %" PRIu64,
790
                              bytecount, strip, newbytecount);
791
                bytecount = newbytecount;
792
            }
793
        }
794

795
        if (isMapped(tif))
796
        {
797
            /*
798
             * We must check for overflow, potentially causing
799
             * an OOB read. Instead of simple
800
             *
801
             *  TIFFGetStrileOffset(tif, strip)+bytecount > tif->tif_size
802
             *
803
             * comparison (which can overflow) we do the following
804
             * two comparisons:
805
             */
806
            if (bytecount > (uint64_t)tif->tif_size ||
807
                TIFFGetStrileOffset(tif, strip) >
808
                    (uint64_t)tif->tif_size - bytecount)
809
            {
810
                /*
811
                 * This error message might seem strange, but
812
                 * it's what would happen if a read were done
813
                 * instead.
814
                 */
815
                TIFFErrorExtR(
816
                    tif, module,
817

818
                    "Read error on strip %" PRIu32 "; "
819
                    "got %" PRIu64 " bytes, expected %" PRIu64,
820
                    strip,
821
                    NoSanitizeSubUInt64(tif->tif_size,
822
                                        TIFFGetStrileOffset(tif, strip)),
823
                    bytecount);
824
                tif->tif_curstrip = NOSTRIP;
825
                return (0);
826
            }
827
        }
828

829
        if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) ||
830
                              (tif->tif_flags & TIFF_NOBITREV)))
831
        {
832
            /*
833
             * The image is mapped into memory and we either don't
834
             * need to flip bits or the compression routine is
835
             * going to handle this operation itself.  In this
836
             * case, avoid copying the raw data and instead just
837
             * reference the data from the memory mapped file
838
             * image.  This assumes that the decompression
839
             * routines do not modify the contents of the raw data
840
             * buffer (if they try to, the application will get a
841
             * fault since the file is mapped read-only).
842
             */
843
            if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
844
            {
845
                _TIFFfreeExt(tif, tif->tif_rawdata);
846
                tif->tif_rawdata = NULL;
847
                tif->tif_rawdatasize = 0;
848
            }
849
            tif->tif_flags &= ~TIFF_MYBUFFER;
850
            tif->tif_rawdatasize = (tmsize_t)bytecount;
851
            tif->tif_rawdata =
852
                tif->tif_base + (tmsize_t)TIFFGetStrileOffset(tif, strip);
853
            tif->tif_rawdataoff = 0;
854
            tif->tif_rawdataloaded = (tmsize_t)bytecount;
855

856
            /*
857
             * When we have tif_rawdata reference directly into the memory
858
             * mapped file we need to be pretty careful about how we use the
859
             * rawdata.  It is not a general purpose working buffer as it
860
             * normally otherwise is.  So we keep track of this fact to avoid
861
             * using it improperly.
862
             */
863
            tif->tif_flags |= TIFF_BUFFERMMAP;
864
        }
865
        else
866
        {
867
            /*
868
             * Expand raw data buffer, if needed, to hold data
869
             * strip coming from file (perhaps should set upper
870
             * bound on the size of a buffer we'll use?).
871
             */
872
            tmsize_t bytecountm;
873
            bytecountm = (tmsize_t)bytecount;
874
            if ((uint64_t)bytecountm != bytecount)
875
            {
876
                TIFFErrorExtR(tif, module, "Integer overflow");
877
                return (0);
878
            }
879
            if (bytecountm > tif->tif_rawdatasize)
880
            {
881
                tif->tif_curstrip = NOSTRIP;
882
                if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
883
                {
884
                    TIFFErrorExtR(
885
                        tif, module,
886
                        "Data buffer too small to hold strip %" PRIu32, strip);
887
                    return (0);
888
                }
889
            }
890
            if (tif->tif_flags & TIFF_BUFFERMMAP)
891
            {
892
                tif->tif_curstrip = NOSTRIP;
893
                tif->tif_rawdata = NULL;
894
                tif->tif_rawdatasize = 0;
895
                tif->tif_flags &= ~TIFF_BUFFERMMAP;
896
            }
897

898
            if (isMapped(tif))
899
            {
900
                if (bytecountm > tif->tif_rawdatasize &&
901
                    !TIFFReadBufferSetup(tif, 0, bytecountm))
902
                {
903
                    return (0);
904
                }
905
                if (TIFFReadRawStrip1(tif, strip, tif->tif_rawdata, bytecountm,
906
                                      module) != bytecountm)
907
                {
908
                    return (0);
909
                }
910
            }
911
            else
912
            {
913
                if (TIFFReadRawStripOrTile2(tif, strip, 1, bytecountm,
914
                                            module) != bytecountm)
915
                {
916
                    return (0);
917
                }
918
            }
919

920
            tif->tif_rawdataoff = 0;
921
            tif->tif_rawdataloaded = bytecountm;
922

923
            if (!isFillOrder(tif, td->td_fillorder) &&
924
                (tif->tif_flags & TIFF_NOBITREV) == 0)
925
                TIFFReverseBits(tif->tif_rawdata, bytecountm);
926
        }
927
    }
928
    return (TIFFStartStrip(tif, strip));
929
}
930

931
/*
932
 * Tile-oriented Read Support
933
 * Contributed by Nancy Cam (Silicon Graphics).
934
 */
935

936
/*
937
 * Read and decompress a tile of data.  The
938
 * tile is selected by the (x,y,z,s) coordinates.
939
 */
940
tmsize_t TIFFReadTile(TIFF *tif, void *buf, uint32_t x, uint32_t y, uint32_t z,
941
                      uint16_t s)
942
{
943
    if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
944
        return ((tmsize_t)(-1));
945
    return (TIFFReadEncodedTile(tif, TIFFComputeTile(tif, x, y, z, s), buf,
946
                                (tmsize_t)(-1)));
947
}
948

949
/*
950
 * Read a tile of data and decompress the specified
951
 * amount into the user-supplied buffer.
952
 */
953
tmsize_t TIFFReadEncodedTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
954
{
955
    static const char module[] = "TIFFReadEncodedTile";
956
    TIFFDirectory *td = &tif->tif_dir;
957
    tmsize_t tilesize = tif->tif_tilesize;
958

959
    if (!TIFFCheckRead(tif, 1))
960
        return ((tmsize_t)(-1));
961
    if (tile >= td->td_nstrips)
962
    {
963
        TIFFErrorExtR(tif, module,
964
                      "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
965
                      td->td_nstrips);
966
        return ((tmsize_t)(-1));
967
    }
968

969
    /* shortcut to avoid an extra memcpy() */
970
    if (td->td_compression == COMPRESSION_NONE && size != (tmsize_t)(-1) &&
971
        size >= tilesize && !isMapped(tif) &&
972
        ((tif->tif_flags & TIFF_NOREADRAW) == 0))
973
    {
974
        if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize)
975
            return ((tmsize_t)(-1));
976

977
        if (!isFillOrder(tif, td->td_fillorder) &&
978
            (tif->tif_flags & TIFF_NOBITREV) == 0)
979
            TIFFReverseBits(buf, tilesize);
980

981
        (*tif->tif_postdecode)(tif, buf, tilesize);
982
        return (tilesize);
983
    }
984

985
    if (size == (tmsize_t)(-1))
986
        size = tilesize;
987
    else if (size > tilesize)
988
        size = tilesize;
989
    if (!TIFFFillTile(tif, tile))
990
    {
991
        /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
992
        if (buf)
993
            memset(buf, 0, (size_t)size);
994
        return ((tmsize_t)(-1));
995
    }
996
    else if ((*tif->tif_decodetile)(tif, (uint8_t *)buf, size,
997
                                    (uint16_t)(tile / td->td_stripsperimage)))
998
    {
999
        (*tif->tif_postdecode)(tif, (uint8_t *)buf, size);
1000
        return (size);
1001
    }
1002
    else
1003
        return ((tmsize_t)(-1));
1004
}
1005

1006
/* Variant of TIFFReadTile() that does
1007
 * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
1008
 * TIFFFillTile() has succeeded. This avoid excessive memory allocation in case
1009
 * of truncated file.
1010
 * * calls regular TIFFReadEncodedTile() if *buf != NULL
1011
 */
1012
tmsize_t _TIFFReadTileAndAllocBuffer(TIFF *tif, void **buf,
1013
                                     tmsize_t bufsizetoalloc, uint32_t x,
1014
                                     uint32_t y, uint32_t z, uint16_t s)
1015
{
1016
    if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
1017
        return ((tmsize_t)(-1));
1018
    return (_TIFFReadEncodedTileAndAllocBuffer(
1019
        tif, TIFFComputeTile(tif, x, y, z, s), buf, bufsizetoalloc,
1020
        (tmsize_t)(-1)));
1021
}
1022

1023
/* Variant of TIFFReadEncodedTile() that does
1024
 * * if *buf == NULL, *buf = _TIFFmallocExt(tif, bufsizetoalloc) only after
1025
 * TIFFFillTile() has succeeded. This avoid excessive memory allocation in case
1026
 * of truncated file.
1027
 * * calls regular TIFFReadEncodedTile() if *buf != NULL
1028
 */
1029
tmsize_t _TIFFReadEncodedTileAndAllocBuffer(TIFF *tif, uint32_t tile,
1030
                                            void **buf, tmsize_t bufsizetoalloc,
1031
                                            tmsize_t size_to_read)
1032
{
1033
    static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
1034
    TIFFDirectory *td = &tif->tif_dir;
1035
    tmsize_t tilesize = tif->tif_tilesize;
1036

1037
    if (*buf != NULL)
1038
    {
1039
        return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
1040
    }
1041

1042
    if (!TIFFCheckRead(tif, 1))
1043
        return ((tmsize_t)(-1));
1044
    if (tile >= td->td_nstrips)
1045
    {
1046
        TIFFErrorExtR(tif, module,
1047
                      "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
1048
                      td->td_nstrips);
1049
        return ((tmsize_t)(-1));
1050
    }
1051

1052
    if (!TIFFFillTile(tif, tile))
1053
        return ((tmsize_t)(-1));
1054

1055
    /* Sanity checks to avoid excessive memory allocation */
1056
    /* Cf https://gitlab.com/libtiff/libtiff/-/issues/479 */
1057
    if (td->td_compression == COMPRESSION_NONE)
1058
    {
1059
        if (tif->tif_rawdatasize != tilesize)
1060
        {
1061
            TIFFErrorExtR(tif, TIFFFileName(tif),
1062
                          "Invalid tile byte count for tile %u. "
1063
                          "Expected %" PRIu64 ", got %" PRIu64,
1064
                          tile, (uint64_t)tilesize,
1065
                          (uint64_t)tif->tif_rawdatasize);
1066
            return ((tmsize_t)(-1));
1067
        }
1068
    }
1069
    else
1070
    {
1071
        /* Max compression ratio experimentally determined. Might be fragile...
1072
         * Only apply this heuristics to situations where the memory allocation
1073
         * would be big, to avoid breaking nominal use cases.
1074
         */
1075
        const int maxCompressionRatio =
1076
            td->td_compression == COMPRESSION_ZSTD ? 33000
1077
            : td->td_compression == COMPRESSION_JXL
1078
                ?
1079
                /* Evaluated on a 8000x8000 tile */
1080
                25000 * (td->td_planarconfig == PLANARCONFIG_CONTIG
1081
                             ? td->td_samplesperpixel
1082
                             : 1)
1083
                : td->td_compression == COMPRESSION_LZMA ? 7000 : 1000;
1084
        if (bufsizetoalloc > 100 * 1000 * 1000 &&
1085
            tif->tif_rawdatasize < tilesize / maxCompressionRatio)
1086
        {
1087
            TIFFErrorExtR(tif, TIFFFileName(tif),
1088
                          "Likely invalid tile byte count for tile %u. "
1089
                          "Uncompressed tile size is %" PRIu64 ", "
1090
                          "compressed one is %" PRIu64,
1091
                          tile, (uint64_t)tilesize,
1092
                          (uint64_t)tif->tif_rawdatasize);
1093
            return ((tmsize_t)(-1));
1094
        }
1095
    }
1096

1097
    *buf = _TIFFmallocExt(tif, bufsizetoalloc);
1098
    if (*buf == NULL)
1099
    {
1100
        TIFFErrorExtR(tif, TIFFFileName(tif), "No space for tile buffer");
1101
        return ((tmsize_t)(-1));
1102
    }
1103
    _TIFFmemset(*buf, 0, bufsizetoalloc);
1104

1105
    if (size_to_read == (tmsize_t)(-1))
1106
        size_to_read = tilesize;
1107
    else if (size_to_read > tilesize)
1108
        size_to_read = tilesize;
1109
    if ((*tif->tif_decodetile)(tif, (uint8_t *)*buf, size_to_read,
1110
                               (uint16_t)(tile / td->td_stripsperimage)))
1111
    {
1112
        (*tif->tif_postdecode)(tif, (uint8_t *)*buf, size_to_read);
1113
        return (size_to_read);
1114
    }
1115
    else
1116
        return ((tmsize_t)(-1));
1117
}
1118

1119
static tmsize_t TIFFReadRawTile1(TIFF *tif, uint32_t tile, void *buf,
1120
                                 tmsize_t size, const char *module)
1121
{
1122
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
1123
    if (!isMapped(tif))
1124
    {
1125
        tmsize_t cc;
1126

1127
        if (!SeekOK(tif, TIFFGetStrileOffset(tif, tile)))
1128
        {
1129
            TIFFErrorExtR(tif, module,
1130
                          "Seek error at row %" PRIu32 ", col %" PRIu32
1131
                          ", tile %" PRIu32,
1132
                          tif->tif_row, tif->tif_col, tile);
1133
            return ((tmsize_t)(-1));
1134
        }
1135
        cc = TIFFReadFile(tif, buf, size);
1136
        if (cc != size)
1137
        {
1138
            TIFFErrorExtR(tif, module,
1139
                          "Read error at row %" PRIu32 ", col %" PRIu32
1140
                          "; got %" TIFF_SSIZE_FORMAT
1141
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
1142
                          tif->tif_row, tif->tif_col, cc, size);
1143
            return ((tmsize_t)(-1));
1144
        }
1145
    }
1146
    else
1147
    {
1148
        tmsize_t ma, mb;
1149
        tmsize_t n;
1150
        ma = (tmsize_t)TIFFGetStrileOffset(tif, tile);
1151
        mb = ma + size;
1152
        if ((TIFFGetStrileOffset(tif, tile) > (uint64_t)TIFF_TMSIZE_T_MAX) ||
1153
            (ma > tif->tif_size))
1154
            n = 0;
1155
        else if ((mb < ma) || (mb < size) || (mb > tif->tif_size))
1156
            n = tif->tif_size - ma;
1157
        else
1158
            n = size;
1159
        if (n != size)
1160
        {
1161
            TIFFErrorExtR(tif, module,
1162
                          "Read error at row %" PRIu32 ", col %" PRIu32
1163
                          ", tile %" PRIu32 "; got %" TIFF_SSIZE_FORMAT
1164
                          " bytes, expected %" TIFF_SSIZE_FORMAT,
1165
                          tif->tif_row, tif->tif_col, tile, n, size);
1166
            return ((tmsize_t)(-1));
1167
        }
1168
        _TIFFmemcpy(buf, tif->tif_base + ma, size);
1169
    }
1170
    return (size);
1171
}
1172

1173
/*
1174
 * Read a tile of data from the file.
1175
 */
1176
tmsize_t TIFFReadRawTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
1177
{
1178
    static const char module[] = "TIFFReadRawTile";
1179
    TIFFDirectory *td = &tif->tif_dir;
1180
    uint64_t bytecount64;
1181
    tmsize_t bytecountm;
1182

1183
    if (!TIFFCheckRead(tif, 1))
1184
        return ((tmsize_t)(-1));
1185
    if (tile >= td->td_nstrips)
1186
    {
1187
        TIFFErrorExtR(tif, module,
1188
                      "%" PRIu32 ": Tile out of range, max %" PRIu32, tile,
1189
                      td->td_nstrips);
1190
        return ((tmsize_t)(-1));
1191
    }
1192
    if (tif->tif_flags & TIFF_NOREADRAW)
1193
    {
1194
        TIFFErrorExtR(tif, module,
1195
                      "Compression scheme does not support access to raw "
1196
                      "uncompressed data");
1197
        return ((tmsize_t)(-1));
1198
    }
1199
    bytecount64 = TIFFGetStrileByteCount(tif, tile);
1200
    if (size != (tmsize_t)(-1) && (uint64_t)size <= bytecount64)
1201
        bytecountm = size;
1202
    else
1203
        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
1204
    if (bytecountm == 0)
1205
    {
1206
        return ((tmsize_t)(-1));
1207
    }
1208
    return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
1209
}
1210

1211
/*
1212
 * Read the specified tile and setup for decoding. The data buffer is
1213
 * expanded, as necessary, to hold the tile's data.
1214
 */
1215
int TIFFFillTile(TIFF *tif, uint32_t tile)
1216
{
1217
    static const char module[] = "TIFFFillTile";
1218
    TIFFDirectory *td = &tif->tif_dir;
1219

1220
    if ((tif->tif_flags & TIFF_NOREADRAW) == 0)
1221
    {
1222
        uint64_t bytecount = TIFFGetStrileByteCount(tif, tile);
1223
        if (bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX)
1224
        {
1225
            TIFFErrorExtR(tif, module,
1226
                          "%" PRIu64 ": Invalid tile byte count, tile %" PRIu32,
1227
                          bytecount, tile);
1228
            return (0);
1229
        }
1230

1231
        /* To avoid excessive memory allocations: */
1232
        /* Byte count should normally not be larger than a number of */
1233
        /* times the uncompressed size plus some margin */
1234
        if (bytecount > 1024 * 1024)
1235
        {
1236
            /* 10 and 4096 are just values that could be adjusted. */
1237
            /* Hopefully they are safe enough for all codecs */
1238
            tmsize_t stripsize = TIFFTileSize(tif);
1239
            if (stripsize != 0 && (bytecount - 4096) / 10 > (uint64_t)stripsize)
1240
            {
1241
                uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
1242
                TIFFErrorExtR(tif, module,
1243
                              "Too large tile byte count %" PRIu64
1244
                              ", tile %" PRIu32 ". Limiting to %" PRIu64,
1245
                              bytecount, tile, newbytecount);
1246
                bytecount = newbytecount;
1247
            }
1248
        }
1249

1250
        if (isMapped(tif))
1251
        {
1252
            /*
1253
             * We must check for overflow, potentially causing
1254
             * an OOB read. Instead of simple
1255
             *
1256
             *  TIFFGetStrileOffset(tif, tile)+bytecount > tif->tif_size
1257
             *
1258
             * comparison (which can overflow) we do the following
1259
             * two comparisons:
1260
             */
1261
            if (bytecount > (uint64_t)tif->tif_size ||
1262
                TIFFGetStrileOffset(tif, tile) >
1263
                    (uint64_t)tif->tif_size - bytecount)
1264
            {
1265
                tif->tif_curtile = NOTILE;
1266
                return (0);
1267
            }
1268
        }
1269

1270
        if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) ||
1271
                              (tif->tif_flags & TIFF_NOBITREV)))
1272
        {
1273
            /*
1274
             * The image is mapped into memory and we either don't
1275
             * need to flip bits or the compression routine is
1276
             * going to handle this operation itself.  In this
1277
             * case, avoid copying the raw data and instead just
1278
             * reference the data from the memory mapped file
1279
             * image.  This assumes that the decompression
1280
             * routines do not modify the contents of the raw data
1281
             * buffer (if they try to, the application will get a
1282
             * fault since the file is mapped read-only).
1283
             */
1284
            if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
1285
            {
1286
                _TIFFfreeExt(tif, tif->tif_rawdata);
1287
                tif->tif_rawdata = NULL;
1288
                tif->tif_rawdatasize = 0;
1289
            }
1290
            tif->tif_flags &= ~TIFF_MYBUFFER;
1291

1292
            tif->tif_rawdatasize = (tmsize_t)bytecount;
1293
            tif->tif_rawdata =
1294
                tif->tif_base + (tmsize_t)TIFFGetStrileOffset(tif, tile);
1295
            tif->tif_rawdataoff = 0;
1296
            tif->tif_rawdataloaded = (tmsize_t)bytecount;
1297
            tif->tif_flags |= TIFF_BUFFERMMAP;
1298
        }
1299
        else
1300
        {
1301
            /*
1302
             * Expand raw data buffer, if needed, to hold data
1303
             * tile coming from file (perhaps should set upper
1304
             * bound on the size of a buffer we'll use?).
1305
             */
1306
            tmsize_t bytecountm;
1307
            bytecountm = (tmsize_t)bytecount;
1308
            if ((uint64_t)bytecountm != bytecount)
1309
            {
1310
                TIFFErrorExtR(tif, module, "Integer overflow");
1311
                return (0);
1312
            }
1313
            if (bytecountm > tif->tif_rawdatasize)
1314
            {
1315
                tif->tif_curtile = NOTILE;
1316
                if ((tif->tif_flags & TIFF_MYBUFFER) == 0)
1317
                {
1318
                    TIFFErrorExtR(tif, module,
1319
                                  "Data buffer too small to hold tile %" PRIu32,
1320
                                  tile);
1321
                    return (0);
1322
                }
1323
            }
1324
            if (tif->tif_flags & TIFF_BUFFERMMAP)
1325
            {
1326
                tif->tif_curtile = NOTILE;
1327
                tif->tif_rawdata = NULL;
1328
                tif->tif_rawdatasize = 0;
1329
                tif->tif_flags &= ~TIFF_BUFFERMMAP;
1330
            }
1331

1332
            if (isMapped(tif))
1333
            {
1334
                if (bytecountm > tif->tif_rawdatasize &&
1335
                    !TIFFReadBufferSetup(tif, 0, bytecountm))
1336
                {
1337
                    return (0);
1338
                }
1339
                if (TIFFReadRawTile1(tif, tile, tif->tif_rawdata, bytecountm,
1340
                                     module) != bytecountm)
1341
                {
1342
                    return (0);
1343
                }
1344
            }
1345
            else
1346
            {
1347
                if (TIFFReadRawStripOrTile2(tif, tile, 0, bytecountm, module) !=
1348
                    bytecountm)
1349
                {
1350
                    return (0);
1351
                }
1352
            }
1353

1354
            tif->tif_rawdataoff = 0;
1355
            tif->tif_rawdataloaded = bytecountm;
1356

1357
            if (tif->tif_rawdata != NULL &&
1358
                !isFillOrder(tif, td->td_fillorder) &&
1359
                (tif->tif_flags & TIFF_NOBITREV) == 0)
1360
                TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdataloaded);
1361
        }
1362
    }
1363
    return (TIFFStartTile(tif, tile));
1364
}
1365

1366
/*
1367
 * Setup the raw data buffer in preparation for
1368
 * reading a strip of raw data.  If the buffer
1369
 * is specified as zero, then a buffer of appropriate
1370
 * size is allocated by the library.  Otherwise,
1371
 * the client must guarantee that the buffer is
1372
 * large enough to hold any individual strip of
1373
 * raw data.
1374
 */
1375
int TIFFReadBufferSetup(TIFF *tif, void *bp, tmsize_t size)
1376
{
1377
    static const char module[] = "TIFFReadBufferSetup";
1378

1379
    assert((tif->tif_flags & TIFF_NOREADRAW) == 0);
1380
    tif->tif_flags &= ~TIFF_BUFFERMMAP;
1381

1382
    if (tif->tif_rawdata)
1383
    {
1384
        if (tif->tif_flags & TIFF_MYBUFFER)
1385
            _TIFFfreeExt(tif, tif->tif_rawdata);
1386
        tif->tif_rawdata = NULL;
1387
        tif->tif_rawdatasize = 0;
1388
    }
1389
    if (bp)
1390
    {
1391
        tif->tif_rawdatasize = size;
1392
        tif->tif_rawdata = (uint8_t *)bp;
1393
        tif->tif_flags &= ~TIFF_MYBUFFER;
1394
    }
1395
    else
1396
    {
1397
        tif->tif_rawdatasize = (tmsize_t)TIFFroundup_64((uint64_t)size, 1024);
1398
        if (tif->tif_rawdatasize == 0)
1399
        {
1400
            TIFFErrorExtR(tif, module, "Invalid buffer size");
1401
            return (0);
1402
        }
1403
        /* Initialize to zero to avoid uninitialized buffers in case of */
1404
        /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
1405
        tif->tif_rawdata =
1406
            (uint8_t *)_TIFFcallocExt(tif, 1, tif->tif_rawdatasize);
1407
        tif->tif_flags |= TIFF_MYBUFFER;
1408
    }
1409
    if (tif->tif_rawdata == NULL)
1410
    {
1411
        TIFFErrorExtR(tif, module,
1412
                      "No space for data buffer at scanline %" PRIu32,
1413
                      tif->tif_row);
1414
        tif->tif_rawdatasize = 0;
1415
        return (0);
1416
    }
1417
    return (1);
1418
}
1419

1420
/*
1421
 * Set state to appear as if a
1422
 * strip has just been read in.
1423
 */
1424
static int TIFFStartStrip(TIFF *tif, uint32_t strip)
1425
{
1426
    TIFFDirectory *td = &tif->tif_dir;
1427

1428
    if ((tif->tif_flags & TIFF_CODERSETUP) == 0)
1429
    {
1430
        if (!(*tif->tif_setupdecode)(tif))
1431
            return (0);
1432
        tif->tif_flags |= TIFF_CODERSETUP;
1433
    }
1434
    tif->tif_curstrip = strip;
1435
    tif->tif_row = (strip % td->td_stripsperimage) * td->td_rowsperstrip;
1436
    tif->tif_flags &= ~TIFF_BUF4WRITE;
1437

1438
    if (tif->tif_flags & TIFF_NOREADRAW)
1439
    {
1440
        tif->tif_rawcp = NULL;
1441
        tif->tif_rawcc = 0;
1442
    }
1443
    else
1444
    {
1445
        tif->tif_rawcp = tif->tif_rawdata;
1446
        if (tif->tif_rawdataloaded > 0)
1447
            tif->tif_rawcc = tif->tif_rawdataloaded;
1448
        else
1449
            tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, strip);
1450
    }
1451
    if ((*tif->tif_predecode)(tif, (uint16_t)(strip / td->td_stripsperimage)) ==
1452
        0)
1453
    {
1454
        /* Needed for example for scanline access, if tif_predecode */
1455
        /* fails, and we try to read the same strip again. Without invalidating
1456
         */
1457
        /* tif_curstrip, we'd call tif_decoderow() on a possibly invalid */
1458
        /* codec state. */
1459
        tif->tif_curstrip = NOSTRIP;
1460
        return 0;
1461
    }
1462
    return 1;
1463
}
1464

1465
/*
1466
 * Set state to appear as if a
1467
 * tile has just been read in.
1468
 */
1469
static int TIFFStartTile(TIFF *tif, uint32_t tile)
1470
{
1471
    static const char module[] = "TIFFStartTile";
1472
    TIFFDirectory *td = &tif->tif_dir;
1473
    uint32_t howmany32;
1474

1475
    if ((tif->tif_flags & TIFF_CODERSETUP) == 0)
1476
    {
1477
        if (!(*tif->tif_setupdecode)(tif))
1478
            return (0);
1479
        tif->tif_flags |= TIFF_CODERSETUP;
1480
    }
1481
    tif->tif_curtile = tile;
1482
    if (td->td_tilewidth == 0)
1483
    {
1484
        TIFFErrorExtR(tif, module, "Zero tilewidth");
1485
        return 0;
1486
    }
1487
    howmany32 = TIFFhowmany_32(td->td_imagewidth, td->td_tilewidth);
1488
    if (howmany32 == 0)
1489
    {
1490
        TIFFErrorExtR(tif, module, "Zero tiles");
1491
        return 0;
1492
    }
1493
    tif->tif_row = (tile % howmany32) * td->td_tilelength;
1494
    howmany32 = TIFFhowmany_32(td->td_imagelength, td->td_tilelength);
1495
    if (howmany32 == 0)
1496
    {
1497
        TIFFErrorExtR(tif, module, "Zero tiles");
1498
        return 0;
1499
    }
1500
    tif->tif_col = (tile % howmany32) * td->td_tilewidth;
1501
    tif->tif_flags &= ~TIFF_BUF4WRITE;
1502
    if (tif->tif_flags & TIFF_NOREADRAW)
1503
    {
1504
        tif->tif_rawcp = NULL;
1505
        tif->tif_rawcc = 0;
1506
    }
1507
    else
1508
    {
1509
        tif->tif_rawcp = tif->tif_rawdata;
1510
        if (tif->tif_rawdataloaded > 0)
1511
            tif->tif_rawcc = tif->tif_rawdataloaded;
1512
        else
1513
            tif->tif_rawcc = (tmsize_t)TIFFGetStrileByteCount(tif, tile);
1514
    }
1515
    return (
1516
        (*tif->tif_predecode)(tif, (uint16_t)(tile / td->td_stripsperimage)));
1517
}
1518

1519
static int TIFFCheckRead(TIFF *tif, int tiles)
1520
{
1521
    if (tif->tif_mode == O_WRONLY)
1522
    {
1523
        TIFFErrorExtR(tif, tif->tif_name, "File not open for reading");
1524
        return (0);
1525
    }
1526
    if (tiles ^ isTiled(tif))
1527
    {
1528
        TIFFErrorExtR(tif, tif->tif_name,
1529
                      tiles ? "Can not read tiles from a striped image"
1530
                            : "Can not read scanlines from a tiled image");
1531
        return (0);
1532
    }
1533
    return (1);
1534
}
1535

1536
/* Use the provided input buffer (inbuf, insize) and decompress it into
1537
 * (outbuf, outsize).
1538
 * This function replaces the use of
1539
 * TIFFReadEncodedStrip()/TIFFReadEncodedTile() when the user can provide the
1540
 * buffer for the input data, for example when he wants to avoid libtiff to read
1541
 * the strile offset/count values from the [Strip|Tile][Offsets/ByteCounts]
1542
 * array. inbuf content must be writable (if bit reversal is needed) Returns 1
1543
 * in case of success, 0 otherwise.
1544
 */
1545
int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
1546
                           tmsize_t insize, void *outbuf, tmsize_t outsize)
1547
{
1548
    static const char module[] = "TIFFReadFromUserBuffer";
1549
    TIFFDirectory *td = &tif->tif_dir;
1550
    int ret = 1;
1551
    uint32_t old_tif_flags = tif->tif_flags;
1552
    tmsize_t old_rawdatasize = tif->tif_rawdatasize;
1553
    void *old_rawdata = tif->tif_rawdata;
1554

1555
    if (tif->tif_mode == O_WRONLY)
1556
    {
1557
        TIFFErrorExtR(tif, tif->tif_name, "File not open for reading");
1558
        return 0;
1559
    }
1560
    if (tif->tif_flags & TIFF_NOREADRAW)
1561
    {
1562
        TIFFErrorExtR(tif, module,
1563
                      "Compression scheme does not support access to raw "
1564
                      "uncompressed data");
1565
        return 0;
1566
    }
1567

1568
    tif->tif_flags &= ~TIFF_MYBUFFER;
1569
    tif->tif_flags |= TIFF_BUFFERMMAP;
1570
    tif->tif_rawdatasize = insize;
1571
    tif->tif_rawdata = inbuf;
1572
    tif->tif_rawdataoff = 0;
1573
    tif->tif_rawdataloaded = insize;
1574

1575
    if (!isFillOrder(tif, td->td_fillorder) &&
1576
        (tif->tif_flags & TIFF_NOBITREV) == 0)
1577
    {
1578
        TIFFReverseBits(inbuf, insize);
1579
    }
1580

1581
    if (TIFFIsTiled(tif))
1582
    {
1583
        if (!TIFFStartTile(tif, strile))
1584
        {
1585
            ret = 0;
1586
            /* See related TIFFReadEncodedStrip comment. */
1587
            if (outbuf)
1588
                memset(outbuf, 0, (size_t)outsize);
1589
        }
1590
        else if (!(*tif->tif_decodetile)(
1591
                     tif, (uint8_t *)outbuf, outsize,
1592
                     (uint16_t)(strile / td->td_stripsperimage)))
1593
        {
1594
            ret = 0;
1595
        }
1596
    }
1597
    else
1598
    {
1599
        uint32_t rowsperstrip = td->td_rowsperstrip;
1600
        uint32_t stripsperplane;
1601
        if (rowsperstrip > td->td_imagelength)
1602
            rowsperstrip = td->td_imagelength;
1603
        if (rowsperstrip == 0)
1604
        {
1605
            TIFFErrorExtR(tif, module, "rowsperstrip is zero");
1606
            ret = 0;
1607
        }
1608
        else
1609
        {
1610
            stripsperplane =
1611
                TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
1612
            if (!TIFFStartStrip(tif, strile))
1613
            {
1614
                ret = 0;
1615
                /* See related TIFFReadEncodedStrip comment. */
1616
                if (outbuf)
1617
                    memset(outbuf, 0, (size_t)outsize);
1618
            }
1619
            else if (!(*tif->tif_decodestrip)(
1620
                         tif, (uint8_t *)outbuf, outsize,
1621
                         (uint16_t)(strile / stripsperplane)))
1622
            {
1623
                ret = 0;
1624
            }
1625
        }
1626
    }
1627
    if (ret)
1628
    {
1629
        (*tif->tif_postdecode)(tif, (uint8_t *)outbuf, outsize);
1630
    }
1631

1632
    if (!isFillOrder(tif, td->td_fillorder) &&
1633
        (tif->tif_flags & TIFF_NOBITREV) == 0)
1634
    {
1635
        TIFFReverseBits(inbuf, insize);
1636
    }
1637

1638
    tif->tif_flags = (old_tif_flags & (TIFF_MYBUFFER | TIFF_BUFFERMMAP)) |
1639
                     (tif->tif_flags & ~(TIFF_MYBUFFER | TIFF_BUFFERMMAP));
1640
    tif->tif_rawdatasize = old_rawdatasize;
1641
    tif->tif_rawdata = old_rawdata;
1642
    tif->tif_rawdataoff = 0;
1643
    tif->tif_rawdataloaded = 0;
1644

1645
    return ret;
1646
}
1647

1648
void _TIFFNoPostDecode(TIFF *tif, uint8_t *buf, tmsize_t cc)
1649
{
1650
    (void)tif;
1651
    (void)buf;
1652
    (void)cc;
1653
}
1654

1655
void _TIFFSwab16BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1656
{
1657
    (void)tif;
1658
    assert((cc & 1) == 0);
1659
    TIFFSwabArrayOfShort((uint16_t *)buf, cc / 2);
1660
}
1661

1662
void _TIFFSwab24BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1663
{
1664
    (void)tif;
1665
    assert((cc % 3) == 0);
1666
    TIFFSwabArrayOfTriples((uint8_t *)buf, cc / 3);
1667
}
1668

1669
void _TIFFSwab32BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1670
{
1671
    (void)tif;
1672
    assert((cc & 3) == 0);
1673
    TIFFSwabArrayOfLong((uint32_t *)buf, cc / 4);
1674
}
1675

1676
void _TIFFSwab64BitData(TIFF *tif, uint8_t *buf, tmsize_t cc)
1677
{
1678
    (void)tif;
1679
    assert((cc & 7) == 0);
1680
    TIFFSwabArrayOfDouble((double *)buf, cc / 8);
1681
}
1682

1683