--- tiff-v3.6.1/libtiff/tif_aux.c.alt-bound 2003-12-07 06:58:36.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_aux.c 2004-10-14 13:37:57.000000000 -0400 @@ -33,36 +33,59 @@ #include "tif_predict.h" #include -static void +static int TIFFDefaultTransferFunction(TIFFDirectory* td) { uint16 **tf = td->td_transferfunction; - long i, n = 1<td_bitspersample; + tsize_t i, n, nbytes; - tf[0] = (uint16 *)_TIFFmalloc(n * sizeof (uint16)); + tf[0] = tf[1] = tf[2] = 0; + if (td->td_bitspersample >= sizeof(tsize_t) * 8 - 2) + return 0; + + n = 1<td_bitspersample; + nbytes = n * sizeof (uint16); + if (!(tf[0] = (uint16 *)_TIFFmalloc(nbytes))) + return 0; tf[0][0] = 0; for (i = 1; i < n; i++) { double t = (double)i/((double) n-1.); tf[0][i] = (uint16)floor(65535.*pow(t, 2.2) + .5); } + if (td->td_samplesperpixel - td->td_extrasamples > 1) { - tf[1] = (uint16 *)_TIFFmalloc(n * sizeof (uint16)); - _TIFFmemcpy(tf[1], tf[0], n * sizeof (uint16)); - tf[2] = (uint16 *)_TIFFmalloc(n * sizeof (uint16)); - _TIFFmemcpy(tf[2], tf[0], n * sizeof (uint16)); + if (!(tf[1] = (uint16 *)_TIFFmalloc(nbytes))) + goto bad; + _TIFFmemcpy(tf[1], tf[0], nbytes); + if (!(tf[2] = (uint16 *)_TIFFmalloc(nbytes))) + goto bad; + _TIFFmemcpy(tf[2], tf[0], nbytes); } + return 1; + +bad: + if (tf[0]) + _TIFFfree(tf[0]); + if (tf[1]) + _TIFFfree(tf[1]); + if (tf[2]) + _TIFFfree(tf[2]); + tf[0] = tf[1] = tf[2] = 0; + return 0; } -static void +static int TIFFDefaultRefBlackWhite(TIFFDirectory* td) { int i; - td->td_refblackwhite = (float *)_TIFFmalloc(6*sizeof (float)); + if (!(td->td_refblackwhite = (float *)_TIFFmalloc(6*sizeof (float)))) + return 0; for (i = 0; i < 3; i++) { td->td_refblackwhite[2*i+0] = 0; td->td_refblackwhite[2*i+1] = (float)((1L<td_bitspersample)-1L); } + return 1; } /* @@ -155,6 +178,8 @@ if (!td->td_ycbcrcoeffs) { td->td_ycbcrcoeffs = (float *) _TIFFmalloc(3*sizeof (float)); + if (!td->td_ycbcrcoeffs) + return (0); /* defaults are from CCIR Recommendation 601-1 */ td->td_ycbcrcoeffs[0] = 0.299f; td->td_ycbcrcoeffs[1] = 0.587f; @@ -184,8 +209,11 @@ *va_arg(ap, float **) = td->td_whitepoint; return (1); case TIFFTAG_TRANSFERFUNCTION: - if (!td->td_transferfunction[0]) - TIFFDefaultTransferFunction(td); + if (!td->td_transferfunction[0] && + !TIFFDefaultTransferFunction(td)) { + TIFFError(tif->tif_name, "No space for \"TransferFunction\" tag"); + return (0); + } *va_arg(ap, uint16 **) = td->td_transferfunction[0]; if (td->td_samplesperpixel - td->td_extrasamples > 1) { *va_arg(ap, uint16 **) = td->td_transferfunction[1]; @@ -193,8 +221,8 @@ } return (1); case TIFFTAG_REFERENCEBLACKWHITE: - if (!td->td_refblackwhite) - TIFFDefaultRefBlackWhite(td); + if (!td->td_refblackwhite && !TIFFDefaultRefBlackWhite(td)) + return (0); *va_arg(ap, float **) = td->td_refblackwhite; return (1); } --- tiff-v3.6.1/libtiff/tif_compress.c.alt-bound 2002-04-09 13:51:29.000000000 -0400 +++ tiff-v3.6.1/libtiff/tif_compress.c 2004-10-14 13:37:57.000000000 -0400 @@ -210,9 +210,11 @@ cd->info->init = init; cd->next = registeredCODECS; registeredCODECS = cd; - } else + } else { TIFFError("TIFFRegisterCODEC", "No space to register compression scheme %s", name); + return NULL; + } return (cd->info); } --- tiff-v3.6.1/libtiff/tif_dir.c.alt-bound 2003-12-26 06:56:25.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_dir.c 2004-10-14 13:37:57.000000000 -0400 @@ -40,26 +40,33 @@ #define DATATYPE_UINT 2 /* !unsigned integer data */ #define DATATYPE_IEEEFP 3 /* !IEEE floating point data */ -void -_TIFFsetByteArray(void** vpp, void* vp, long n) +static void +setByteArray(void** vpp, void* vp, size_t nmemb, size_t elem_size) { if (*vpp) _TIFFfree(*vpp), *vpp = 0; - if (vp && (*vpp = (void*) _TIFFmalloc(n))) - _TIFFmemcpy(*vpp, vp, n); + if (vp) { + tsize_t bytes = nmemb * elem_size; + if (elem_size && bytes / elem_size == nmemb) + *vpp = (void*) _TIFFmalloc(bytes); + if (*vpp) + _TIFFmemcpy(*vpp, vp, bytes); + } } +void _TIFFsetByteArray(void** vpp, void* vp, long n) + { setByteArray(vpp, vp, n, 1); } void _TIFFsetString(char** cpp, char* cp) - { _TIFFsetByteArray((void**) cpp, (void*) cp, (long) (strlen(cp)+1)); } + { setByteArray((void**) cpp, (void*) cp, strlen(cp)+1, 1); } void _TIFFsetNString(char** cpp, char* cp, long n) - { _TIFFsetByteArray((void**) cpp, (void*) cp, n); } + { setByteArray((void**) cpp, (void*) cp, n, 1); } void _TIFFsetShortArray(uint16** wpp, uint16* wp, long n) - { _TIFFsetByteArray((void**) wpp, (void*) wp, n*sizeof (uint16)); } + { setByteArray((void**) wpp, (void*) wp, n, sizeof (uint16)); } void _TIFFsetLongArray(uint32** lpp, uint32* lp, long n) - { _TIFFsetByteArray((void**) lpp, (void*) lp, n*sizeof (uint32)); } + { setByteArray((void**) lpp, (void*) lp, n, sizeof (uint32)); } void _TIFFsetFloatArray(float** fpp, float* fp, long n) - { _TIFFsetByteArray((void**) fpp, (void*) fp, n*sizeof (float)); } + { setByteArray((void**) fpp, (void*) fp, n, sizeof (float)); } void _TIFFsetDoubleArray(double** dpp, double* dp, long n) - { _TIFFsetByteArray((void**) dpp, (void*) dp, n*sizeof (double)); } + { setByteArray((void**) dpp, (void*) dp, n, sizeof (double)); } /* * Install extra samples information. --- tiff-v3.6.1/libtiff/tif_dirinfo.c.alt-bound 2003-12-22 03:22:15.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_dirinfo.c 2004-10-14 13:37:57.000000000 -0400 @@ -31,6 +31,8 @@ */ #include "tiffiop.h" #include +#include +#include /* * NB: NB: THIS ARRAY IS ASSUMED TO BE SORTED BY TAG. @@ -309,6 +311,7 @@ tif->tif_fieldinfo = (TIFFFieldInfo**) _TIFFmalloc(n * sizeof (TIFFFieldInfo*)); } + assert(tif->tif_fieldinfo != NULL); tp = &tif->tif_fieldinfo[tif->tif_nfields]; for (i = 0; i < n; i++) tp[i] = (TIFFFieldInfo*) &info[i]; /* XXX */ @@ -376,7 +379,7 @@ TIFFDataType _TIFFSampleToTagType(TIFF* tif) { - int bps = (int) TIFFhowmany(tif->tif_dir.td_bitspersample, 8); + uint32 bps = TIFFhowmany8(tif->tif_dir.td_bitspersample); switch (tif->tif_dir.td_sampleformat) { case SAMPLEFORMAT_IEEEFP: @@ -422,9 +425,6 @@ return ((const TIFFFieldInfo *)0); } -#include -#include - const TIFFFieldInfo* _TIFFFieldWithTag(TIFF* tif, ttag_t tag) { --- tiff-v3.6.1/libtiff/tif_dirread.c.alt-bound 2003-12-22 03:22:15.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_dirread.c 2004-10-14 13:37:57.000000000 -0400 @@ -62,11 +62,17 @@ static void ChopUpSingleUncompressedStrip(TIFF*); static char * -CheckMalloc(TIFF* tif, tsize_t n, const char* what) +CheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what) { - char *cp = (char*)_TIFFmalloc(n); + char *cp = NULL; + tsize_t bytes = nmemb * elem_size; + + if (elem_size && bytes / elem_size == nmemb) + cp = (char*)_TIFFmalloc(bytes); + if (cp == NULL) TIFFError(tif->tif_name, "No space %s", what); + return (cp); } @@ -140,7 +146,7 @@ if (tif->tif_flags & TIFF_SWAB) TIFFSwabShort(&dircount); dir = (TIFFDirEntry *)CheckMalloc(tif, - dircount * sizeof (TIFFDirEntry), "to read TIFF directory"); + dircount, sizeof (TIFFDirEntry), "to read TIFF directory"); if (dir == NULL) return (0); if (!ReadOK(tif, dir, dircount*sizeof (TIFFDirEntry))) { @@ -167,7 +173,7 @@ if (tif->tif_flags & TIFF_SWAB) TIFFSwabShort(&dircount); dir = (TIFFDirEntry *)CheckMalloc(tif, - dircount * sizeof (TIFFDirEntry), "to read TIFF directory"); + dircount, sizeof (TIFFDirEntry), "to read TIFF directory"); if (dir == NULL) return (0); if (off + dircount*sizeof (TIFFDirEntry) > tif->tif_size) { @@ -390,6 +396,11 @@ td->td_nstrips = TIFFNumberOfTiles(tif); tif->tif_flags |= TIFF_ISTILED; } + if (!td->td_nstrips) { + TIFFError("TIFFReadDirectory", "%s: cannot handle zero number of %s", + tif->tif_name, isTiled(tif) ? "tiles" : "strips"); + goto bad; + } td->td_stripsperimage = td->td_nstrips; if (td->td_planarconfig == PLANARCONFIG_SEPARATE) td->td_stripsperimage /= td->td_samplesperpixel; @@ -466,7 +477,7 @@ break; } v *= sizeof (uint16); - cp = CheckMalloc(tif, dp->tdir_count * sizeof (uint16), + cp = CheckMalloc(tif, dp->tdir_count, sizeof (uint16), "to read \"TransferFunction\" tag"); if (cp != NULL) { if (TIFFFetchData(tif, dp, cp)) { @@ -573,8 +584,10 @@ if(EstimateStripByteCounts(tif, dir, dircount) < 0) goto bad; } - if (dir) + if (dir) { _TIFFfree((char *)dir); + dir = NULL; + } if (!TIFFFieldSet(tif, FIELD_MAXSAMPLEVALUE)) td->td_maxsamplevalue = (uint16)((1L<td_bitspersample)-1); /* @@ -603,6 +616,17 @@ tif->tif_curtile = (ttile_t) -1; tif->tif_tilesize = TIFFTileSize(tif); tif->tif_scanlinesize = TIFFScanlineSize(tif); + + if (!tif->tif_tilesize) { + TIFFError("TIFFReadDirectory", "%s: cannot handle zero tile size", + tif->tif_name); + return (0); + } + if (!tif->tif_scanlinesize) { + TIFFError("TIFFReadDirectory", "%s: cannot handle zero scanline size", + tif->tif_name); + return (0); + } return (1); bad: if (dir) @@ -622,7 +646,7 @@ if (td->td_stripbytecount) _TIFFfree(td->td_stripbytecount); td->td_stripbytecount = (uint32*) - CheckMalloc(tif, td->td_nstrips * sizeof (uint32), + CheckMalloc(tif, td->td_nstrips, sizeof (uint32), "for \"StripByteCounts\" array"); if (td->td_compression != COMPRESSION_NONE) { uint32 space = (uint32)(sizeof (TIFFHeader) @@ -931,7 +955,7 @@ uint32* l; l = (uint32*)CheckMalloc(tif, - dir->tdir_count*TIFFDataWidth((TIFFDataType) dir->tdir_type), + dir->tdir_count, TIFFDataWidth((TIFFDataType) dir->tdir_type), "to fetch array of rationals"); if (l) { if (TIFFFetchData(tif, dir, (char *)l)) { @@ -1087,35 +1111,35 @@ case TIFF_SBYTE: /* NB: always expand BYTE values to shorts */ cp = CheckMalloc(tif, - dp->tdir_count * sizeof (uint16), mesg); + dp->tdir_count, sizeof (uint16), mesg); ok = cp && TIFFFetchByteArray(tif, dp, (uint16*) cp); break; case TIFF_SHORT: case TIFF_SSHORT: cp = CheckMalloc(tif, - dp->tdir_count * sizeof (uint16), mesg); + dp->tdir_count, sizeof (uint16), mesg); ok = cp && TIFFFetchShortArray(tif, dp, (uint16*) cp); break; case TIFF_LONG: case TIFF_SLONG: cp = CheckMalloc(tif, - dp->tdir_count * sizeof (uint32), mesg); + dp->tdir_count, sizeof (uint32), mesg); ok = cp && TIFFFetchLongArray(tif, dp, (uint32*) cp); break; case TIFF_RATIONAL: case TIFF_SRATIONAL: cp = CheckMalloc(tif, - dp->tdir_count * sizeof (float), mesg); + dp->tdir_count, sizeof (float), mesg); ok = cp && TIFFFetchRationalArray(tif, dp, (float*) cp); break; case TIFF_FLOAT: cp = CheckMalloc(tif, - dp->tdir_count * sizeof (float), mesg); + dp->tdir_count, sizeof (float), mesg); ok = cp && TIFFFetchFloatArray(tif, dp, (float*) cp); break; case TIFF_DOUBLE: cp = CheckMalloc(tif, - dp->tdir_count * sizeof (double), mesg); + dp->tdir_count, sizeof (double), mesg); ok = cp && TIFFFetchDoubleArray(tif, dp, (double*) cp); break; case TIFF_ASCII: @@ -1124,7 +1148,7 @@ * Some vendors write strings w/o the trailing * NULL byte, so always append one just in case. */ - cp = CheckMalloc(tif, dp->tdir_count+1, mesg); + cp = CheckMalloc(tif, dp->tdir_count+1, 1, mesg); if( (ok = (cp && TIFFFetchString(tif, dp, cp))) != 0 ) cp[dp->tdir_count] = '\0'; /* XXX */ break; @@ -1226,8 +1250,9 @@ uint16* v = buf; if (samples > NITEMS(buf)) - v = (uint16*) _TIFFmalloc(samples * sizeof (uint16)); - if (TIFFFetchShortArray(tif, dir, v)) { + v = (uint16*) CheckMalloc(tif, samples, sizeof (uint16), + "to fetch per-sample values"); + if (v && TIFFFetchShortArray(tif, dir, v)) { int i; for (i = 1; i < samples; i++) if (v[i] != v[0]) { @@ -1240,7 +1265,7 @@ status = 1; } bad: - if (v != buf) + if (v && v != buf) _TIFFfree((char*) v); } return (status); @@ -1262,8 +1287,9 @@ double* v = buf; if (samples > NITEMS(buf)) - v = (double*) _TIFFmalloc(samples * sizeof (double)); - if (TIFFFetchAnyArray(tif, dir, v)) { + v = (double*) CheckMalloc(tif, samples, sizeof (double), + "to fetch per-sample values"); + if (v && TIFFFetchAnyArray(tif, dir, v)) { int i; for (i = 1; i < samples; i++) if (v[i] != v[0]) { @@ -1276,7 +1302,7 @@ status = 1; } bad: - if (v != buf) + if (v && v != buf) _TIFFfree(v); } return (status); @@ -1301,7 +1327,7 @@ */ if (*lpp == NULL && (*lpp = (uint32 *)CheckMalloc(tif, - nstrips * sizeof (uint32), "for strip array")) == NULL) + nstrips, sizeof (uint32), "for strip array")) == NULL) return (0); lp = *lpp; memset( lp, 0, sizeof(uint32) * nstrips ); @@ -1311,7 +1337,7 @@ * Handle uint16->uint32 expansion. */ uint16* dp = (uint16*) CheckMalloc(tif, - dir->tdir_count* sizeof (uint16), "to fetch strip tag"); + dir->tdir_count, sizeof (uint16), "to fetch strip tag"); if (dp == NULL) return (0); if( (status = TIFFFetchShortArray(tif, dir, dp)) != 0 ) { @@ -1328,7 +1354,7 @@ /* Special case to correct length */ uint32* dp = (uint32*) CheckMalloc(tif, - dir->tdir_count* sizeof (uint32), "to fetch strip tag"); + dir->tdir_count, sizeof (uint32), "to fetch strip tag"); if (dp == NULL) return (0); @@ -1360,8 +1386,12 @@ uint16* v = buf; int status; - if (dir->tdir_count > NITEMS(buf)) - v = (uint16*) _TIFFmalloc(dir->tdir_count * sizeof (uint16)); + if (dir->tdir_count > NITEMS(buf)) { + v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof (uint16), + "to fetch extra samples"); + if (!v) + return (0); + } if (dir->tdir_type == TIFF_BYTE) status = TIFFFetchByteArray(tif, dir, v); else @@ -1390,10 +1420,10 @@ /* * Handle LONG's for backward compatibility. */ - cp = CheckMalloc(tif, dir->tdir_count * sizeof (uint32), mesg); + cp = CheckMalloc(tif, dir->tdir_count, sizeof (uint32), mesg); if( (ok = (cp && TIFFFetchLongArray(tif, dir, (uint32*) cp))) != 0) { float* fp = (float*) - CheckMalloc(tif, dir->tdir_count * sizeof (float), mesg); + CheckMalloc(tif, dir->tdir_count, sizeof (float), mesg); if( (ok = (fp != NULL)) != 0 ) { uint32 i; for (i = 0; i < dir->tdir_count; i++) @@ -1444,9 +1474,9 @@ if (rowsperstrip >= td->td_rowsperstrip) return; nstrips = (tstrip_t) TIFFhowmany(bytecount, stripbytes); - newcounts = (uint32*) CheckMalloc(tif, nstrips * sizeof (uint32), + newcounts = (uint32*) CheckMalloc(tif, nstrips, sizeof (uint32), "for chopped \"StripByteCounts\" array"); - newoffsets = (uint32*) CheckMalloc(tif, nstrips * sizeof (uint32), + newoffsets = (uint32*) CheckMalloc(tif, nstrips, sizeof (uint32), "for chopped \"StripOffsets\" array"); if (newcounts == NULL || newoffsets == NULL) { /* --- tiff-v3.6.1/libtiff/tif_dirwrite.c.alt-bound 2003-12-22 03:22:15.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_dirwrite.c 2004-10-14 13:37:57.000000000 -0400 @@ -692,8 +692,14 @@ uint16* w = buf; int i, status, samples = tif->tif_dir.td_samplesperpixel; - if (samples > NITEMS(buf)) + if (samples > NITEMS(buf)) { w = (uint16*) _TIFFmalloc(samples * sizeof (uint16)); + if (w == NULL) { + TIFFError(tif->tif_name, + "No space to write per-sample shorts"); + return (0); + } + } TIFFGetField(tif, tag, &v); for (i = 0; i < samples; i++) w[i] = v; @@ -717,8 +723,14 @@ int i, status; int samples = (int) tif->tif_dir.td_samplesperpixel; - if (samples > NITEMS(buf)) + if (samples > NITEMS(buf)) { w = (double*) _TIFFmalloc(samples * sizeof (double)); + if (w == NULL) { + TIFFError(tif->tif_name, + "No space to write per-sample values"); + return (0); + } + } TIFFGetField(tif, tag, &v); for (i = 0; i < samples; i++) w[i] = v; @@ -840,6 +852,11 @@ dir->tdir_type = (short) type; dir->tdir_count = n; t = (uint32*) _TIFFmalloc(2*n * sizeof (uint32)); + if (t == NULL) { + TIFFError(tif->tif_name, + "No space to write RATIONAL array"); + return (0); + } for (i = 0; i < n; i++) { float fv = v[i]; int sign = 1; @@ -910,8 +927,13 @@ char* w = buf; int i, status = 0; - if (n * TIFFDataWidth(type) > sizeof buf) + if (n * TIFFDataWidth(type) > sizeof buf) { w = (char*) _TIFFmalloc(n * TIFFDataWidth(type)); + if (w == NULL) { + TIFFError(tif->tif_name, "No space to write array"); + return (0); + } + } switch (type) { case TIFF_BYTE: { uint8* bp = (uint8*) w; --- tiff-v3.6.1/libtiff/tif_fax3.c.alt-bound 2004-10-14 13:37:57.000000000 -0400 +++ tiff-v3.6.1/libtiff/tif_fax3.c 2004-10-14 13:37:57.000000000 -0400 @@ -437,6 +437,21 @@ #undef ZERO #undef FILL +static char * +CheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what) +{ + char *cp = NULL; + tsize_t bytes = nmemb * elem_size; + + if (elem_size && bytes / elem_size == nmemb) + cp = (char*) _TIFFmalloc(bytes); + + if (cp == NULL) + TIFFError(tif->tif_name, "No space %s", what); + + return (cp); +} + /* * Setup G3/G4-related compression/decompression state * before data is processed. This routine is called once @@ -481,13 +496,10 @@ nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels; - dsp->runs = (uint32*) _TIFFmalloc((2*nruns+3)*sizeof (uint32)); - if (dsp->runs == NULL) { - TIFFError("Fax3SetupState", - "%s: No space for Group 3/4 run arrays", - tif->tif_name); - return (0); - } + dsp->runs = (uint32*) CheckMalloc(tif, 2*nruns+3, sizeof (uint32), + "for Group 3/4 run arrays"); + if (dsp->runs == NULL) + return (0); dsp->curruns = dsp->runs; if (needsRefLine) dsp->refruns = dsp->runs + (nruns>>1); --- tiff-v3.6.1/libtiff/tiffiop.h.alt-bound 2004-10-14 13:37:57.000000000 -0400 +++ tiff-v3.6.1/libtiff/tiffiop.h 2004-10-14 13:37:57.000000000 -0400 @@ -203,8 +203,9 @@ #endif /* NB: the uint32 casts are to silence certain ANSI-C compilers */ -#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) -#define TIFFroundup(x, y) (TIFFhowmany(x,y)*((uint32)(y))) +#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) +#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) +#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) #define TIFFmax(A,B) ((A)>(B)?(A):(B)) #define TIFFmin(A,B) ((A)<(B)?(A):(B)) --- tiff-v3.6.1/libtiff/tif_getimage.c.alt-bound 2003-12-22 03:22:15.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_getimage.c 2004-10-14 13:37:57.000000000 -0400 @@ -565,6 +565,7 @@ TIFFError(TIFFFileName(tif), "No space for tile buffer"); return (0); } + _TIFFmemset(buf, 0, TIFFTileSize(tif)); TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw); TIFFGetField(tif, TIFFTAG_TILELENGTH, &th); @@ -664,6 +665,7 @@ TIFFError(TIFFFileName(tif), "No space for tile buffer"); return (0); } + _TIFFmemset(buf, 0, 4*tilesize); r = buf; g = r + tilesize; b = g + tilesize; @@ -727,9 +729,7 @@ (*put)(img, raster+y*w+col, col, y, npix, nrow, fromskew, toskew + fromskew, r + pos, g + pos, b + pos, a + pos); - } - else - { + } else { (*put)(img, raster+y*w+col, col, y, tw, nrow, 0, toskew, r + pos, g + pos, b + pos, a + pos); } @@ -783,7 +783,7 @@ TIFFError(TIFFFileName(tif), "No space for strip buffer"); return (0); } - + _TIFFmemset(buf, 0, TIFFStripSize(tif)); flip = setorientation(img); if (flip & FLIP_VERTICALLY) { y = h - 1; @@ -865,6 +865,7 @@ TIFFError(TIFFFileName(tif), "No space for tile buffer"); return (0); } + _TIFFmemset(buf, 0, 4*stripsize); g = r + stripsize; b = g + stripsize; a = b + stripsize; --- tiff-v3.6.1/libtiff/tif_luv.c.alt-bound 2003-11-27 10:08:10.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_luv.c 2004-10-14 13:37:57.000000000 -0400 @@ -1161,6 +1161,17 @@ return (SGILOGDATAFMT_UNKNOWN); } +static uint32 +multiply(size_t m1, size_t m2) +{ + uint32 bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + static int LogL16InitState(TIFF* tif) { @@ -1189,9 +1200,9 @@ "No support for converting user data format to LogL"); return (0); } - sp->tbuflen = td->td_imagewidth * td->td_rowsperstrip; - sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (int16)); - if (sp->tbuf == NULL) { + sp->tbuflen = multiply(td->td_imagewidth, td->td_rowsperstrip); + if (multiply(sp->tbuflen, sizeof (int16)) == 0 || + (sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (int16))) == NULL) { TIFFError(module, "%s: No space for SGILog translation buffer", tif->tif_name); return (0); @@ -1287,9 +1298,9 @@ "No support for converting user data format to LogLuv"); return (0); } - sp->tbuflen = td->td_imagewidth * td->td_rowsperstrip; - sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (uint32)); - if (sp->tbuf == NULL) { + sp->tbuflen = multiply(td->td_imagewidth, td->td_rowsperstrip); + if (multiply(sp->tbuflen, sizeof (uint32)) == 0 || + (sp->tbuf = (tidata_t*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) { TIFFError(module, "%s: No space for SGILog translation buffer", tif->tif_name); return (0); --- tiff-v3.6.1/libtiff/tif_pixarlog.c.alt-bound 2003-07-08 02:50:09.000000000 -0400 +++ tiff-v3.6.1/libtiff/tif_pixarlog.c 2004-10-14 13:37:57.000000000 -0400 @@ -630,11 +630,23 @@ return guess; } +static uint32 +multiply(size_t m1, size_t m2) +{ + uint32 bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + static int PixarLogSetupDecode(TIFF* tif) { TIFFDirectory *td = &tif->tif_dir; PixarLogState* sp = DecoderState(tif); + tsize_t tbuf_size; static const char module[] = "PixarLogSetupDecode"; assert(sp != NULL); @@ -647,8 +659,13 @@ sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); - sp->tbuf = (uint16 *) _TIFFmalloc(sp->stride * - td->td_imagewidth * td->td_rowsperstrip * sizeof(uint16)); + tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth), + td->td_rowsperstrip), sizeof(uint16)); + if (tbuf_size == 0) + return (0); + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { @@ -798,6 +815,7 @@ { TIFFDirectory *td = &tif->tif_dir; PixarLogState* sp = EncoderState(tif); + tsize_t tbuf_size; static const char module[] = "PixarLogSetupEncode"; assert(sp != NULL); @@ -806,8 +824,13 @@ sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG ? td->td_samplesperpixel : 1); - sp->tbuf = (uint16 *) _TIFFmalloc(sp->stride * - td->td_imagewidth * td->td_rowsperstrip * sizeof(uint16)); + tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth), + td->td_rowsperstrip), sizeof(uint16)); + if (tbuf_size == 0) + return (0); + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { --- tiff-v3.6.1/libtiff/tif_strip.c.alt-bound 2003-11-11 10:43:10.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_strip.c 2004-10-14 13:38:08.000000000 -0400 @@ -31,6 +31,32 @@ */ #include "tiffiop.h" +static uint32 +summarize(TIFF* tif, size_t summand1, size_t summand2, const char* where) +{ + uint32 bytes = summand1 + summand2; + + if (bytes - summand1 != summand2) { + TIFFError(tif->tif_name, "Integer overflow in %s", where); + bytes = 0; + } + + return (bytes); +} + +static uint32 +multiply(TIFF* tif, size_t nmemb, size_t elem_size, const char* where) +{ + uint32 bytes = nmemb * elem_size; + + if (elem_size && bytes / elem_size != nmemb) { + TIFFError(tif->tif_name, "Integer overflow in %s", where); + bytes = 0; + } + + return (bytes); +} + /* * Compute which strip a (row,sample) value is in. */ @@ -66,7 +92,8 @@ (td->td_imagelength != 0 ? 1 : 0) : TIFFhowmany(td->td_imagelength, td->td_rowsperstrip)); if (td->td_planarconfig == PLANARCONFIG_SEPARATE) - nstrips *= td->td_samplesperpixel; + nstrips = multiply(tif, nstrips, td->td_samplesperpixel, + "TIFFNumberOfStrips"); return (nstrips); } @@ -100,15 +127,19 @@ ycbcrsubsampling + 1 ); w = TIFFroundup(td->td_imagewidth, ycbcrsubsampling[0]); - scanline = TIFFhowmany(w*td->td_bitspersample, 8); + scanline = + TIFFhowmany8(multiply(tif, w, td->td_bitspersample, "TIFFVStripSize")); samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ - return ((tsize_t) - (nrows*scanline + 2*(nrows*scanline / samplingarea))); + scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); + return ((tsize_t) + summarize(tif, scanline, + multiply(tif, 2, scanline / samplingarea, + "TIFFVStripSize"), "TIFFVStripSize")); } else #endif - return ((tsize_t)(nrows * TIFFScanlineSize(tif))); + return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), "TIFFVStripSize")); } @@ -189,10 +220,12 @@ TIFFDirectory *td = &tif->tif_dir; tsize_t scanline; - scanline = td->td_bitspersample * td->td_imagewidth; + scanline = multiply (tif, td->td_bitspersample, td->td_imagewidth, + "TIFFScanlineSize"); if (td->td_planarconfig == PLANARCONFIG_CONTIG) - scanline *= td->td_samplesperpixel; - return ((tsize_t) TIFFhowmany(scanline, 8)); + scanline = multiply (tif, scanline, td->td_samplesperpixel, + "TIFFScanlineSize"); + return ((tsize_t) TIFFhowmany8(scanline)); } /* @@ -207,11 +240,14 @@ TIFFDirectory *td = &tif->tif_dir; tsize_t scanline; - scanline = td->td_bitspersample * td->td_imagewidth; + scanline = multiply (tif, td->td_bitspersample, td->td_imagewidth, + "TIFFRasterScanlineSize"); if (td->td_planarconfig == PLANARCONFIG_CONTIG) { - scanline *= td->td_samplesperpixel; - return ((tsize_t) TIFFhowmany(scanline, 8)); + scanline = multiply (tif, scanline, td->td_samplesperpixel, + "TIFFRasterScanlineSize"); + return ((tsize_t) TIFFhowmany8(scanline)); } else - return ((tsize_t) - TIFFhowmany(scanline, 8)*td->td_samplesperpixel); + return ((tsize_t) multiply (tif, TIFFhowmany8(scanline), + td->td_samplesperpixel, + "TIFFRasterScanlineSize")); } --- tiff-v3.6.1/libtiff/tif_tile.c.alt-bound 2003-11-11 10:43:10.000000000 -0500 +++ tiff-v3.6.1/libtiff/tif_tile.c 2004-10-14 13:37:57.000000000 -0400 @@ -31,6 +31,32 @@ */ #include "tiffiop.h" +static uint32 +summarize(TIFF* tif, size_t summand1, size_t summand2, const char* where) +{ + uint32 bytes = summand1 + summand2; + + if (bytes - summand1 != summand2) { + TIFFError(tif->tif_name, "Integer overflow in %s", where); + bytes = 0; + } + + return (bytes); +} + +static uint32 +multiply(TIFF* tif, size_t nmemb, size_t elem_size, const char* where) +{ + uint32 bytes = nmemb * elem_size; + + if (elem_size && bytes / elem_size != nmemb) { + TIFFError(tif->tif_name, "Integer overflow in %s", where); + bytes = 0; + } + + return (bytes); +} + /* * Compute which tile an (x,y,z,s) value is in. */ @@ -119,11 +145,13 @@ if (dz == (uint32) -1) dz = td->td_imagedepth; ntiles = (dx == 0 || dy == 0 || dz == 0) ? 0 : - (TIFFhowmany(td->td_imagewidth, dx) * - TIFFhowmany(td->td_imagelength, dy) * - TIFFhowmany(td->td_imagedepth, dz)); + multiply(tif, multiply(tif, TIFFhowmany(td->td_imagewidth, dx), + TIFFhowmany(td->td_imagelength, dy), + "TIFFNumberOfTiles"), + TIFFhowmany(td->td_imagedepth, dz), "TIFFNumberOfTiles"); if (td->td_planarconfig == PLANARCONFIG_SEPARATE) - ntiles *= td->td_samplesperpixel; + ntiles = multiply(tif, ntiles, td->td_samplesperpixel, + "TIFFNumberOfTiles"); return (ntiles); } @@ -138,10 +166,12 @@ if (td->td_tilelength == 0 || td->td_tilewidth == 0) return ((tsize_t) 0); - rowsize = td->td_bitspersample * td->td_tilewidth; + rowsize = multiply(tif, td->td_bitspersample, td->td_tilewidth, + "TIFFTileRowSize"); if (td->td_planarconfig == PLANARCONFIG_CONTIG) - rowsize *= td->td_samplesperpixel; - return ((tsize_t) TIFFhowmany(rowsize, 8)); + rowsize = multiply(tif, rowsize, td->td_samplesperpixel, + "TIFFTileRowSize"); + return ((tsize_t) TIFFhowmany8(rowsize)); } /* @@ -170,16 +200,24 @@ */ tsize_t w = TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); - tsize_t rowsize = TIFFhowmany(w*td->td_bitspersample, 8); + tsize_t rowsize = + TIFFhowmany8(multiply(tif, w, td->td_bitspersample, + "TIFFVTileSize")); tsize_t samplingarea = td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]); /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ - tilesize = nrows*rowsize + 2*(nrows*rowsize / samplingarea); + tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize"); + tilesize = summarize(tif, tilesize, + multiply(tif, 2, tilesize / samplingarea, + "TIFFVTileSize"), + "TIFFVTileSize"); } else #endif - tilesize = nrows * TIFFTileRowSize(tif); - return ((tsize_t)(tilesize * td->td_tiledepth)); + tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), + "TIFFVTileSize"); + return ((tsize_t) + multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); } /* --- tiff-v3.6.1/libtiff/tif_write.c.alt-bound 2003-08-05 04:49:13.000000000 -0400 +++ tiff-v3.6.1/libtiff/tif_write.c 2004-10-14 13:37:57.000000000 -0400 @@ -597,21 +597,30 @@ static int TIFFGrowStrips(TIFF* tif, int delta, const char* module) { - TIFFDirectory *td = &tif->tif_dir; + TIFFDirectory *td = &tif->tif_dir; + uint32 *new_stripoffset, *new_stripbytecount; assert(td->td_planarconfig == PLANARCONFIG_CONTIG); - td->td_stripoffset = (uint32*)_TIFFrealloc(td->td_stripoffset, - (td->td_nstrips + delta) * sizeof (uint32)); - td->td_stripbytecount = (uint32*)_TIFFrealloc(td->td_stripbytecount, - (td->td_nstrips + delta) * sizeof (uint32)); - if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) { + new_stripoffset = (uint32*)_TIFFrealloc(td->td_stripoffset, + (td->td_nstrips + delta) * sizeof (uint32)); + new_stripbytecount = (uint32*)_TIFFrealloc(td->td_stripbytecount, + (td->td_nstrips + delta) * sizeof (uint32)); + if (new_stripoffset == NULL || new_stripbytecount == NULL) { + if (new_stripoffset) + _TIFFfree(new_stripoffset); + if (new_stripbytecount) + _TIFFfree(new_stripbytecount); td->td_nstrips = 0; TIFFError(module, "%s: No space to expand strip arrays", - tif->tif_name); + tif->tif_name); return (0); } - _TIFFmemset(td->td_stripoffset+td->td_nstrips, 0, delta*sizeof (uint32)); - _TIFFmemset(td->td_stripbytecount+td->td_nstrips, 0, delta*sizeof (uint32)); + td->td_stripoffset = new_stripoffset; + td->td_stripbytecount = new_stripbytecount; + _TIFFmemset(td->td_stripoffset + td->td_nstrips, + 0, delta*sizeof (uint32)); + _TIFFmemset(td->td_stripbytecount + td->td_nstrips, + 0, delta*sizeof (uint32)); td->td_nstrips += delta; return (1); }