summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch659
1 files changed, 659 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
new file mode 100644
index 0000000000..760e20dd2b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
@@ -0,0 +1,659 @@
1From 226e336cdceec933da2e9f72b6578c7a1bea450b Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Thu, 13 Oct 2022 14:33:27 +0000
4Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
7CVE: CVE-2022-3570 CVE-2022-3598
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
11Origin: https://gitlab.com/libtiff/libtiff/-/commit/24d3b2425af24432e0e4e2fd58b33f3b04c4bfa4
12Reviewed-by: Sylvain Beucler <beuc@debian.org>
13Last-Update: 2023-01-17
14
15 #381, #386, #388, #389, #435)
16
17---
18 tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
19 1 file changed, 117 insertions(+), 92 deletions(-)
20
21diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
22index c7877aa..c923920 100644
23--- a/tools/tiffcrop.c
24+++ b/tools/tiffcrop.c
25@@ -126,6 +126,7 @@ static char tiffcrop_rev_date[] = "03-03-2010";
26
27 #ifdef HAVE_STDINT_H
28 # include <stdint.h>
29+# include <inttypes.h>
30 #endif
31
32 #ifndef HAVE_GETOPT
33@@ -212,6 +213,10 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
34
35 #define TIFF_DIR_MAX 65534
36
37+/* Some conversion subroutines require image buffers, which are at least 3 bytes
38+ * larger than the necessary size for the image itself. */
39+#define NUM_BUFF_OVERSIZE_BYTES 3
40+
41 /* Offsets into buffer for margins and fixed width and length segments */
42 struct offset {
43 uint32 tmargin;
44@@ -233,7 +238,7 @@ struct offset {
45 */
46
47 struct buffinfo {
48- uint32 size; /* size of this buffer */
49+ size_t size; /* size of this buffer */
50 unsigned char *buffer; /* address of the allocated buffer */
51 };
52
53@@ -771,8 +776,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
54 uint32 dst_rowsize, shift_width;
55 uint32 bytes_per_sample, bytes_per_pixel;
56 uint32 trailing_bits, prev_trailing_bits;
57- uint32 tile_rowsize = TIFFTileRowSize(in);
58- uint32 src_offset, dst_offset;
59+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
60+ tmsize_t src_offset, dst_offset;
61 uint32 row_offset, col_offset;
62 uint8 *bufp = (uint8*) buf;
63 unsigned char *src = NULL;
64@@ -822,7 +827,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
65 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
66 exit(-1);
67 }
68- tilebuf = _TIFFmalloc(tile_buffsize + 3);
69+ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
70 if (tilebuf == 0)
71 return 0;
72 tilebuf[tile_buffsize] = 0;
73@@ -986,7 +991,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
74 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
75 {
76 srcbuffs[sample] = NULL;
77- tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8);
78+ tbuff = (unsigned char *)_TIFFmalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
79 if (!tbuff)
80 {
81 TIFFError ("readSeparateTilesIntoBuffer",
82@@ -1181,7 +1186,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
83 }
84 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
85
86- obuf = _TIFFmalloc (rowstripsize);
87+ /* Add 3 padding bytes for extractContigSamples32bits */
88+ obuf = _TIFFmalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
89 if (obuf == NULL)
90 return 1;
91
92@@ -1194,7 +1200,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
93 stripsize = TIFFVStripSize(out, nrows);
94 src = buf + (row * rowsize);
95 total_bytes += stripsize;
96- memset (obuf, '\0', rowstripsize);
97+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
98 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
99 {
100 _TIFFfree(obuf);
101@@ -1202,10 +1208,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
102 }
103 if ((dump->outfile != NULL) && (dump->level == 1))
104 {
105- dump_info(dump->outfile, dump->format,"",
106+ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
107+ dump_info(dump->infile, dump->format, "loadImage",
108+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
109+ (uint64_t)scanlinesize);
110+ }
111+ dump_info(dump->outfile, dump->format,"",
112 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
113- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
114- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
115+ s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf);
116+ dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf);
117 }
118
119 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
120@@ -1232,7 +1243,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
121 uint32 tl, tw;
122 uint32 row, col, nrow, ncol;
123 uint32 src_rowsize, col_offset;
124- uint32 tile_rowsize = TIFFTileRowSize(out);
125+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
126 uint8* bufp = (uint8*) buf;
127 tsize_t tile_buffsize = 0;
128 tsize_t tilesize = TIFFTileSize(out);
129@@ -1275,9 +1286,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
130 }
131 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
132
133- tilebuf = _TIFFmalloc(tile_buffsize);
134+ /* Add 3 padding bytes for extractContigSamples32bits */
135+ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
136 if (tilebuf == 0)
137 return 1;
138+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
139 for (row = 0; row < imagelength; row += tl)
140 {
141 nrow = (row + tl > imagelength) ? imagelength - row : tl;
142@@ -1323,7 +1336,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
143 uint32 imagewidth, tsample_t spp,
144 struct dump_opts * dump)
145 {
146- tdata_t obuf = _TIFFmalloc(TIFFTileSize(out));
147+ /* Add 3 padding bytes for extractContigSamples32bits */
148+ tdata_t obuf = _TIFFmalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
149 uint32 tl, tw;
150 uint32 row, col, nrow, ncol;
151 uint32 src_rowsize, col_offset;
152@@ -1333,6 +1347,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
153
154 if (obuf == NULL)
155 return 1;
156+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
157
158 TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
159 TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
160@@ -1754,14 +1769,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
161
162 *opt_offset = '\0';
163 /* convert option to lowercase */
164- end = strlen (opt_ptr);
165+ end = (unsigned int)strlen (opt_ptr);
166 for (i = 0; i < end; i++)
167 *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
168 /* Look for dump format specification */
169 if (strncmp(opt_ptr, "for", 3) == 0)
170 {
171 /* convert value to lowercase */
172- end = strlen (opt_offset + 1);
173+ end = (unsigned int)strlen (opt_offset + 1);
174 for (i = 1; i <= end; i++)
175 *(opt_offset + i) = tolower((int) *(opt_offset + i));
176 /* check dump format value */
177@@ -2213,6 +2228,8 @@ main(int argc, char* argv[])
178 size_t length;
179 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
180
181+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
182+
183 little_endian = *((unsigned char *)&little_endian) & '1';
184
185 initImageData(&image);
186@@ -3114,13 +3131,13 @@ extractContigSamples32bits (uint8 *in, uint8 *out, uint32 cols,
187 /* If we have a full buffer's worth, write it out */
188 if (ready_bits >= 32)
189 {
190- bytebuff1 = (buff2 >> 56);
191+ bytebuff1 = (uint8)(buff2 >> 56);
192 *dst++ = bytebuff1;
193- bytebuff2 = (buff2 >> 48);
194+ bytebuff2 = (uint8)(buff2 >> 48);
195 *dst++ = bytebuff2;
196- bytebuff3 = (buff2 >> 40);
197+ bytebuff3 = (uint8)(buff2 >> 40);
198 *dst++ = bytebuff3;
199- bytebuff4 = (buff2 >> 32);
200+ bytebuff4 = (uint8)(buff2 >> 32);
201 *dst++ = bytebuff4;
202 ready_bits -= 32;
203
204@@ -3495,13 +3512,13 @@ extractContigSamplesShifted32bits (uint8 *in, uint8 *out, uint32 cols,
205 }
206 else /* If we have a full buffer's worth, write it out */
207 {
208- bytebuff1 = (buff2 >> 56);
209+ bytebuff1 = (uint8)(buff2 >> 56);
210 *dst++ = bytebuff1;
211- bytebuff2 = (buff2 >> 48);
212+ bytebuff2 = (uint8)(buff2 >> 48);
213 *dst++ = bytebuff2;
214- bytebuff3 = (buff2 >> 40);
215+ bytebuff3 = (uint8)(buff2 >> 40);
216 *dst++ = bytebuff3;
217- bytebuff4 = (buff2 >> 32);
218+ bytebuff4 = (uint8)(buff2 >> 32);
219 *dst++ = bytebuff4;
220 ready_bits -= 32;
221
222@@ -3678,10 +3695,10 @@ extractContigSamplesToTileBuffer(uint8 *out, uint8 *in, uint32 rows, uint32 cols
223 static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
224 {
225 uint8* bufp = buf;
226- int32 bytes_read = 0;
227+ tmsize_t bytes_read = 0;
228 uint32 strip, nstrips = TIFFNumberOfStrips(in);
229- uint32 stripsize = TIFFStripSize(in);
230- uint32 rows = 0;
231+ tmsize_t stripsize = TIFFStripSize(in);
232+ tmsize_t rows = 0;
233 uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
234 tsize_t scanline_size = TIFFScanlineSize(in);
235
236@@ -3694,13 +3711,12 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
237 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
238 rows = bytes_read / scanline_size;
239 if ((strip < (nstrips - 1)) && (bytes_read != (int32)stripsize))
240- TIFFError("", "Strip %d: read %lu bytes, strip size %lu",
241- (int)strip + 1, (unsigned long) bytes_read,
242- (unsigned long)stripsize);
243+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
244+ strip + 1, bytes_read, stripsize);
245
246 if (bytes_read < 0 && !ignore) {
247- TIFFError("", "Error reading strip %lu after %lu rows",
248- (unsigned long) strip, (unsigned long)rows);
249+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
250+ strip, rows);
251 return 0;
252 }
253 bufp += stripsize;
254@@ -4164,13 +4180,13 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
255 /* If we have a full buffer's worth, write it out */
256 if (ready_bits >= 32)
257 {
258- bytebuff1 = (buff2 >> 56);
259+ bytebuff1 = (uint8)(buff2 >> 56);
260 *dst++ = bytebuff1;
261- bytebuff2 = (buff2 >> 48);
262+ bytebuff2 = (uint8)(buff2 >> 48);
263 *dst++ = bytebuff2;
264- bytebuff3 = (buff2 >> 40);
265+ bytebuff3 = (uint8)(buff2 >> 40);
266 *dst++ = bytebuff3;
267- bytebuff4 = (buff2 >> 32);
268+ bytebuff4 = (uint8)(buff2 >> 32);
269 *dst++ = bytebuff4;
270 ready_bits -= 32;
271
272@@ -4213,10 +4229,10 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
273 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
274 row + 1, col + 1, src_byte, src_bit, dst - out);
275
276- dump_long (dumpfile, format, "Match bits ", matchbits);
277+ dump_wide (dumpfile, format, "Match bits ", matchbits);
278 dump_data (dumpfile, format, "Src bits ", src, 4);
279- dump_long (dumpfile, format, "Buff1 bits ", buff1);
280- dump_long (dumpfile, format, "Buff2 bits ", buff2);
281+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
282+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
283 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
284 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
285 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
286@@ -4689,13 +4705,13 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
287 /* If we have a full buffer's worth, write it out */
288 if (ready_bits >= 32)
289 {
290- bytebuff1 = (buff2 >> 56);
291+ bytebuff1 = (uint8)(buff2 >> 56);
292 *dst++ = bytebuff1;
293- bytebuff2 = (buff2 >> 48);
294+ bytebuff2 = (uint8)(buff2 >> 48);
295 *dst++ = bytebuff2;
296- bytebuff3 = (buff2 >> 40);
297+ bytebuff3 = (uint8)(buff2 >> 40);
298 *dst++ = bytebuff3;
299- bytebuff4 = (buff2 >> 32);
300+ bytebuff4 = (uint8)(buff2 >> 32);
301 *dst++ = bytebuff4;
302 ready_bits -= 32;
303
304@@ -4738,10 +4754,10 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
305 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
306 row + 1, col + 1, src_byte, src_bit, dst - out);
307
308- dump_long (dumpfile, format, "Match bits ", matchbits);
309+ dump_wide (dumpfile, format, "Match bits ", matchbits);
310 dump_data (dumpfile, format, "Src bits ", src, 4);
311- dump_long (dumpfile, format, "Buff1 bits ", buff1);
312- dump_long (dumpfile, format, "Buff2 bits ", buff2);
313+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
314+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
315 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
316 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
317 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
318@@ -4764,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
319 {
320 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
321 uint32 j;
322- int32 bytes_read = 0;
323+ tmsize_t bytes_read = 0;
324 uint16 bps = 0, planar;
325 uint32 nstrips;
326 uint32 strips_per_sample;
327@@ -4830,7 +4846,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
328 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
329 {
330 srcbuffs[s] = NULL;
331- buff = _TIFFmalloc(stripsize + 3);
332+ buff = _TIFFmalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
333 if (!buff)
334 {
335 TIFFError ("readSeparateStripsIntoBuffer",
336@@ -4853,7 +4869,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
337 buff = srcbuffs[s];
338 strip = (s * strips_per_sample) + j;
339 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
340- rows_this_strip = bytes_read / src_rowsize;
341+ rows_this_strip = (uint32)(bytes_read / src_rowsize);
342 if (bytes_read < 0 && !ignore)
343 {
344 TIFFError(TIFFFileName(in),
345@@ -5860,13 +5876,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
346 uint16 input_compression = 0, input_photometric = 0;
347 uint16 subsampling_horiz, subsampling_vert;
348 uint32 width = 0, length = 0;
349- uint32 stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
350+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
351+ tmsize_t scanlinesize = 0;
352 uint32 tw = 0, tl = 0; /* Tile width and length */
353- uint32 tile_rowsize = 0;
354+ tmsize_t tile_rowsize = 0;
355 unsigned char *read_buff = NULL;
356 unsigned char *new_buff = NULL;
357 int readunit = 0;
358- static uint32 prev_readsize = 0;
359+ static tmsize_t prev_readsize = 0;
360
361 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
362 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
363@@ -6168,7 +6185,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
364 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
365 return (-1);
366 }
367- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
368+ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
369 }
370 else
371 {
372@@ -6179,11 +6196,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
373 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
374 return (-1);
375 }
376- new_buff = _TIFFrealloc(read_buff, buffsize+3);
377+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
378 if (!new_buff)
379 {
380 free (read_buff);
381- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
382+ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
383 }
384 else
385 read_buff = new_buff;
386@@ -6256,8 +6273,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
387 dump_info (dump->infile, dump->format, "",
388 "Bits per sample %d, Samples per pixel %d", bps, spp);
389
390+ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
391+ dump_info(dump->infile, dump->format, "loadImage",
392+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
393+ (uint64_t)scanlinesize);
394+ }
395 for (i = 0; i < length; i++)
396- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
397+ dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize,
398 i, read_buff + (i * scanlinesize));
399 }
400 return (0);
401@@ -7277,13 +7299,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
402 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
403 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
404 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
405- int inknameslen = strlen(inknames) + 1;
406+ int inknameslen = (int)strlen(inknames) + 1;
407 const char* cp = inknames;
408 while (ninks > 1) {
409 cp = strchr(cp, '\0');
410 if (cp) {
411 cp++;
412- inknameslen += (strlen(cp) + 1);
413+ inknameslen += ((int)strlen(cp) + 1);
414 }
415 ninks--;
416 }
417@@ -7346,23 +7368,23 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
418
419 if (!sect_buff)
420 {
421- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
422+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
423 if (!sect_buff)
424 {
425 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
426 return (-1);
427 }
428- _TIFFmemset(sect_buff, 0, sectsize);
429+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
430 }
431 else
432 {
433 if (prev_sectsize < sectsize)
434 {
435- new_buff = _TIFFrealloc(sect_buff, sectsize);
436+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
437 if (!new_buff)
438 {
439 free (sect_buff);
440- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
441+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
442 }
443 else
444 sect_buff = new_buff;
445@@ -7372,7 +7394,7 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
446 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
447 return (-1);
448 }
449- _TIFFmemset(sect_buff, 0, sectsize);
450+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
451 }
452 }
453
454@@ -7403,17 +7425,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
455 cropsize = crop->bufftotal;
456 crop_buff = seg_buffs[0].buffer;
457 if (!crop_buff)
458- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
459+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
460 else
461 {
462 prev_cropsize = seg_buffs[0].size;
463 if (prev_cropsize < cropsize)
464 {
465- next_buff = _TIFFrealloc(crop_buff, cropsize);
466+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
467 if (! next_buff)
468 {
469 _TIFFfree (crop_buff);
470- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
471+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
472 }
473 else
474 crop_buff = next_buff;
475@@ -7426,7 +7448,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
476 return (-1);
477 }
478
479- _TIFFmemset(crop_buff, 0, cropsize);
480+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
481 seg_buffs[0].buffer = crop_buff;
482 seg_buffs[0].size = cropsize;
483
484@@ -7505,17 +7527,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
485 cropsize = crop->bufftotal;
486 crop_buff = seg_buffs[i].buffer;
487 if (!crop_buff)
488- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
489+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
490 else
491 {
492 prev_cropsize = seg_buffs[0].size;
493 if (prev_cropsize < cropsize)
494 {
495- next_buff = _TIFFrealloc(crop_buff, cropsize);
496+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
497 if (! next_buff)
498 {
499 _TIFFfree (crop_buff);
500- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
501+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
502 }
503 else
504 crop_buff = next_buff;
505@@ -7528,7 +7550,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
506 return (-1);
507 }
508
509- _TIFFmemset(crop_buff, 0, cropsize);
510+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
511 seg_buffs[i].buffer = crop_buff;
512 seg_buffs[i].size = cropsize;
513
514@@ -7641,24 +7663,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
515 crop_buff = *crop_buff_ptr;
516 if (!crop_buff)
517 {
518- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
519+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
520 if (!crop_buff)
521 {
522 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
523 return (-1);
524 }
525- _TIFFmemset(crop_buff, 0, cropsize);
526+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
527 prev_cropsize = cropsize;
528 }
529 else
530 {
531 if (prev_cropsize < cropsize)
532 {
533- new_buff = _TIFFrealloc(crop_buff, cropsize);
534+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
535 if (!new_buff)
536 {
537 free (crop_buff);
538- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
539+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
540 }
541 else
542 crop_buff = new_buff;
543@@ -7667,7 +7689,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
544 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
545 return (-1);
546 }
547- _TIFFmemset(crop_buff, 0, cropsize);
548+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
549 }
550 }
551
552@@ -7965,13 +7987,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
553 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
554 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
555 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
556- int inknameslen = strlen(inknames) + 1;
557+ int inknameslen = (int)strlen(inknames) + 1;
558 const char* cp = inknames;
559 while (ninks > 1) {
560 cp = strchr(cp, '\0');
561 if (cp) {
562 cp++;
563- inknameslen += (strlen(cp) + 1);
564+ inknameslen += ((int)strlen(cp) + 1);
565 }
566 ninks--;
567 }
568@@ -8356,13 +8378,13 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
569 }
570 else /* If we have a full buffer's worth, write it out */
571 {
572- bytebuff1 = (buff2 >> 56);
573+ bytebuff1 = (uint8)(buff2 >> 56);
574 *dst++ = bytebuff1;
575- bytebuff2 = (buff2 >> 48);
576+ bytebuff2 = (uint8)(buff2 >> 48);
577 *dst++ = bytebuff2;
578- bytebuff3 = (buff2 >> 40);
579+ bytebuff3 = (uint8)(buff2 >> 40);
580 *dst++ = bytebuff3;
581- bytebuff4 = (buff2 >> 32);
582+ bytebuff4 = (uint8)(buff2 >> 32);
583 *dst++ = bytebuff4;
584 ready_bits -= 32;
585
586@@ -8431,12 +8453,13 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
587 return (-1);
588 }
589
590- if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize)))
591+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
592+ if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
593 {
594- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
595+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
596 return (-1);
597 }
598- _TIFFmemset(rbuff, '\0', buffsize);
599+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
600
601 ibuff = *ibuff_ptr;
602 switch (rotation)
603@@ -8964,13 +8987,13 @@ reverseSamples32bits (uint16 spp, uint16 bps, uint32 width,
604 }
605 else /* If we have a full buffer's worth, write it out */
606 {
607- bytebuff1 = (buff2 >> 56);
608+ bytebuff1 = (uint8)(buff2 >> 56);
609 *dst++ = bytebuff1;
610- bytebuff2 = (buff2 >> 48);
611+ bytebuff2 = (uint8)(buff2 >> 48);
612 *dst++ = bytebuff2;
613- bytebuff3 = (buff2 >> 40);
614+ bytebuff3 = (uint8)(buff2 >> 40);
615 *dst++ = bytebuff3;
616- bytebuff4 = (buff2 >> 32);
617+ bytebuff4 = (uint8)(buff2 >> 32);
618 *dst++ = bytebuff4;
619 ready_bits -= 32;
620
621@@ -9061,12 +9084,13 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
622 {
623 case MIRROR_BOTH:
624 case MIRROR_VERT:
625- line_buff = (unsigned char *)_TIFFmalloc(rowsize);
626+ line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
627 if (line_buff == NULL)
628 {
629- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
630+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
631 return (-1);
632 }
633+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
634
635 dst = ibuff + (rowsize * (length - 1));
636 for (row = 0; row < length / 2; row++)
637@@ -9098,11 +9122,12 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
638 }
639 else
640 { /* non 8 bit per sample data */
641- if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1)))
642+ if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
643 {
644 TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
645 return (-1);
646 }
647+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
648 bytes_per_sample = (bps + 7) / 8;
649 bytes_per_pixel = ((bps * spp) + 7) / 8;
650 if (bytes_per_pixel < (bytes_per_sample + 1))
651@@ -9114,7 +9139,7 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
652 {
653 row_offset = row * rowsize;
654 src = ibuff + row_offset;
655- _TIFFmemset (line_buff, '\0', rowsize);
656+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
657 switch (shift_width)
658 {
659 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-13 16:46:51 +0000