Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(522)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/libtiff/tif_luv.c

Issue 2054993002: Apply security fixes to libtiff that are not in 4.0.6. (Closed) Base URL: https://pdfium.googlesource.com/pdfium@master
Patch Set: Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/libtiff/tif_getimage.c ('k') | third_party/libtiff/tif_next.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */ 1 /* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
2 2
3 /* 3 /*
4 * Copyright (c) 1997 Greg Ward Larson 4 * Copyright (c) 1997 Greg Ward Larson
5 * Copyright (c) 1997 Silicon Graphics, Inc. 5 * Copyright (c) 1997 Silicon Graphics, Inc.
6 * 6 *
7 * Permission to use, copy, modify, distribute, and sell this software and 7 * Permission to use, copy, modify, distribute, and sell this software and
8 * its documentation for any purpose is hereby granted without fee, provided 8 * its documentation for any purpose is hereby granted without fee, provided
9 * that (i) the above copyright notices and this permission notice appear in 9 * that (i) the above copyright notices and this permission notice appear in
10 * all copies of the software and related documentation, and (ii) the names of 10 * all copies of the software and related documentation, and (ii) the names of
(...skipping 184 matching lines...) Expand 10 before | Expand all | Expand 10 after
195 int rc; 195 int rc;
196 196
197 assert(s == 0); 197 assert(s == 0);
198 assert(sp != NULL); 198 assert(sp != NULL);
199 199
200 npixels = occ / sp->pixel_size; 200 npixels = occ / sp->pixel_size;
201 201
202 if (sp->user_datafmt == SGILOGDATAFMT_16BIT) 202 if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
203 tp = (int16*) op; 203 tp = (int16*) op;
204 else { 204 else {
205 » » assert(sp->tbuflen >= npixels); 205 » » if(sp->tbuflen < npixels) {
206 » » » TIFFErrorExt(tif->tif_clientdata, module,
207 » » » » » » "Translation buffer too short") ;
208 » » » return (0);
209 » » }
206 tp = (int16*) sp->tbuf; 210 tp = (int16*) sp->tbuf;
207 } 211 }
208 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); 212 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
209 213
210 bp = (unsigned char*) tif->tif_rawcp; 214 bp = (unsigned char*) tif->tif_rawcp;
211 cc = tif->tif_rawcc; 215 cc = tif->tif_rawcc;
212 /* get each byte string */ 216 /* get each byte string */
213 for (shft = 2*8; (shft -= 8) >= 0; ) { 217 for (shft = 2*8; (shft -= 8) >= 0; ) {
214 » » for (i = 0; i < npixels && cc > 0; ) 218 » » for (i = 0; i < npixels && cc > 0; ) {
215 if (*bp >= 128) { /* run */ 219 if (*bp >= 128) { /* run */
216 » » » » rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ 220 » » » » if( cc < 2 )
221 » » » » » break;
222 » » » » rc = *bp++ + (2-128);
217 b = (int16)(*bp++ << shft); 223 b = (int16)(*bp++ << shft);
218 cc -= 2; 224 cc -= 2;
219 while (rc-- && i < npixels) 225 while (rc-- && i < npixels)
220 tp[i++] |= b; 226 tp[i++] |= b;
221 } else { /* non-run */ 227 } else { /* non-run */
222 rc = *bp++; /* nul is noop */ 228 rc = *bp++; /* nul is noop */
223 while (--cc && rc-- && i < npixels) 229 while (--cc && rc-- && i < npixels)
224 tp[i++] |= (int16)*bp++ << shft; 230 tp[i++] |= (int16)*bp++ << shft;
225 } 231 }
232 }
226 if (i != npixels) { 233 if (i != npixels) {
227 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 234 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
228 TIFFErrorExt(tif->tif_clientdata, module, 235 TIFFErrorExt(tif->tif_clientdata, module,
229 "Not enough data at row %lu (short %I64d pixels)", 236 "Not enough data at row %lu (short %I64d pixels)",
230 (unsigned long) tif->tif_row, 237 (unsigned long) tif->tif_row,
231 (unsigned __int64) (npixels - i)); 238 (unsigned __int64) (npixels - i));
232 #else 239 #else
233 TIFFErrorExt(tif->tif_clientdata, module, 240 TIFFErrorExt(tif->tif_clientdata, module,
234 "Not enough data at row %lu (short %llu pixels)", 241 "Not enough data at row %lu (short %llu pixels)",
235 (unsigned long) tif->tif_row, 242 (unsigned long) tif->tif_row,
(...skipping 25 matching lines...) Expand all
261 uint32* tp; 268 uint32* tp;
262 269
263 assert(s == 0); 270 assert(s == 0);
264 assert(sp != NULL); 271 assert(sp != NULL);
265 272
266 npixels = occ / sp->pixel_size; 273 npixels = occ / sp->pixel_size;
267 274
268 if (sp->user_datafmt == SGILOGDATAFMT_RAW) 275 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
269 tp = (uint32 *)op; 276 tp = (uint32 *)op;
270 else { 277 else {
271 » » assert(sp->tbuflen >= npixels); 278 » » if(sp->tbuflen < npixels) {
279 » » » TIFFErrorExt(tif->tif_clientdata, module,
280 » » » » » » "Translation buffer too short") ;
281 » » » return (0);
282 » » }
272 tp = (uint32 *) sp->tbuf; 283 tp = (uint32 *) sp->tbuf;
273 } 284 }
274 /* copy to array of uint32 */ 285 /* copy to array of uint32 */
275 bp = (unsigned char*) tif->tif_rawcp; 286 bp = (unsigned char*) tif->tif_rawcp;
276 cc = tif->tif_rawcc; 287 cc = tif->tif_rawcc;
277 » for (i = 0; i < npixels && cc > 0; i++) { 288 » for (i = 0; i < npixels && cc >= 3; i++) {
278 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; 289 tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
279 bp += 3; 290 bp += 3;
280 cc -= 3; 291 cc -= 3;
281 } 292 }
282 tif->tif_rawcp = (uint8*) bp; 293 tif->tif_rawcp = (uint8*) bp;
283 tif->tif_rawcc = cc; 294 tif->tif_rawcc = cc;
284 if (i != npixels) { 295 if (i != npixels) {
285 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 296 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
286 TIFFErrorExt(tif->tif_clientdata, module, 297 TIFFErrorExt(tif->tif_clientdata, module,
287 "Not enough data at row %lu (short %I64d pixels)", 298 "Not enough data at row %lu (short %I64d pixels)",
(...skipping 30 matching lines...) Expand all
318 329
319 assert(s == 0); 330 assert(s == 0);
320 sp = DecoderState(tif); 331 sp = DecoderState(tif);
321 assert(sp != NULL); 332 assert(sp != NULL);
322 333
323 npixels = occ / sp->pixel_size; 334 npixels = occ / sp->pixel_size;
324 335
325 if (sp->user_datafmt == SGILOGDATAFMT_RAW) 336 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
326 tp = (uint32*) op; 337 tp = (uint32*) op;
327 else { 338 else {
328 » » assert(sp->tbuflen >= npixels); 339 » » if(sp->tbuflen < npixels) {
340 » » » TIFFErrorExt(tif->tif_clientdata, module,
341 » » » » » » "Translation buffer too short") ;
342 » » » return (0);
343 » » }
329 tp = (uint32*) sp->tbuf; 344 tp = (uint32*) sp->tbuf;
330 } 345 }
331 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); 346 _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
332 347
333 bp = (unsigned char*) tif->tif_rawcp; 348 bp = (unsigned char*) tif->tif_rawcp;
334 cc = tif->tif_rawcc; 349 cc = tif->tif_rawcc;
335 /* get each byte string */ 350 /* get each byte string */
336 for (shft = 4*8; (shft -= 8) >= 0; ) { 351 for (shft = 4*8; (shft -= 8) >= 0; ) {
337 » » for (i = 0; i < npixels && cc > 0; ) 352 » » for (i = 0; i < npixels && cc > 0; ) {
338 if (*bp >= 128) { /* run */ 353 if (*bp >= 128) { /* run */
354 if( cc < 2 )
355 break;
339 rc = *bp++ + (2-128); 356 rc = *bp++ + (2-128);
340 b = (uint32)*bp++ << shft; 357 b = (uint32)*bp++ << shft;
341 » » » » cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ 358 » » » » cc -= 2;
342 while (rc-- && i < npixels) 359 while (rc-- && i < npixels)
343 tp[i++] |= b; 360 tp[i++] |= b;
344 } else { /* non-run */ 361 } else { /* non-run */
345 rc = *bp++; /* nul is noop */ 362 rc = *bp++; /* nul is noop */
346 while (--cc && rc-- && i < npixels) 363 while (--cc && rc-- && i < npixels)
347 tp[i++] |= (uint32)*bp++ << shft; 364 tp[i++] |= (uint32)*bp++ << shft;
348 } 365 }
366 }
349 if (i != npixels) { 367 if (i != npixels) {
350 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) 368 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
351 TIFFErrorExt(tif->tif_clientdata, module, 369 TIFFErrorExt(tif->tif_clientdata, module,
352 "Not enough data at row %lu (short %I64d pixels)", 370 "Not enough data at row %lu (short %I64d pixels)",
353 (unsigned long) tif->tif_row, 371 (unsigned long) tif->tif_row,
354 (unsigned __int64) (npixels - i)); 372 (unsigned __int64) (npixels - i));
355 #else 373 #else
356 TIFFErrorExt(tif->tif_clientdata, module, 374 TIFFErrorExt(tif->tif_clientdata, module,
357 "Not enough data at row %lu (short %llu pixels)", 375 "Not enough data at row %lu (short %llu pixels)",
358 (unsigned long) tif->tif_row, 376 (unsigned long) tif->tif_row,
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after
406 bp += rowlen, cc -= rowlen; 424 bp += rowlen, cc -= rowlen;
407 return (cc == 0); 425 return (cc == 0);
408 } 426 }
409 427
410 /* 428 /*
411 * Encode a row of 16-bit pixels. 429 * Encode a row of 16-bit pixels.
412 */ 430 */
413 static int 431 static int
414 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) 432 LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
415 { 433 {
434 static const char module[] = "LogL16Encode";
416 LogLuvState* sp = EncoderState(tif); 435 LogLuvState* sp = EncoderState(tif);
417 int shft; 436 int shft;
418 tmsize_t i; 437 tmsize_t i;
419 tmsize_t j; 438 tmsize_t j;
420 tmsize_t npixels; 439 tmsize_t npixels;
421 uint8* op; 440 uint8* op;
422 int16* tp; 441 int16* tp;
423 int16 b; 442 int16 b;
424 tmsize_t occ; 443 tmsize_t occ;
425 int rc=0, mask; 444 int rc=0, mask;
426 tmsize_t beg; 445 tmsize_t beg;
427 446
428 assert(s == 0); 447 assert(s == 0);
429 assert(sp != NULL); 448 assert(sp != NULL);
430 npixels = cc / sp->pixel_size; 449 npixels = cc / sp->pixel_size;
431 450
432 if (sp->user_datafmt == SGILOGDATAFMT_16BIT) 451 if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
433 tp = (int16*) bp; 452 tp = (int16*) bp;
434 else { 453 else {
435 tp = (int16*) sp->tbuf; 454 tp = (int16*) sp->tbuf;
436 » » assert(sp->tbuflen >= npixels); 455 » » if(sp->tbuflen < npixels) {
456 » » » TIFFErrorExt(tif->tif_clientdata, module,
457 » » » » » » "Translation buffer too short") ;
458 » » » return (0);
459 » » }
437 (*sp->tfunc)(sp, bp, npixels); 460 (*sp->tfunc)(sp, bp, npixels);
438 } 461 }
439 /* compress each byte string */ 462 /* compress each byte string */
440 op = tif->tif_rawcp; 463 op = tif->tif_rawcp;
441 occ = tif->tif_rawdatasize - tif->tif_rawcc; 464 occ = tif->tif_rawdatasize - tif->tif_rawcc;
442 for (shft = 2*8; (shft -= 8) >= 0; ) 465 for (shft = 2*8; (shft -= 8) >= 0; )
443 for (i = 0; i < npixels; i += rc) { 466 for (i = 0; i < npixels; i += rc) {
444 if (occ < 4) { 467 if (occ < 4) {
445 tif->tif_rawcp = op; 468 tif->tif_rawcp = op;
446 tif->tif_rawcc = tif->tif_rawdatasize - occ; 469 tif->tif_rawcc = tif->tif_rawdatasize - occ;
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
499 522
500 return (1); 523 return (1);
501 } 524 }
502 525
503 /* 526 /*
504 * Encode a row of 24-bit pixels. 527 * Encode a row of 24-bit pixels.
505 */ 528 */
506 static int 529 static int
507 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) 530 LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
508 { 531 {
532 static const char module[] = "LogLuvEncode24";
509 LogLuvState* sp = EncoderState(tif); 533 LogLuvState* sp = EncoderState(tif);
510 tmsize_t i; 534 tmsize_t i;
511 tmsize_t npixels; 535 tmsize_t npixels;
512 tmsize_t occ; 536 tmsize_t occ;
513 uint8* op; 537 uint8* op;
514 uint32* tp; 538 uint32* tp;
515 539
516 assert(s == 0); 540 assert(s == 0);
517 assert(sp != NULL); 541 assert(sp != NULL);
518 npixels = cc / sp->pixel_size; 542 npixels = cc / sp->pixel_size;
519 543
520 if (sp->user_datafmt == SGILOGDATAFMT_RAW) 544 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
521 tp = (uint32*) bp; 545 tp = (uint32*) bp;
522 else { 546 else {
523 tp = (uint32*) sp->tbuf; 547 tp = (uint32*) sp->tbuf;
524 » » assert(sp->tbuflen >= npixels); 548 » » if(sp->tbuflen < npixels) {
549 » » » TIFFErrorExt(tif->tif_clientdata, module,
550 » » » » » » "Translation buffer too short") ;
551 » » » return (0);
552 » » }
525 (*sp->tfunc)(sp, bp, npixels); 553 (*sp->tfunc)(sp, bp, npixels);
526 } 554 }
527 /* write out encoded pixels */ 555 /* write out encoded pixels */
528 op = tif->tif_rawcp; 556 op = tif->tif_rawcp;
529 occ = tif->tif_rawdatasize - tif->tif_rawcc; 557 occ = tif->tif_rawdatasize - tif->tif_rawcc;
530 for (i = npixels; i--; ) { 558 for (i = npixels; i--; ) {
531 if (occ < 3) { 559 if (occ < 3) {
532 tif->tif_rawcp = op; 560 tif->tif_rawcp = op;
533 tif->tif_rawcc = tif->tif_rawdatasize - occ; 561 tif->tif_rawcc = tif->tif_rawdatasize - occ;
534 if (!TIFFFlushData1(tif)) 562 if (!TIFFFlushData1(tif))
(...skipping 11 matching lines...) Expand all
546 574
547 return (1); 575 return (1);
548 } 576 }
549 577
550 /* 578 /*
551 * Encode a row of 32-bit pixels. 579 * Encode a row of 32-bit pixels.
552 */ 580 */
553 static int 581 static int
554 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) 582 LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
555 { 583 {
584 static const char module[] = "LogLuvEncode32";
556 LogLuvState* sp = EncoderState(tif); 585 LogLuvState* sp = EncoderState(tif);
557 int shft; 586 int shft;
558 tmsize_t i; 587 tmsize_t i;
559 tmsize_t j; 588 tmsize_t j;
560 tmsize_t npixels; 589 tmsize_t npixels;
561 uint8* op; 590 uint8* op;
562 uint32* tp; 591 uint32* tp;
563 uint32 b; 592 uint32 b;
564 tmsize_t occ; 593 tmsize_t occ;
565 int rc=0, mask; 594 int rc=0, mask;
566 tmsize_t beg; 595 tmsize_t beg;
567 596
568 assert(s == 0); 597 assert(s == 0);
569 assert(sp != NULL); 598 assert(sp != NULL);
570 599
571 npixels = cc / sp->pixel_size; 600 npixels = cc / sp->pixel_size;
572 601
573 if (sp->user_datafmt == SGILOGDATAFMT_RAW) 602 if (sp->user_datafmt == SGILOGDATAFMT_RAW)
574 tp = (uint32*) bp; 603 tp = (uint32*) bp;
575 else { 604 else {
576 tp = (uint32*) sp->tbuf; 605 tp = (uint32*) sp->tbuf;
577 » » assert(sp->tbuflen >= npixels); 606 » » if(sp->tbuflen < npixels) {
607 » » » TIFFErrorExt(tif->tif_clientdata, module,
608 » » » » » » "Translation buffer too short") ;
609 » » » return (0);
610 » » }
578 (*sp->tfunc)(sp, bp, npixels); 611 (*sp->tfunc)(sp, bp, npixels);
579 } 612 }
580 /* compress each byte string */ 613 /* compress each byte string */
581 op = tif->tif_rawcp; 614 op = tif->tif_rawcp;
582 occ = tif->tif_rawdatasize - tif->tif_rawcc; 615 occ = tif->tif_rawdatasize - tif->tif_rawcc;
583 for (shft = 4*8; (shft -= 8) >= 0; ) 616 for (shft = 4*8; (shft -= 8) >= 0; )
584 for (i = 0; i < npixels; i += rc) { 617 for (i = 0; i < npixels; i += rc) {
585 if (occ < 4) { 618 if (occ < 4) {
586 tif->tif_rawcp = op; 619 tif->tif_rawcp = op;
587 tif->tif_rawcc = tif->tif_rawdatasize - occ; 620 tif->tif_rawcc = tif->tif_rawdatasize - occ;
(...skipping 1100 matching lines...) Expand 10 before | Expand all | Expand 10 after
1688 #endif /* LOGLUV_SUPPORT */ 1721 #endif /* LOGLUV_SUPPORT */
1689 1722
1690 /* vim: set ts=8 sts=8 sw=8 noet: */ 1723 /* vim: set ts=8 sts=8 sw=8 noet: */
1691 /* 1724 /*
1692 * Local Variables: 1725 * Local Variables:
1693 * mode: c 1726 * mode: c
1694 * c-basic-offset: 8 1727 * c-basic-offset: 8
1695 * fill-column: 78 1728 * fill-column: 78
1696 * End: 1729 * End:
1697 */ 1730 */
OLDNEW
« no previous file with comments | « third_party/libtiff/tif_getimage.c ('k') | third_party/libtiff/tif_next.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698