mv Index: tools/tiff2pdf.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v retrieving revision 1.37.2.19 diff -c -r1.37.2.19 tiff2pdf.c *** tools/tiff2pdf.c 13 Dec 2010 05:41:11 -0000 1.37.2.19 --- tools/tiff2pdf.c 17 Apr 2012 20:15:03 -0000 *************** *** 431,436 **** --- 431,464 ---- (void) handle, (void) data, (void) offset; } + static uint64 + checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p) + { + uint64 bytes = summand1 + summand2; + + if (bytes - summand1 != summand2) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + bytes = 0; + } + + return bytes; + } + + static uint64 + checkMultiply64(uint64 first, uint64 second, T2P* t2p) + { + uint64 bytes = first * second; + + if (second && bytes / second != first) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + bytes = 0; + } + + return bytes; + } + /* This is the main function. *************** *** 1773,1781 **** tstrip_t i=0; tstrip_t stripcount=0; #endif ! #ifdef OJPEG_SUPPORT ! tsize_t k = 0; ! #endif if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT --- 1801,1807 ---- tstrip_t i=0; tstrip_t stripcount=0; #endif ! 
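Review bot: The overflow test in checkAdd64, `if (bytes - summand1 != summand2)`, can never be true if uint64 is an unsigned type (its typedef is not visible here), because the subtraction wraps modulo 2^64 exactly as the addition did and always yields summand2 again. As written the helper would return the wrapped sum without setting `t2p->t2p_error`, so every size computation in this patch that relies on it stays unprotected. Compare against an operand instead: `if (bytes < summand1) {`. The division test in checkMultiply64 does not have this problem. Both helpers also deserve a one-line comment saying that they return 0 and set `t2p->t2p_error` on overflow, since the callers depend on that contract.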
uint64 k = 0; if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT *************** *** 1803,1821 **** } stripcount=TIFFNumberOfStrips(input); for(i=0;itiff_dataoffset))){ if(t2p->tiff_dataoffset != 0){ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ if(t2p->tiff_datasize < k) { - t2p->pdf_ojpegiflength=t2p->tiff_datasize; - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=6; - t2p->tiff_datasize+=2*stripcount; TIFFWarning(TIFF2PDF_MODULE, "Input file %s has short JPEG interchange file byte count", TIFFFileName(input)); return; } return; --- 1829,1853 ---- } stripcount=TIFFNumberOfStrips(input); for(i=0;itiff_dataoffset))){ if(t2p->tiff_dataoffset != 0){ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ if(t2p->tiff_datasize < k) { TIFFWarning(TIFF2PDF_MODULE, "Input file %s has short JPEG interchange file byte count", TIFFFileName(input)); + t2p->pdf_ojpegiflength=t2p->tiff_datasize; + k = checkAdd64(k, t2p->tiff_datasize, t2p); + k = checkAdd64(k, 6, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } return; *************** *** 1828,1836 **** } } } ! t2p->tiff_datasize+=k; ! t2p->tiff_datasize+=2*stripcount; ! t2p->tiff_datasize+=2048; return; } #endif --- 1860,1873 ---- } } } ! k = checkAdd64(k, stripcount, t2p); ! k = checkAdd64(k, stripcount, t2p); ! k = checkAdd64(k, 2048, t2p); ! t2p->tiff_datasize = (tsize_t) k; ! if ((uint64) t2p->tiff_datasize != k) { ! TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ! t2p->t2p_error = T2P_ERR_ERROR; ! } return; } #endif *************** *** 1839,1849 **** uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ ! t2p->tiff_datasize += count; ! t2p->tiff_datasize -= 2; /* don't use EOI of header */ } } else { ! 
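Review bot: The five-line narrowing sequence that ends this branch (`t2p->tiff_datasize = (tsize_t) k;` followed by the round-trip compare) is pasted again in the hunks at new lines 1860, 1891 and 1965, six copies in total, and one static helper would keep them from drifting apart. The round-trip compare also accepts a k that narrows to a negative value if tsize_t is a signed 64-bit type on the build platform (its definition is not visible here), so the helper should reject that case too. The helper name below is only a suggestion. The enclosing function starts and ends outside this hunk, and the strip loop above is truncated in this view, so the loop itself is not reviewed.

```c
/* Store a 64-bit size in tiff_datasize; flag an error if it does not fit. */
static void
t2p_set_datasize(T2P* t2p, uint64 k)
{
	t2p->tiff_datasize = (tsize_t) k;
	if (t2p->tiff_datasize < 0 || (uint64) t2p->tiff_datasize != k) {
		TIFFError(TIFF2PDF_MODULE, "Integer overflow");
		t2p->t2p_error = T2P_ERR_ERROR;
	}
}

/* ... unchanged: short JPEG interchange byte count warning and checkAdd64 chain ... */
	t2p_set_datasize(t2p, k);
	return;
```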
t2p->tiff_datasize = 2; /* SOI for first strip */ } stripcount=TIFFNumberOfStrips(input); if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ --- 1876,1886 ---- uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ ! k += count; ! k -= 2; /* don't use EOI of header */ } } else { ! k = 2; /* SOI for first strip */ } stripcount=TIFFNumberOfStrips(input); if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ *************** *** 1854,1871 **** return; } for(i=0;itiff_datasize += sbc[i]; ! t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ } - t2p->tiff_datasize +=2; /* use EOI of last strip */ return; } #endif (void) 0; } ! t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length; if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ ! t2p->tiff_datasize*= t2p->tiff_samplesperpixel; } return; --- 1891,1923 ---- return; } for(i=0;itiff_datasize = (tsize_t) k; ! if ((uint64) t2p->tiff_datasize != k) { ! TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ! t2p->t2p_error = T2P_ERR_ERROR; } return; } #endif (void) 0; } ! k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ ! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ! } ! if (k == 0) { ! /* Assume we had overflow inside TIFFScanlineSize */ ! t2p->t2p_error = T2P_ERR_ERROR; ! } ! ! t2p->tiff_datasize = (tsize_t) k; ! if ((uint64) t2p->tiff_datasize != k) { ! TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ! t2p->t2p_error = T2P_ERR_ERROR; } return; *************** *** 1883,1888 **** --- 1935,1941 ---- #ifdef JPEG_SUPPORT unsigned char* jpt; #endif + uint64 k; edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); *************** *** 1894,1907 **** #endif ){ t2p->tiff_datasize=TIFFTileSize(input); return; } else { TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); ! 
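Review bot: The new `if (k == 0)` branch after the scanline-size multiplication sets `t2p->t2p_error` without calling TIFFError, so unless TIFFScanlineSize reports the problem itself (not visible here) the user gets no message for this failure. The branch also treats every zero product as an overflow, including a zero `tiff_length`, which the comment should say; a line such as `TIFFError(TIFF2PDF_MODULE, "Zero or overflowing image data size");` before the assignment would cover both cases. The same silent pattern is added after TIFFTileSize in the hunks at new lines 1947 and 1965. The JPEG strip loop earlier in this hunk is truncated in this view and is not reviewed.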
t2p->tiff_datasize=tbc[tile]; #ifdef OJPEG_SUPPORT if(t2p->tiff_compression==COMPRESSION_OJPEG){ ! t2p->tiff_datasize+=2048; ! return; } #endif #ifdef JPEG_SUPPORT --- 1947,1963 ---- #endif ){ t2p->tiff_datasize=TIFFTileSize(input); + if (t2p->tiff_datasize == 0) { + /* Assume we had overflow inside TIFFTileSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } return; } else { TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); ! k=tbc[tile]; #ifdef OJPEG_SUPPORT if(t2p->tiff_compression==COMPRESSION_OJPEG){ ! k = checkAdd64(k, 2048, t2p); } #endif #ifdef JPEG_SUPPORT *************** *** 1909,1926 **** uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ if(count > 4){ ! t2p->tiff_datasize += count; ! t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */ } } } #endif return; } } ! t2p->tiff_datasize=TIFFTileSize(input); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ ! t2p->tiff_datasize*= t2p->tiff_samplesperpixel; } return; --- 1965,1997 ---- uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ if(count > 4){ ! k = checkAdd64(k, count, t2p); ! k -= 2; /* don't use EOI of header or SOI of tile */ } } } #endif + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } } ! k = TIFFTileSize(input); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ ! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ! } ! if (k == 0) { ! /* Assume we had overflow inside TIFFTileSize */ ! t2p->t2p_error = T2P_ERR_ERROR; ! } ! ! t2p->tiff_datasize = (tsize_t) k; ! if ((uint64) t2p->tiff_datasize != k) { ! TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ! 
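Review bot: `k=tbc[tile];` reads through tbc although the return value of the `TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc)` call just above it is ignored, so a file without that tag would leave tbc at whatever its declaration (outside this hunk) gave it. The strip path in this same patch appears to check the equivalent TIFFTAG_STRIPBYTECOUNTS lookup and return on failure; the tile path should do the same, e.g. `if(!TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc)){ t2p->t2p_error = T2P_ERR_ERROR; return; }`, preceded by a TIFFError message. Whether `tile` is bounded against the number of tiles is not visible in this hunk and is worth confirming.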
t2p->t2p_error = T2P_ERR_ERROR; } return; *************** *** 2013,2018 **** --- 2084,2093 ---- uint32 max_striplength=0; #endif + /* Fail if prior error (in particular, can't trust tiff_datasize) */ + if (t2p->t2p_error != T2P_ERR_OK) + return(0); + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT if(t2p->pdf_compression == T2P_COMPRESS_G4){ *************** *** 2586,2591 **** --- 2661,2670 ---- uint32 xuint32=0; #endif + /* Fail if prior error (in particular, can't trust tiff_datasize) */ + if (t2p->t2p_error != T2P_ERR_OK) + return(0); + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
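Review bot: `k -= 2;` runs unconditionally after `k = checkAdd64(k, count, t2p);`, so when checkAdd64 reports overflow and returns 0 the subtraction wraps k to a value near the top of the uint64 range. The error flag is already set by then, so this is harmless as long as every consumer checks `t2p->t2p_error`, but the narrowing check below then either logs a second "Integer overflow" or, if tsize_t is 64 bits wide, stores a negative tiff_datasize. Guarding the subtraction with `if (t2p->t2p_error == T2P_ERR_OK) k -= 2;`, or returning as soon as the flag is set, keeps the stored size sane. The enclosing function begins outside this hunk.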