Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
tiff.26987
tiff-CVE-2022-3598,3570.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tiff-CVE-2022-3598,3570.patch of Package tiff.26987
--- tiff-4.0.9/man/tiffcrop.1 2022-11-17 08:28:10.110681393 +0100 +++ tiff-4.0.9/man/tiffcrop.1 2022-11-17 09:14:34.552680320 +0100 @@ -352,6 +352,10 @@ .B \-i Ignore non\-fatal read errors and continue processing of the input file. .TP +.B "\-k size" +Set maximum memory allocation size (in MiB). The default is 256MiB. +Set to 0 to disable the limit. +.TP .B \-l Specify the length of a tile (in pixels). .I Tiffcrop --- tiff-4.0.9/tools/tiffcrop.c 2022-11-17 08:28:09.974680521 +0100 +++ tiff-4.0.9/tools/tiffcrop.c 2022-11-17 09:23:28.028284215 +0100 @@ -219,6 +219,10 @@ #define TIFF_DIR_MAX 65534 +/* Some conversion subroutines require image buffers, which are at least 3 bytes + * larger than the necessary size for the image itself. */ +#define NUM_BUFF_OVERSIZE_BYTES 3 + /* Offsets into buffer for margins and fixed width and length segments */ struct offset { uint32 tmargin; @@ -240,7 +244,7 @@ */ struct buffinfo { - uint32 size; /* size of this buffer */ + size_t size; /* size of this buffer */ unsigned char *buffer; /* address of the allocated buffer */ }; @@ -340,7 +344,7 @@ /* European page sizes corrected from update sent by * thomas . jarosch @ intra2net . com on 5/7/2010 * Paper Size Width Length Aspect Ratio */ -struct paperdef PaperTable[MAX_PAPERNAMES] = { +const struct paperdef PaperTable[MAX_PAPERNAMES] = { {"default", 8.500, 14.000, 0.607}, {"pa4", 8.264, 11.000, 0.751}, {"letter", 8.500, 11.000, 0.773}, @@ -624,6 +628,27 @@ /* Functions derived in whole or in part from tiffcp */ /* The following functions are taken largely intact from tiffcp */ +#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) + +/* malloc size limit (in bytes) + * disabled when set to 0 */ +static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; + +/** + * This custom malloc function enforce a maximum allocation size + */ +static void* limitMalloc(tmsize_t s) +{ + if (maxMalloc && (s > maxMalloc)) { + fprintf(stderr, "MemoryLimitError: allocation of " TIFF_UINT64_FORMAT " bytes is forbidden. Limit is " TIFF_UINT64_FORMAT ".\n", + (uint64)s, (uint64)maxMalloc); + fprintf(stderr, " use -k option to change limit.\n"); return NULL; + } + return _TIFFmalloc(s); +} + + + static char* usage_info[] = { "usage: tiffcrop [options] source1 ... sourceN destination", "where options are:", @@ -637,6 +662,7 @@ " -s Write output in strips", " -t Write output in tiles", " -i Ignore read errors", +" -k size set the memory allocation limit in MiB. 0 to disable limit", " ", " -r # Make each strip have no more than # rows", " -w # Set output tile width (pixels)", @@ -783,8 +809,8 @@ uint32 dst_rowsize, shift_width; uint32 bytes_per_sample, bytes_per_pixel; uint32 trailing_bits, prev_trailing_bits; - uint32 tile_rowsize = TIFFTileRowSize(in); - uint32 src_offset, dst_offset; + tmsize_t tile_rowsize = TIFFTileRowSize(in); + tmsize_t src_offset, dst_offset; uint32 row_offset, col_offset; uint8 *bufp = (uint8*) buf; unsigned char *src = NULL; @@ -834,7 +860,7 @@ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); exit(-1); } - tilebuf = _TIFFmalloc(tile_buffsize + 3); + tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); if (tilebuf == 0) return 0; tilebuf[tile_buffsize] = 0; @@ -998,7 +1024,7 @@ for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) { srcbuffs[sample] = NULL; - tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8); + tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); if (!tbuff) { TIFFError ("readSeparateTilesIntoBuffer", @@ -1193,7 +1219,8 @@ } rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); - obuf = _TIFFmalloc (rowstripsize); + /* Add 3 padding bytes for extractContigSamples32bits */ + obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); if (obuf == NULL) return 1; @@ -1206,7 +1233,7 @@ stripsize = TIFFVStripSize(out, nrows); src = buf + (row * rowsize); total_bytes += stripsize; - memset (obuf, '\0', rowstripsize); + memset (obuf, '\0', rowstripsize + NUM_BUFF_OVERSIZE_BYTES); if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) { _TIFFfree(obuf); @@ -1214,10 +1241,15 @@ } if ((dump->outfile != NULL) && (dump->level == 1)) { + if (scanlinesize > 0x0ffffffffULL) { + dump_info(dump->infile, dump->format, "loadImage", + "Attention: scanlinesize %lu is larger than UINT32_MAX.\nFollowing dump might be wrong.", + scanlinesize); + } dump_info(dump->outfile, dump->format,"", "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", - s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); - dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); + s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf); + dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf); } if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) @@ -1244,7 +1276,7 @@ uint32 tl, tw; uint32 row, col, nrow, ncol; uint32 src_rowsize, col_offset; - uint32 tile_rowsize = TIFFTileRowSize(out); + tmsize_t tile_rowsize = TIFFTileRowSize(out); uint8* bufp = (uint8*) buf; tsize_t tile_buffsize = 0; tsize_t tilesize = TIFFTileSize(out); @@ -1287,9 +1319,11 @@ } src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; - tilebuf = _TIFFmalloc(tile_buffsize); + /* Add 3 padding bytes for extractContigSamples32bits */ + tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); if (tilebuf == 0) return 1; + memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); for (row = 0; row < imagelength; row += tl) { nrow = (row + tl > imagelength) ? imagelength - row : tl; @@ -1335,7 +1369,8 @@ uint32 imagewidth, tsample_t spp, struct dump_opts * dump) { - tdata_t obuf = _TIFFmalloc(TIFFTileSize(out)); + /* Add 3 padding bytes for extractContigSamples32bits */ + tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); uint32 tl, tw; uint32 row, col, nrow, ncol; uint32 src_rowsize, col_offset; @@ -1345,6 +1380,7 @@ if (obuf == NULL) return 1; + memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); @@ -1623,7 +1659,7 @@ *mp++ = 'w'; *mp = '\0'; while ((c = getopt(argc, argv, - "ac:d:e:f:hil:m:p:r:stvw:z:BCD:E:F:H:I:J:K:LMN:O:P:R:S:U:V:X:Y:Z:")) != -1) + "ac:d:e:f:hik:l:m:p:r:stvw:z:BCD:E:F:H:I:J:K:LMN:O:P:R:S:U:V:X:Y:Z:")) != -1) { good_args++; switch (c) { @@ -1682,6 +1718,8 @@ break; case 'i': ignore = TRUE; /* ignore errors */ break; + case 'k': maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; + break; case 'l': outtiled = TRUE; /* tile length */ *deftilelength = atoi(optarg); break; @@ -1766,14 +1804,14 @@ *opt_offset = '\0'; /* convert option to lowercase */ - end = strlen (opt_ptr); + end = (unsigned int)strlen (opt_ptr); for (i = 0; i < end; i++) *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); /* Look for dump format specification */ if (strncmp(opt_ptr, "for", 3) == 0) { /* convert value to lowercase */ - end = strlen (opt_offset + 1); + end = (unsigned int)strlen (opt_offset + 1); for (i = 1; i <= end; i++) *(opt_offset + i) = tolower((int) *(opt_offset + i)); /* check dump format value */ @@ -2243,6 +2281,8 @@ int seg, length; char temp_filename[PATH_MAX + 1]; + assert(NUM_BUFF_OVERSIZE_BYTES >= 3); + little_endian = *((unsigned char *)&little_endian) & '1'; initImageData(&image); @@ -3146,13 +3186,13 @@ /* If we have a full buffer's worth, write it out */ if (ready_bits >= 32) { - bytebuff1 = (buff2 >> 56); + bytebuff1 = (uint8_t)(buff2 >> 56); *dst++ = bytebuff1; - bytebuff2 = (buff2 >> 48); + bytebuff2 = (uint8_t)(buff2 >> 48); *dst++ = bytebuff2; - bytebuff3 = (buff2 >> 40); + bytebuff3 = (uint8_t)(buff2 >> 40); *dst++ = bytebuff3; - bytebuff4 = (buff2 >> 32); + bytebuff4 = (uint8_t)(buff2 >> 32); *dst++ = bytebuff4; ready_bits -= 32; @@ -3527,13 +3567,13 @@ } else /* If we have a full buffer's worth, write it out */ { - bytebuff1 = (buff2 >> 56); + bytebuff1 = (uint8_t)(buff2 >> 56); *dst++ = bytebuff1; - bytebuff2 = (buff2 >> 48); + bytebuff2 = (uint8_t)(buff2 >> 48); *dst++ = bytebuff2; - bytebuff3 = (buff2 >> 40); + bytebuff3 = (uint8_t)(buff2 >> 40); *dst++ = bytebuff3; - bytebuff4 = (buff2 >> 32); + bytebuff4 = (uint8_t)(buff2 >> 32); *dst++ = bytebuff4; ready_bits -= 32; @@ -3710,10 +3750,10 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) { uint8* bufp = buf; - int32 bytes_read = 0; + tmsize_t bytes_read = 0; uint32 strip, nstrips = TIFFNumberOfStrips(in); - uint32 stripsize = TIFFStripSize(in); - uint32 rows = 0; + tmsize_t stripsize = TIFFStripSize(in); + tmsize_t rows = 0; uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); tsize_t scanline_size = TIFFScanlineSize(in); @@ -4196,13 +4236,13 @@ /* If we have a full buffer's worth, write it out */ if (ready_bits >= 32) { - bytebuff1 = (buff2 >> 56); + bytebuff1 = (uint8_t)(buff2 >> 56); *dst++ = bytebuff1; - bytebuff2 = (buff2 >> 48); + bytebuff2 = (uint8_t)(buff2 >> 48); *dst++ = bytebuff2; - bytebuff3 = (buff2 >> 40); + bytebuff3 = (uint8_t)(buff2 >> 40); *dst++ = bytebuff3; - bytebuff4 = (buff2 >> 32); + bytebuff4 = (uint8_t)(buff2 >> 32); *dst++ = bytebuff4; ready_bits -= 32; @@ -4245,10 +4285,10 @@ "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", row + 1, col + 1, src_byte, src_bit, dst - out); - dump_long (dumpfile, format, "Match bits ", matchbits); + dump_wide (dumpfile, format, "Match bits ", matchbits); dump_data (dumpfile, format, "Src bits ", src, 4); - dump_long (dumpfile, format, "Buff1 bits ", buff1); - dump_long (dumpfile, format, "Buff2 bits ", buff2); + dump_wide (dumpfile, format, "Buff1 bits ", buff1); + dump_wide (dumpfile, format, "Buff2 bits ", buff2); dump_byte (dumpfile, format, "Write bits1", bytebuff1); dump_byte (dumpfile, format, "Write bits2", bytebuff2); dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); @@ -4721,13 +4761,13 @@ /* If we have a full buffer's worth, write it out */ if (ready_bits >= 32) { - bytebuff1 = (buff2 >> 56); + bytebuff1 = (uint8_t)(buff2 >> 56); *dst++ = bytebuff1; - bytebuff2 = (buff2 >> 48); + bytebuff2 = (uint8_t)(buff2 >> 48); *dst++ = bytebuff2; - bytebuff3 = (buff2 >> 40); + bytebuff3 = (uint8_t)(buff2 >> 40); *dst++ = bytebuff3; - bytebuff4 = (buff2 >> 32); + bytebuff4 = (uint8_t)(buff2 >> 32); *dst++ = bytebuff4; ready_bits -= 32; @@ -4770,10 +4810,10 @@ "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", row + 1, col + 1, src_byte, src_bit, dst - out); - dump_long (dumpfile, format, "Match bits ", matchbits); + dump_wide (dumpfile, format, "Match bits ", matchbits); dump_data (dumpfile, format, "Src bits ", src, 4); - dump_long (dumpfile, format, "Buff1 bits ", buff1); - dump_long (dumpfile, format, "Buff2 bits ", buff2); + dump_wide (dumpfile, format, "Buff1 bits ", buff1); + dump_wide (dumpfile, format, "Buff2 bits ", buff2); dump_byte (dumpfile, format, "Write bits1", bytebuff1); dump_byte (dumpfile, format, "Write bits2", bytebuff2); dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); @@ -4796,7 +4836,7 @@ { int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; uint32 j; - int32 bytes_read = 0; + tmsize_t bytes_read = 0; uint16 bps = 0, planar; uint32 nstrips; uint32 strips_per_sample; @@ -4862,7 +4902,7 @@ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) { srcbuffs[s] = NULL; - buff = _TIFFmalloc(stripsize + 3); + buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); if (!buff) { TIFFError ("readSeparateStripsIntoBuffer", @@ -4885,7 +4925,7 @@ buff = srcbuffs[s]; strip = (s * strips_per_sample) + j; bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); - rows_this_strip = bytes_read / src_rowsize; + rows_this_strip = (uint32)(bytes_read / src_rowsize); if (bytes_read < 0 && !ignore) { TIFFError(TIFFFileName(in), @@ -5872,13 +5912,14 @@ uint16 input_compression = 0, input_photometric = 0; uint16 subsampling_horiz, subsampling_vert; uint32 width = 0, length = 0; - uint32 stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; + tmsize_t stsize = 0, tlsize = 0, buffsize = 0; + tmsize_t scanlinesize = 0; uint32 tw = 0, tl = 0; /* Tile width and length */ - uint32 tile_rowsize = 0; + tmsize_t tile_rowsize = 0; unsigned char *read_buff = NULL; unsigned char *new_buff = NULL; int readunit = 0; - static uint32 prev_readsize = 0; + static tmsize_t prev_readsize = 0; TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); @@ -6132,9 +6173,15 @@ TIFFError("loadImage", "Integer overflow detected."); exit(-1); } - if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) + /* The buffsize_check and the possible adaptation of buffsize + * has to account also for padding of each line to a byte boundary. + * This is assumed by mirrorImage() and rotateImage(). + * Otherwise buffer-overflow might occur there. + */ + buffsize_check = length * (uint32)(((width * spp * bps) + 7) / 8); + if (buffsize < buffsize_check) { - buffsize = ((length * width * spp * bps) + 7) / 8; + buffsize = buffsize_check; #ifdef DEBUG2 TIFFError("loadImage", "Stripsize %u is too small, using imagelength * width * spp * bps / 8 = %lu", @@ -6180,7 +6227,7 @@ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); return (-1); } - read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); } else { @@ -6191,11 +6238,11 @@ TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); return (-1); } - new_buff = _TIFFrealloc(read_buff, buffsize+3); + new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); if (!new_buff) { free (read_buff); - read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); + read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); } else read_buff = new_buff; @@ -6268,8 +6315,13 @@ dump_info (dump->infile, dump->format, "", "Bits per sample %d, Samples per pixel %d", bps, spp); + if (scanlinesize > 0x0ffffffffULL) { + dump_info(dump->infile, dump->format, "loadImage", + "Attention: scanlinesize %lu is larger than UINT32_MAX.\nFollowing dump might be wrong.", + scanlinesize); + } for (i = 0; i < length; i++) - dump_buffer(dump->infile, dump->format, 1, scanlinesize, + dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize, i, read_buff + (i * scanlinesize)); } return (0); @@ -7289,13 +7341,13 @@ if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { - int inknameslen = strlen(inknames) + 1; + int inknameslen = (int)strlen(inknames) + 1; const char* cp = inknames; while (ninks > 1) { cp = strchr(cp, '\0'); if (cp) { cp++; - inknameslen += (strlen(cp) + 1); + inknameslen += ((int)strlen(cp) + 1); } ninks--; } @@ -7358,32 +7410,36 @@ if (!sect_buff) { - sect_buff = (unsigned char *)_TIFFmalloc(sectsize); - *sect_buff_ptr = sect_buff; + sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!sect_buff) + { + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } _TIFFmemset(sect_buff, 0, sectsize); } else { - if (prev_sectsize < sectsize) + if (prev_sectsize < sectsize + NUM_BUFF_OVERSIZE_BYTES) { - new_buff = _TIFFrealloc(sect_buff, sectsize); + new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); if (!new_buff) { - free (sect_buff); - sect_buff = (unsigned char *)_TIFFmalloc(sectsize); + _TIFFfree (sect_buff); + sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); } else sect_buff = new_buff; - _TIFFmemset(sect_buff, 0, sectsize); - } - } - if (!sect_buff) { TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); return (-1); } + _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + prev_sectsize = sectsize; *sect_buff_ptr = sect_buff; @@ -7411,17 +7467,17 @@ cropsize = crop->bufftotal; crop_buff = seg_buffs[0].buffer; if (!crop_buff) - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); else { prev_cropsize = seg_buffs[0].size; if (prev_cropsize < cropsize) { - next_buff = _TIFFrealloc(crop_buff, cropsize); + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); if (! next_buff) { _TIFFfree (crop_buff); - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); } else crop_buff = next_buff; @@ -7434,7 +7490,7 @@ return (-1); } - _TIFFmemset(crop_buff, 0, cropsize); + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); seg_buffs[0].buffer = crop_buff; seg_buffs[0].size = cropsize; @@ -7513,17 +7569,17 @@ cropsize = crop->bufftotal; crop_buff = seg_buffs[i].buffer; if (!crop_buff) - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); else { prev_cropsize = seg_buffs[0].size; if (prev_cropsize < cropsize) { - next_buff = _TIFFrealloc(crop_buff, cropsize); + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); if (! next_buff) { _TIFFfree (crop_buff); - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); } else crop_buff = next_buff; @@ -7536,7 +7592,7 @@ return (-1); } - _TIFFmemset(crop_buff, 0, cropsize); + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); seg_buffs[i].buffer = crop_buff; seg_buffs[i].size = cropsize; @@ -7649,32 +7705,36 @@ crop_buff = *crop_buff_ptr; if (!crop_buff) { - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); - *crop_buff_ptr = crop_buff; - _TIFFmemset(crop_buff, 0, cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!crop_buff) + { + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); prev_cropsize = cropsize; } else { if (prev_cropsize < cropsize) { - new_buff = _TIFFrealloc(crop_buff, cropsize); + new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); if (!new_buff) { free (crop_buff); - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); } else crop_buff = new_buff; - _TIFFmemset(crop_buff, 0, cropsize); - } - } - if (!crop_buff) { TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); return (-1); } + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + *crop_buff_ptr = crop_buff; if (crop->crop_mode & CROP_INVERT) @@ -7969,13 +8029,13 @@ if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { - int inknameslen = strlen(inknames) + 1; + int inknameslen = (int)strlen(inknames) + 1; const char* cp = inknames; while (ninks > 1) { cp = strchr(cp, '\0'); if (cp) { cp++; - inknameslen += (strlen(cp) + 1); + inknameslen += ((int)strlen(cp) + 1); } ninks--; } @@ -8360,13 +8420,13 @@ } else /* If we have a full buffer's worth, write it out */ { - bytebuff1 = (buff2 >> 56); + bytebuff1 = (uint8_t)(buff2 >> 56); *dst++ = bytebuff1; - bytebuff2 = (buff2 >> 48); + bytebuff2 = (uint8_t)(buff2 >> 48); *dst++ = bytebuff2; - bytebuff3 = (buff2 >> 40); + bytebuff3 = (uint8_t)(buff2 >> 40); *dst++ = bytebuff3; - bytebuff4 = (buff2 >> 32); + bytebuff4 = (uint8_t)(buff2 >> 32); *dst++ = bytebuff4; ready_bits -= 32; @@ -8435,12 +8495,13 @@ return (-1); } - if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize))) + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ + if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) { - TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); + TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); return (-1); } - _TIFFmemset(rbuff, '\0', buffsize); + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); ibuff = *ibuff_ptr; switch (rotation) @@ -8968,13 +9029,13 @@ } else /* If we have a full buffer's worth, write it out */ { - bytebuff1 = (buff2 >> 56); + bytebuff1 = (uint8_t)(buff2 >> 56); *dst++ = bytebuff1; - bytebuff2 = (buff2 >> 48); + bytebuff2 = (uint8_t)(buff2 >> 48); *dst++ = bytebuff2; - bytebuff3 = (buff2 >> 40); + bytebuff3 = (uint8_t)(buff2 >> 40); *dst++ = bytebuff3; - bytebuff4 = (buff2 >> 32); + bytebuff4 = (uint8_t)(buff2 >> 32); *dst++ = bytebuff4; ready_bits -= 32; @@ -9065,12 +9126,13 @@ { case MIRROR_BOTH: case MIRROR_VERT: - line_buff = (unsigned char *)_TIFFmalloc(rowsize); + line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); if (line_buff == NULL) { - TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); + TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); return (-1); } + _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); dst = ibuff + (rowsize * (length - 1)); for (row = 0; row < length / 2; row++) @@ -9101,11 +9163,12 @@ } else { /* non 8 bit per sample data */ - if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1))) + if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) { TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); return (-1); } + _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); bytes_per_sample = (bps + 7) / 8; bytes_per_pixel = ((bps * spp) + 7) / 8; if (bytes_per_pixel < (bytes_per_sample + 1)) @@ -9117,7 +9180,7 @@ { row_offset = row * rowsize; src = ibuff + row_offset; - _TIFFmemset (line_buff, '\0', rowsize); + _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); switch (shift_width) { case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
