1 /*
2  * Copyright (c) 1988-1997 Sam Leffler
3  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4  *
5  * Permission to use, copy, modify, distribute, and sell this software and
6  * its documentation for any purpose is hereby granted without fee, provided
7  * that (i) the above copyright notices and this permission notice appear in
8  * all copies of the software and related documentation, and (ii) the names of
9  * Sam Leffler and Silicon Graphics may not be used in any advertising or
10  * publicity relating to the software without the specific, prior written
11  * permission of Sam Leffler and Silicon Graphics.
12  *
13  * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14  * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15  * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16  *
17  * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18  * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19  * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20  * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22  * OF THIS SOFTWARE.
23  */
24 
25 /*
26  * TIFF Library.
27  *
28  * Directory Tag Get & Set Routines.
29  * (and also some miscellaneous stuff)
30  */
31 #include "tiffiop.h"
32 #include <float.h> /*--: for Rational2Double */
33 #include <limits.h>
34 
35 /*
36  * These are used in the backwards compatibility code...
37  */
38 #define DATATYPE_VOID 0   /* !untyped data */
39 #define DATATYPE_INT 1    /* !signed integer data */
40 #define DATATYPE_UINT 2   /* !unsigned integer data */
41 #define DATATYPE_IEEEFP 3 /* !IEEE floating point data */
42 
setByteArray(TIFF * tif,void ** vpp,const void * vp,size_t nmemb,size_t elem_size)43 static void setByteArray(TIFF *tif, void **vpp, const void *vp, size_t nmemb,
44                          size_t elem_size)
45 {
46     if (*vpp)
47     {
48         _TIFFfreeExt(tif, *vpp);
49         *vpp = 0;
50     }
51     if (vp)
52     {
53         tmsize_t bytes = _TIFFMultiplySSize(NULL, nmemb, elem_size, NULL);
54         if (bytes)
55             *vpp = (void *)_TIFFmallocExt(tif, bytes);
56         if (*vpp)
57             _TIFFmemcpy(*vpp, vp, bytes);
58     }
59 }
_TIFFsetByteArray(void ** vpp,const void * vp,uint32_t n)60 void _TIFFsetByteArray(void **vpp, const void *vp, uint32_t n)
61 {
62     setByteArray(NULL, vpp, vp, n, 1);
63 }
_TIFFsetByteArrayExt(TIFF * tif,void ** vpp,const void * vp,uint32_t n)64 void _TIFFsetByteArrayExt(TIFF *tif, void **vpp, const void *vp, uint32_t n)
65 {
66     setByteArray(tif, vpp, vp, n, 1);
67 }
68 
_TIFFsetNString(TIFF * tif,char ** cpp,const char * cp,uint32_t n)69 static void _TIFFsetNString(TIFF *tif, char **cpp, const char *cp, uint32_t n)
70 {
71     setByteArray(tif, (void **)cpp, cp, n, 1);
72 }
73 
_TIFFsetShortArray(uint16_t ** wpp,const uint16_t * wp,uint32_t n)74 void _TIFFsetShortArray(uint16_t **wpp, const uint16_t *wp, uint32_t n)
75 {
76     setByteArray(NULL, (void **)wpp, wp, n, sizeof(uint16_t));
77 }
_TIFFsetShortArrayExt(TIFF * tif,uint16_t ** wpp,const uint16_t * wp,uint32_t n)78 void _TIFFsetShortArrayExt(TIFF *tif, uint16_t **wpp, const uint16_t *wp,
79                            uint32_t n)
80 {
81     setByteArray(tif, (void **)wpp, wp, n, sizeof(uint16_t));
82 }
83 
_TIFFsetLongArray(uint32_t ** lpp,const uint32_t * lp,uint32_t n)84 void _TIFFsetLongArray(uint32_t **lpp, const uint32_t *lp, uint32_t n)
85 {
86     setByteArray(NULL, (void **)lpp, lp, n, sizeof(uint32_t));
87 }
_TIFFsetLongArrayExt(TIFF * tif,uint32_t ** lpp,const uint32_t * lp,uint32_t n)88 void _TIFFsetLongArrayExt(TIFF *tif, uint32_t **lpp, const uint32_t *lp,
89                           uint32_t n)
90 {
91     setByteArray(tif, (void **)lpp, lp, n, sizeof(uint32_t));
92 }
93 
_TIFFsetLong8Array(TIFF * tif,uint64_t ** lpp,const uint64_t * lp,uint32_t n)94 static void _TIFFsetLong8Array(TIFF *tif, uint64_t **lpp, const uint64_t *lp,
95                                uint32_t n)
96 {
97     setByteArray(tif, (void **)lpp, lp, n, sizeof(uint64_t));
98 }
99 
_TIFFsetFloatArray(float ** fpp,const float * fp,uint32_t n)100 void _TIFFsetFloatArray(float **fpp, const float *fp, uint32_t n)
101 {
102     setByteArray(NULL, (void **)fpp, fp, n, sizeof(float));
103 }
_TIFFsetFloatArrayExt(TIFF * tif,float ** fpp,const float * fp,uint32_t n)104 void _TIFFsetFloatArrayExt(TIFF *tif, float **fpp, const float *fp, uint32_t n)
105 {
106     setByteArray(tif, (void **)fpp, fp, n, sizeof(float));
107 }
108 
_TIFFsetDoubleArray(double ** dpp,const double * dp,uint32_t n)109 void _TIFFsetDoubleArray(double **dpp, const double *dp, uint32_t n)
110 {
111     setByteArray(NULL, (void **)dpp, dp, n, sizeof(double));
112 }
_TIFFsetDoubleArrayExt(TIFF * tif,double ** dpp,const double * dp,uint32_t n)113 void _TIFFsetDoubleArrayExt(TIFF *tif, double **dpp, const double *dp,
114                             uint32_t n)
115 {
116     setByteArray(tif, (void **)dpp, dp, n, sizeof(double));
117 }
118 
setDoubleArrayOneValue(TIFF * tif,double ** vpp,double value,size_t nmemb)119 static void setDoubleArrayOneValue(TIFF *tif, double **vpp, double value,
120                                    size_t nmemb)
121 {
122     if (*vpp)
123         _TIFFfreeExt(tif, *vpp);
124     *vpp = _TIFFmallocExt(tif, nmemb * sizeof(double));
125     if (*vpp)
126     {
127         while (nmemb--)
128             ((double *)*vpp)[nmemb] = value;
129     }
130 }
131 
132 /*
133  * Install extra samples information.
134  */
setExtraSamples(TIFF * tif,va_list ap,uint32_t * v)135 static int setExtraSamples(TIFF *tif, va_list ap, uint32_t *v)
136 {
137 /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
138 #define EXTRASAMPLE_COREL_UNASSALPHA 999
139 
140     uint16_t *va;
141     uint32_t i;
142     TIFFDirectory *td = &tif->tif_dir;
143     static const char module[] = "setExtraSamples";
144 
145     *v = (uint16_t)va_arg(ap, uint16_vap);
146     if ((uint16_t)*v > td->td_samplesperpixel)
147         return 0;
148     va = va_arg(ap, uint16_t *);
149     if (*v > 0 && va == NULL) /* typically missing param */
150         return 0;
151     for (i = 0; i < *v; i++)
152     {
153         if (va[i] > EXTRASAMPLE_UNASSALPHA)
154         {
155             /*
156              * XXX: Corel Draw is known to produce incorrect
157              * ExtraSamples tags which must be patched here if we
158              * want to be able to open some of the damaged TIFF
159              * files:
160              */
161             if (va[i] == EXTRASAMPLE_COREL_UNASSALPHA)
162                 va[i] = EXTRASAMPLE_UNASSALPHA;
163             else
164                 return 0;
165         }
166     }
167 
168     if (td->td_transferfunction[0] != NULL &&
169         (td->td_samplesperpixel - *v > 1) &&
170         !(td->td_samplesperpixel - td->td_extrasamples > 1))
171     {
172         TIFFWarningExtR(tif, module,
173                         "ExtraSamples tag value is changing, "
174                         "but TransferFunction was read with a different value. "
175                         "Canceling it");
176         TIFFClrFieldBit(tif, FIELD_TRANSFERFUNCTION);
177         _TIFFfreeExt(tif, td->td_transferfunction[0]);
178         td->td_transferfunction[0] = NULL;
179     }
180 
181     td->td_extrasamples = (uint16_t)*v;
182     _TIFFsetShortArrayExt(tif, &td->td_sampleinfo, va, td->td_extrasamples);
183     return 1;
184 
185 #undef EXTRASAMPLE_COREL_UNASSALPHA
186 }
187 
188 /*
189  * Count ink names separated by \0.  Returns
190  * zero if the ink names are not as expected.
191  */
countInkNamesString(TIFF * tif,uint32_t slen,const char * s)192 static uint16_t countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
193 {
194     uint16_t i = 0;
195     const char *ep = s + slen;
196     const char *cp = s;
197 
198     if (slen > 0)
199     {
200         do
201         {
202             for (; cp < ep && *cp != '\0'; cp++)
203             {
204             }
205             if (cp >= ep)
206                 goto bad;
207             cp++; /* skip \0 */
208             i++;
209         } while (cp < ep);
210         return (i);
211     }
212 bad:
213     TIFFErrorExtR(tif, "TIFFSetField",
214                   "%s: Invalid InkNames value; no NUL at given buffer end "
215                   "location %" PRIu32 ", after %" PRIu16 " ink",
216                   tif->tif_name, slen, i);
217     return (0);
218 }
219 
_TIFFVSetField(TIFF * tif,uint32_t tag,va_list ap)220 static int _TIFFVSetField(TIFF *tif, uint32_t tag, va_list ap)
221 {
222     static const char module[] = "_TIFFVSetField";
223 
224     TIFFDirectory *td = &tif->tif_dir;
225     int status = 1;
226     uint32_t v32, v;
227     double dblval;
228     char *s;
229     const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
230     uint32_t standard_tag = tag;
231     if (fip == NULL) /* cannot happen since OkToChangeTag() already checks it */
232         return 0;
233     /*
234      * We want to force the custom code to be used for custom
235      * fields even if the tag happens to match a well known
236      * one - important for reinterpreted handling of standard
237      * tag values in custom directories (i.e. EXIF)
238      */
239     if (fip->field_bit == FIELD_CUSTOM)
240     {
241         standard_tag = 0;
242     }
243 
244     switch (standard_tag)
245     {
246         case TIFFTAG_SUBFILETYPE:
247             td->td_subfiletype = (uint32_t)va_arg(ap, uint32_t);
248             break;
249         case TIFFTAG_IMAGEWIDTH:
250             td->td_imagewidth = (uint32_t)va_arg(ap, uint32_t);
251             break;
252         case TIFFTAG_IMAGELENGTH:
253             td->td_imagelength = (uint32_t)va_arg(ap, uint32_t);
254             break;
255         case TIFFTAG_BITSPERSAMPLE:
256             td->td_bitspersample = (uint16_t)va_arg(ap, uint16_vap);
257             /*
258              * If the data require post-decoding processing to byte-swap
259              * samples, set it up here.  Note that since tags are required
260              * to be ordered, compression code can override this behavior
261              * in the setup method if it wants to roll the post decoding
262              * work in with its normal work.
263              */
264             if (tif->tif_flags & TIFF_SWAB)
265             {
266                 if (td->td_bitspersample == 8)
267                     tif->tif_postdecode = _TIFFNoPostDecode;
268                 else if (td->td_bitspersample == 16)
269                     tif->tif_postdecode = _TIFFSwab16BitData;
270                 else if (td->td_bitspersample == 24)
271                     tif->tif_postdecode = _TIFFSwab24BitData;
272                 else if (td->td_bitspersample == 32)
273                     tif->tif_postdecode = _TIFFSwab32BitData;
274                 else if (td->td_bitspersample == 64)
275                     tif->tif_postdecode = _TIFFSwab64BitData;
276                 else if (td->td_bitspersample == 128) /* two 64's */
277                     tif->tif_postdecode = _TIFFSwab64BitData;
278             }
279             break;
280         case TIFFTAG_COMPRESSION:
281             v = (uint16_t)va_arg(ap, uint16_vap);
282             /*
283              * If we're changing the compression scheme, notify the
284              * previous module so that it can cleanup any state it's
285              * setup.
286              */
287             if (TIFFFieldSet(tif, FIELD_COMPRESSION))
288             {
289                 if ((uint32_t)td->td_compression == v)
290                     break;
291                 (*tif->tif_cleanup)(tif);
292                 tif->tif_flags &= ~TIFF_CODERSETUP;
293             }
294             /*
295              * Setup new compression routine state.
296              */
297             if ((status = TIFFSetCompressionScheme(tif, v)) != 0)
298                 td->td_compression = (uint16_t)v;
299             else
300                 status = 0;
301             break;
302         case TIFFTAG_PHOTOMETRIC:
303             td->td_photometric = (uint16_t)va_arg(ap, uint16_vap);
304             break;
305         case TIFFTAG_THRESHHOLDING:
306             td->td_threshholding = (uint16_t)va_arg(ap, uint16_vap);
307             break;
308         case TIFFTAG_FILLORDER:
309             v = (uint16_t)va_arg(ap, uint16_vap);
310             if (v != FILLORDER_LSB2MSB && v != FILLORDER_MSB2LSB)
311                 goto badvalue;
312             td->td_fillorder = (uint16_t)v;
313             break;
314         case TIFFTAG_ORIENTATION:
315             v = (uint16_t)va_arg(ap, uint16_vap);
316             if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v)
317                 goto badvalue;
318             else
319                 td->td_orientation = (uint16_t)v;
320             break;
321         case TIFFTAG_SAMPLESPERPIXEL:
322             v = (uint16_t)va_arg(ap, uint16_vap);
323             if (v == 0)
324                 goto badvalue;
325             if (v != td->td_samplesperpixel)
326             {
327                 /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
328                 if (td->td_sminsamplevalue != NULL)
329                 {
330                     TIFFWarningExtR(tif, module,
331                                     "SamplesPerPixel tag value is changing, "
332                                     "but SMinSampleValue tag was read with a "
333                                     "different value. Canceling it");
334                     TIFFClrFieldBit(tif, FIELD_SMINSAMPLEVALUE);
335                     _TIFFfreeExt(tif, td->td_sminsamplevalue);
336                     td->td_sminsamplevalue = NULL;
337                 }
338                 if (td->td_smaxsamplevalue != NULL)
339                 {
340                     TIFFWarningExtR(tif, module,
341                                     "SamplesPerPixel tag value is changing, "
342                                     "but SMaxSampleValue tag was read with a "
343                                     "different value. Canceling it");
344                     TIFFClrFieldBit(tif, FIELD_SMAXSAMPLEVALUE);
345                     _TIFFfreeExt(tif, td->td_smaxsamplevalue);
346                     td->td_smaxsamplevalue = NULL;
347                 }
348                 /* Test if 3 transfer functions instead of just one are now
349                    needed See http://bugzilla.maptools.org/show_bug.cgi?id=2820
350                  */
351                 if (td->td_transferfunction[0] != NULL &&
352                     (v - td->td_extrasamples > 1) &&
353                     !(td->td_samplesperpixel - td->td_extrasamples > 1))
354                 {
355                     TIFFWarningExtR(tif, module,
356                                     "SamplesPerPixel tag value is changing, "
357                                     "but TransferFunction was read with a "
358                                     "different value. Canceling it");
359                     TIFFClrFieldBit(tif, FIELD_TRANSFERFUNCTION);
360                     _TIFFfreeExt(tif, td->td_transferfunction[0]);
361                     td->td_transferfunction[0] = NULL;
362                 }
363             }
364             td->td_samplesperpixel = (uint16_t)v;
365             break;
366         case TIFFTAG_ROWSPERSTRIP:
367             v32 = (uint32_t)va_arg(ap, uint32_t);
368             if (v32 == 0)
369                 goto badvalue32;
370             td->td_rowsperstrip = v32;
371             if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS))
372             {
373                 td->td_tilelength = v32;
374                 td->td_tilewidth = td->td_imagewidth;
375             }
376             break;
377         case TIFFTAG_MINSAMPLEVALUE:
378             td->td_minsamplevalue = (uint16_t)va_arg(ap, uint16_vap);
379             break;
380         case TIFFTAG_MAXSAMPLEVALUE:
381             td->td_maxsamplevalue = (uint16_t)va_arg(ap, uint16_vap);
382             break;
383         case TIFFTAG_SMINSAMPLEVALUE:
384             if (tif->tif_flags & TIFF_PERSAMPLE)
385                 _TIFFsetDoubleArrayExt(tif, &td->td_sminsamplevalue,
386                                        va_arg(ap, double *),
387                                        td->td_samplesperpixel);
388             else
389                 setDoubleArrayOneValue(tif, &td->td_sminsamplevalue,
390                                        va_arg(ap, double),
391                                        td->td_samplesperpixel);
392             break;
393         case TIFFTAG_SMAXSAMPLEVALUE:
394             if (tif->tif_flags & TIFF_PERSAMPLE)
395                 _TIFFsetDoubleArrayExt(tif, &td->td_smaxsamplevalue,
396                                        va_arg(ap, double *),
397                                        td->td_samplesperpixel);
398             else
399                 setDoubleArrayOneValue(tif, &td->td_smaxsamplevalue,
400                                        va_arg(ap, double),
401                                        td->td_samplesperpixel);
402             break;
403         case TIFFTAG_XRESOLUTION:
404             dblval = va_arg(ap, double);
405             if (dblval != dblval || dblval < 0)
406                 goto badvaluedouble;
407             td->td_xresolution = _TIFFClampDoubleToFloat(dblval);
408             break;
409         case TIFFTAG_YRESOLUTION:
410             dblval = va_arg(ap, double);
411             if (dblval != dblval || dblval < 0)
412                 goto badvaluedouble;
413             td->td_yresolution = _TIFFClampDoubleToFloat(dblval);
414             break;
415         case TIFFTAG_PLANARCONFIG:
416             v = (uint16_t)va_arg(ap, uint16_vap);
417             if (v != PLANARCONFIG_CONTIG && v != PLANARCONFIG_SEPARATE)
418                 goto badvalue;
419             td->td_planarconfig = (uint16_t)v;
420             break;
421         case TIFFTAG_XPOSITION:
422             td->td_xposition = _TIFFClampDoubleToFloat(va_arg(ap, double));
423             break;
424         case TIFFTAG_YPOSITION:
425             td->td_yposition = _TIFFClampDoubleToFloat(va_arg(ap, double));
426             break;
427         case TIFFTAG_RESOLUTIONUNIT:
428             v = (uint16_t)va_arg(ap, uint16_vap);
429             if (v < RESUNIT_NONE || RESUNIT_CENTIMETER < v)
430                 goto badvalue;
431             td->td_resolutionunit = (uint16_t)v;
432             break;
433         case TIFFTAG_PAGENUMBER:
434             td->td_pagenumber[0] = (uint16_t)va_arg(ap, uint16_vap);
435             td->td_pagenumber[1] = (uint16_t)va_arg(ap, uint16_vap);
436             break;
437         case TIFFTAG_HALFTONEHINTS:
438             td->td_halftonehints[0] = (uint16_t)va_arg(ap, uint16_vap);
439             td->td_halftonehints[1] = (uint16_t)va_arg(ap, uint16_vap);
440             break;
441         case TIFFTAG_COLORMAP:
442             v32 = (uint32_t)(1L << td->td_bitspersample);
443             _TIFFsetShortArrayExt(tif, &td->td_colormap[0],
444                                   va_arg(ap, uint16_t *), v32);
445             _TIFFsetShortArrayExt(tif, &td->td_colormap[1],
446                                   va_arg(ap, uint16_t *), v32);
447             _TIFFsetShortArrayExt(tif, &td->td_colormap[2],
448                                   va_arg(ap, uint16_t *), v32);
449             break;
450         case TIFFTAG_EXTRASAMPLES:
451             if (!setExtraSamples(tif, ap, &v))
452                 goto badvalue;
453             break;
454         case TIFFTAG_MATTEING:
455             td->td_extrasamples = (((uint16_t)va_arg(ap, uint16_vap)) != 0);
456             if (td->td_extrasamples)
457             {
458                 uint16_t sv = EXTRASAMPLE_ASSOCALPHA;
459                 _TIFFsetShortArrayExt(tif, &td->td_sampleinfo, &sv, 1);
460             }
461             break;
462         case TIFFTAG_TILEWIDTH:
463             v32 = (uint32_t)va_arg(ap, uint32_t);
464             if (v32 % 16)
465             {
466                 if (tif->tif_mode != O_RDONLY)
467                     goto badvalue32;
468                 TIFFWarningExtR(
469                     tif, tif->tif_name,
470                     "Nonstandard tile width %" PRIu32 ", convert file", v32);
471             }
472             td->td_tilewidth = v32;
473             tif->tif_flags |= TIFF_ISTILED;
474             break;
475         case TIFFTAG_TILELENGTH:
476             v32 = (uint32_t)va_arg(ap, uint32_t);
477             if (v32 % 16)
478             {
479                 if (tif->tif_mode != O_RDONLY)
480                     goto badvalue32;
481                 TIFFWarningExtR(
482                     tif, tif->tif_name,
483                     "Nonstandard tile length %" PRIu32 ", convert file", v32);
484             }
485             td->td_tilelength = v32;
486             tif->tif_flags |= TIFF_ISTILED;
487             break;
488         case TIFFTAG_TILEDEPTH:
489             v32 = (uint32_t)va_arg(ap, uint32_t);
490             if (v32 == 0)
491                 goto badvalue32;
492             td->td_tiledepth = v32;
493             break;
494         case TIFFTAG_DATATYPE:
495             v = (uint16_t)va_arg(ap, uint16_vap);
496             switch (v)
497             {
498                 case DATATYPE_VOID:
499                     v = SAMPLEFORMAT_VOID;
500                     break;
501                 case DATATYPE_INT:
502                     v = SAMPLEFORMAT_INT;
503                     break;
504                 case DATATYPE_UINT:
505                     v = SAMPLEFORMAT_UINT;
506                     break;
507                 case DATATYPE_IEEEFP:
508                     v = SAMPLEFORMAT_IEEEFP;
509                     break;
510                 default:
511                     goto badvalue;
512             }
513             td->td_sampleformat = (uint16_t)v;
514             break;
515         case TIFFTAG_SAMPLEFORMAT:
516             v = (uint16_t)va_arg(ap, uint16_vap);
517             if (v < SAMPLEFORMAT_UINT || SAMPLEFORMAT_COMPLEXIEEEFP < v)
518                 goto badvalue;
519             td->td_sampleformat = (uint16_t)v;
520 
521             /*  Try to fix up the SWAB function for complex data. */
522             if (td->td_sampleformat == SAMPLEFORMAT_COMPLEXINT &&
523                 td->td_bitspersample == 32 &&
524                 tif->tif_postdecode == _TIFFSwab32BitData)
525                 tif->tif_postdecode = _TIFFSwab16BitData;
526             else if ((td->td_sampleformat == SAMPLEFORMAT_COMPLEXINT ||
527                       td->td_sampleformat == SAMPLEFORMAT_COMPLEXIEEEFP) &&
528                      td->td_bitspersample == 64 &&
529                      tif->tif_postdecode == _TIFFSwab64BitData)
530                 tif->tif_postdecode = _TIFFSwab32BitData;
531             break;
532         case TIFFTAG_IMAGEDEPTH:
533             td->td_imagedepth = (uint32_t)va_arg(ap, uint32_t);
534             break;
535         case TIFFTAG_SUBIFD:
536             if ((tif->tif_flags & TIFF_INSUBIFD) == 0)
537             {
538                 td->td_nsubifd = (uint16_t)va_arg(ap, uint16_vap);
539                 _TIFFsetLong8Array(tif, &td->td_subifd,
540                                    (uint64_t *)va_arg(ap, uint64_t *),
541                                    (uint32_t)td->td_nsubifd);
542             }
543             else
544             {
545                 TIFFErrorExtR(tif, module, "%s: Sorry, cannot nest SubIFDs",
546                               tif->tif_name);
547                 status = 0;
548             }
549             break;
550         case TIFFTAG_YCBCRPOSITIONING:
551             td->td_ycbcrpositioning = (uint16_t)va_arg(ap, uint16_vap);
552             break;
553         case TIFFTAG_YCBCRSUBSAMPLING:
554             td->td_ycbcrsubsampling[0] = (uint16_t)va_arg(ap, uint16_vap);
555             td->td_ycbcrsubsampling[1] = (uint16_t)va_arg(ap, uint16_vap);
556             break;
557         case TIFFTAG_TRANSFERFUNCTION:
558         {
559             uint32_t i;
560             v = (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1;
561             for (i = 0; i < v; i++)
562                 _TIFFsetShortArrayExt(tif, &td->td_transferfunction[i],
563                                       va_arg(ap, uint16_t *),
564                                       1U << td->td_bitspersample);
565             break;
566         }
567         case TIFFTAG_REFERENCEBLACKWHITE:
568             /* XXX should check for null range */
569             _TIFFsetFloatArrayExt(tif, &td->td_refblackwhite,
570                                   va_arg(ap, float *), 6);
571             break;
572         case TIFFTAG_INKNAMES:
573         {
574             v = (uint16_t)va_arg(ap, uint16_vap);
575             s = va_arg(ap, char *);
576             uint16_t ninksinstring;
577             ninksinstring = countInkNamesString(tif, v, s);
578             status = ninksinstring > 0;
579             if (ninksinstring > 0)
580             {
581                 _TIFFsetNString(tif, &td->td_inknames, s, v);
582                 td->td_inknameslen = v;
583                 /* Set NumberOfInks to the value ninksinstring */
584                 if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
585                 {
586                     if (td->td_numberofinks != ninksinstring)
587                     {
588                         TIFFErrorExtR(
589                             tif, module,
590                             "Warning %s; Tag %s:\n  Value %" PRIu16
591                             " of NumberOfInks is different from the number of "
592                             "inks %" PRIu16
593                             ".\n  -> NumberOfInks value adapted to %" PRIu16 "",
594                             tif->tif_name, fip->field_name, td->td_numberofinks,
595                             ninksinstring, ninksinstring);
596                         td->td_numberofinks = ninksinstring;
597                     }
598                 }
599                 else
600                 {
601                     td->td_numberofinks = ninksinstring;
602                     TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
603                 }
604                 if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
605                 {
606                     if (td->td_numberofinks != td->td_samplesperpixel)
607                     {
608                         TIFFErrorExtR(tif, module,
609                                       "Warning %s; Tag %s:\n  Value %" PRIu16
610                                       " of NumberOfInks is different from the "
611                                       "SamplesPerPixel value %" PRIu16 "",
612                                       tif->tif_name, fip->field_name,
613                                       td->td_numberofinks,
614                                       td->td_samplesperpixel);
615                     }
616                 }
617             }
618         }
619         break;
620         case TIFFTAG_NUMBEROFINKS:
621             v = (uint16_t)va_arg(ap, uint16_vap);
622             /* If InkNames already set also NumberOfInks is set accordingly and
623              * should be equal */
624             if (TIFFFieldSet(tif, FIELD_INKNAMES))
625             {
626                 if (v != td->td_numberofinks)
627                 {
628                     TIFFErrorExtR(
629                         tif, module,
630                         "Error %s; Tag %s:\n  It is not possible to set the "
631                         "value %" PRIu32
632                         " for NumberOfInks\n  which is different from the "
633                         "number of inks in the InkNames tag (%" PRIu16 ")",
634                         tif->tif_name, fip->field_name, v, td->td_numberofinks);
635                     /* Do not set / overwrite number of inks already set by
636                      * InkNames case accordingly. */
637                     status = 0;
638                 }
639             }
640             else
641             {
642                 td->td_numberofinks = (uint16_t)v;
643                 if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
644                 {
645                     if (td->td_numberofinks != td->td_samplesperpixel)
646                     {
647                         TIFFErrorExtR(tif, module,
648                                       "Warning %s; Tag %s:\n  Value %" PRIu32
649                                       " of NumberOfInks is different from the "
650                                       "SamplesPerPixel value %" PRIu16 "",
651                                       tif->tif_name, fip->field_name, v,
652                                       td->td_samplesperpixel);
653                     }
654                 }
655             }
656             break;
657         case TIFFTAG_PERSAMPLE:
658             v = (uint16_t)va_arg(ap, uint16_vap);
659             if (v == PERSAMPLE_MULTI)
660                 tif->tif_flags |= TIFF_PERSAMPLE;
661             else
662                 tif->tif_flags &= ~TIFF_PERSAMPLE;
663             break;
664         default:
665         {
666             TIFFTagValue *tv;
667             int tv_size, iCustom;
668 
669             /*
670              * This can happen if multiple images are open with different
671              * codecs which have private tags.  The global tag information
672              * table may then have tags that are valid for one file but not
673              * the other. If the client tries to set a tag that is not valid
674              * for the image's codec then we'll arrive here.  This
675              * happens, for example, when tiffcp is used to convert between
676              * compression schemes and codec-specific tags are blindly copied.
677              *
678              * This also happens when a FIELD_IGNORE tag is written.
679              */
680             if (fip->field_bit == FIELD_IGNORE)
681             {
682                 TIFFErrorExtR(
683                     tif, module,
684                     "%s: Ignored %stag \"%s\" (not supported by libtiff)",
685                     tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
686                     fip->field_name);
687                 status = 0;
688                 break;
689             }
690             if (fip->field_bit != FIELD_CUSTOM)
691             {
692                 TIFFErrorExtR(
693                     tif, module,
694                     "%s: Invalid %stag \"%s\" (not supported by codec)",
695                     tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
696                     fip->field_name);
697                 status = 0;
698                 break;
699             }
700 
701             /*
702              * Find the existing entry for this custom value.
703              */
704             tv = NULL;
705             for (iCustom = 0; iCustom < td->td_customValueCount; iCustom++)
706             {
707                 if (td->td_customValues[iCustom].info->field_tag == tag)
708                 {
709                     tv = td->td_customValues + iCustom;
710                     if (tv->value != NULL)
711                     {
712                         _TIFFfreeExt(tif, tv->value);
713                         tv->value = NULL;
714                     }
715                     break;
716                 }
717             }
718 
719             /*
720              * Grow the custom list if the entry was not found.
721              */
722             if (tv == NULL)
723             {
724                 TIFFTagValue *new_customValues;
725 
726                 td->td_customValueCount++;
727                 new_customValues = (TIFFTagValue *)_TIFFreallocExt(
728                     tif, td->td_customValues,
729                     sizeof(TIFFTagValue) * td->td_customValueCount);
730                 if (!new_customValues)
731                 {
732                     TIFFErrorExtR(tif, module,
733                                   "%s: Failed to allocate space for list of "
734                                   "custom values",
735                                   tif->tif_name);
736                     status = 0;
737                     goto end;
738                 }
739 
740                 td->td_customValues = new_customValues;
741 
742                 tv = td->td_customValues + (td->td_customValueCount - 1);
743                 tv->info = fip;
744                 tv->value = NULL;
745                 tv->count = 0;
746             }
747 
748             /*
749              * Set custom value ... save a copy of the custom tag value.
750              */
751             /*--: Rational2Double: For Rationals evaluate "set_field_type" to
752              * determine internal storage size. */
753             tv_size = TIFFFieldSetGetSize(fip);
754             if (tv_size == 0)
755             {
756                 status = 0;
757                 TIFFErrorExtR(tif, module, "%s: Bad field type %d for \"%s\"",
758                               tif->tif_name, fip->field_type, fip->field_name);
759                 goto end;
760             }
761 
762             if (fip->field_type == TIFF_ASCII)
763             {
764                 uint32_t ma;
765                 const char *mb;
766                 if (fip->field_passcount)
767                 {
768                     assert(fip->field_writecount == TIFF_VARIABLE2);
769                     ma = (uint32_t)va_arg(ap, uint32_t);
770                     mb = (const char *)va_arg(ap, const char *);
771                 }
772                 else
773                 {
774                     mb = (const char *)va_arg(ap, const char *);
775                     size_t len = strlen(mb) + 1;
776                     if (len >= 0x80000000U)
777                     {
778                         status = 0;
779                         TIFFErrorExtR(tif, module,
780                                       "%s: Too long string value for \"%s\". "
781                                       "Maximum supported is 2147483647 bytes",
782                                       tif->tif_name, fip->field_name);
783                         goto end;
784                     }
785                     ma = (uint32_t)len;
786                 }
787                 tv->count = ma;
788                 setByteArray(tif, &tv->value, mb, ma, 1);
789             }
790             else
791             {
792                 if (fip->field_passcount)
793                 {
794                     if (fip->field_writecount == TIFF_VARIABLE2)
795                         tv->count = (uint32_t)va_arg(ap, uint32_t);
796                     else
797                         tv->count = (int)va_arg(ap, int);
798                 }
799                 else if (fip->field_writecount == TIFF_VARIABLE ||
800                          fip->field_writecount == TIFF_VARIABLE2)
801                     tv->count = 1;
802                 else if (fip->field_writecount == TIFF_SPP)
803                     tv->count = td->td_samplesperpixel;
804                 else
805                     tv->count = fip->field_writecount;
806 
807                 if (tv->count == 0)
808                 {
809                     status = 0;
810                     TIFFErrorExtR(tif, module,
811                                   "%s: Null count for \"%s\" (type "
812                                   "%d, writecount %d, passcount %d)",
813                                   tif->tif_name, fip->field_name,
814                                   fip->field_type, fip->field_writecount,
815                                   fip->field_passcount);
816                     goto end;
817                 }
818 
819                 tv->value = _TIFFCheckMalloc(tif, tv->count, tv_size,
820                                              "custom tag binary object");
821                 if (!tv->value)
822                 {
823                     status = 0;
824                     goto end;
825                 }
826 
827                 if (fip->field_tag == TIFFTAG_DOTRANGE &&
828                     strcmp(fip->field_name, "DotRange") == 0)
829                 {
830                     /* TODO: This is an evil exception and should not have been
831                        handled this way ... likely best if we move it into
832                        the directory structure with an explicit field in
833                        libtiff 4.1 and assign it a FIELD_ value */
834                     uint16_t v2[2];
835                     v2[0] = (uint16_t)va_arg(ap, int);
836                     v2[1] = (uint16_t)va_arg(ap, int);
837                     _TIFFmemcpy(tv->value, &v2, 4);
838                 }
839 
840                 else if (fip->field_passcount ||
841                          fip->field_writecount == TIFF_VARIABLE ||
842                          fip->field_writecount == TIFF_VARIABLE2 ||
843                          fip->field_writecount == TIFF_SPP || tv->count > 1)
844                 {
845                     /*--: Rational2Double: For Rationals tv_size is set above to
846                      * 4 or 8 according to fip->set_field_type! */
847                     _TIFFmemcpy(tv->value, va_arg(ap, void *),
848                                 tv->count * tv_size);
849                     /* Test here for too big values for LONG8, SLONG8 in
850                      * ClassicTIFF and delete custom field from custom list */
851                     if (!(tif->tif_flags & TIFF_BIGTIFF))
852                     {
853                         if (tv->info->field_type == TIFF_LONG8)
854                         {
855                             uint64_t *pui64 = (uint64_t *)tv->value;
856                             for (int i = 0; i < tv->count; i++)
857                             {
858                                 if (pui64[i] > 0xffffffffu)
859                                 {
860                                     TIFFErrorExtR(
861                                         tif, module,
862                                         "%s: Bad LONG8 value %" PRIu64
863                                         " at %d. array position for \"%s\" tag "
864                                         "%d in ClassicTIFF. Tag won't be "
865                                         "written to file",
866                                         tif->tif_name, pui64[i], i,
867                                         fip->field_name, tag);
868                                     goto badvalueifd8long8;
869                                 }
870                             }
871                         }
872                         else if (tv->info->field_type == TIFF_SLONG8)
873                         {
874                             int64_t *pi64 = (int64_t *)tv->value;
875                             for (int i = 0; i < tv->count; i++)
876                             {
877                                 if (pi64[i] > 2147483647 ||
878                                     pi64[i] < (-2147483647 - 1))
879                                 {
880                                     TIFFErrorExtR(
881                                         tif, module,
882                                         "%s: Bad SLONG8 value %" PRIi64
883                                         " at %d. array position for \"%s\" tag "
884                                         "%d in ClassicTIFF. Tag won't be "
885                                         "written to file",
886                                         tif->tif_name, pi64[i], i,
887                                         fip->field_name, tag);
888                                     goto badvalueifd8long8;
889                                 }
890                             }
891                         }
892                     }
893                 }
894                 else
895                 {
896                     char *val = (char *)tv->value;
897                     assert(tv->count == 1);
898 
899                     switch (fip->field_type)
900                     {
901                         case TIFF_BYTE:
902                         case TIFF_UNDEFINED:
903                         {
904                             uint8_t v2 = (uint8_t)va_arg(ap, int);
905                             _TIFFmemcpy(val, &v2, tv_size);
906                         }
907                         break;
908                         case TIFF_SBYTE:
909                         {
910                             int8_t v2 = (int8_t)va_arg(ap, int);
911                             _TIFFmemcpy(val, &v2, tv_size);
912                         }
913                         break;
914                         case TIFF_SHORT:
915                         {
916                             uint16_t v2 = (uint16_t)va_arg(ap, int);
917                             _TIFFmemcpy(val, &v2, tv_size);
918                         }
919                         break;
920                         case TIFF_SSHORT:
921                         {
922                             int16_t v2 = (int16_t)va_arg(ap, int);
923                             _TIFFmemcpy(val, &v2, tv_size);
924                         }
925                         break;
926                         case TIFF_LONG:
927                         case TIFF_IFD:
928                         {
929                             uint32_t v2 = va_arg(ap, uint32_t);
930                             _TIFFmemcpy(val, &v2, tv_size);
931                         }
932                         break;
933                         case TIFF_SLONG:
934                         {
935                             int32_t v2 = va_arg(ap, int32_t);
936                             _TIFFmemcpy(val, &v2, tv_size);
937                         }
938                         break;
939                         case TIFF_LONG8:
940                         case TIFF_IFD8:
941                         {
942                             uint64_t v2 = va_arg(ap, uint64_t);
943                             _TIFFmemcpy(val, &v2, tv_size);
944                             /* Test here for too big values for ClassicTIFF and
945                              * delete custom field from custom list */
946                             if (!(tif->tif_flags & TIFF_BIGTIFF) &&
947                                 (v2 > 0xffffffffu))
948                             {
949                                 TIFFErrorExtR(
950                                     tif, module,
951                                     "%s: Bad LONG8 or IFD8 value %" PRIu64
952                                     " for \"%s\" tag %d in ClassicTIFF. Tag "
953                                     "won't be written to file",
954                                     tif->tif_name, v2, fip->field_name, tag);
955                                 goto badvalueifd8long8;
956                             }
957                         }
958                         break;
959                         case TIFF_SLONG8:
960                         {
961                             int64_t v2 = va_arg(ap, int64_t);
962                             _TIFFmemcpy(val, &v2, tv_size);
963                             /* Test here for too big values for ClassicTIFF and
964                              * delete custom field from custom list */
965                             if (!(tif->tif_flags & TIFF_BIGTIFF) &&
966                                 ((v2 > 2147483647) || (v2 < (-2147483647 - 1))))
967                             {
968                                 TIFFErrorExtR(
969                                     tif, module,
970                                     "%s: Bad SLONG8 value %" PRIi64
971                                     " for \"%s\" tag %d in ClassicTIFF. Tag "
972                                     "won't be written to file",
973                                     tif->tif_name, v2, fip->field_name, tag);
974                                 goto badvalueifd8long8;
975                             }
976                         }
977                         break;
978                         case TIFF_RATIONAL:
979                         case TIFF_SRATIONAL:
980                             /*-- Rational2Double: For Rationals tv_size is set
981                              * above to 4 or 8 according to fip->set_field_type!
982                              */
983                             {
984                                 if (tv_size == 8)
985                                 {
986                                     double v2 = va_arg(ap, double);
987                                     _TIFFmemcpy(val, &v2, tv_size);
988                                 }
989                                 else
990                                 {
991                                     /*-- default should be tv_size == 4 */
992                                     float v3 = (float)va_arg(ap, double);
993                                     _TIFFmemcpy(val, &v3, tv_size);
994                                     /*-- ToDo: After Testing, this should be
995                                      * removed and tv_size==4 should be set as
996                                      * default. */
997                                     if (tv_size != 4)
998                                     {
999                                         TIFFErrorExtR(
1000                                             tif, module,
1001                                             "Rational2Double: .set_field_type "
1002                                             "in not 4 but %d",
1003                                             tv_size);
1004                                     }
1005                                 }
1006                             }
1007                             break;
1008                         case TIFF_FLOAT:
1009                         {
1010                             float v2 =
1011                                 _TIFFClampDoubleToFloat(va_arg(ap, double));
1012                             _TIFFmemcpy(val, &v2, tv_size);
1013                         }
1014                         break;
1015                         case TIFF_DOUBLE:
1016                         {
1017                             double v2 = va_arg(ap, double);
1018                             _TIFFmemcpy(val, &v2, tv_size);
1019                         }
1020                         break;
1021                         default:
1022                             _TIFFmemset(val, 0, tv_size);
1023                             status = 0;
1024                             break;
1025                     }
1026                 }
1027             }
1028         }
1029     }
1030     if (status)
1031     {
1032         const TIFFField *fip2 = TIFFFieldWithTag(tif, tag);
1033         if (fip2)
1034             TIFFSetFieldBit(tif, fip2->field_bit);
1035         tif->tif_flags |= TIFF_DIRTYDIRECT;
1036     }
1037 
1038 end:
1039     va_end(ap);
1040     return (status);
1041 badvalue:
1042 {
1043     const TIFFField *fip2 = TIFFFieldWithTag(tif, tag);
1044     TIFFErrorExtR(tif, module, "%s: Bad value %" PRIu32 " for \"%s\" tag",
1045                   tif->tif_name, v, fip2 ? fip2->field_name : "Unknown");
1046     va_end(ap);
1047 }
1048     return (0);
1049 badvalue32:
1050 {
1051     const TIFFField *fip2 = TIFFFieldWithTag(tif, tag);
1052     TIFFErrorExtR(tif, module, "%s: Bad value %" PRIu32 " for \"%s\" tag",
1053                   tif->tif_name, v32, fip2 ? fip2->field_name : "Unknown");
1054     va_end(ap);
1055 }
1056     return (0);
1057 badvaluedouble:
1058 {
1059     const TIFFField *fip2 = TIFFFieldWithTag(tif, tag);
1060     TIFFErrorExtR(tif, module, "%s: Bad value %f for \"%s\" tag", tif->tif_name,
1061                   dblval, fip2 ? fip2->field_name : "Unknown");
1062     va_end(ap);
1063 }
1064     return (0);
1065 badvalueifd8long8:
1066 {
1067     /* Error message issued already above. */
1068     TIFFTagValue *tv2 = NULL;
1069     int iCustom2, iC2;
1070     /* Find the existing entry for this custom value. */
1071     for (iCustom2 = 0; iCustom2 < td->td_customValueCount; iCustom2++)
1072     {
1073         if (td->td_customValues[iCustom2].info->field_tag == tag)
1074         {
1075             tv2 = td->td_customValues + (iCustom2);
1076             break;
1077         }
1078     }
1079     if (tv2 != NULL)
1080     {
1081         /* Remove custom field from custom list */
1082         if (tv2->value != NULL)
1083         {
1084             _TIFFfreeExt(tif, tv2->value);
1085             tv2->value = NULL;
1086         }
1087         /* Shorten list and close gap in customValues list.
1088          * Re-allocation of td_customValues not necessary here. */
1089         td->td_customValueCount--;
1090         for (iC2 = iCustom2; iC2 < td->td_customValueCount; iC2++)
1091         {
1092             td->td_customValues[iC2] = td->td_customValues[iC2 + 1];
1093         }
1094     }
1095     else
1096     {
1097         assert(0);
1098     }
1099     va_end(ap);
1100 }
1101     return (0);
1102 } /*-- _TIFFVSetField() --*/
1103 
1104 /*
1105  * Return 1/0 according to whether or not
1106  * it is permissible to set the tag's value.
1107  * Note that we allow ImageLength to be changed
1108  * so that we can append and extend to images.
1109  * Any other tag may not be altered once writing
1110  * has commenced, unless its value has no effect
1111  * on the format of the data that is written.
1112  */
OkToChangeTag(TIFF * tif,uint32_t tag)1113 static int OkToChangeTag(TIFF *tif, uint32_t tag)
1114 {
1115     const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
1116     if (!fip)
1117     { /* unknown tag */
1118         TIFFErrorExtR(tif, "TIFFSetField", "%s: Unknown %stag %" PRIu32,
1119                       tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", tag);
1120         return (0);
1121     }
1122     if (tag != TIFFTAG_IMAGELENGTH && (tif->tif_flags & TIFF_BEENWRITING) &&
1123         !fip->field_oktochange)
1124     {
1125         /*
1126          * Consult info table to see if tag can be changed
1127          * after we've started writing.  We only allow changes
1128          * to those tags that don't/shouldn't affect the
1129          * compression and/or format of the data.
1130          */
1131         TIFFErrorExtR(tif, "TIFFSetField",
1132                       "%s: Cannot modify tag \"%s\" while writing",
1133                       tif->tif_name, fip->field_name);
1134         return (0);
1135     }
1136     return (1);
1137 }
1138 
1139 /*
1140  * Record the value of a field in the
1141  * internal directory structure.  The
1142  * field will be written to the file
1143  * when/if the directory structure is
1144  * updated.
1145  */
TIFFSetField(TIFF * tif,uint32_t tag,...)1146 int TIFFSetField(TIFF *tif, uint32_t tag, ...)
1147 {
1148     va_list ap;
1149     int status;
1150 
1151     va_start(ap, tag);
1152     status = TIFFVSetField(tif, tag, ap);
1153     va_end(ap);
1154     return (status);
1155 }
1156 
1157 /*
1158  * Clear the contents of the field in the internal structure.
1159  */
TIFFUnsetField(TIFF * tif,uint32_t tag)1160 int TIFFUnsetField(TIFF *tif, uint32_t tag)
1161 {
1162     const TIFFField *fip = TIFFFieldWithTag(tif, tag);
1163     TIFFDirectory *td = &tif->tif_dir;
1164 
1165     if (!fip)
1166         return 0;
1167 
1168     if (fip->field_bit != FIELD_CUSTOM)
1169         TIFFClrFieldBit(tif, fip->field_bit);
1170     else
1171     {
1172         TIFFTagValue *tv = NULL;
1173         int i;
1174 
1175         for (i = 0; i < td->td_customValueCount; i++)
1176         {
1177 
1178             tv = td->td_customValues + i;
1179             if (tv->info->field_tag == tag)
1180                 break;
1181         }
1182 
1183         if (i < td->td_customValueCount)
1184         {
1185             _TIFFfreeExt(tif, tv->value);
1186             for (; i < td->td_customValueCount - 1; i++)
1187             {
1188                 td->td_customValues[i] = td->td_customValues[i + 1];
1189             }
1190             td->td_customValueCount--;
1191         }
1192     }
1193 
1194     tif->tif_flags |= TIFF_DIRTYDIRECT;
1195 
1196     return (1);
1197 }
1198 
1199 /*
1200  * Like TIFFSetField, but taking a varargs
1201  * parameter list.  This routine is useful
1202  * for building higher-level interfaces on
1203  * top of the library.
1204  */
TIFFVSetField(TIFF * tif,uint32_t tag,va_list ap)1205 int TIFFVSetField(TIFF *tif, uint32_t tag, va_list ap)
1206 {
1207     return OkToChangeTag(tif, tag)
1208                ? (*tif->tif_tagmethods.vsetfield)(tif, tag, ap)
1209                : 0;
1210 }
1211 
_TIFFVGetField(TIFF * tif,uint32_t tag,va_list ap)1212 static int _TIFFVGetField(TIFF *tif, uint32_t tag, va_list ap)
1213 {
1214     TIFFDirectory *td = &tif->tif_dir;
1215     int ret_val = 1;
1216     uint32_t standard_tag = tag;
1217     const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
1218     if (fip == NULL) /* cannot happen since TIFFGetField() already checks it */
1219         return 0;
1220 
1221     /*
1222      * We want to force the custom code to be used for custom
1223      * fields even if the tag happens to match a well known
1224      * one - important for reinterpreted handling of standard
1225      * tag values in custom directories (i.e. EXIF)
1226      */
1227     if (fip->field_bit == FIELD_CUSTOM)
1228     {
1229         standard_tag = 0;
1230     }
1231 
1232     switch (standard_tag)
1233     {
1234         case TIFFTAG_SUBFILETYPE:
1235             *va_arg(ap, uint32_t *) = td->td_subfiletype;
1236             break;
1237         case TIFFTAG_IMAGEWIDTH:
1238             *va_arg(ap, uint32_t *) = td->td_imagewidth;
1239             break;
1240         case TIFFTAG_IMAGELENGTH:
1241             *va_arg(ap, uint32_t *) = td->td_imagelength;
1242             break;
1243         case TIFFTAG_BITSPERSAMPLE:
1244             *va_arg(ap, uint16_t *) = td->td_bitspersample;
1245             break;
1246         case TIFFTAG_COMPRESSION:
1247             *va_arg(ap, uint16_t *) = td->td_compression;
1248             break;
1249         case TIFFTAG_PHOTOMETRIC:
1250             *va_arg(ap, uint16_t *) = td->td_photometric;
1251             break;
1252         case TIFFTAG_THRESHHOLDING:
1253             *va_arg(ap, uint16_t *) = td->td_threshholding;
1254             break;
1255         case TIFFTAG_FILLORDER:
1256             *va_arg(ap, uint16_t *) = td->td_fillorder;
1257             break;
1258         case TIFFTAG_ORIENTATION:
1259             *va_arg(ap, uint16_t *) = td->td_orientation;
1260             break;
1261         case TIFFTAG_SAMPLESPERPIXEL:
1262             *va_arg(ap, uint16_t *) = td->td_samplesperpixel;
1263             break;
1264         case TIFFTAG_ROWSPERSTRIP:
1265             *va_arg(ap, uint32_t *) = td->td_rowsperstrip;
1266             break;
1267         case TIFFTAG_MINSAMPLEVALUE:
1268             *va_arg(ap, uint16_t *) = td->td_minsamplevalue;
1269             break;
1270         case TIFFTAG_MAXSAMPLEVALUE:
1271             *va_arg(ap, uint16_t *) = td->td_maxsamplevalue;
1272             break;
1273         case TIFFTAG_SMINSAMPLEVALUE:
1274             if (tif->tif_flags & TIFF_PERSAMPLE)
1275                 *va_arg(ap, double **) = td->td_sminsamplevalue;
1276             else
1277             {
1278                 /* libtiff historically treats this as a single value. */
1279                 uint16_t i;
1280                 double v = td->td_sminsamplevalue[0];
1281                 for (i = 1; i < td->td_samplesperpixel; ++i)
1282                     if (td->td_sminsamplevalue[i] < v)
1283                         v = td->td_sminsamplevalue[i];
1284                 *va_arg(ap, double *) = v;
1285             }
1286             break;
1287         case TIFFTAG_SMAXSAMPLEVALUE:
1288             if (tif->tif_flags & TIFF_PERSAMPLE)
1289                 *va_arg(ap, double **) = td->td_smaxsamplevalue;
1290             else
1291             {
1292                 /* libtiff historically treats this as a single value. */
1293                 uint16_t i;
1294                 double v = td->td_smaxsamplevalue[0];
1295                 for (i = 1; i < td->td_samplesperpixel; ++i)
1296                     if (td->td_smaxsamplevalue[i] > v)
1297                         v = td->td_smaxsamplevalue[i];
1298                 *va_arg(ap, double *) = v;
1299             }
1300             break;
1301         case TIFFTAG_XRESOLUTION:
1302             *va_arg(ap, float *) = td->td_xresolution;
1303             break;
1304         case TIFFTAG_YRESOLUTION:
1305             *va_arg(ap, float *) = td->td_yresolution;
1306             break;
1307         case TIFFTAG_PLANARCONFIG:
1308             *va_arg(ap, uint16_t *) = td->td_planarconfig;
1309             break;
1310         case TIFFTAG_XPOSITION:
1311             *va_arg(ap, float *) = td->td_xposition;
1312             break;
1313         case TIFFTAG_YPOSITION:
1314             *va_arg(ap, float *) = td->td_yposition;
1315             break;
1316         case TIFFTAG_RESOLUTIONUNIT:
1317             *va_arg(ap, uint16_t *) = td->td_resolutionunit;
1318             break;
1319         case TIFFTAG_PAGENUMBER:
1320             *va_arg(ap, uint16_t *) = td->td_pagenumber[0];
1321             *va_arg(ap, uint16_t *) = td->td_pagenumber[1];
1322             break;
1323         case TIFFTAG_HALFTONEHINTS:
1324             *va_arg(ap, uint16_t *) = td->td_halftonehints[0];
1325             *va_arg(ap, uint16_t *) = td->td_halftonehints[1];
1326             break;
1327         case TIFFTAG_COLORMAP:
1328             *va_arg(ap, const uint16_t **) = td->td_colormap[0];
1329             *va_arg(ap, const uint16_t **) = td->td_colormap[1];
1330             *va_arg(ap, const uint16_t **) = td->td_colormap[2];
1331             break;
1332         case TIFFTAG_STRIPOFFSETS:
1333         case TIFFTAG_TILEOFFSETS:
1334             _TIFFFillStriles(tif);
1335             *va_arg(ap, const uint64_t **) = td->td_stripoffset_p;
1336             if (td->td_stripoffset_p == NULL)
1337                 ret_val = 0;
1338             break;
1339         case TIFFTAG_STRIPBYTECOUNTS:
1340         case TIFFTAG_TILEBYTECOUNTS:
1341             _TIFFFillStriles(tif);
1342             *va_arg(ap, const uint64_t **) = td->td_stripbytecount_p;
1343             if (td->td_stripbytecount_p == NULL)
1344                 ret_val = 0;
1345             break;
1346         case TIFFTAG_MATTEING:
1347             *va_arg(ap, uint16_t *) =
1348                 (td->td_extrasamples == 1 &&
1349                  td->td_sampleinfo[0] == EXTRASAMPLE_ASSOCALPHA);
1350             break;
1351         case TIFFTAG_EXTRASAMPLES:
1352             *va_arg(ap, uint16_t *) = td->td_extrasamples;
1353             *va_arg(ap, const uint16_t **) = td->td_sampleinfo;
1354             break;
1355         case TIFFTAG_TILEWIDTH:
1356             *va_arg(ap, uint32_t *) = td->td_tilewidth;
1357             break;
1358         case TIFFTAG_TILELENGTH:
1359             *va_arg(ap, uint32_t *) = td->td_tilelength;
1360             break;
1361         case TIFFTAG_TILEDEPTH:
1362             *va_arg(ap, uint32_t *) = td->td_tiledepth;
1363             break;
1364         case TIFFTAG_DATATYPE:
1365             switch (td->td_sampleformat)
1366             {
1367                 case SAMPLEFORMAT_UINT:
1368                     *va_arg(ap, uint16_t *) = DATATYPE_UINT;
1369                     break;
1370                 case SAMPLEFORMAT_INT:
1371                     *va_arg(ap, uint16_t *) = DATATYPE_INT;
1372                     break;
1373                 case SAMPLEFORMAT_IEEEFP:
1374                     *va_arg(ap, uint16_t *) = DATATYPE_IEEEFP;
1375                     break;
1376                 case SAMPLEFORMAT_VOID:
1377                     *va_arg(ap, uint16_t *) = DATATYPE_VOID;
1378                     break;
1379             }
1380             break;
1381         case TIFFTAG_SAMPLEFORMAT:
1382             *va_arg(ap, uint16_t *) = td->td_sampleformat;
1383             break;
1384         case TIFFTAG_IMAGEDEPTH:
1385             *va_arg(ap, uint32_t *) = td->td_imagedepth;
1386             break;
1387         case TIFFTAG_SUBIFD:
1388             *va_arg(ap, uint16_t *) = td->td_nsubifd;
1389             *va_arg(ap, const uint64_t **) = td->td_subifd;
1390             break;
1391         case TIFFTAG_YCBCRPOSITIONING:
1392             *va_arg(ap, uint16_t *) = td->td_ycbcrpositioning;
1393             break;
1394         case TIFFTAG_YCBCRSUBSAMPLING:
1395             *va_arg(ap, uint16_t *) = td->td_ycbcrsubsampling[0];
1396             *va_arg(ap, uint16_t *) = td->td_ycbcrsubsampling[1];
1397             break;
1398         case TIFFTAG_TRANSFERFUNCTION:
1399             *va_arg(ap, const uint16_t **) = td->td_transferfunction[0];
1400             if (td->td_samplesperpixel - td->td_extrasamples > 1)
1401             {
1402                 *va_arg(ap, const uint16_t **) = td->td_transferfunction[1];
1403                 *va_arg(ap, const uint16_t **) = td->td_transferfunction[2];
1404             }
1405             else
1406             {
1407                 *va_arg(ap, const uint16_t **) = NULL;
1408                 *va_arg(ap, const uint16_t **) = NULL;
1409             }
1410             break;
1411         case TIFFTAG_REFERENCEBLACKWHITE:
1412             *va_arg(ap, const float **) = td->td_refblackwhite;
1413             break;
1414         case TIFFTAG_INKNAMES:
1415             *va_arg(ap, const char **) = td->td_inknames;
1416             break;
1417         case TIFFTAG_NUMBEROFINKS:
1418             *va_arg(ap, uint16_t *) = td->td_numberofinks;
1419             break;
1420         default:
1421         {
1422             int i;
1423 
1424             /*
1425              * This can happen if multiple images are open
1426              * with different codecs which have private
1427              * tags.  The global tag information table may
1428              * then have tags that are valid for one file
1429              * but not the other. If the client tries to
1430              * get a tag that is not valid for the image's
1431              * codec then we'll arrive here.
1432              */
1433             if (fip->field_bit != FIELD_CUSTOM)
1434             {
1435                 TIFFErrorExtR(tif, "_TIFFVGetField",
1436                               "%s: Invalid %stag \"%s\" "
1437                               "(not supported by codec)",
1438                               tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
1439                               fip->field_name);
1440                 ret_val = 0;
1441                 break;
1442             }
1443 
1444             /*
1445              * Do we have a custom value?
1446              */
1447             ret_val = 0;
1448             for (i = 0; i < td->td_customValueCount; i++)
1449             {
1450                 TIFFTagValue *tv = td->td_customValues + i;
1451 
1452                 if (tv->info->field_tag != tag)
1453                     continue;
1454 
1455                 if (fip->field_passcount)
1456                 {
1457                     if (fip->field_readcount == TIFF_VARIABLE2)
1458                         *va_arg(ap, uint32_t *) = (uint32_t)tv->count;
1459                     else /* Assume TIFF_VARIABLE */
1460                         *va_arg(ap, uint16_t *) = (uint16_t)tv->count;
1461                     *va_arg(ap, const void **) = tv->value;
1462                     ret_val = 1;
1463                 }
1464                 else if (fip->field_tag == TIFFTAG_DOTRANGE &&
1465                          strcmp(fip->field_name, "DotRange") == 0)
1466                 {
1467                     /* TODO: This is an evil exception and should not have been
1468                        handled this way ... likely best if we move it into
1469                        the directory structure with an explicit field in
1470                        libtiff 4.1 and assign it a FIELD_ value */
1471                     *va_arg(ap, uint16_t *) = ((uint16_t *)tv->value)[0];
1472                     *va_arg(ap, uint16_t *) = ((uint16_t *)tv->value)[1];
1473                     ret_val = 1;
1474                 }
1475                 else
1476                 {
1477                     if (fip->field_type == TIFF_ASCII ||
1478                         fip->field_readcount == TIFF_VARIABLE ||
1479                         fip->field_readcount == TIFF_VARIABLE2 ||
1480                         fip->field_readcount == TIFF_SPP || tv->count > 1)
1481                     {
1482                         *va_arg(ap, void **) = tv->value;
1483                         ret_val = 1;
1484                     }
1485                     else
1486                     {
1487                         char *val = (char *)tv->value;
1488                         assert(tv->count == 1);
1489                         switch (fip->field_type)
1490                         {
1491                             case TIFF_BYTE:
1492                             case TIFF_UNDEFINED:
1493                                 *va_arg(ap, uint8_t *) = *(uint8_t *)val;
1494                                 ret_val = 1;
1495                                 break;
1496                             case TIFF_SBYTE:
1497                                 *va_arg(ap, int8_t *) = *(int8_t *)val;
1498                                 ret_val = 1;
1499                                 break;
1500                             case TIFF_SHORT:
1501                                 *va_arg(ap, uint16_t *) = *(uint16_t *)val;
1502                                 ret_val = 1;
1503                                 break;
1504                             case TIFF_SSHORT:
1505                                 *va_arg(ap, int16_t *) = *(int16_t *)val;
1506                                 ret_val = 1;
1507                                 break;
1508                             case TIFF_LONG:
1509                             case TIFF_IFD:
1510                                 *va_arg(ap, uint32_t *) = *(uint32_t *)val;
1511                                 ret_val = 1;
1512                                 break;
1513                             case TIFF_SLONG:
1514                                 *va_arg(ap, int32_t *) = *(int32_t *)val;
1515                                 ret_val = 1;
1516                                 break;
1517                             case TIFF_LONG8:
1518                             case TIFF_IFD8:
1519                                 *va_arg(ap, uint64_t *) = *(uint64_t *)val;
1520                                 ret_val = 1;
1521                                 break;
1522                             case TIFF_SLONG8:
1523                                 *va_arg(ap, int64_t *) = *(int64_t *)val;
1524                                 ret_val = 1;
1525                                 break;
1526                             case TIFF_RATIONAL:
1527                             case TIFF_SRATIONAL:
1528                             {
1529                                 /*-- Rational2Double: For Rationals evaluate
1530                                  * "set_field_type" to determine internal
1531                                  * storage size and return value size. */
1532                                 int tv_size = TIFFFieldSetGetSize(fip);
1533                                 if (tv_size == 8)
1534                                 {
1535                                     *va_arg(ap, double *) = *(double *)val;
1536                                     ret_val = 1;
1537                                 }
1538                                 else
1539                                 {
1540                                     /*-- default should be tv_size == 4  */
1541                                     *va_arg(ap, float *) = *(float *)val;
1542                                     ret_val = 1;
1543                                     /*-- ToDo: After Testing, this should be
1544                                      * removed and tv_size==4 should be set as
1545                                      * default. */
1546                                     if (tv_size != 4)
1547                                     {
1548                                         TIFFErrorExtR(
1549                                             tif, "_TIFFVGetField",
1550                                             "Rational2Double: .set_field_type "
1551                                             "in not 4 but %d",
1552                                             tv_size);
1553                                     }
1554                                 }
1555                             }
1556                             break;
1557                             case TIFF_FLOAT:
1558                                 *va_arg(ap, float *) = *(float *)val;
1559                                 ret_val = 1;
1560                                 break;
1561                             case TIFF_DOUBLE:
1562                                 *va_arg(ap, double *) = *(double *)val;
1563                                 ret_val = 1;
1564                                 break;
1565                             default:
1566                                 ret_val = 0;
1567                                 break;
1568                         }
1569                     }
1570                 }
1571                 break;
1572             }
1573         }
1574     }
1575     return (ret_val);
1576 }
1577 
1578 /*
1579  * Return the value of a field in the
1580  * internal directory structure.
1581  */
TIFFGetField(TIFF * tif,uint32_t tag,...)1582 int TIFFGetField(TIFF *tif, uint32_t tag, ...)
1583 {
1584     int status;
1585     va_list ap;
1586 
1587     va_start(ap, tag);
1588     status = TIFFVGetField(tif, tag, ap);
1589     va_end(ap);
1590     return (status);
1591 }
1592 
1593 /*
1594  * Like TIFFGetField, but taking a varargs
1595  * parameter list.  This routine is useful
1596  * for building higher-level interfaces on
1597  * top of the library.
1598  */
TIFFVGetField(TIFF * tif,uint32_t tag,va_list ap)1599 int TIFFVGetField(TIFF *tif, uint32_t tag, va_list ap)
1600 {
1601     const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
1602     return (fip && (isPseudoTag(tag) || TIFFFieldSet(tif, fip->field_bit))
1603                 ? (*tif->tif_tagmethods.vgetfield)(tif, tag, ap)
1604                 : 0);
1605 }
1606 
1607 #define CleanupField(member)                                                   \
1608     {                                                                          \
1609         if (td->member)                                                        \
1610         {                                                                      \
1611             _TIFFfreeExt(tif, td->member);                                     \
1612             td->member = 0;                                                    \
1613         }                                                                      \
1614     }
1615 
1616 /*
1617  * Release storage associated with a directory.
1618  */
TIFFFreeDirectory(TIFF * tif)1619 void TIFFFreeDirectory(TIFF *tif)
1620 {
1621     TIFFDirectory *td = &tif->tif_dir;
1622     int i;
1623 
1624     _TIFFmemset(td->td_fieldsset, 0, FIELD_SETLONGS);
1625     CleanupField(td_sminsamplevalue);
1626     CleanupField(td_smaxsamplevalue);
1627     CleanupField(td_colormap[0]);
1628     CleanupField(td_colormap[1]);
1629     CleanupField(td_colormap[2]);
1630     CleanupField(td_sampleinfo);
1631     CleanupField(td_subifd);
1632     CleanupField(td_inknames);
1633     CleanupField(td_refblackwhite);
1634     CleanupField(td_transferfunction[0]);
1635     CleanupField(td_transferfunction[1]);
1636     CleanupField(td_transferfunction[2]);
1637     CleanupField(td_stripoffset_p);
1638     CleanupField(td_stripbytecount_p);
1639     td->td_stripoffsetbyteallocsize = 0;
1640     TIFFClrFieldBit(tif, FIELD_YCBCRSUBSAMPLING);
1641     TIFFClrFieldBit(tif, FIELD_YCBCRPOSITIONING);
1642 
1643     /* Cleanup custom tag values */
1644     for (i = 0; i < td->td_customValueCount; i++)
1645     {
1646         if (td->td_customValues[i].value)
1647             _TIFFfreeExt(tif, td->td_customValues[i].value);
1648     }
1649 
1650     td->td_customValueCount = 0;
1651     CleanupField(td_customValues);
1652 
1653     _TIFFmemset(&(td->td_stripoffset_entry), 0, sizeof(TIFFDirEntry));
1654     _TIFFmemset(&(td->td_stripbytecount_entry), 0, sizeof(TIFFDirEntry));
1655 }
1656 #undef CleanupField
1657 
1658 /*
1659  * Client Tag extension support (from Niles Ritter).
1660  */
1661 static TIFFExtendProc _TIFFextender = (TIFFExtendProc)NULL;
1662 
TIFFSetTagExtender(TIFFExtendProc extender)1663 TIFFExtendProc TIFFSetTagExtender(TIFFExtendProc extender)
1664 {
1665     TIFFExtendProc prev = _TIFFextender;
1666     _TIFFextender = extender;
1667     return (prev);
1668 }
1669 
1670 /*
1671  * Setup for a new directory.  Should we automatically call
1672  * TIFFWriteDirectory() if the current one is dirty?
1673  *
1674  * The newly created directory will not exist on the file till
1675  * TIFFWriteDirectory(), TIFFFlush() or TIFFClose() is called.
1676  */
TIFFCreateDirectory(TIFF * tif)1677 int TIFFCreateDirectory(TIFF *tif)
1678 {
1679     TIFFDefaultDirectory(tif);
1680     tif->tif_diroff = 0;
1681     tif->tif_nextdiroff = 0;
1682     tif->tif_curoff = 0;
1683     tif->tif_row = (uint32_t)-1;
1684     tif->tif_curstrip = (uint32_t)-1;
1685 
1686     return 0;
1687 }
1688 
TIFFCreateCustomDirectory(TIFF * tif,const TIFFFieldArray * infoarray)1689 int TIFFCreateCustomDirectory(TIFF *tif, const TIFFFieldArray *infoarray)
1690 {
1691     TIFFDefaultDirectory(tif);
1692 
1693     /*
1694      * Reset the field definitions to match the application provided list.
1695      * Hopefully TIFFDefaultDirectory() won't have done anything irreversible
1696      * based on it's assumption this is an image directory.
1697      */
1698     _TIFFSetupFields(tif, infoarray);
1699 
1700     tif->tif_diroff = 0;
1701     tif->tif_nextdiroff = 0;
1702     tif->tif_curoff = 0;
1703     tif->tif_row = (uint32_t)-1;
1704     tif->tif_curstrip = (uint32_t)-1;
1705 
1706     return 0;
1707 }
1708 
TIFFCreateEXIFDirectory(TIFF * tif)1709 int TIFFCreateEXIFDirectory(TIFF *tif)
1710 {
1711     const TIFFFieldArray *exifFieldArray;
1712     exifFieldArray = _TIFFGetExifFields();
1713     return TIFFCreateCustomDirectory(tif, exifFieldArray);
1714 }
1715 
1716 /*
1717  * Creates the EXIF GPS custom directory
1718  */
TIFFCreateGPSDirectory(TIFF * tif)1719 int TIFFCreateGPSDirectory(TIFF *tif)
1720 {
1721     const TIFFFieldArray *gpsFieldArray;
1722     gpsFieldArray = _TIFFGetGpsFields();
1723     return TIFFCreateCustomDirectory(tif, gpsFieldArray);
1724 }
1725 
1726 /*
1727  * Setup a default directory structure.
1728  */
TIFFDefaultDirectory(TIFF * tif)1729 int TIFFDefaultDirectory(TIFF *tif)
1730 {
1731     register TIFFDirectory *td = &tif->tif_dir;
1732     const TIFFFieldArray *tiffFieldArray;
1733 
1734     tiffFieldArray = _TIFFGetFields();
1735     _TIFFSetupFields(tif, tiffFieldArray);
1736 
1737     _TIFFmemset(td, 0, sizeof(*td));
1738     td->td_fillorder = FILLORDER_MSB2LSB;
1739     td->td_bitspersample = 1;
1740     td->td_threshholding = THRESHHOLD_BILEVEL;
1741     td->td_orientation = ORIENTATION_TOPLEFT;
1742     td->td_samplesperpixel = 1;
1743     td->td_rowsperstrip = (uint32_t)-1;
1744     td->td_tilewidth = 0;
1745     td->td_tilelength = 0;
1746     td->td_tiledepth = 1;
1747 #ifdef STRIPBYTECOUNTSORTED_UNUSED
1748     td->td_stripbytecountsorted = 1; /* Our own arrays always sorted. */
1749 #endif
1750     td->td_resolutionunit = RESUNIT_INCH;
1751     td->td_sampleformat = SAMPLEFORMAT_UINT;
1752     td->td_imagedepth = 1;
1753     td->td_ycbcrsubsampling[0] = 2;
1754     td->td_ycbcrsubsampling[1] = 2;
1755     td->td_ycbcrpositioning = YCBCRPOSITION_CENTERED;
1756     tif->tif_postdecode = _TIFFNoPostDecode;
1757     tif->tif_foundfield = NULL;
1758     tif->tif_tagmethods.vsetfield = _TIFFVSetField;
1759     tif->tif_tagmethods.vgetfield = _TIFFVGetField;
1760     tif->tif_tagmethods.printdir = NULL;
1761     /* additional default values */
1762     td->td_planarconfig = PLANARCONFIG_CONTIG;
1763     td->td_compression = COMPRESSION_NONE;
1764     td->td_subfiletype = 0;
1765     td->td_minsamplevalue = 0;
1766     /* td_bitspersample=1 is always set in TIFFDefaultDirectory().
1767      * Therefore, td_maxsamplevalue has to be re-calculated in
1768      * TIFFGetFieldDefaulted(). */
1769     td->td_maxsamplevalue = 1; /* Default for td_bitspersample=1 */
1770     td->td_extrasamples = 0;
1771     td->td_sampleinfo = NULL;
1772 
1773     /*
1774      *  Give client code a chance to install their own
1775      *  tag extensions & methods, prior to compression overloads,
1776      *  but do some prior cleanup first.
1777      * (http://trac.osgeo.org/gdal/ticket/5054)
1778      */
1779     if (tif->tif_nfieldscompat > 0)
1780     {
1781         uint32_t i;
1782 
1783         for (i = 0; i < tif->tif_nfieldscompat; i++)
1784         {
1785             if (tif->tif_fieldscompat[i].allocated_size)
1786                 _TIFFfreeExt(tif, tif->tif_fieldscompat[i].fields);
1787         }
1788         _TIFFfreeExt(tif, tif->tif_fieldscompat);
1789         tif->tif_nfieldscompat = 0;
1790         tif->tif_fieldscompat = NULL;
1791     }
1792     if (_TIFFextender)
1793         (*_TIFFextender)(tif);
1794     (void)TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE);
1795     /*
1796      * NB: The directory is marked dirty as a result of setting
1797      * up the default compression scheme.  However, this really
1798      * isn't correct -- we want TIFF_DIRTYDIRECT to be set only
1799      * if the user does something.  We could just do the setup
1800      * by hand, but it seems better to use the normal mechanism
1801      * (i.e. TIFFSetField).
1802      */
1803     tif->tif_flags &= ~TIFF_DIRTYDIRECT;
1804 
1805     /*
1806      * As per http://bugzilla.remotesensing.org/show_bug.cgi?id=19
1807      * we clear the ISTILED flag when setting up a new directory.
1808      * Should we also be clearing stuff like INSUBIFD?
1809      */
1810     tif->tif_flags &= ~TIFF_ISTILED;
1811 
1812     return (1);
1813 }
1814 
TIFFAdvanceDirectory(TIFF * tif,uint64_t * nextdiroff,uint64_t * off,tdir_t * nextdirnum)1815 static int TIFFAdvanceDirectory(TIFF *tif, uint64_t *nextdiroff, uint64_t *off,
1816                                 tdir_t *nextdirnum)
1817 {
1818     static const char module[] = "TIFFAdvanceDirectory";
1819 
1820     /* Add this directory to the directory list, if not already in. */
1821     if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff))
1822     {
1823         TIFFErrorExtR(tif, module,
1824                       "Starting directory %u at offset 0x%" PRIx64 " (%" PRIu64
1825                       ") might cause an IFD loop",
1826                       *nextdirnum, *nextdiroff, *nextdiroff);
1827         *nextdiroff = 0;
1828         *nextdirnum = 0;
1829         return (0);
1830     }
1831 
1832     if (isMapped(tif))
1833     {
1834         uint64_t poff = *nextdiroff;
1835         if (!(tif->tif_flags & TIFF_BIGTIFF))
1836         {
1837             tmsize_t poffa, poffb, poffc, poffd;
1838             uint16_t dircount;
1839             uint32_t nextdir32;
1840             poffa = (tmsize_t)poff;
1841             poffb = poffa + sizeof(uint16_t);
1842             if (((uint64_t)poffa != poff) || (poffb < poffa) ||
1843                 (poffb < (tmsize_t)sizeof(uint16_t)) || (poffb > tif->tif_size))
1844             {
1845                 TIFFErrorExtR(tif, module, "Error fetching directory count");
1846                 *nextdiroff = 0;
1847                 return (0);
1848             }
1849             _TIFFmemcpy(&dircount, tif->tif_base + poffa, sizeof(uint16_t));
1850             if (tif->tif_flags & TIFF_SWAB)
1851                 TIFFSwabShort(&dircount);
1852             poffc = poffb + dircount * 12;
1853             poffd = poffc + sizeof(uint32_t);
1854             if ((poffc < poffb) || (poffc < dircount * 12) || (poffd < poffc) ||
1855                 (poffd < (tmsize_t)sizeof(uint32_t)) || (poffd > tif->tif_size))
1856             {
1857                 TIFFErrorExtR(tif, module, "Error fetching directory link");
1858                 return (0);
1859             }
1860             if (off != NULL)
1861                 *off = (uint64_t)poffc;
1862             _TIFFmemcpy(&nextdir32, tif->tif_base + poffc, sizeof(uint32_t));
1863             if (tif->tif_flags & TIFF_SWAB)
1864                 TIFFSwabLong(&nextdir32);
1865             *nextdiroff = nextdir32;
1866         }
1867         else
1868         {
1869             tmsize_t poffa, poffb, poffc, poffd;
1870             uint64_t dircount64;
1871             uint16_t dircount16;
1872             if (poff > (uint64_t)TIFF_TMSIZE_T_MAX - sizeof(uint64_t))
1873             {
1874                 TIFFErrorExtR(tif, module, "Error fetching directory count");
1875                 return (0);
1876             }
1877             poffa = (tmsize_t)poff;
1878             poffb = poffa + sizeof(uint64_t);
1879             if (poffb > tif->tif_size)
1880             {
1881                 TIFFErrorExtR(tif, module, "Error fetching directory count");
1882                 return (0);
1883             }
1884             _TIFFmemcpy(&dircount64, tif->tif_base + poffa, sizeof(uint64_t));
1885             if (tif->tif_flags & TIFF_SWAB)
1886                 TIFFSwabLong8(&dircount64);
1887             if (dircount64 > 0xFFFF)
1888             {
1889                 TIFFErrorExtR(tif, module,
1890                               "Sanity check on directory count failed");
1891                 return (0);
1892             }
1893             dircount16 = (uint16_t)dircount64;
1894             if (poffb > TIFF_TMSIZE_T_MAX - (tmsize_t)(dircount16 * 20) -
1895                             (tmsize_t)sizeof(uint64_t))
1896             {
1897                 TIFFErrorExtR(tif, module, "Error fetching directory link");
1898                 return (0);
1899             }
1900             poffc = poffb + dircount16 * 20;
1901             poffd = poffc + sizeof(uint64_t);
1902             if (poffd > tif->tif_size)
1903             {
1904                 TIFFErrorExtR(tif, module, "Error fetching directory link");
1905                 return (0);
1906             }
1907             if (off != NULL)
1908                 *off = (uint64_t)poffc;
1909             _TIFFmemcpy(nextdiroff, tif->tif_base + poffc, sizeof(uint64_t));
1910             if (tif->tif_flags & TIFF_SWAB)
1911                 TIFFSwabLong8(nextdiroff);
1912         }
1913     }
1914     else
1915     {
1916         if (!(tif->tif_flags & TIFF_BIGTIFF))
1917         {
1918             uint16_t dircount;
1919             uint32_t nextdir32;
1920             if (!SeekOK(tif, *nextdiroff) ||
1921                 !ReadOK(tif, &dircount, sizeof(uint16_t)))
1922             {
1923                 TIFFErrorExtR(tif, module, "%s: Error fetching directory count",
1924                               tif->tif_name);
1925                 return (0);
1926             }
1927             if (tif->tif_flags & TIFF_SWAB)
1928                 TIFFSwabShort(&dircount);
1929             if (off != NULL)
1930                 *off = TIFFSeekFile(tif, dircount * 12, SEEK_CUR);
1931             else
1932                 (void)TIFFSeekFile(tif, dircount * 12, SEEK_CUR);
1933             if (!ReadOK(tif, &nextdir32, sizeof(uint32_t)))
1934             {
1935                 TIFFErrorExtR(tif, module, "%s: Error fetching directory link",
1936                               tif->tif_name);
1937                 return (0);
1938             }
1939             if (tif->tif_flags & TIFF_SWAB)
1940                 TIFFSwabLong(&nextdir32);
1941             *nextdiroff = nextdir32;
1942         }
1943         else
1944         {
1945             uint64_t dircount64;
1946             uint16_t dircount16;
1947             if (!SeekOK(tif, *nextdiroff) ||
1948                 !ReadOK(tif, &dircount64, sizeof(uint64_t)))
1949             {
1950                 TIFFErrorExtR(tif, module, "%s: Error fetching directory count",
1951                               tif->tif_name);
1952                 return (0);
1953             }
1954             if (tif->tif_flags & TIFF_SWAB)
1955                 TIFFSwabLong8(&dircount64);
1956             if (dircount64 > 0xFFFF)
1957             {
1958                 TIFFErrorExtR(tif, module, "Error fetching directory count");
1959                 return (0);
1960             }
1961             dircount16 = (uint16_t)dircount64;
1962             if (off != NULL)
1963                 *off = TIFFSeekFile(tif, dircount16 * 20, SEEK_CUR);
1964             else
1965                 (void)TIFFSeekFile(tif, dircount16 * 20, SEEK_CUR);
1966             if (!ReadOK(tif, nextdiroff, sizeof(uint64_t)))
1967             {
1968                 TIFFErrorExtR(tif, module, "%s: Error fetching directory link",
1969                               tif->tif_name);
1970                 return (0);
1971             }
1972             if (tif->tif_flags & TIFF_SWAB)
1973                 TIFFSwabLong8(nextdiroff);
1974         }
1975     }
1976     if (*nextdiroff != 0)
1977     {
1978         (*nextdirnum)++;
1979         /* Check next directory for IFD looping and if so, set it as last
1980          * directory. */
1981         if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff))
1982         {
1983             TIFFWarningExtR(
1984                 tif, module,
1985                 "the next directory %u at offset 0x%" PRIx64 " (%" PRIu64
1986                 ") might be an IFD loop. Treating directory %d as "
1987                 "last directory",
1988                 *nextdirnum, *nextdiroff, *nextdiroff, (int)(*nextdirnum) - 1);
1989             *nextdiroff = 0;
1990             (*nextdirnum)--;
1991         }
1992     }
1993     return (1);
1994 }
1995 
1996 /*
1997  * Count the number of directories in a file.
1998  */
TIFFNumberOfDirectories(TIFF * tif)1999 tdir_t TIFFNumberOfDirectories(TIFF *tif)
2000 {
2001     uint64_t nextdiroff;
2002     tdir_t nextdirnum;
2003     tdir_t n;
2004     if (!(tif->tif_flags & TIFF_BIGTIFF))
2005         nextdiroff = tif->tif_header.classic.tiff_diroff;
2006     else
2007         nextdiroff = tif->tif_header.big.tiff_diroff;
2008     nextdirnum = 0;
2009     n = 0;
2010     while (nextdiroff != 0 &&
2011            TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
2012     {
2013         ++n;
2014     }
2015     return (n);
2016 }
2017 
2018 /*
2019  * Set the n-th directory as the current directory.
2020  * NB: Directories are numbered starting at 0.
2021  */
TIFFSetDirectory(TIFF * tif,tdir_t dirn)2022 int TIFFSetDirectory(TIFF *tif, tdir_t dirn)
2023 {
2024     uint64_t nextdiroff;
2025     tdir_t nextdirnum;
2026     tdir_t n;
2027 
2028     if (!(tif->tif_flags & TIFF_BIGTIFF))
2029         nextdiroff = tif->tif_header.classic.tiff_diroff;
2030     else
2031         nextdiroff = tif->tif_header.big.tiff_diroff;
2032     nextdirnum = 0;
2033     for (n = dirn; n > 0 && nextdiroff != 0; n--)
2034         if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
2035             return (0);
2036     /* If the n-th directory could not be reached (does not exist),
2037      * return here without touching anything further. */
2038     if (nextdiroff == 0 || n > 0)
2039         return (0);
2040 
2041     tif->tif_nextdiroff = nextdiroff;
2042     /*
2043      * Set curdir to the actual directory index.  The
2044      * -1 is because TIFFReadDirectory will increment
2045      * tif_curdir after successfully reading the directory.
2046      */
2047     tif->tif_curdir = (dirn - n) - 1;
2048     return (TIFFReadDirectory(tif));
2049 }
2050 
2051 /*
2052  * Set the current directory to be the directory
2053  * located at the specified file offset.  This interface
2054  * is used mainly to access directories linked with
2055  * the SubIFD tag (e.g. thumbnail images).
2056  */
TIFFSetSubDirectory(TIFF * tif,uint64_t diroff)2057 int TIFFSetSubDirectory(TIFF *tif, uint64_t diroff)
2058 {
2059     /* Match nextdiroff and curdir for consistent IFD-loop checking.
2060      * Only with TIFFSetSubDirectory() the IFD list can be corrupted with
2061      * invalid offsets within the main IFD tree. In the case of several subIFDs
2062      * of a main image, there are two possibilities that are not even mutually
2063      * exclusive. a.) The subIFD tag contains an array with all offsets of the
2064      * subIFDs. b.) The SubIFDs are concatenated with their NextIFD parameters.
2065      * (refer to
2066      * https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.)
2067      */
2068     int retval;
2069     uint32_t curdir = 0;
2070     int8_t probablySubIFD = 0;
2071     if (diroff == 0)
2072     {
2073         /* Special case to invalidate the tif_lastdiroff member. */
2074         tif->tif_curdir = TIFF_NON_EXISTENT_DIR_NUMBER;
2075     }
2076     else
2077     {
2078         if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir))
2079         {
2080             /* Non-existing offsets might point to a SubIFD or invalid IFD.*/
2081             probablySubIFD = 1;
2082         }
2083         /* -1 because TIFFReadDirectory() will increment tif_curdir. */
2084         tif->tif_curdir =
2085             curdir == 0 ? TIFF_NON_EXISTENT_DIR_NUMBER : curdir - 1;
2086     }
2087 
2088     tif->tif_nextdiroff = diroff;
2089     retval = TIFFReadDirectory(tif);
2090     /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it
2091      * back. */
2092     if (!retval)
2093     {
2094         if (tif->tif_curdir == TIFF_NON_EXISTENT_DIR_NUMBER)
2095             tif->tif_curdir = 0;
2096         else
2097             tif->tif_curdir++;
2098     }
2099     if (retval && probablySubIFD)
2100     {
2101         /* Reset IFD list to start new one for SubIFD chain and also start
2102          * SubIFD chain with tif_curdir=0. */
2103         tif->tif_dirnumber = 0;
2104         tif->tif_curdir = 0; /* first directory of new chain */
2105         /* add this offset to new IFD list */
2106         _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff);
2107     }
2108     return (retval);
2109 }
2110 
2111 /*
2112  * Return file offset of the current directory.
2113  */
TIFFCurrentDirOffset(TIFF * tif)2114 uint64_t TIFFCurrentDirOffset(TIFF *tif) { return (tif->tif_diroff); }
2115 
2116 /*
2117  * Return an indication of whether or not we are
2118  * at the last directory in the file.
2119  */
TIFFLastDirectory(TIFF * tif)2120 int TIFFLastDirectory(TIFF *tif) { return (tif->tif_nextdiroff == 0); }
2121 
2122 /*
2123  * Unlink the specified directory from the directory chain.
2124  * Note: First directory starts with number dirn=1.
2125  * This is different to TIFFSetDirectory() where the first directory starts with
2126  * zero.
2127  */
TIFFUnlinkDirectory(TIFF * tif,tdir_t dirn)2128 int TIFFUnlinkDirectory(TIFF *tif, tdir_t dirn)
2129 {
2130     static const char module[] = "TIFFUnlinkDirectory";
2131     uint64_t nextdir;
2132     tdir_t nextdirnum;
2133     uint64_t off;
2134     tdir_t n;
2135 
2136     if (tif->tif_mode == O_RDONLY)
2137     {
2138         TIFFErrorExtR(tif, module,
2139                       "Can not unlink directory in read-only file");
2140         return (0);
2141     }
2142     /*
2143      * Go to the directory before the one we want
2144      * to unlink and nab the offset of the link
2145      * field we'll need to patch.
2146      */
2147     if (!(tif->tif_flags & TIFF_BIGTIFF))
2148     {
2149         nextdir = tif->tif_header.classic.tiff_diroff;
2150         off = 4;
2151     }
2152     else
2153     {
2154         nextdir = tif->tif_header.big.tiff_diroff;
2155         off = 8;
2156     }
2157     nextdirnum = 0; /* First directory is dirn=0 */
2158 
2159     for (n = dirn - 1; n > 0; n--)
2160     {
2161         if (nextdir == 0)
2162         {
2163             TIFFErrorExtR(tif, module, "Directory %u does not exist", dirn);
2164             return (0);
2165         }
2166         if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum))
2167             return (0);
2168     }
2169     /*
2170      * Advance to the directory to be unlinked and fetch
2171      * the offset of the directory that follows.
2172      */
2173     if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum))
2174         return (0);
2175     /*
2176      * Go back and patch the link field of the preceding
2177      * directory to point to the offset of the directory
2178      * that follows.
2179      */
2180     (void)TIFFSeekFile(tif, off, SEEK_SET);
2181     if (!(tif->tif_flags & TIFF_BIGTIFF))
2182     {
2183         uint32_t nextdir32;
2184         nextdir32 = (uint32_t)nextdir;
2185         assert((uint64_t)nextdir32 == nextdir);
2186         if (tif->tif_flags & TIFF_SWAB)
2187             TIFFSwabLong(&nextdir32);
2188         if (!WriteOK(tif, &nextdir32, sizeof(uint32_t)))
2189         {
2190             TIFFErrorExtR(tif, module, "Error writing directory link");
2191             return (0);
2192         }
2193     }
2194     else
2195     {
2196         if (tif->tif_flags & TIFF_SWAB)
2197             TIFFSwabLong8(&nextdir);
2198         if (!WriteOK(tif, &nextdir, sizeof(uint64_t)))
2199         {
2200             TIFFErrorExtR(tif, module, "Error writing directory link");
2201             return (0);
2202         }
2203     }
2204     /*
2205      * Leave directory state setup safely.  We don't have
2206      * facilities for doing inserting and removing directories,
2207      * so it's safest to just invalidate everything.  This
2208      * means that the caller can only append to the directory
2209      * chain.
2210      */
2211     (*tif->tif_cleanup)(tif);
2212     if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
2213     {
2214         _TIFFfreeExt(tif, tif->tif_rawdata);
2215         tif->tif_rawdata = NULL;
2216         tif->tif_rawcc = 0;
2217         tif->tif_rawdataoff = 0;
2218         tif->tif_rawdataloaded = 0;
2219     }
2220     tif->tif_flags &= ~(TIFF_BEENWRITING | TIFF_BUFFERSETUP | TIFF_POSTENCODE |
2221                         TIFF_BUF4WRITE);
2222     TIFFFreeDirectory(tif);
2223     TIFFDefaultDirectory(tif);
2224     tif->tif_diroff = 0;     /* force link on next write */
2225     tif->tif_nextdiroff = 0; /* next write must be at end */
2226     tif->tif_lastdiroff = 0; /* will be updated on next link */
2227     tif->tif_curoff = 0;
2228     tif->tif_row = (uint32_t)-1;
2229     tif->tif_curstrip = (uint32_t)-1;
2230     return (1);
2231 }
2232