1 /*
2  * Copyright (c) 1988-1997 Sam Leffler
3  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4  *
5  * Permission to use, copy, modify, distribute, and sell this software and
6  * its documentation for any purpose is hereby granted without fee, provided
7  * that (i) the above copyright notices and this permission notice appear in
8  * all copies of the software and related documentation, and (ii) the names of
9  * Sam Leffler and Silicon Graphics may not be used in any advertising or
10  * publicity relating to the software without the specific, prior written
11  * permission of Sam Leffler and Silicon Graphics.
12  *
13  * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14  * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15  * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16  *
17  * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18  * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19  * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20  * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22  * OF THIS SOFTWARE.
23  */
24 
25 /*
26  * TIFF Library.
27  *
28  * Directory Read Support Routines.
29  */
30 
31 /* Suggested pending improvements:
32  * - add a field 'field_info' to the TIFFDirEntry structure, and set that with
33  *   the pointer to the appropriate TIFFField structure early on in
34  *   TIFFReadDirectory, so as to eliminate current possibly repetitive lookup.
35  */
36 
37 #include "tiffconf.h"
38 #include "tiffiop.h"
39 #include <float.h>
40 #include <limits.h>
41 #include <stdlib.h>
42 #include <string.h>
43 
44 #define FAILED_FII ((uint32_t)-1)
45 
46 #ifdef HAVE_IEEEFP
47 #define TIFFCvtIEEEFloatToNative(tif, n, fp)
48 #define TIFFCvtIEEEDoubleToNative(tif, n, dp)
49 #else
50 extern void TIFFCvtIEEEFloatToNative(TIFF *, uint32_t, float *);
51 extern void TIFFCvtIEEEDoubleToNative(TIFF *, uint32_t, double *);
52 #endif
53 
54 enum TIFFReadDirEntryErr
55 {
56     TIFFReadDirEntryErrOk = 0,
57     TIFFReadDirEntryErrCount = 1,
58     TIFFReadDirEntryErrType = 2,
59     TIFFReadDirEntryErrIo = 3,
60     TIFFReadDirEntryErrRange = 4,
61     TIFFReadDirEntryErrPsdif = 5,
62     TIFFReadDirEntryErrSizesan = 6,
63     TIFFReadDirEntryErrAlloc = 7,
64 };
65 
66 static enum TIFFReadDirEntryErr
67 TIFFReadDirEntryByte(TIFF *tif, TIFFDirEntry *direntry, uint8_t *value);
68 static enum TIFFReadDirEntryErr
69 TIFFReadDirEntrySbyte(TIFF *tif, TIFFDirEntry *direntry, int8_t *value);
70 static enum TIFFReadDirEntryErr
71 TIFFReadDirEntryShort(TIFF *tif, TIFFDirEntry *direntry, uint16_t *value);
72 static enum TIFFReadDirEntryErr
73 TIFFReadDirEntrySshort(TIFF *tif, TIFFDirEntry *direntry, int16_t *value);
74 static enum TIFFReadDirEntryErr
75 TIFFReadDirEntryLong(TIFF *tif, TIFFDirEntry *direntry, uint32_t *value);
76 static enum TIFFReadDirEntryErr
77 TIFFReadDirEntrySlong(TIFF *tif, TIFFDirEntry *direntry, int32_t *value);
78 static enum TIFFReadDirEntryErr
79 TIFFReadDirEntryLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value);
80 static enum TIFFReadDirEntryErr
81 TIFFReadDirEntrySlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value);
82 static enum TIFFReadDirEntryErr
83 TIFFReadDirEntryFloat(TIFF *tif, TIFFDirEntry *direntry, float *value);
84 static enum TIFFReadDirEntryErr
85 TIFFReadDirEntryDouble(TIFF *tif, TIFFDirEntry *direntry, double *value);
86 static enum TIFFReadDirEntryErr
87 TIFFReadDirEntryIfd8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value);
88 
89 static enum TIFFReadDirEntryErr
90 TIFFReadDirEntryArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t *count,
91                       uint32_t desttypesize, void **value);
92 static enum TIFFReadDirEntryErr
93 TIFFReadDirEntryByteArray(TIFF *tif, TIFFDirEntry *direntry, uint8_t **value);
94 static enum TIFFReadDirEntryErr
95 TIFFReadDirEntrySbyteArray(TIFF *tif, TIFFDirEntry *direntry, int8_t **value);
96 static enum TIFFReadDirEntryErr
97 TIFFReadDirEntryShortArray(TIFF *tif, TIFFDirEntry *direntry, uint16_t **value);
98 static enum TIFFReadDirEntryErr
99 TIFFReadDirEntrySshortArray(TIFF *tif, TIFFDirEntry *direntry, int16_t **value);
100 static enum TIFFReadDirEntryErr
101 TIFFReadDirEntryLongArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t **value);
102 static enum TIFFReadDirEntryErr
103 TIFFReadDirEntrySlongArray(TIFF *tif, TIFFDirEntry *direntry, int32_t **value);
104 static enum TIFFReadDirEntryErr
105 TIFFReadDirEntryLong8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value);
106 static enum TIFFReadDirEntryErr
107 TIFFReadDirEntrySlong8Array(TIFF *tif, TIFFDirEntry *direntry, int64_t **value);
108 static enum TIFFReadDirEntryErr
109 TIFFReadDirEntryFloatArray(TIFF *tif, TIFFDirEntry *direntry, float **value);
110 static enum TIFFReadDirEntryErr
111 TIFFReadDirEntryDoubleArray(TIFF *tif, TIFFDirEntry *direntry, double **value);
112 static enum TIFFReadDirEntryErr
113 TIFFReadDirEntryIfd8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value);
114 
115 static enum TIFFReadDirEntryErr
116 TIFFReadDirEntryPersampleShort(TIFF *tif, TIFFDirEntry *direntry,
117                                uint16_t *value);
118 
119 static void TIFFReadDirEntryCheckedByte(TIFF *tif, TIFFDirEntry *direntry,
120                                         uint8_t *value);
121 static void TIFFReadDirEntryCheckedSbyte(TIFF *tif, TIFFDirEntry *direntry,
122                                          int8_t *value);
123 static void TIFFReadDirEntryCheckedShort(TIFF *tif, TIFFDirEntry *direntry,
124                                          uint16_t *value);
125 static void TIFFReadDirEntryCheckedSshort(TIFF *tif, TIFFDirEntry *direntry,
126                                           int16_t *value);
127 static void TIFFReadDirEntryCheckedLong(TIFF *tif, TIFFDirEntry *direntry,
128                                         uint32_t *value);
129 static void TIFFReadDirEntryCheckedSlong(TIFF *tif, TIFFDirEntry *direntry,
130                                          int32_t *value);
131 static enum TIFFReadDirEntryErr
132 TIFFReadDirEntryCheckedLong8(TIFF *tif, TIFFDirEntry *direntry,
133                              uint64_t *value);
134 static enum TIFFReadDirEntryErr
135 TIFFReadDirEntryCheckedSlong8(TIFF *tif, TIFFDirEntry *direntry,
136                               int64_t *value);
137 static enum TIFFReadDirEntryErr
138 TIFFReadDirEntryCheckedRational(TIFF *tif, TIFFDirEntry *direntry,
139                                 double *value);
140 static enum TIFFReadDirEntryErr
141 TIFFReadDirEntryCheckedSrational(TIFF *tif, TIFFDirEntry *direntry,
142                                  double *value);
143 static void TIFFReadDirEntryCheckedFloat(TIFF *tif, TIFFDirEntry *direntry,
144                                          float *value);
145 static enum TIFFReadDirEntryErr
146 TIFFReadDirEntryCheckedDouble(TIFF *tif, TIFFDirEntry *direntry, double *value);
147 #if 0
148 static enum TIFFReadDirEntryErr
149 TIFFReadDirEntryCheckedRationalDirect(TIFF *tif, TIFFDirEntry *direntry,
150                                       TIFFRational_t *value);
151 #endif
152 static enum TIFFReadDirEntryErr
153 TIFFReadDirEntryCheckRangeByteSbyte(int8_t value);
154 static enum TIFFReadDirEntryErr
155 TIFFReadDirEntryCheckRangeByteShort(uint16_t value);
156 static enum TIFFReadDirEntryErr
157 TIFFReadDirEntryCheckRangeByteSshort(int16_t value);
158 static enum TIFFReadDirEntryErr
159 TIFFReadDirEntryCheckRangeByteLong(uint32_t value);
160 static enum TIFFReadDirEntryErr
161 TIFFReadDirEntryCheckRangeByteSlong(int32_t value);
162 static enum TIFFReadDirEntryErr
163 TIFFReadDirEntryCheckRangeByteLong8(uint64_t value);
164 static enum TIFFReadDirEntryErr
165 TIFFReadDirEntryCheckRangeByteSlong8(int64_t value);
166 
167 static enum TIFFReadDirEntryErr
168 TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value);
169 static enum TIFFReadDirEntryErr
170 TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value);
171 static enum TIFFReadDirEntryErr
172 TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value);
173 static enum TIFFReadDirEntryErr
174 TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value);
175 static enum TIFFReadDirEntryErr
176 TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value);
177 static enum TIFFReadDirEntryErr
178 TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value);
179 static enum TIFFReadDirEntryErr
180 TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value);
181 
182 static enum TIFFReadDirEntryErr
183 TIFFReadDirEntryCheckRangeShortSbyte(int8_t value);
184 static enum TIFFReadDirEntryErr
185 TIFFReadDirEntryCheckRangeShortSshort(int16_t value);
186 static enum TIFFReadDirEntryErr
187 TIFFReadDirEntryCheckRangeShortLong(uint32_t value);
188 static enum TIFFReadDirEntryErr
189 TIFFReadDirEntryCheckRangeShortSlong(int32_t value);
190 static enum TIFFReadDirEntryErr
191 TIFFReadDirEntryCheckRangeShortLong8(uint64_t value);
192 static enum TIFFReadDirEntryErr
193 TIFFReadDirEntryCheckRangeShortSlong8(int64_t value);
194 
195 static enum TIFFReadDirEntryErr
196 TIFFReadDirEntryCheckRangeSshortShort(uint16_t value);
197 static enum TIFFReadDirEntryErr
198 TIFFReadDirEntryCheckRangeSshortLong(uint32_t value);
199 static enum TIFFReadDirEntryErr
200 TIFFReadDirEntryCheckRangeSshortSlong(int32_t value);
201 static enum TIFFReadDirEntryErr
202 TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value);
203 static enum TIFFReadDirEntryErr
204 TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value);
205 
206 static enum TIFFReadDirEntryErr
207 TIFFReadDirEntryCheckRangeLongSbyte(int8_t value);
208 static enum TIFFReadDirEntryErr
209 TIFFReadDirEntryCheckRangeLongSshort(int16_t value);
210 static enum TIFFReadDirEntryErr
211 TIFFReadDirEntryCheckRangeLongSlong(int32_t value);
212 static enum TIFFReadDirEntryErr
213 TIFFReadDirEntryCheckRangeLongLong8(uint64_t value);
214 static enum TIFFReadDirEntryErr
215 TIFFReadDirEntryCheckRangeLongSlong8(int64_t value);
216 
217 static enum TIFFReadDirEntryErr
218 TIFFReadDirEntryCheckRangeSlongLong(uint32_t value);
219 static enum TIFFReadDirEntryErr
220 TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value);
221 static enum TIFFReadDirEntryErr
222 TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value);
223 
224 static enum TIFFReadDirEntryErr
225 TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value);
226 static enum TIFFReadDirEntryErr
227 TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value);
228 static enum TIFFReadDirEntryErr
229 TIFFReadDirEntryCheckRangeLong8Slong(int32_t value);
230 static enum TIFFReadDirEntryErr
231 TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value);
232 
233 static enum TIFFReadDirEntryErr
234 TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value);
235 
236 static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF *tif, uint64_t offset,
237                                                      tmsize_t size, void *dest);
238 static void TIFFReadDirEntryOutputErr(TIFF *tif, enum TIFFReadDirEntryErr err,
239                                       const char *module, const char *tagname,
240                                       int recover);
241 
242 static void TIFFReadDirectoryCheckOrder(TIFF *tif, TIFFDirEntry *dir,
243                                         uint16_t dircount);
244 static TIFFDirEntry *TIFFReadDirectoryFindEntry(TIFF *tif, TIFFDirEntry *dir,
245                                                 uint16_t dircount,
246                                                 uint16_t tagid);
247 static void TIFFReadDirectoryFindFieldInfo(TIFF *tif, uint16_t tagid,
248                                            uint32_t *fii);
249 
250 static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
251                                    uint16_t dircount);
252 static void MissingRequired(TIFF *, const char *);
253 static int CheckDirCount(TIFF *, TIFFDirEntry *, uint32_t);
254 static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
255                                    TIFFDirEntry **pdir, uint64_t *nextdiroff);
256 static int TIFFFetchNormalTag(TIFF *, TIFFDirEntry *, int recover);
257 static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
258                                uint64_t **lpp);
259 static int TIFFFetchSubjectDistance(TIFF *, TIFFDirEntry *);
260 static void ChopUpSingleUncompressedStrip(TIFF *);
261 static void TryChopUpUncompressedBigTiff(TIFF *);
262 static uint64_t TIFFReadUInt64(const uint8_t *value);
263 static int _TIFFGetMaxColorChannels(uint16_t photometric);
264 
265 static int _TIFFFillStrilesInternal(TIFF *tif, int loadStripByteCount);
266 
267 typedef union _UInt64Aligned_t
268 {
269     double d;
270     uint64_t l;
271     uint32_t i[2];
272     uint16_t s[4];
273     uint8_t c[8];
274 } UInt64Aligned_t;
275 
276 /*
277   Unaligned safe copy of a uint64_t value from an octet array.
278 */
TIFFReadUInt64(const uint8_t * value)279 static uint64_t TIFFReadUInt64(const uint8_t *value)
280 {
281     UInt64Aligned_t result;
282 
283     result.c[0] = value[0];
284     result.c[1] = value[1];
285     result.c[2] = value[2];
286     result.c[3] = value[3];
287     result.c[4] = value[4];
288     result.c[5] = value[5];
289     result.c[6] = value[6];
290     result.c[7] = value[7];
291 
292     return result.l;
293 }
294 
295 static enum TIFFReadDirEntryErr
TIFFReadDirEntryByte(TIFF * tif,TIFFDirEntry * direntry,uint8_t * value)296 TIFFReadDirEntryByte(TIFF *tif, TIFFDirEntry *direntry, uint8_t *value)
297 {
298     enum TIFFReadDirEntryErr err;
299     if (direntry->tdir_count != 1)
300         return (TIFFReadDirEntryErrCount);
301     switch (direntry->tdir_type)
302     {
303         case TIFF_BYTE:
304         case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with
305                                 field_readcount==1 */
306             TIFFReadDirEntryCheckedByte(tif, direntry, value);
307             return (TIFFReadDirEntryErrOk);
308         case TIFF_SBYTE:
309         {
310             int8_t m;
311             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
312             err = TIFFReadDirEntryCheckRangeByteSbyte(m);
313             if (err != TIFFReadDirEntryErrOk)
314                 return (err);
315             *value = (uint8_t)m;
316             return (TIFFReadDirEntryErrOk);
317         }
318         case TIFF_SHORT:
319         {
320             uint16_t m;
321             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
322             err = TIFFReadDirEntryCheckRangeByteShort(m);
323             if (err != TIFFReadDirEntryErrOk)
324                 return (err);
325             *value = (uint8_t)m;
326             return (TIFFReadDirEntryErrOk);
327         }
328         case TIFF_SSHORT:
329         {
330             int16_t m;
331             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
332             err = TIFFReadDirEntryCheckRangeByteSshort(m);
333             if (err != TIFFReadDirEntryErrOk)
334                 return (err);
335             *value = (uint8_t)m;
336             return (TIFFReadDirEntryErrOk);
337         }
338         case TIFF_LONG:
339         {
340             uint32_t m;
341             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
342             err = TIFFReadDirEntryCheckRangeByteLong(m);
343             if (err != TIFFReadDirEntryErrOk)
344                 return (err);
345             *value = (uint8_t)m;
346             return (TIFFReadDirEntryErrOk);
347         }
348         case TIFF_SLONG:
349         {
350             int32_t m;
351             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
352             err = TIFFReadDirEntryCheckRangeByteSlong(m);
353             if (err != TIFFReadDirEntryErrOk)
354                 return (err);
355             *value = (uint8_t)m;
356             return (TIFFReadDirEntryErrOk);
357         }
358         case TIFF_LONG8:
359         {
360             uint64_t m;
361             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
362             if (err != TIFFReadDirEntryErrOk)
363                 return (err);
364             err = TIFFReadDirEntryCheckRangeByteLong8(m);
365             if (err != TIFFReadDirEntryErrOk)
366                 return (err);
367             *value = (uint8_t)m;
368             return (TIFFReadDirEntryErrOk);
369         }
370         case TIFF_SLONG8:
371         {
372             int64_t m;
373             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
374             if (err != TIFFReadDirEntryErrOk)
375                 return (err);
376             err = TIFFReadDirEntryCheckRangeByteSlong8(m);
377             if (err != TIFFReadDirEntryErrOk)
378                 return (err);
379             *value = (uint8_t)m;
380             return (TIFFReadDirEntryErrOk);
381         }
382         default:
383             return (TIFFReadDirEntryErrType);
384     }
385 }
386 
387 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySbyte(TIFF * tif,TIFFDirEntry * direntry,int8_t * value)388 TIFFReadDirEntrySbyte(TIFF *tif, TIFFDirEntry *direntry, int8_t *value)
389 {
390     enum TIFFReadDirEntryErr err;
391     if (direntry->tdir_count != 1)
392         return (TIFFReadDirEntryErrCount);
393     switch (direntry->tdir_type)
394     {
395         case TIFF_BYTE:
396         case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with
397                                 field_readcount==1 */
398         {
399             uint8_t m;
400             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
401             err = TIFFReadDirEntryCheckRangeSbyteByte(m);
402             if (err != TIFFReadDirEntryErrOk)
403                 return (err);
404             *value = (int8_t)m;
405             return (TIFFReadDirEntryErrOk);
406         }
407         case TIFF_SBYTE:
408         {
409             TIFFReadDirEntryCheckedSbyte(tif, direntry, value);
410             return (TIFFReadDirEntryErrOk);
411         }
412         case TIFF_SHORT:
413         {
414             uint16_t m;
415             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
416             err = TIFFReadDirEntryCheckRangeSbyteShort(m);
417             if (err != TIFFReadDirEntryErrOk)
418                 return (err);
419             *value = (int8_t)m;
420             return (TIFFReadDirEntryErrOk);
421         }
422         case TIFF_SSHORT:
423         {
424             int16_t m;
425             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
426             err = TIFFReadDirEntryCheckRangeSbyteSshort(m);
427             if (err != TIFFReadDirEntryErrOk)
428                 return (err);
429             *value = (int8_t)m;
430             return (TIFFReadDirEntryErrOk);
431         }
432         case TIFF_LONG:
433         {
434             uint32_t m;
435             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
436             err = TIFFReadDirEntryCheckRangeSbyteLong(m);
437             if (err != TIFFReadDirEntryErrOk)
438                 return (err);
439             *value = (int8_t)m;
440             return (TIFFReadDirEntryErrOk);
441         }
442         case TIFF_SLONG:
443         {
444             int32_t m;
445             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
446             err = TIFFReadDirEntryCheckRangeSbyteSlong(m);
447             if (err != TIFFReadDirEntryErrOk)
448                 return (err);
449             *value = (int8_t)m;
450             return (TIFFReadDirEntryErrOk);
451         }
452         case TIFF_LONG8:
453         {
454             uint64_t m;
455             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
456             if (err != TIFFReadDirEntryErrOk)
457                 return (err);
458             err = TIFFReadDirEntryCheckRangeSbyteLong8(m);
459             if (err != TIFFReadDirEntryErrOk)
460                 return (err);
461             *value = (int8_t)m;
462             return (TIFFReadDirEntryErrOk);
463         }
464         case TIFF_SLONG8:
465         {
466             int64_t m;
467             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
468             if (err != TIFFReadDirEntryErrOk)
469                 return (err);
470             err = TIFFReadDirEntryCheckRangeSbyteSlong8(m);
471             if (err != TIFFReadDirEntryErrOk)
472                 return (err);
473             *value = (int8_t)m;
474             return (TIFFReadDirEntryErrOk);
475         }
476         default:
477             return (TIFFReadDirEntryErrType);
478     }
479 } /*-- TIFFReadDirEntrySbyte() --*/
480 
481 static enum TIFFReadDirEntryErr
TIFFReadDirEntryShort(TIFF * tif,TIFFDirEntry * direntry,uint16_t * value)482 TIFFReadDirEntryShort(TIFF *tif, TIFFDirEntry *direntry, uint16_t *value)
483 {
484     enum TIFFReadDirEntryErr err;
485     if (direntry->tdir_count != 1)
486         return (TIFFReadDirEntryErrCount);
487     switch (direntry->tdir_type)
488     {
489         case TIFF_BYTE:
490         {
491             uint8_t m;
492             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
493             *value = (uint16_t)m;
494             return (TIFFReadDirEntryErrOk);
495         }
496         case TIFF_SBYTE:
497         {
498             int8_t m;
499             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
500             err = TIFFReadDirEntryCheckRangeShortSbyte(m);
501             if (err != TIFFReadDirEntryErrOk)
502                 return (err);
503             *value = (uint16_t)m;
504             return (TIFFReadDirEntryErrOk);
505         }
506         case TIFF_SHORT:
507             TIFFReadDirEntryCheckedShort(tif, direntry, value);
508             return (TIFFReadDirEntryErrOk);
509         case TIFF_SSHORT:
510         {
511             int16_t m;
512             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
513             err = TIFFReadDirEntryCheckRangeShortSshort(m);
514             if (err != TIFFReadDirEntryErrOk)
515                 return (err);
516             *value = (uint16_t)m;
517             return (TIFFReadDirEntryErrOk);
518         }
519         case TIFF_LONG:
520         {
521             uint32_t m;
522             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
523             err = TIFFReadDirEntryCheckRangeShortLong(m);
524             if (err != TIFFReadDirEntryErrOk)
525                 return (err);
526             *value = (uint16_t)m;
527             return (TIFFReadDirEntryErrOk);
528         }
529         case TIFF_SLONG:
530         {
531             int32_t m;
532             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
533             err = TIFFReadDirEntryCheckRangeShortSlong(m);
534             if (err != TIFFReadDirEntryErrOk)
535                 return (err);
536             *value = (uint16_t)m;
537             return (TIFFReadDirEntryErrOk);
538         }
539         case TIFF_LONG8:
540         {
541             uint64_t m;
542             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
543             if (err != TIFFReadDirEntryErrOk)
544                 return (err);
545             err = TIFFReadDirEntryCheckRangeShortLong8(m);
546             if (err != TIFFReadDirEntryErrOk)
547                 return (err);
548             *value = (uint16_t)m;
549             return (TIFFReadDirEntryErrOk);
550         }
551         case TIFF_SLONG8:
552         {
553             int64_t m;
554             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
555             if (err != TIFFReadDirEntryErrOk)
556                 return (err);
557             err = TIFFReadDirEntryCheckRangeShortSlong8(m);
558             if (err != TIFFReadDirEntryErrOk)
559                 return (err);
560             *value = (uint16_t)m;
561             return (TIFFReadDirEntryErrOk);
562         }
563         default:
564             return (TIFFReadDirEntryErrType);
565     }
566 } /*-- TIFFReadDirEntryShort() --*/
567 
568 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySshort(TIFF * tif,TIFFDirEntry * direntry,int16_t * value)569 TIFFReadDirEntrySshort(TIFF *tif, TIFFDirEntry *direntry, int16_t *value)
570 {
571     enum TIFFReadDirEntryErr err;
572     if (direntry->tdir_count != 1)
573         return (TIFFReadDirEntryErrCount);
574     switch (direntry->tdir_type)
575     {
576         case TIFF_BYTE:
577         {
578             uint8_t m;
579             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
580             *value = (int16_t)m;
581             return (TIFFReadDirEntryErrOk);
582         }
583         case TIFF_SBYTE:
584         {
585             int8_t m;
586             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
587             *value = (int16_t)m;
588             return (TIFFReadDirEntryErrOk);
589         }
590         case TIFF_SHORT:
591         {
592             uint16_t m;
593             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
594             err = TIFFReadDirEntryCheckRangeSshortShort(m);
595             if (err != TIFFReadDirEntryErrOk)
596                 return (err);
597             *value = (uint16_t)m;
598             return (TIFFReadDirEntryErrOk);
599         }
600         case TIFF_SSHORT:
601             TIFFReadDirEntryCheckedSshort(tif, direntry, value);
602             return (TIFFReadDirEntryErrOk);
603         case TIFF_LONG:
604         {
605             uint32_t m;
606             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
607             err = TIFFReadDirEntryCheckRangeSshortLong(m);
608             if (err != TIFFReadDirEntryErrOk)
609                 return (err);
610             *value = (int16_t)m;
611             return (TIFFReadDirEntryErrOk);
612         }
613         case TIFF_SLONG:
614         {
615             int32_t m;
616             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
617             err = TIFFReadDirEntryCheckRangeSshortSlong(m);
618             if (err != TIFFReadDirEntryErrOk)
619                 return (err);
620             *value = (int16_t)m;
621             return (TIFFReadDirEntryErrOk);
622         }
623         case TIFF_LONG8:
624         {
625             uint64_t m;
626             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
627             if (err != TIFFReadDirEntryErrOk)
628                 return (err);
629             err = TIFFReadDirEntryCheckRangeSshortLong8(m);
630             if (err != TIFFReadDirEntryErrOk)
631                 return (err);
632             *value = (int16_t)m;
633             return (TIFFReadDirEntryErrOk);
634         }
635         case TIFF_SLONG8:
636         {
637             int64_t m;
638             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
639             if (err != TIFFReadDirEntryErrOk)
640                 return (err);
641             err = TIFFReadDirEntryCheckRangeSshortSlong8(m);
642             if (err != TIFFReadDirEntryErrOk)
643                 return (err);
644             *value = (int16_t)m;
645             return (TIFFReadDirEntryErrOk);
646         }
647         default:
648             return (TIFFReadDirEntryErrType);
649     }
650 } /*-- TIFFReadDirEntrySshort() --*/
651 
652 static enum TIFFReadDirEntryErr
TIFFReadDirEntryLong(TIFF * tif,TIFFDirEntry * direntry,uint32_t * value)653 TIFFReadDirEntryLong(TIFF *tif, TIFFDirEntry *direntry, uint32_t *value)
654 {
655     enum TIFFReadDirEntryErr err;
656     if (direntry->tdir_count != 1)
657         return (TIFFReadDirEntryErrCount);
658     switch (direntry->tdir_type)
659     {
660         case TIFF_BYTE:
661         {
662             uint8_t m;
663             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
664             *value = (uint32_t)m;
665             return (TIFFReadDirEntryErrOk);
666         }
667         case TIFF_SBYTE:
668         {
669             int8_t m;
670             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
671             err = TIFFReadDirEntryCheckRangeLongSbyte(m);
672             if (err != TIFFReadDirEntryErrOk)
673                 return (err);
674             *value = (uint32_t)m;
675             return (TIFFReadDirEntryErrOk);
676         }
677         case TIFF_SHORT:
678         {
679             uint16_t m;
680             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
681             *value = (uint32_t)m;
682             return (TIFFReadDirEntryErrOk);
683         }
684         case TIFF_SSHORT:
685         {
686             int16_t m;
687             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
688             err = TIFFReadDirEntryCheckRangeLongSshort(m);
689             if (err != TIFFReadDirEntryErrOk)
690                 return (err);
691             *value = (uint32_t)m;
692             return (TIFFReadDirEntryErrOk);
693         }
694         case TIFF_LONG:
695             TIFFReadDirEntryCheckedLong(tif, direntry, value);
696             return (TIFFReadDirEntryErrOk);
697         case TIFF_SLONG:
698         {
699             int32_t m;
700             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
701             err = TIFFReadDirEntryCheckRangeLongSlong(m);
702             if (err != TIFFReadDirEntryErrOk)
703                 return (err);
704             *value = (uint32_t)m;
705             return (TIFFReadDirEntryErrOk);
706         }
707         case TIFF_LONG8:
708         {
709             uint64_t m;
710             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
711             if (err != TIFFReadDirEntryErrOk)
712                 return (err);
713             err = TIFFReadDirEntryCheckRangeLongLong8(m);
714             if (err != TIFFReadDirEntryErrOk)
715                 return (err);
716             *value = (uint32_t)m;
717             return (TIFFReadDirEntryErrOk);
718         }
719         case TIFF_SLONG8:
720         {
721             int64_t m;
722             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
723             if (err != TIFFReadDirEntryErrOk)
724                 return (err);
725             err = TIFFReadDirEntryCheckRangeLongSlong8(m);
726             if (err != TIFFReadDirEntryErrOk)
727                 return (err);
728             *value = (uint32_t)m;
729             return (TIFFReadDirEntryErrOk);
730         }
731         default:
732             return (TIFFReadDirEntryErrType);
733     }
734 } /*-- TIFFReadDirEntryLong() --*/
735 
736 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySlong(TIFF * tif,TIFFDirEntry * direntry,int32_t * value)737 TIFFReadDirEntrySlong(TIFF *tif, TIFFDirEntry *direntry, int32_t *value)
738 {
739     enum TIFFReadDirEntryErr err;
740     if (direntry->tdir_count != 1)
741         return (TIFFReadDirEntryErrCount);
742     switch (direntry->tdir_type)
743     {
744         case TIFF_BYTE:
745         {
746             uint8_t m;
747             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
748             *value = (int32_t)m;
749             return (TIFFReadDirEntryErrOk);
750         }
751         case TIFF_SBYTE:
752         {
753             int8_t m;
754             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
755             *value = (int32_t)m;
756             return (TIFFReadDirEntryErrOk);
757         }
758         case TIFF_SHORT:
759         {
760             uint16_t m;
761             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
762             *value = (int32_t)m;
763             return (TIFFReadDirEntryErrOk);
764         }
765         case TIFF_SSHORT:
766         {
767             int16_t m;
768             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
769             *value = (int32_t)m;
770             return (TIFFReadDirEntryErrOk);
771         }
772         case TIFF_LONG:
773         {
774             uint32_t m;
775             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
776             err = TIFFReadDirEntryCheckRangeSlongLong(m);
777             if (err != TIFFReadDirEntryErrOk)
778                 return (err);
779             *value = (int32_t)m;
780             return (TIFFReadDirEntryErrOk);
781         }
782         case TIFF_SLONG:
783             TIFFReadDirEntryCheckedSlong(tif, direntry, value);
784             return (TIFFReadDirEntryErrOk);
785         case TIFF_LONG8:
786         {
787             uint64_t m;
788             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
789             if (err != TIFFReadDirEntryErrOk)
790                 return (err);
791             err = TIFFReadDirEntryCheckRangeSlongLong8(m);
792             if (err != TIFFReadDirEntryErrOk)
793                 return (err);
794             *value = (int32_t)m;
795             return (TIFFReadDirEntryErrOk);
796         }
797         case TIFF_SLONG8:
798         {
799             int64_t m;
800             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
801             if (err != TIFFReadDirEntryErrOk)
802                 return (err);
803             err = TIFFReadDirEntryCheckRangeSlongSlong8(m);
804             if (err != TIFFReadDirEntryErrOk)
805                 return (err);
806             *value = (int32_t)m;
807             return (TIFFReadDirEntryErrOk);
808         }
809         default:
810             return (TIFFReadDirEntryErrType);
811     }
812 } /*-- TIFFReadDirEntrySlong() --*/
813 
814 static enum TIFFReadDirEntryErr
TIFFReadDirEntryLong8(TIFF * tif,TIFFDirEntry * direntry,uint64_t * value)815 TIFFReadDirEntryLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
816 {
817     enum TIFFReadDirEntryErr err;
818     if (direntry->tdir_count != 1)
819         return (TIFFReadDirEntryErrCount);
820     switch (direntry->tdir_type)
821     {
822         case TIFF_BYTE:
823         {
824             uint8_t m;
825             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
826             *value = (uint64_t)m;
827             return (TIFFReadDirEntryErrOk);
828         }
829         case TIFF_SBYTE:
830         {
831             int8_t m;
832             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
833             err = TIFFReadDirEntryCheckRangeLong8Sbyte(m);
834             if (err != TIFFReadDirEntryErrOk)
835                 return (err);
836             *value = (uint64_t)m;
837             return (TIFFReadDirEntryErrOk);
838         }
839         case TIFF_SHORT:
840         {
841             uint16_t m;
842             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
843             *value = (uint64_t)m;
844             return (TIFFReadDirEntryErrOk);
845         }
846         case TIFF_SSHORT:
847         {
848             int16_t m;
849             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
850             err = TIFFReadDirEntryCheckRangeLong8Sshort(m);
851             if (err != TIFFReadDirEntryErrOk)
852                 return (err);
853             *value = (uint64_t)m;
854             return (TIFFReadDirEntryErrOk);
855         }
856         case TIFF_LONG:
857         {
858             uint32_t m;
859             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
860             *value = (uint64_t)m;
861             return (TIFFReadDirEntryErrOk);
862         }
863         case TIFF_SLONG:
864         {
865             int32_t m;
866             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
867             err = TIFFReadDirEntryCheckRangeLong8Slong(m);
868             if (err != TIFFReadDirEntryErrOk)
869                 return (err);
870             *value = (uint64_t)m;
871             return (TIFFReadDirEntryErrOk);
872         }
873         case TIFF_LONG8:
874             err = TIFFReadDirEntryCheckedLong8(tif, direntry, value);
875             return (err);
876         case TIFF_SLONG8:
877         {
878             int64_t m;
879             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
880             if (err != TIFFReadDirEntryErrOk)
881                 return (err);
882             err = TIFFReadDirEntryCheckRangeLong8Slong8(m);
883             if (err != TIFFReadDirEntryErrOk)
884                 return (err);
885             *value = (uint64_t)m;
886             return (TIFFReadDirEntryErrOk);
887         }
888         default:
889             return (TIFFReadDirEntryErrType);
890     }
891 } /*-- TIFFReadDirEntryLong8() --*/
892 
893 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySlong8(TIFF * tif,TIFFDirEntry * direntry,int64_t * value)894 TIFFReadDirEntrySlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value)
895 {
896     enum TIFFReadDirEntryErr err;
897     if (direntry->tdir_count != 1)
898         return (TIFFReadDirEntryErrCount);
899     switch (direntry->tdir_type)
900     {
901         case TIFF_BYTE:
902         {
903             uint8_t m;
904             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
905             *value = (int64_t)m;
906             return (TIFFReadDirEntryErrOk);
907         }
908         case TIFF_SBYTE:
909         {
910             int8_t m;
911             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
912             *value = (int64_t)m;
913             return (TIFFReadDirEntryErrOk);
914         }
915         case TIFF_SHORT:
916         {
917             uint16_t m;
918             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
919             *value = (int64_t)m;
920             return (TIFFReadDirEntryErrOk);
921         }
922         case TIFF_SSHORT:
923         {
924             int16_t m;
925             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
926             *value = (int64_t)m;
927             return (TIFFReadDirEntryErrOk);
928         }
929         case TIFF_LONG:
930         {
931             uint32_t m;
932             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
933             *value = (int64_t)m;
934             return (TIFFReadDirEntryErrOk);
935         }
936         case TIFF_SLONG:
937         {
938             int32_t m;
939             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
940             *value = (int64_t)m;
941             return (TIFFReadDirEntryErrOk);
942         }
943         case TIFF_LONG8:
944         {
945             uint64_t m;
946             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
947             if (err != TIFFReadDirEntryErrOk)
948                 return (err);
949             err = TIFFReadDirEntryCheckRangeSlong8Long8(m);
950             if (err != TIFFReadDirEntryErrOk)
951                 return (err);
952             *value = (int64_t)m;
953             return (TIFFReadDirEntryErrOk);
954         }
955         case TIFF_SLONG8:
956             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, value);
957             return (err);
958         default:
959             return (TIFFReadDirEntryErrType);
960     }
961 } /*-- TIFFReadDirEntrySlong8() --*/
962 
963 static enum TIFFReadDirEntryErr
TIFFReadDirEntryFloat(TIFF * tif,TIFFDirEntry * direntry,float * value)964 TIFFReadDirEntryFloat(TIFF *tif, TIFFDirEntry *direntry, float *value)
965 {
966     enum TIFFReadDirEntryErr err;
967     if (direntry->tdir_count != 1)
968         return (TIFFReadDirEntryErrCount);
969     switch (direntry->tdir_type)
970     {
971         case TIFF_BYTE:
972         {
973             uint8_t m;
974             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
975             *value = (float)m;
976             return (TIFFReadDirEntryErrOk);
977         }
978         case TIFF_SBYTE:
979         {
980             int8_t m;
981             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
982             *value = (float)m;
983             return (TIFFReadDirEntryErrOk);
984         }
985         case TIFF_SHORT:
986         {
987             uint16_t m;
988             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
989             *value = (float)m;
990             return (TIFFReadDirEntryErrOk);
991         }
992         case TIFF_SSHORT:
993         {
994             int16_t m;
995             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
996             *value = (float)m;
997             return (TIFFReadDirEntryErrOk);
998         }
999         case TIFF_LONG:
1000         {
1001             uint32_t m;
1002             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1003             *value = (float)m;
1004             return (TIFFReadDirEntryErrOk);
1005         }
1006         case TIFF_SLONG:
1007         {
1008             int32_t m;
1009             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
1010             *value = (float)m;
1011             return (TIFFReadDirEntryErrOk);
1012         }
1013         case TIFF_LONG8:
1014         {
1015             uint64_t m;
1016             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
1017             if (err != TIFFReadDirEntryErrOk)
1018                 return (err);
1019 #if defined(__WIN32__) && (_MSC_VER < 1500)
1020             /*
1021              * XXX: MSVC 6.0 does not support conversion
1022              * of 64-bit integers into floating point
1023              * values.
1024              */
1025             *value = _TIFFUInt64ToFloat(m);
1026 #else
1027             *value = (float)m;
1028 #endif
1029             return (TIFFReadDirEntryErrOk);
1030         }
1031         case TIFF_SLONG8:
1032         {
1033             int64_t m;
1034             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
1035             if (err != TIFFReadDirEntryErrOk)
1036                 return (err);
1037             *value = (float)m;
1038             return (TIFFReadDirEntryErrOk);
1039         }
1040         case TIFF_RATIONAL:
1041         {
1042             double m;
1043             err = TIFFReadDirEntryCheckedRational(tif, direntry, &m);
1044             if (err != TIFFReadDirEntryErrOk)
1045                 return (err);
1046             *value = (float)m;
1047             return (TIFFReadDirEntryErrOk);
1048         }
1049         case TIFF_SRATIONAL:
1050         {
1051             double m;
1052             err = TIFFReadDirEntryCheckedSrational(tif, direntry, &m);
1053             if (err != TIFFReadDirEntryErrOk)
1054                 return (err);
1055             *value = (float)m;
1056             return (TIFFReadDirEntryErrOk);
1057         }
1058         case TIFF_FLOAT:
1059             TIFFReadDirEntryCheckedFloat(tif, direntry, value);
1060             return (TIFFReadDirEntryErrOk);
1061         case TIFF_DOUBLE:
1062         {
1063             double m;
1064             err = TIFFReadDirEntryCheckedDouble(tif, direntry, &m);
1065             if (err != TIFFReadDirEntryErrOk)
1066                 return (err);
1067             if ((m > FLT_MAX) || (m < -FLT_MAX))
1068                 return (TIFFReadDirEntryErrRange);
1069             *value = (float)m;
1070             return (TIFFReadDirEntryErrOk);
1071         }
1072         default:
1073             return (TIFFReadDirEntryErrType);
1074     }
1075 }
1076 
1077 static enum TIFFReadDirEntryErr
TIFFReadDirEntryDouble(TIFF * tif,TIFFDirEntry * direntry,double * value)1078 TIFFReadDirEntryDouble(TIFF *tif, TIFFDirEntry *direntry, double *value)
1079 {
1080     enum TIFFReadDirEntryErr err;
1081     if (direntry->tdir_count != 1)
1082         return (TIFFReadDirEntryErrCount);
1083     switch (direntry->tdir_type)
1084     {
1085         case TIFF_BYTE:
1086         {
1087             uint8_t m;
1088             TIFFReadDirEntryCheckedByte(tif, direntry, &m);
1089             *value = (double)m;
1090             return (TIFFReadDirEntryErrOk);
1091         }
1092         case TIFF_SBYTE:
1093         {
1094             int8_t m;
1095             TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
1096             *value = (double)m;
1097             return (TIFFReadDirEntryErrOk);
1098         }
1099         case TIFF_SHORT:
1100         {
1101             uint16_t m;
1102             TIFFReadDirEntryCheckedShort(tif, direntry, &m);
1103             *value = (double)m;
1104             return (TIFFReadDirEntryErrOk);
1105         }
1106         case TIFF_SSHORT:
1107         {
1108             int16_t m;
1109             TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
1110             *value = (double)m;
1111             return (TIFFReadDirEntryErrOk);
1112         }
1113         case TIFF_LONG:
1114         {
1115             uint32_t m;
1116             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1117             *value = (double)m;
1118             return (TIFFReadDirEntryErrOk);
1119         }
1120         case TIFF_SLONG:
1121         {
1122             int32_t m;
1123             TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
1124             *value = (double)m;
1125             return (TIFFReadDirEntryErrOk);
1126         }
1127         case TIFF_LONG8:
1128         {
1129             uint64_t m;
1130             err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
1131             if (err != TIFFReadDirEntryErrOk)
1132                 return (err);
1133 #if defined(__WIN32__) && (_MSC_VER < 1500)
1134             /*
1135              * XXX: MSVC 6.0 does not support conversion
1136              * of 64-bit integers into floating point
1137              * values.
1138              */
1139             *value = _TIFFUInt64ToDouble(m);
1140 #else
1141             *value = (double)m;
1142 #endif
1143             return (TIFFReadDirEntryErrOk);
1144         }
1145         case TIFF_SLONG8:
1146         {
1147             int64_t m;
1148             err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
1149             if (err != TIFFReadDirEntryErrOk)
1150                 return (err);
1151             *value = (double)m;
1152             return (TIFFReadDirEntryErrOk);
1153         }
1154         case TIFF_RATIONAL:
1155             err = TIFFReadDirEntryCheckedRational(tif, direntry, value);
1156             return (err);
1157         case TIFF_SRATIONAL:
1158             err = TIFFReadDirEntryCheckedSrational(tif, direntry, value);
1159             return (err);
1160         case TIFF_FLOAT:
1161         {
1162             float m;
1163             TIFFReadDirEntryCheckedFloat(tif, direntry, &m);
1164             *value = (double)m;
1165             return (TIFFReadDirEntryErrOk);
1166         }
1167         case TIFF_DOUBLE:
1168             err = TIFFReadDirEntryCheckedDouble(tif, direntry, value);
1169             return (err);
1170         default:
1171             return (TIFFReadDirEntryErrType);
1172     }
1173 }
1174 
1175 static enum TIFFReadDirEntryErr
TIFFReadDirEntryIfd8(TIFF * tif,TIFFDirEntry * direntry,uint64_t * value)1176 TIFFReadDirEntryIfd8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
1177 {
1178     enum TIFFReadDirEntryErr err;
1179     if (direntry->tdir_count != 1)
1180         return (TIFFReadDirEntryErrCount);
1181     switch (direntry->tdir_type)
1182     {
1183         case TIFF_LONG:
1184         case TIFF_IFD:
1185         {
1186             uint32_t m;
1187             TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1188             *value = (uint64_t)m;
1189             return (TIFFReadDirEntryErrOk);
1190         }
1191         case TIFF_LONG8:
1192         case TIFF_IFD8:
1193             err = TIFFReadDirEntryCheckedLong8(tif, direntry, value);
1194             return (err);
1195         default:
1196             return (TIFFReadDirEntryErrType);
1197     }
1198 }
1199 
1200 #define INITIAL_THRESHOLD (1024 * 1024)
1201 #define THRESHOLD_MULTIPLIER 10
1202 #define MAX_THRESHOLD                                                          \
1203     (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER *      \
1204      INITIAL_THRESHOLD)
1205 
TIFFReadDirEntryDataAndRealloc(TIFF * tif,uint64_t offset,tmsize_t size,void ** pdest)1206 static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(TIFF *tif,
1207                                                                uint64_t offset,
1208                                                                tmsize_t size,
1209                                                                void **pdest)
1210 {
1211 #if SIZEOF_SIZE_T == 8
1212     tmsize_t threshold = INITIAL_THRESHOLD;
1213 #endif
1214     tmsize_t already_read = 0;
1215 
1216     assert(!isMapped(tif));
1217 
1218     if (!SeekOK(tif, offset))
1219         return (TIFFReadDirEntryErrIo);
1220 
1221     /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
1222     /* so as to avoid allocating too much memory in case the file is too */
1223     /* short. We could ask for the file size, but this might be */
1224     /* expensive with some I/O layers (think of reading a gzipped file) */
1225     /* Restrict to 64 bit processes, so as to avoid reallocs() */
1226     /* on 32 bit processes where virtual memory is scarce.  */
1227     while (already_read < size)
1228     {
1229         void *new_dest;
1230         tmsize_t bytes_read;
1231         tmsize_t to_read = size - already_read;
1232 #if SIZEOF_SIZE_T == 8
1233         if (to_read >= threshold && threshold < MAX_THRESHOLD)
1234         {
1235             to_read = threshold;
1236             threshold *= THRESHOLD_MULTIPLIER;
1237         }
1238 #endif
1239 
1240         new_dest =
1241             (uint8_t *)_TIFFreallocExt(tif, *pdest, already_read + to_read);
1242         if (new_dest == NULL)
1243         {
1244             TIFFErrorExtR(tif, tif->tif_name,
1245                           "Failed to allocate memory for %s "
1246                           "(%" TIFF_SSIZE_FORMAT
1247                           " elements of %" TIFF_SSIZE_FORMAT " bytes each)",
1248                           "TIFFReadDirEntryArray", (tmsize_t)1,
1249                           already_read + to_read);
1250             return TIFFReadDirEntryErrAlloc;
1251         }
1252         *pdest = new_dest;
1253 
1254         bytes_read = TIFFReadFile(tif, (char *)*pdest + already_read, to_read);
1255         already_read += bytes_read;
1256         if (bytes_read != to_read)
1257         {
1258             return TIFFReadDirEntryErrIo;
1259         }
1260     }
1261     return TIFFReadDirEntryErrOk;
1262 }
1263 
1264 /* Caution: if raising that value, make sure int32 / uint32 overflows can't
1265  * occur elsewhere */
1266 #define MAX_SIZE_TAG_DATA 2147483647U
1267 
1268 static enum TIFFReadDirEntryErr
TIFFReadDirEntryArrayWithLimit(TIFF * tif,TIFFDirEntry * direntry,uint32_t * count,uint32_t desttypesize,void ** value,uint64_t maxcount)1269 TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
1270                                uint32_t *count, uint32_t desttypesize,
1271                                void **value, uint64_t maxcount)
1272 {
1273     int typesize;
1274     uint32_t datasize;
1275     void *data;
1276     uint64_t target_count64;
1277     int original_datasize_clamped;
1278     typesize = TIFFDataWidth(direntry->tdir_type);
1279 
1280     target_count64 =
1281         (direntry->tdir_count > maxcount) ? maxcount : direntry->tdir_count;
1282 
1283     if ((target_count64 == 0) || (typesize == 0))
1284     {
1285         *value = 0;
1286         return (TIFFReadDirEntryErrOk);
1287     }
1288     (void)desttypesize;
1289 
1290     /* We just want to know if the original tag size is more than 4 bytes
1291      * (classic TIFF) or 8 bytes (BigTIFF)
1292      */
1293     original_datasize_clamped =
1294         ((direntry->tdir_count > 10) ? 10 : (int)direntry->tdir_count) *
1295         typesize;
1296 
1297     /*
1298      * As a sanity check, make sure we have no more than a 2GB tag array
1299      * in either the current data type or the dest data type.  This also
1300      * avoids problems with overflow of tmsize_t on 32bit systems.
1301      */
1302     if ((uint64_t)(MAX_SIZE_TAG_DATA / typesize) < target_count64)
1303         return (TIFFReadDirEntryErrSizesan);
1304     if ((uint64_t)(MAX_SIZE_TAG_DATA / desttypesize) < target_count64)
1305         return (TIFFReadDirEntryErrSizesan);
1306 
1307     *count = (uint32_t)target_count64;
1308     datasize = (*count) * typesize;
1309     assert((tmsize_t)datasize > 0);
1310 
1311     if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
1312         return TIFFReadDirEntryErrIo;
1313 
1314     if (!isMapped(tif) && (((tif->tif_flags & TIFF_BIGTIFF) && datasize > 8) ||
1315                            (!(tif->tif_flags & TIFF_BIGTIFF) && datasize > 4)))
1316     {
1317         data = NULL;
1318     }
1319     else
1320     {
1321         data = _TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
1322         if (data == 0)
1323             return (TIFFReadDirEntryErrAlloc);
1324     }
1325     if (!(tif->tif_flags & TIFF_BIGTIFF))
1326     {
1327         /* Only the condition on original_datasize_clamped. The second
1328          * one is implied, but Coverity Scan cannot see it. */
1329         if (original_datasize_clamped <= 4 && datasize <= 4)
1330             _TIFFmemcpy(data, &direntry->tdir_offset, datasize);
1331         else
1332         {
1333             enum TIFFReadDirEntryErr err;
1334             uint32_t offset = direntry->tdir_offset.toff_long;
1335             if (tif->tif_flags & TIFF_SWAB)
1336                 TIFFSwabLong(&offset);
1337             if (isMapped(tif))
1338                 err = TIFFReadDirEntryData(tif, (uint64_t)offset,
1339                                            (tmsize_t)datasize, data);
1340             else
1341                 err = TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset,
1342                                                      (tmsize_t)datasize, &data);
1343             if (err != TIFFReadDirEntryErrOk)
1344             {
1345                 _TIFFfreeExt(tif, data);
1346                 return (err);
1347             }
1348         }
1349     }
1350     else
1351     {
1352         /* See above comment for the Classic TIFF case */
1353         if (original_datasize_clamped <= 8 && datasize <= 8)
1354             _TIFFmemcpy(data, &direntry->tdir_offset, datasize);
1355         else
1356         {
1357             enum TIFFReadDirEntryErr err;
1358             uint64_t offset = direntry->tdir_offset.toff_long8;
1359             if (tif->tif_flags & TIFF_SWAB)
1360                 TIFFSwabLong8(&offset);
1361             if (isMapped(tif))
1362                 err = TIFFReadDirEntryData(tif, (uint64_t)offset,
1363                                            (tmsize_t)datasize, data);
1364             else
1365                 err = TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset,
1366                                                      (tmsize_t)datasize, &data);
1367             if (err != TIFFReadDirEntryErrOk)
1368             {
1369                 _TIFFfreeExt(tif, data);
1370                 return (err);
1371             }
1372         }
1373     }
1374     *value = data;
1375     return (TIFFReadDirEntryErrOk);
1376 }
1377 
1378 static enum TIFFReadDirEntryErr
TIFFReadDirEntryArray(TIFF * tif,TIFFDirEntry * direntry,uint32_t * count,uint32_t desttypesize,void ** value)1379 TIFFReadDirEntryArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t *count,
1380                       uint32_t desttypesize, void **value)
1381 {
1382     return TIFFReadDirEntryArrayWithLimit(tif, direntry, count, desttypesize,
1383                                           value, ~((uint64_t)0));
1384 }
1385 
1386 static enum TIFFReadDirEntryErr
TIFFReadDirEntryByteArray(TIFF * tif,TIFFDirEntry * direntry,uint8_t ** value)1387 TIFFReadDirEntryByteArray(TIFF *tif, TIFFDirEntry *direntry, uint8_t **value)
1388 {
1389     enum TIFFReadDirEntryErr err;
1390     uint32_t count;
1391     void *origdata;
1392     uint8_t *data;
1393     switch (direntry->tdir_type)
1394     {
1395         case TIFF_ASCII:
1396         case TIFF_UNDEFINED:
1397         case TIFF_BYTE:
1398         case TIFF_SBYTE:
1399         case TIFF_SHORT:
1400         case TIFF_SSHORT:
1401         case TIFF_LONG:
1402         case TIFF_SLONG:
1403         case TIFF_LONG8:
1404         case TIFF_SLONG8:
1405             break;
1406         default:
1407             return (TIFFReadDirEntryErrType);
1408     }
1409     err = TIFFReadDirEntryArray(tif, direntry, &count, 1, &origdata);
1410     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1411     {
1412         *value = 0;
1413         return (err);
1414     }
1415     switch (direntry->tdir_type)
1416     {
1417         case TIFF_ASCII:
1418         case TIFF_UNDEFINED:
1419         case TIFF_BYTE:
1420             *value = (uint8_t *)origdata;
1421             return (TIFFReadDirEntryErrOk);
1422         case TIFF_SBYTE:
1423         {
1424             int8_t *m;
1425             uint32_t n;
1426             m = (int8_t *)origdata;
1427             for (n = 0; n < count; n++)
1428             {
1429                 err = TIFFReadDirEntryCheckRangeByteSbyte(*m);
1430                 if (err != TIFFReadDirEntryErrOk)
1431                 {
1432                     _TIFFfreeExt(tif, origdata);
1433                     return (err);
1434                 }
1435                 m++;
1436             }
1437             *value = (uint8_t *)origdata;
1438             return (TIFFReadDirEntryErrOk);
1439         }
1440     }
1441     data = (uint8_t *)_TIFFmallocExt(tif, count);
1442     if (data == 0)
1443     {
1444         _TIFFfreeExt(tif, origdata);
1445         return (TIFFReadDirEntryErrAlloc);
1446     }
1447     switch (direntry->tdir_type)
1448     {
1449         case TIFF_SHORT:
1450         {
1451             uint16_t *ma;
1452             uint8_t *mb;
1453             uint32_t n;
1454             ma = (uint16_t *)origdata;
1455             mb = data;
1456             for (n = 0; n < count; n++)
1457             {
1458                 if (tif->tif_flags & TIFF_SWAB)
1459                     TIFFSwabShort(ma);
1460                 err = TIFFReadDirEntryCheckRangeByteShort(*ma);
1461                 if (err != TIFFReadDirEntryErrOk)
1462                     break;
1463                 *mb++ = (uint8_t)(*ma++);
1464             }
1465         }
1466         break;
1467         case TIFF_SSHORT:
1468         {
1469             int16_t *ma;
1470             uint8_t *mb;
1471             uint32_t n;
1472             ma = (int16_t *)origdata;
1473             mb = data;
1474             for (n = 0; n < count; n++)
1475             {
1476                 if (tif->tif_flags & TIFF_SWAB)
1477                     TIFFSwabShort((uint16_t *)ma);
1478                 err = TIFFReadDirEntryCheckRangeByteSshort(*ma);
1479                 if (err != TIFFReadDirEntryErrOk)
1480                     break;
1481                 *mb++ = (uint8_t)(*ma++);
1482             }
1483         }
1484         break;
1485         case TIFF_LONG:
1486         {
1487             uint32_t *ma;
1488             uint8_t *mb;
1489             uint32_t n;
1490             ma = (uint32_t *)origdata;
1491             mb = data;
1492             for (n = 0; n < count; n++)
1493             {
1494                 if (tif->tif_flags & TIFF_SWAB)
1495                     TIFFSwabLong(ma);
1496                 err = TIFFReadDirEntryCheckRangeByteLong(*ma);
1497                 if (err != TIFFReadDirEntryErrOk)
1498                     break;
1499                 *mb++ = (uint8_t)(*ma++);
1500             }
1501         }
1502         break;
1503         case TIFF_SLONG:
1504         {
1505             int32_t *ma;
1506             uint8_t *mb;
1507             uint32_t n;
1508             ma = (int32_t *)origdata;
1509             mb = data;
1510             for (n = 0; n < count; n++)
1511             {
1512                 if (tif->tif_flags & TIFF_SWAB)
1513                     TIFFSwabLong((uint32_t *)ma);
1514                 err = TIFFReadDirEntryCheckRangeByteSlong(*ma);
1515                 if (err != TIFFReadDirEntryErrOk)
1516                     break;
1517                 *mb++ = (uint8_t)(*ma++);
1518             }
1519         }
1520         break;
1521         case TIFF_LONG8:
1522         {
1523             uint64_t *ma;
1524             uint8_t *mb;
1525             uint32_t n;
1526             ma = (uint64_t *)origdata;
1527             mb = data;
1528             for (n = 0; n < count; n++)
1529             {
1530                 if (tif->tif_flags & TIFF_SWAB)
1531                     TIFFSwabLong8(ma);
1532                 err = TIFFReadDirEntryCheckRangeByteLong8(*ma);
1533                 if (err != TIFFReadDirEntryErrOk)
1534                     break;
1535                 *mb++ = (uint8_t)(*ma++);
1536             }
1537         }
1538         break;
1539         case TIFF_SLONG8:
1540         {
1541             int64_t *ma;
1542             uint8_t *mb;
1543             uint32_t n;
1544             ma = (int64_t *)origdata;
1545             mb = data;
1546             for (n = 0; n < count; n++)
1547             {
1548                 if (tif->tif_flags & TIFF_SWAB)
1549                     TIFFSwabLong8((uint64_t *)ma);
1550                 err = TIFFReadDirEntryCheckRangeByteSlong8(*ma);
1551                 if (err != TIFFReadDirEntryErrOk)
1552                     break;
1553                 *mb++ = (uint8_t)(*ma++);
1554             }
1555         }
1556         break;
1557     }
1558     _TIFFfreeExt(tif, origdata);
1559     if (err != TIFFReadDirEntryErrOk)
1560     {
1561         _TIFFfreeExt(tif, data);
1562         return (err);
1563     }
1564     *value = data;
1565     return (TIFFReadDirEntryErrOk);
1566 }
1567 
1568 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySbyteArray(TIFF * tif,TIFFDirEntry * direntry,int8_t ** value)1569 TIFFReadDirEntrySbyteArray(TIFF *tif, TIFFDirEntry *direntry, int8_t **value)
1570 {
1571     enum TIFFReadDirEntryErr err;
1572     uint32_t count;
1573     void *origdata;
1574     int8_t *data;
1575     switch (direntry->tdir_type)
1576     {
1577         case TIFF_UNDEFINED:
1578         case TIFF_BYTE:
1579         case TIFF_SBYTE:
1580         case TIFF_SHORT:
1581         case TIFF_SSHORT:
1582         case TIFF_LONG:
1583         case TIFF_SLONG:
1584         case TIFF_LONG8:
1585         case TIFF_SLONG8:
1586             break;
1587         default:
1588             return (TIFFReadDirEntryErrType);
1589     }
1590     err = TIFFReadDirEntryArray(tif, direntry, &count, 1, &origdata);
1591     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1592     {
1593         *value = 0;
1594         return (err);
1595     }
1596     switch (direntry->tdir_type)
1597     {
1598         case TIFF_UNDEFINED:
1599         case TIFF_BYTE:
1600         {
1601             uint8_t *m;
1602             uint32_t n;
1603             m = (uint8_t *)origdata;
1604             for (n = 0; n < count; n++)
1605             {
1606                 err = TIFFReadDirEntryCheckRangeSbyteByte(*m);
1607                 if (err != TIFFReadDirEntryErrOk)
1608                 {
1609                     _TIFFfreeExt(tif, origdata);
1610                     return (err);
1611                 }
1612                 m++;
1613             }
1614             *value = (int8_t *)origdata;
1615             return (TIFFReadDirEntryErrOk);
1616         }
1617         case TIFF_SBYTE:
1618             *value = (int8_t *)origdata;
1619             return (TIFFReadDirEntryErrOk);
1620     }
1621     data = (int8_t *)_TIFFmallocExt(tif, count);
1622     if (data == 0)
1623     {
1624         _TIFFfreeExt(tif, origdata);
1625         return (TIFFReadDirEntryErrAlloc);
1626     }
1627     switch (direntry->tdir_type)
1628     {
1629         case TIFF_SHORT:
1630         {
1631             uint16_t *ma;
1632             int8_t *mb;
1633             uint32_t n;
1634             ma = (uint16_t *)origdata;
1635             mb = data;
1636             for (n = 0; n < count; n++)
1637             {
1638                 if (tif->tif_flags & TIFF_SWAB)
1639                     TIFFSwabShort(ma);
1640                 err = TIFFReadDirEntryCheckRangeSbyteShort(*ma);
1641                 if (err != TIFFReadDirEntryErrOk)
1642                     break;
1643                 *mb++ = (int8_t)(*ma++);
1644             }
1645         }
1646         break;
1647         case TIFF_SSHORT:
1648         {
1649             int16_t *ma;
1650             int8_t *mb;
1651             uint32_t n;
1652             ma = (int16_t *)origdata;
1653             mb = data;
1654             for (n = 0; n < count; n++)
1655             {
1656                 if (tif->tif_flags & TIFF_SWAB)
1657                     TIFFSwabShort((uint16_t *)ma);
1658                 err = TIFFReadDirEntryCheckRangeSbyteSshort(*ma);
1659                 if (err != TIFFReadDirEntryErrOk)
1660                     break;
1661                 *mb++ = (int8_t)(*ma++);
1662             }
1663         }
1664         break;
1665         case TIFF_LONG:
1666         {
1667             uint32_t *ma;
1668             int8_t *mb;
1669             uint32_t n;
1670             ma = (uint32_t *)origdata;
1671             mb = data;
1672             for (n = 0; n < count; n++)
1673             {
1674                 if (tif->tif_flags & TIFF_SWAB)
1675                     TIFFSwabLong(ma);
1676                 err = TIFFReadDirEntryCheckRangeSbyteLong(*ma);
1677                 if (err != TIFFReadDirEntryErrOk)
1678                     break;
1679                 *mb++ = (int8_t)(*ma++);
1680             }
1681         }
1682         break;
1683         case TIFF_SLONG:
1684         {
1685             int32_t *ma;
1686             int8_t *mb;
1687             uint32_t n;
1688             ma = (int32_t *)origdata;
1689             mb = data;
1690             for (n = 0; n < count; n++)
1691             {
1692                 if (tif->tif_flags & TIFF_SWAB)
1693                     TIFFSwabLong((uint32_t *)ma);
1694                 err = TIFFReadDirEntryCheckRangeSbyteSlong(*ma);
1695                 if (err != TIFFReadDirEntryErrOk)
1696                     break;
1697                 *mb++ = (int8_t)(*ma++);
1698             }
1699         }
1700         break;
1701         case TIFF_LONG8:
1702         {
1703             uint64_t *ma;
1704             int8_t *mb;
1705             uint32_t n;
1706             ma = (uint64_t *)origdata;
1707             mb = data;
1708             for (n = 0; n < count; n++)
1709             {
1710                 if (tif->tif_flags & TIFF_SWAB)
1711                     TIFFSwabLong8(ma);
1712                 err = TIFFReadDirEntryCheckRangeSbyteLong8(*ma);
1713                 if (err != TIFFReadDirEntryErrOk)
1714                     break;
1715                 *mb++ = (int8_t)(*ma++);
1716             }
1717         }
1718         break;
1719         case TIFF_SLONG8:
1720         {
1721             int64_t *ma;
1722             int8_t *mb;
1723             uint32_t n;
1724             ma = (int64_t *)origdata;
1725             mb = data;
1726             for (n = 0; n < count; n++)
1727             {
1728                 if (tif->tif_flags & TIFF_SWAB)
1729                     TIFFSwabLong8((uint64_t *)ma);
1730                 err = TIFFReadDirEntryCheckRangeSbyteSlong8(*ma);
1731                 if (err != TIFFReadDirEntryErrOk)
1732                     break;
1733                 *mb++ = (int8_t)(*ma++);
1734             }
1735         }
1736         break;
1737     }
1738     _TIFFfreeExt(tif, origdata);
1739     if (err != TIFFReadDirEntryErrOk)
1740     {
1741         _TIFFfreeExt(tif, data);
1742         return (err);
1743     }
1744     *value = data;
1745     return (TIFFReadDirEntryErrOk);
1746 }
1747 
1748 static enum TIFFReadDirEntryErr
TIFFReadDirEntryShortArray(TIFF * tif,TIFFDirEntry * direntry,uint16_t ** value)1749 TIFFReadDirEntryShortArray(TIFF *tif, TIFFDirEntry *direntry, uint16_t **value)
1750 {
1751     enum TIFFReadDirEntryErr err;
1752     uint32_t count;
1753     void *origdata;
1754     uint16_t *data;
1755     switch (direntry->tdir_type)
1756     {
1757         case TIFF_BYTE:
1758         case TIFF_SBYTE:
1759         case TIFF_SHORT:
1760         case TIFF_SSHORT:
1761         case TIFF_LONG:
1762         case TIFF_SLONG:
1763         case TIFF_LONG8:
1764         case TIFF_SLONG8:
1765             break;
1766         default:
1767             return (TIFFReadDirEntryErrType);
1768     }
1769     err = TIFFReadDirEntryArray(tif, direntry, &count, 2, &origdata);
1770     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1771     {
1772         *value = 0;
1773         return (err);
1774     }
1775     switch (direntry->tdir_type)
1776     {
1777         case TIFF_SHORT:
1778             *value = (uint16_t *)origdata;
1779             if (tif->tif_flags & TIFF_SWAB)
1780                 TIFFSwabArrayOfShort(*value, count);
1781             return (TIFFReadDirEntryErrOk);
1782         case TIFF_SSHORT:
1783         {
1784             int16_t *m;
1785             uint32_t n;
1786             m = (int16_t *)origdata;
1787             for (n = 0; n < count; n++)
1788             {
1789                 if (tif->tif_flags & TIFF_SWAB)
1790                     TIFFSwabShort((uint16_t *)m);
1791                 err = TIFFReadDirEntryCheckRangeShortSshort(*m);
1792                 if (err != TIFFReadDirEntryErrOk)
1793                 {
1794                     _TIFFfreeExt(tif, origdata);
1795                     return (err);
1796                 }
1797                 m++;
1798             }
1799             *value = (uint16_t *)origdata;
1800             return (TIFFReadDirEntryErrOk);
1801         }
1802     }
1803     data = (uint16_t *)_TIFFmallocExt(tif, count * 2);
1804     if (data == 0)
1805     {
1806         _TIFFfreeExt(tif, origdata);
1807         return (TIFFReadDirEntryErrAlloc);
1808     }
1809     switch (direntry->tdir_type)
1810     {
1811         case TIFF_BYTE:
1812         {
1813             uint8_t *ma;
1814             uint16_t *mb;
1815             uint32_t n;
1816             ma = (uint8_t *)origdata;
1817             mb = data;
1818             for (n = 0; n < count; n++)
1819                 *mb++ = (uint16_t)(*ma++);
1820         }
1821         break;
1822         case TIFF_SBYTE:
1823         {
1824             int8_t *ma;
1825             uint16_t *mb;
1826             uint32_t n;
1827             ma = (int8_t *)origdata;
1828             mb = data;
1829             for (n = 0; n < count; n++)
1830             {
1831                 err = TIFFReadDirEntryCheckRangeShortSbyte(*ma);
1832                 if (err != TIFFReadDirEntryErrOk)
1833                     break;
1834                 *mb++ = (uint16_t)(*ma++);
1835             }
1836         }
1837         break;
1838         case TIFF_LONG:
1839         {
1840             uint32_t *ma;
1841             uint16_t *mb;
1842             uint32_t n;
1843             ma = (uint32_t *)origdata;
1844             mb = data;
1845             for (n = 0; n < count; n++)
1846             {
1847                 if (tif->tif_flags & TIFF_SWAB)
1848                     TIFFSwabLong(ma);
1849                 err = TIFFReadDirEntryCheckRangeShortLong(*ma);
1850                 if (err != TIFFReadDirEntryErrOk)
1851                     break;
1852                 *mb++ = (uint16_t)(*ma++);
1853             }
1854         }
1855         break;
1856         case TIFF_SLONG:
1857         {
1858             int32_t *ma;
1859             uint16_t *mb;
1860             uint32_t n;
1861             ma = (int32_t *)origdata;
1862             mb = data;
1863             for (n = 0; n < count; n++)
1864             {
1865                 if (tif->tif_flags & TIFF_SWAB)
1866                     TIFFSwabLong((uint32_t *)ma);
1867                 err = TIFFReadDirEntryCheckRangeShortSlong(*ma);
1868                 if (err != TIFFReadDirEntryErrOk)
1869                     break;
1870                 *mb++ = (uint16_t)(*ma++);
1871             }
1872         }
1873         break;
1874         case TIFF_LONG8:
1875         {
1876             uint64_t *ma;
1877             uint16_t *mb;
1878             uint32_t n;
1879             ma = (uint64_t *)origdata;
1880             mb = data;
1881             for (n = 0; n < count; n++)
1882             {
1883                 if (tif->tif_flags & TIFF_SWAB)
1884                     TIFFSwabLong8(ma);
1885                 err = TIFFReadDirEntryCheckRangeShortLong8(*ma);
1886                 if (err != TIFFReadDirEntryErrOk)
1887                     break;
1888                 *mb++ = (uint16_t)(*ma++);
1889             }
1890         }
1891         break;
1892         case TIFF_SLONG8:
1893         {
1894             int64_t *ma;
1895             uint16_t *mb;
1896             uint32_t n;
1897             ma = (int64_t *)origdata;
1898             mb = data;
1899             for (n = 0; n < count; n++)
1900             {
1901                 if (tif->tif_flags & TIFF_SWAB)
1902                     TIFFSwabLong8((uint64_t *)ma);
1903                 err = TIFFReadDirEntryCheckRangeShortSlong8(*ma);
1904                 if (err != TIFFReadDirEntryErrOk)
1905                     break;
1906                 *mb++ = (uint16_t)(*ma++);
1907             }
1908         }
1909         break;
1910     }
1911     _TIFFfreeExt(tif, origdata);
1912     if (err != TIFFReadDirEntryErrOk)
1913     {
1914         _TIFFfreeExt(tif, data);
1915         return (err);
1916     }
1917     *value = data;
1918     return (TIFFReadDirEntryErrOk);
1919 }
1920 
1921 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySshortArray(TIFF * tif,TIFFDirEntry * direntry,int16_t ** value)1922 TIFFReadDirEntrySshortArray(TIFF *tif, TIFFDirEntry *direntry, int16_t **value)
1923 {
1924     enum TIFFReadDirEntryErr err;
1925     uint32_t count;
1926     void *origdata;
1927     int16_t *data;
1928     switch (direntry->tdir_type)
1929     {
1930         case TIFF_BYTE:
1931         case TIFF_SBYTE:
1932         case TIFF_SHORT:
1933         case TIFF_SSHORT:
1934         case TIFF_LONG:
1935         case TIFF_SLONG:
1936         case TIFF_LONG8:
1937         case TIFF_SLONG8:
1938             break;
1939         default:
1940             return (TIFFReadDirEntryErrType);
1941     }
1942     err = TIFFReadDirEntryArray(tif, direntry, &count, 2, &origdata);
1943     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1944     {
1945         *value = 0;
1946         return (err);
1947     }
1948     switch (direntry->tdir_type)
1949     {
1950         case TIFF_SHORT:
1951         {
1952             uint16_t *m;
1953             uint32_t n;
1954             m = (uint16_t *)origdata;
1955             for (n = 0; n < count; n++)
1956             {
1957                 if (tif->tif_flags & TIFF_SWAB)
1958                     TIFFSwabShort(m);
1959                 err = TIFFReadDirEntryCheckRangeSshortShort(*m);
1960                 if (err != TIFFReadDirEntryErrOk)
1961                 {
1962                     _TIFFfreeExt(tif, origdata);
1963                     return (err);
1964                 }
1965                 m++;
1966             }
1967             *value = (int16_t *)origdata;
1968             return (TIFFReadDirEntryErrOk);
1969         }
1970         case TIFF_SSHORT:
1971             *value = (int16_t *)origdata;
1972             if (tif->tif_flags & TIFF_SWAB)
1973                 TIFFSwabArrayOfShort((uint16_t *)(*value), count);
1974             return (TIFFReadDirEntryErrOk);
1975     }
1976     data = (int16_t *)_TIFFmallocExt(tif, count * 2);
1977     if (data == 0)
1978     {
1979         _TIFFfreeExt(tif, origdata);
1980         return (TIFFReadDirEntryErrAlloc);
1981     }
1982     switch (direntry->tdir_type)
1983     {
1984         case TIFF_BYTE:
1985         {
1986             uint8_t *ma;
1987             int16_t *mb;
1988             uint32_t n;
1989             ma = (uint8_t *)origdata;
1990             mb = data;
1991             for (n = 0; n < count; n++)
1992                 *mb++ = (int16_t)(*ma++);
1993         }
1994         break;
1995         case TIFF_SBYTE:
1996         {
1997             int8_t *ma;
1998             int16_t *mb;
1999             uint32_t n;
2000             ma = (int8_t *)origdata;
2001             mb = data;
2002             for (n = 0; n < count; n++)
2003                 *mb++ = (int16_t)(*ma++);
2004         }
2005         break;
2006         case TIFF_LONG:
2007         {
2008             uint32_t *ma;
2009             int16_t *mb;
2010             uint32_t n;
2011             ma = (uint32_t *)origdata;
2012             mb = data;
2013             for (n = 0; n < count; n++)
2014             {
2015                 if (tif->tif_flags & TIFF_SWAB)
2016                     TIFFSwabLong(ma);
2017                 err = TIFFReadDirEntryCheckRangeSshortLong(*ma);
2018                 if (err != TIFFReadDirEntryErrOk)
2019                     break;
2020                 *mb++ = (int16_t)(*ma++);
2021             }
2022         }
2023         break;
2024         case TIFF_SLONG:
2025         {
2026             int32_t *ma;
2027             int16_t *mb;
2028             uint32_t n;
2029             ma = (int32_t *)origdata;
2030             mb = data;
2031             for (n = 0; n < count; n++)
2032             {
2033                 if (tif->tif_flags & TIFF_SWAB)
2034                     TIFFSwabLong((uint32_t *)ma);
2035                 err = TIFFReadDirEntryCheckRangeSshortSlong(*ma);
2036                 if (err != TIFFReadDirEntryErrOk)
2037                     break;
2038                 *mb++ = (int16_t)(*ma++);
2039             }
2040         }
2041         break;
2042         case TIFF_LONG8:
2043         {
2044             uint64_t *ma;
2045             int16_t *mb;
2046             uint32_t n;
2047             ma = (uint64_t *)origdata;
2048             mb = data;
2049             for (n = 0; n < count; n++)
2050             {
2051                 if (tif->tif_flags & TIFF_SWAB)
2052                     TIFFSwabLong8(ma);
2053                 err = TIFFReadDirEntryCheckRangeSshortLong8(*ma);
2054                 if (err != TIFFReadDirEntryErrOk)
2055                     break;
2056                 *mb++ = (int16_t)(*ma++);
2057             }
2058         }
2059         break;
2060         case TIFF_SLONG8:
2061         {
2062             int64_t *ma;
2063             int16_t *mb;
2064             uint32_t n;
2065             ma = (int64_t *)origdata;
2066             mb = data;
2067             for (n = 0; n < count; n++)
2068             {
2069                 if (tif->tif_flags & TIFF_SWAB)
2070                     TIFFSwabLong8((uint64_t *)ma);
2071                 err = TIFFReadDirEntryCheckRangeSshortSlong8(*ma);
2072                 if (err != TIFFReadDirEntryErrOk)
2073                     break;
2074                 *mb++ = (int16_t)(*ma++);
2075             }
2076         }
2077         break;
2078     }
2079     _TIFFfreeExt(tif, origdata);
2080     if (err != TIFFReadDirEntryErrOk)
2081     {
2082         _TIFFfreeExt(tif, data);
2083         return (err);
2084     }
2085     *value = data;
2086     return (TIFFReadDirEntryErrOk);
2087 }
2088 
2089 static enum TIFFReadDirEntryErr
TIFFReadDirEntryLongArray(TIFF * tif,TIFFDirEntry * direntry,uint32_t ** value)2090 TIFFReadDirEntryLongArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t **value)
2091 {
2092     enum TIFFReadDirEntryErr err;
2093     uint32_t count;
2094     void *origdata;
2095     uint32_t *data;
2096     switch (direntry->tdir_type)
2097     {
2098         case TIFF_BYTE:
2099         case TIFF_SBYTE:
2100         case TIFF_SHORT:
2101         case TIFF_SSHORT:
2102         case TIFF_LONG:
2103         case TIFF_SLONG:
2104         case TIFF_LONG8:
2105         case TIFF_SLONG8:
2106             break;
2107         default:
2108             return (TIFFReadDirEntryErrType);
2109     }
2110     err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2111     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2112     {
2113         *value = 0;
2114         return (err);
2115     }
2116     switch (direntry->tdir_type)
2117     {
2118         case TIFF_LONG:
2119             *value = (uint32_t *)origdata;
2120             if (tif->tif_flags & TIFF_SWAB)
2121                 TIFFSwabArrayOfLong(*value, count);
2122             return (TIFFReadDirEntryErrOk);
2123         case TIFF_SLONG:
2124         {
2125             int32_t *m;
2126             uint32_t n;
2127             m = (int32_t *)origdata;
2128             for (n = 0; n < count; n++)
2129             {
2130                 if (tif->tif_flags & TIFF_SWAB)
2131                     TIFFSwabLong((uint32_t *)m);
2132                 err = TIFFReadDirEntryCheckRangeLongSlong(*m);
2133                 if (err != TIFFReadDirEntryErrOk)
2134                 {
2135                     _TIFFfreeExt(tif, origdata);
2136                     return (err);
2137                 }
2138                 m++;
2139             }
2140             *value = (uint32_t *)origdata;
2141             return (TIFFReadDirEntryErrOk);
2142         }
2143     }
2144     data = (uint32_t *)_TIFFmallocExt(tif, count * 4);
2145     if (data == 0)
2146     {
2147         _TIFFfreeExt(tif, origdata);
2148         return (TIFFReadDirEntryErrAlloc);
2149     }
2150     switch (direntry->tdir_type)
2151     {
2152         case TIFF_BYTE:
2153         {
2154             uint8_t *ma;
2155             uint32_t *mb;
2156             uint32_t n;
2157             ma = (uint8_t *)origdata;
2158             mb = data;
2159             for (n = 0; n < count; n++)
2160                 *mb++ = (uint32_t)(*ma++);
2161         }
2162         break;
2163         case TIFF_SBYTE:
2164         {
2165             int8_t *ma;
2166             uint32_t *mb;
2167             uint32_t n;
2168             ma = (int8_t *)origdata;
2169             mb = data;
2170             for (n = 0; n < count; n++)
2171             {
2172                 err = TIFFReadDirEntryCheckRangeLongSbyte(*ma);
2173                 if (err != TIFFReadDirEntryErrOk)
2174                     break;
2175                 *mb++ = (uint32_t)(*ma++);
2176             }
2177         }
2178         break;
2179         case TIFF_SHORT:
2180         {
2181             uint16_t *ma;
2182             uint32_t *mb;
2183             uint32_t n;
2184             ma = (uint16_t *)origdata;
2185             mb = data;
2186             for (n = 0; n < count; n++)
2187             {
2188                 if (tif->tif_flags & TIFF_SWAB)
2189                     TIFFSwabShort(ma);
2190                 *mb++ = (uint32_t)(*ma++);
2191             }
2192         }
2193         break;
2194         case TIFF_SSHORT:
2195         {
2196             int16_t *ma;
2197             uint32_t *mb;
2198             uint32_t n;
2199             ma = (int16_t *)origdata;
2200             mb = data;
2201             for (n = 0; n < count; n++)
2202             {
2203                 if (tif->tif_flags & TIFF_SWAB)
2204                     TIFFSwabShort((uint16_t *)ma);
2205                 err = TIFFReadDirEntryCheckRangeLongSshort(*ma);
2206                 if (err != TIFFReadDirEntryErrOk)
2207                     break;
2208                 *mb++ = (uint32_t)(*ma++);
2209             }
2210         }
2211         break;
2212         case TIFF_LONG8:
2213         {
2214             uint64_t *ma;
2215             uint32_t *mb;
2216             uint32_t n;
2217             ma = (uint64_t *)origdata;
2218             mb = data;
2219             for (n = 0; n < count; n++)
2220             {
2221                 if (tif->tif_flags & TIFF_SWAB)
2222                     TIFFSwabLong8(ma);
2223                 err = TIFFReadDirEntryCheckRangeLongLong8(*ma);
2224                 if (err != TIFFReadDirEntryErrOk)
2225                     break;
2226                 *mb++ = (uint32_t)(*ma++);
2227             }
2228         }
2229         break;
2230         case TIFF_SLONG8:
2231         {
2232             int64_t *ma;
2233             uint32_t *mb;
2234             uint32_t n;
2235             ma = (int64_t *)origdata;
2236             mb = data;
2237             for (n = 0; n < count; n++)
2238             {
2239                 if (tif->tif_flags & TIFF_SWAB)
2240                     TIFFSwabLong8((uint64_t *)ma);
2241                 err = TIFFReadDirEntryCheckRangeLongSlong8(*ma);
2242                 if (err != TIFFReadDirEntryErrOk)
2243                     break;
2244                 *mb++ = (uint32_t)(*ma++);
2245             }
2246         }
2247         break;
2248     }
2249     _TIFFfreeExt(tif, origdata);
2250     if (err != TIFFReadDirEntryErrOk)
2251     {
2252         _TIFFfreeExt(tif, data);
2253         return (err);
2254     }
2255     *value = data;
2256     return (TIFFReadDirEntryErrOk);
2257 }
2258 
2259 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySlongArray(TIFF * tif,TIFFDirEntry * direntry,int32_t ** value)2260 TIFFReadDirEntrySlongArray(TIFF *tif, TIFFDirEntry *direntry, int32_t **value)
2261 {
2262     enum TIFFReadDirEntryErr err;
2263     uint32_t count;
2264     void *origdata;
2265     int32_t *data;
2266     switch (direntry->tdir_type)
2267     {
2268         case TIFF_BYTE:
2269         case TIFF_SBYTE:
2270         case TIFF_SHORT:
2271         case TIFF_SSHORT:
2272         case TIFF_LONG:
2273         case TIFF_SLONG:
2274         case TIFF_LONG8:
2275         case TIFF_SLONG8:
2276             break;
2277         default:
2278             return (TIFFReadDirEntryErrType);
2279     }
2280     err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2281     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2282     {
2283         *value = 0;
2284         return (err);
2285     }
2286     switch (direntry->tdir_type)
2287     {
2288         case TIFF_LONG:
2289         {
2290             uint32_t *m;
2291             uint32_t n;
2292             m = (uint32_t *)origdata;
2293             for (n = 0; n < count; n++)
2294             {
2295                 if (tif->tif_flags & TIFF_SWAB)
2296                     TIFFSwabLong((uint32_t *)m);
2297                 err = TIFFReadDirEntryCheckRangeSlongLong(*m);
2298                 if (err != TIFFReadDirEntryErrOk)
2299                 {
2300                     _TIFFfreeExt(tif, origdata);
2301                     return (err);
2302                 }
2303                 m++;
2304             }
2305             *value = (int32_t *)origdata;
2306             return (TIFFReadDirEntryErrOk);
2307         }
2308         case TIFF_SLONG:
2309             *value = (int32_t *)origdata;
2310             if (tif->tif_flags & TIFF_SWAB)
2311                 TIFFSwabArrayOfLong((uint32_t *)(*value), count);
2312             return (TIFFReadDirEntryErrOk);
2313     }
2314     data = (int32_t *)_TIFFmallocExt(tif, count * 4);
2315     if (data == 0)
2316     {
2317         _TIFFfreeExt(tif, origdata);
2318         return (TIFFReadDirEntryErrAlloc);
2319     }
2320     switch (direntry->tdir_type)
2321     {
2322         case TIFF_BYTE:
2323         {
2324             uint8_t *ma;
2325             int32_t *mb;
2326             uint32_t n;
2327             ma = (uint8_t *)origdata;
2328             mb = data;
2329             for (n = 0; n < count; n++)
2330                 *mb++ = (int32_t)(*ma++);
2331         }
2332         break;
2333         case TIFF_SBYTE:
2334         {
2335             int8_t *ma;
2336             int32_t *mb;
2337             uint32_t n;
2338             ma = (int8_t *)origdata;
2339             mb = data;
2340             for (n = 0; n < count; n++)
2341                 *mb++ = (int32_t)(*ma++);
2342         }
2343         break;
2344         case TIFF_SHORT:
2345         {
2346             uint16_t *ma;
2347             int32_t *mb;
2348             uint32_t n;
2349             ma = (uint16_t *)origdata;
2350             mb = data;
2351             for (n = 0; n < count; n++)
2352             {
2353                 if (tif->tif_flags & TIFF_SWAB)
2354                     TIFFSwabShort(ma);
2355                 *mb++ = (int32_t)(*ma++);
2356             }
2357         }
2358         break;
2359         case TIFF_SSHORT:
2360         {
2361             int16_t *ma;
2362             int32_t *mb;
2363             uint32_t n;
2364             ma = (int16_t *)origdata;
2365             mb = data;
2366             for (n = 0; n < count; n++)
2367             {
2368                 if (tif->tif_flags & TIFF_SWAB)
2369                     TIFFSwabShort((uint16_t *)ma);
2370                 *mb++ = (int32_t)(*ma++);
2371             }
2372         }
2373         break;
2374         case TIFF_LONG8:
2375         {
2376             uint64_t *ma;
2377             int32_t *mb;
2378             uint32_t n;
2379             ma = (uint64_t *)origdata;
2380             mb = data;
2381             for (n = 0; n < count; n++)
2382             {
2383                 if (tif->tif_flags & TIFF_SWAB)
2384                     TIFFSwabLong8(ma);
2385                 err = TIFFReadDirEntryCheckRangeSlongLong8(*ma);
2386                 if (err != TIFFReadDirEntryErrOk)
2387                     break;
2388                 *mb++ = (int32_t)(*ma++);
2389             }
2390         }
2391         break;
2392         case TIFF_SLONG8:
2393         {
2394             int64_t *ma;
2395             int32_t *mb;
2396             uint32_t n;
2397             ma = (int64_t *)origdata;
2398             mb = data;
2399             for (n = 0; n < count; n++)
2400             {
2401                 if (tif->tif_flags & TIFF_SWAB)
2402                     TIFFSwabLong8((uint64_t *)ma);
2403                 err = TIFFReadDirEntryCheckRangeSlongSlong8(*ma);
2404                 if (err != TIFFReadDirEntryErrOk)
2405                     break;
2406                 *mb++ = (int32_t)(*ma++);
2407             }
2408         }
2409         break;
2410     }
2411     _TIFFfreeExt(tif, origdata);
2412     if (err != TIFFReadDirEntryErrOk)
2413     {
2414         _TIFFfreeExt(tif, data);
2415         return (err);
2416     }
2417     *value = data;
2418     return (TIFFReadDirEntryErrOk);
2419 }
2420 
2421 static enum TIFFReadDirEntryErr
TIFFReadDirEntryLong8ArrayWithLimit(TIFF * tif,TIFFDirEntry * direntry,uint64_t ** value,uint64_t maxcount)2422 TIFFReadDirEntryLong8ArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
2423                                     uint64_t **value, uint64_t maxcount)
2424 {
2425     enum TIFFReadDirEntryErr err;
2426     uint32_t count;
2427     void *origdata;
2428     uint64_t *data;
2429     switch (direntry->tdir_type)
2430     {
2431         case TIFF_BYTE:
2432         case TIFF_SBYTE:
2433         case TIFF_SHORT:
2434         case TIFF_SSHORT:
2435         case TIFF_LONG:
2436         case TIFF_SLONG:
2437         case TIFF_LONG8:
2438         case TIFF_SLONG8:
2439             break;
2440         default:
2441             return (TIFFReadDirEntryErrType);
2442     }
2443     err = TIFFReadDirEntryArrayWithLimit(tif, direntry, &count, 8, &origdata,
2444                                          maxcount);
2445     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2446     {
2447         *value = 0;
2448         return (err);
2449     }
2450     switch (direntry->tdir_type)
2451     {
2452         case TIFF_LONG8:
2453             *value = (uint64_t *)origdata;
2454             if (tif->tif_flags & TIFF_SWAB)
2455                 TIFFSwabArrayOfLong8(*value, count);
2456             return (TIFFReadDirEntryErrOk);
2457         case TIFF_SLONG8:
2458         {
2459             int64_t *m;
2460             uint32_t n;
2461             m = (int64_t *)origdata;
2462             for (n = 0; n < count; n++)
2463             {
2464                 if (tif->tif_flags & TIFF_SWAB)
2465                     TIFFSwabLong8((uint64_t *)m);
2466                 err = TIFFReadDirEntryCheckRangeLong8Slong8(*m);
2467                 if (err != TIFFReadDirEntryErrOk)
2468                 {
2469                     _TIFFfreeExt(tif, origdata);
2470                     return (err);
2471                 }
2472                 m++;
2473             }
2474             *value = (uint64_t *)origdata;
2475             return (TIFFReadDirEntryErrOk);
2476         }
2477     }
2478     data = (uint64_t *)_TIFFmallocExt(tif, count * 8);
2479     if (data == 0)
2480     {
2481         _TIFFfreeExt(tif, origdata);
2482         return (TIFFReadDirEntryErrAlloc);
2483     }
2484     switch (direntry->tdir_type)
2485     {
2486         case TIFF_BYTE:
2487         {
2488             uint8_t *ma;
2489             uint64_t *mb;
2490             uint32_t n;
2491             ma = (uint8_t *)origdata;
2492             mb = data;
2493             for (n = 0; n < count; n++)
2494                 *mb++ = (uint64_t)(*ma++);
2495         }
2496         break;
2497         case TIFF_SBYTE:
2498         {
2499             int8_t *ma;
2500             uint64_t *mb;
2501             uint32_t n;
2502             ma = (int8_t *)origdata;
2503             mb = data;
2504             for (n = 0; n < count; n++)
2505             {
2506                 err = TIFFReadDirEntryCheckRangeLong8Sbyte(*ma);
2507                 if (err != TIFFReadDirEntryErrOk)
2508                     break;
2509                 *mb++ = (uint64_t)(*ma++);
2510             }
2511         }
2512         break;
2513         case TIFF_SHORT:
2514         {
2515             uint16_t *ma;
2516             uint64_t *mb;
2517             uint32_t n;
2518             ma = (uint16_t *)origdata;
2519             mb = data;
2520             for (n = 0; n < count; n++)
2521             {
2522                 if (tif->tif_flags & TIFF_SWAB)
2523                     TIFFSwabShort(ma);
2524                 *mb++ = (uint64_t)(*ma++);
2525             }
2526         }
2527         break;
2528         case TIFF_SSHORT:
2529         {
2530             int16_t *ma;
2531             uint64_t *mb;
2532             uint32_t n;
2533             ma = (int16_t *)origdata;
2534             mb = data;
2535             for (n = 0; n < count; n++)
2536             {
2537                 if (tif->tif_flags & TIFF_SWAB)
2538                     TIFFSwabShort((uint16_t *)ma);
2539                 err = TIFFReadDirEntryCheckRangeLong8Sshort(*ma);
2540                 if (err != TIFFReadDirEntryErrOk)
2541                     break;
2542                 *mb++ = (uint64_t)(*ma++);
2543             }
2544         }
2545         break;
2546         case TIFF_LONG:
2547         {
2548             uint32_t *ma;
2549             uint64_t *mb;
2550             uint32_t n;
2551             ma = (uint32_t *)origdata;
2552             mb = data;
2553             for (n = 0; n < count; n++)
2554             {
2555                 if (tif->tif_flags & TIFF_SWAB)
2556                     TIFFSwabLong(ma);
2557                 *mb++ = (uint64_t)(*ma++);
2558             }
2559         }
2560         break;
2561         case TIFF_SLONG:
2562         {
2563             int32_t *ma;
2564             uint64_t *mb;
2565             uint32_t n;
2566             ma = (int32_t *)origdata;
2567             mb = data;
2568             for (n = 0; n < count; n++)
2569             {
2570                 if (tif->tif_flags & TIFF_SWAB)
2571                     TIFFSwabLong((uint32_t *)ma);
2572                 err = TIFFReadDirEntryCheckRangeLong8Slong(*ma);
2573                 if (err != TIFFReadDirEntryErrOk)
2574                     break;
2575                 *mb++ = (uint64_t)(*ma++);
2576             }
2577         }
2578         break;
2579     }
2580     _TIFFfreeExt(tif, origdata);
2581     if (err != TIFFReadDirEntryErrOk)
2582     {
2583         _TIFFfreeExt(tif, data);
2584         return (err);
2585     }
2586     *value = data;
2587     return (TIFFReadDirEntryErrOk);
2588 }
2589 
2590 static enum TIFFReadDirEntryErr
TIFFReadDirEntryLong8Array(TIFF * tif,TIFFDirEntry * direntry,uint64_t ** value)2591 TIFFReadDirEntryLong8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value)
2592 {
2593     return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value,
2594                                                ~((uint64_t)0));
2595 }
2596 
2597 static enum TIFFReadDirEntryErr
TIFFReadDirEntrySlong8Array(TIFF * tif,TIFFDirEntry * direntry,int64_t ** value)2598 TIFFReadDirEntrySlong8Array(TIFF *tif, TIFFDirEntry *direntry, int64_t **value)
2599 {
2600     enum TIFFReadDirEntryErr err;
2601     uint32_t count;
2602     void *origdata;
2603     int64_t *data;
2604     switch (direntry->tdir_type)
2605     {
2606         case TIFF_BYTE:
2607         case TIFF_SBYTE:
2608         case TIFF_SHORT:
2609         case TIFF_SSHORT:
2610         case TIFF_LONG:
2611         case TIFF_SLONG:
2612         case TIFF_LONG8:
2613         case TIFF_SLONG8:
2614             break;
2615         default:
2616             return (TIFFReadDirEntryErrType);
2617     }
2618     err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
2619     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2620     {
2621         *value = 0;
2622         return (err);
2623     }
2624     switch (direntry->tdir_type)
2625     {
2626         case TIFF_LONG8:
2627         {
2628             uint64_t *m;
2629             uint32_t n;
2630             m = (uint64_t *)origdata;
2631             for (n = 0; n < count; n++)
2632             {
2633                 if (tif->tif_flags & TIFF_SWAB)
2634                     TIFFSwabLong8(m);
2635                 err = TIFFReadDirEntryCheckRangeSlong8Long8(*m);
2636                 if (err != TIFFReadDirEntryErrOk)
2637                 {
2638                     _TIFFfreeExt(tif, origdata);
2639                     return (err);
2640                 }
2641                 m++;
2642             }
2643             *value = (int64_t *)origdata;
2644             return (TIFFReadDirEntryErrOk);
2645         }
2646         case TIFF_SLONG8:
2647             *value = (int64_t *)origdata;
2648             if (tif->tif_flags & TIFF_SWAB)
2649                 TIFFSwabArrayOfLong8((uint64_t *)(*value), count);
2650             return (TIFFReadDirEntryErrOk);
2651     }
2652     data = (int64_t *)_TIFFmallocExt(tif, count * 8);
2653     if (data == 0)
2654     {
2655         _TIFFfreeExt(tif, origdata);
2656         return (TIFFReadDirEntryErrAlloc);
2657     }
2658     switch (direntry->tdir_type)
2659     {
2660         case TIFF_BYTE:
2661         {
2662             uint8_t *ma;
2663             int64_t *mb;
2664             uint32_t n;
2665             ma = (uint8_t *)origdata;
2666             mb = data;
2667             for (n = 0; n < count; n++)
2668                 *mb++ = (int64_t)(*ma++);
2669         }
2670         break;
2671         case TIFF_SBYTE:
2672         {
2673             int8_t *ma;
2674             int64_t *mb;
2675             uint32_t n;
2676             ma = (int8_t *)origdata;
2677             mb = data;
2678             for (n = 0; n < count; n++)
2679                 *mb++ = (int64_t)(*ma++);
2680         }
2681         break;
2682         case TIFF_SHORT:
2683         {
2684             uint16_t *ma;
2685             int64_t *mb;
2686             uint32_t n;
2687             ma = (uint16_t *)origdata;
2688             mb = data;
2689             for (n = 0; n < count; n++)
2690             {
2691                 if (tif->tif_flags & TIFF_SWAB)
2692                     TIFFSwabShort(ma);
2693                 *mb++ = (int64_t)(*ma++);
2694             }
2695         }
2696         break;
2697         case TIFF_SSHORT:
2698         {
2699             int16_t *ma;
2700             int64_t *mb;
2701             uint32_t n;
2702             ma = (int16_t *)origdata;
2703             mb = data;
2704             for (n = 0; n < count; n++)
2705             {
2706                 if (tif->tif_flags & TIFF_SWAB)
2707                     TIFFSwabShort((uint16_t *)ma);
2708                 *mb++ = (int64_t)(*ma++);
2709             }
2710         }
2711         break;
2712         case TIFF_LONG:
2713         {
2714             uint32_t *ma;
2715             int64_t *mb;
2716             uint32_t n;
2717             ma = (uint32_t *)origdata;
2718             mb = data;
2719             for (n = 0; n < count; n++)
2720             {
2721                 if (tif->tif_flags & TIFF_SWAB)
2722                     TIFFSwabLong(ma);
2723                 *mb++ = (int64_t)(*ma++);
2724             }
2725         }
2726         break;
2727         case TIFF_SLONG:
2728         {
2729             int32_t *ma;
2730             int64_t *mb;
2731             uint32_t n;
2732             ma = (int32_t *)origdata;
2733             mb = data;
2734             for (n = 0; n < count; n++)
2735             {
2736                 if (tif->tif_flags & TIFF_SWAB)
2737                     TIFFSwabLong((uint32_t *)ma);
2738                 *mb++ = (int64_t)(*ma++);
2739             }
2740         }
2741         break;
2742     }
2743     _TIFFfreeExt(tif, origdata);
2744     *value = data;
2745     return (TIFFReadDirEntryErrOk);
2746 }
2747 
2748 static enum TIFFReadDirEntryErr
TIFFReadDirEntryFloatArray(TIFF * tif,TIFFDirEntry * direntry,float ** value)2749 TIFFReadDirEntryFloatArray(TIFF *tif, TIFFDirEntry *direntry, float **value)
2750 {
2751     enum TIFFReadDirEntryErr err;
2752     uint32_t count;
2753     void *origdata;
2754     float *data;
2755     switch (direntry->tdir_type)
2756     {
2757         case TIFF_BYTE:
2758         case TIFF_SBYTE:
2759         case TIFF_SHORT:
2760         case TIFF_SSHORT:
2761         case TIFF_LONG:
2762         case TIFF_SLONG:
2763         case TIFF_LONG8:
2764         case TIFF_SLONG8:
2765         case TIFF_RATIONAL:
2766         case TIFF_SRATIONAL:
2767         case TIFF_FLOAT:
2768         case TIFF_DOUBLE:
2769             break;
2770         default:
2771             return (TIFFReadDirEntryErrType);
2772     }
2773     err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2774     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2775     {
2776         *value = 0;
2777         return (err);
2778     }
2779     switch (direntry->tdir_type)
2780     {
2781         case TIFF_FLOAT:
2782             if (tif->tif_flags & TIFF_SWAB)
2783                 TIFFSwabArrayOfLong((uint32_t *)origdata, count);
2784             TIFFCvtIEEEDoubleToNative(tif, count, (float *)origdata);
2785             *value = (float *)origdata;
2786             return (TIFFReadDirEntryErrOk);
2787     }
2788     data = (float *)_TIFFmallocExt(tif, count * sizeof(float));
2789     if (data == 0)
2790     {
2791         _TIFFfreeExt(tif, origdata);
2792         return (TIFFReadDirEntryErrAlloc);
2793     }
2794     switch (direntry->tdir_type)
2795     {
2796         case TIFF_BYTE:
2797         {
2798             uint8_t *ma;
2799             float *mb;
2800             uint32_t n;
2801             ma = (uint8_t *)origdata;
2802             mb = data;
2803             for (n = 0; n < count; n++)
2804                 *mb++ = (float)(*ma++);
2805         }
2806         break;
2807         case TIFF_SBYTE:
2808         {
2809             int8_t *ma;
2810             float *mb;
2811             uint32_t n;
2812             ma = (int8_t *)origdata;
2813             mb = data;
2814             for (n = 0; n < count; n++)
2815                 *mb++ = (float)(*ma++);
2816         }
2817         break;
2818         case TIFF_SHORT:
2819         {
2820             uint16_t *ma;
2821             float *mb;
2822             uint32_t n;
2823             ma = (uint16_t *)origdata;
2824             mb = data;
2825             for (n = 0; n < count; n++)
2826             {
2827                 if (tif->tif_flags & TIFF_SWAB)
2828                     TIFFSwabShort(ma);
2829                 *mb++ = (float)(*ma++);
2830             }
2831         }
2832         break;
2833         case TIFF_SSHORT:
2834         {
2835             int16_t *ma;
2836             float *mb;
2837             uint32_t n;
2838             ma = (int16_t *)origdata;
2839             mb = data;
2840             for (n = 0; n < count; n++)
2841             {
2842                 if (tif->tif_flags & TIFF_SWAB)
2843                     TIFFSwabShort((uint16_t *)ma);
2844                 *mb++ = (float)(*ma++);
2845             }
2846         }
2847         break;
2848         case TIFF_LONG:
2849         {
2850             uint32_t *ma;
2851             float *mb;
2852             uint32_t n;
2853             ma = (uint32_t *)origdata;
2854             mb = data;
2855             for (n = 0; n < count; n++)
2856             {
2857                 if (tif->tif_flags & TIFF_SWAB)
2858                     TIFFSwabLong(ma);
2859                 *mb++ = (float)(*ma++);
2860             }
2861         }
2862         break;
2863         case TIFF_SLONG:
2864         {
2865             int32_t *ma;
2866             float *mb;
2867             uint32_t n;
2868             ma = (int32_t *)origdata;
2869             mb = data;
2870             for (n = 0; n < count; n++)
2871             {
2872                 if (tif->tif_flags & TIFF_SWAB)
2873                     TIFFSwabLong((uint32_t *)ma);
2874                 *mb++ = (float)(*ma++);
2875             }
2876         }
2877         break;
2878         case TIFF_LONG8:
2879         {
2880             uint64_t *ma;
2881             float *mb;
2882             uint32_t n;
2883             ma = (uint64_t *)origdata;
2884             mb = data;
2885             for (n = 0; n < count; n++)
2886             {
2887                 if (tif->tif_flags & TIFF_SWAB)
2888                     TIFFSwabLong8(ma);
2889 #if defined(__WIN32__) && (_MSC_VER < 1500)
2890                 /*
2891                  * XXX: MSVC 6.0 does not support
2892                  * conversion of 64-bit integers into
2893                  * floating point values.
2894                  */
2895                 *mb++ = _TIFFUInt64ToFloat(*ma++);
2896 #else
2897                 *mb++ = (float)(*ma++);
2898 #endif
2899             }
2900         }
2901         break;
2902         case TIFF_SLONG8:
2903         {
2904             int64_t *ma;
2905             float *mb;
2906             uint32_t n;
2907             ma = (int64_t *)origdata;
2908             mb = data;
2909             for (n = 0; n < count; n++)
2910             {
2911                 if (tif->tif_flags & TIFF_SWAB)
2912                     TIFFSwabLong8((uint64_t *)ma);
2913                 *mb++ = (float)(*ma++);
2914             }
2915         }
2916         break;
2917         case TIFF_RATIONAL:
2918         {
2919             uint32_t *ma;
2920             uint32_t maa;
2921             uint32_t mab;
2922             float *mb;
2923             uint32_t n;
2924             ma = (uint32_t *)origdata;
2925             mb = data;
2926             for (n = 0; n < count; n++)
2927             {
2928                 if (tif->tif_flags & TIFF_SWAB)
2929                     TIFFSwabLong(ma);
2930                 maa = *ma++;
2931                 if (tif->tif_flags & TIFF_SWAB)
2932                     TIFFSwabLong(ma);
2933                 mab = *ma++;
2934                 if (mab == 0)
2935                     *mb++ = 0.0;
2936                 else
2937                     *mb++ = (float)maa / (float)mab;
2938             }
2939         }
2940         break;
2941         case TIFF_SRATIONAL:
2942         {
2943             uint32_t *ma;
2944             int32_t maa;
2945             uint32_t mab;
2946             float *mb;
2947             uint32_t n;
2948             ma = (uint32_t *)origdata;
2949             mb = data;
2950             for (n = 0; n < count; n++)
2951             {
2952                 if (tif->tif_flags & TIFF_SWAB)
2953                     TIFFSwabLong(ma);
2954                 maa = *(int32_t *)ma;
2955                 ma++;
2956                 if (tif->tif_flags & TIFF_SWAB)
2957                     TIFFSwabLong(ma);
2958                 mab = *ma++;
2959                 if (mab == 0)
2960                     *mb++ = 0.0;
2961                 else
2962                     *mb++ = (float)maa / (float)mab;
2963             }
2964         }
2965         break;
2966         case TIFF_DOUBLE:
2967         {
2968             double *ma;
2969             float *mb;
2970             uint32_t n;
2971             if (tif->tif_flags & TIFF_SWAB)
2972                 TIFFSwabArrayOfLong8((uint64_t *)origdata, count);
2973             TIFFCvtIEEEDoubleToNative(tif, count, (double *)origdata);
2974             ma = (double *)origdata;
2975             mb = data;
2976             for (n = 0; n < count; n++)
2977             {
2978                 double val = *ma++;
2979                 if (val > FLT_MAX)
2980                     val = FLT_MAX;
2981                 else if (val < -FLT_MAX)
2982                     val = -FLT_MAX;
2983                 *mb++ = (float)val;
2984             }
2985         }
2986         break;
2987     }
2988     _TIFFfreeExt(tif, origdata);
2989     *value = data;
2990     return (TIFFReadDirEntryErrOk);
2991 }
2992 
2993 static enum TIFFReadDirEntryErr
TIFFReadDirEntryDoubleArray(TIFF * tif,TIFFDirEntry * direntry,double ** value)2994 TIFFReadDirEntryDoubleArray(TIFF *tif, TIFFDirEntry *direntry, double **value)
2995 {
2996     enum TIFFReadDirEntryErr err;
2997     uint32_t count;
2998     void *origdata;
2999     double *data;
3000     switch (direntry->tdir_type)
3001     {
3002         case TIFF_BYTE:
3003         case TIFF_SBYTE:
3004         case TIFF_SHORT:
3005         case TIFF_SSHORT:
3006         case TIFF_LONG:
3007         case TIFF_SLONG:
3008         case TIFF_LONG8:
3009         case TIFF_SLONG8:
3010         case TIFF_RATIONAL:
3011         case TIFF_SRATIONAL:
3012         case TIFF_FLOAT:
3013         case TIFF_DOUBLE:
3014             break;
3015         default:
3016             return (TIFFReadDirEntryErrType);
3017     }
3018     err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
3019     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
3020     {
3021         *value = 0;
3022         return (err);
3023     }
3024     switch (direntry->tdir_type)
3025     {
3026         case TIFF_DOUBLE:
3027             if (tif->tif_flags & TIFF_SWAB)
3028                 TIFFSwabArrayOfLong8((uint64_t *)origdata, count);
3029             TIFFCvtIEEEDoubleToNative(tif, count, (double *)origdata);
3030             *value = (double *)origdata;
3031             return (TIFFReadDirEntryErrOk);
3032     }
3033     data = (double *)_TIFFmallocExt(tif, count * sizeof(double));
3034     if (data == 0)
3035     {
3036         _TIFFfreeExt(tif, origdata);
3037         return (TIFFReadDirEntryErrAlloc);
3038     }
3039     switch (direntry->tdir_type)
3040     {
3041         case TIFF_BYTE:
3042         {
3043             uint8_t *ma;
3044             double *mb;
3045             uint32_t n;
3046             ma = (uint8_t *)origdata;
3047             mb = data;
3048             for (n = 0; n < count; n++)
3049                 *mb++ = (double)(*ma++);
3050         }
3051         break;
3052         case TIFF_SBYTE:
3053         {
3054             int8_t *ma;
3055             double *mb;
3056             uint32_t n;
3057             ma = (int8_t *)origdata;
3058             mb = data;
3059             for (n = 0; n < count; n++)
3060                 *mb++ = (double)(*ma++);
3061         }
3062         break;
3063         case TIFF_SHORT:
3064         {
3065             uint16_t *ma;
3066             double *mb;
3067             uint32_t n;
3068             ma = (uint16_t *)origdata;
3069             mb = data;
3070             for (n = 0; n < count; n++)
3071             {
3072                 if (tif->tif_flags & TIFF_SWAB)
3073                     TIFFSwabShort(ma);
3074                 *mb++ = (double)(*ma++);
3075             }
3076         }
3077         break;
3078         case TIFF_SSHORT:
3079         {
3080             int16_t *ma;
3081             double *mb;
3082             uint32_t n;
3083             ma = (int16_t *)origdata;
3084             mb = data;
3085             for (n = 0; n < count; n++)
3086             {
3087                 if (tif->tif_flags & TIFF_SWAB)
3088                     TIFFSwabShort((uint16_t *)ma);
3089                 *mb++ = (double)(*ma++);
3090             }
3091         }
3092         break;
3093         case TIFF_LONG:
3094         {
3095             uint32_t *ma;
3096             double *mb;
3097             uint32_t n;
3098             ma = (uint32_t *)origdata;
3099             mb = data;
3100             for (n = 0; n < count; n++)
3101             {
3102                 if (tif->tif_flags & TIFF_SWAB)
3103                     TIFFSwabLong(ma);
3104                 *mb++ = (double)(*ma++);
3105             }
3106         }
3107         break;
3108         case TIFF_SLONG:
3109         {
3110             int32_t *ma;
3111             double *mb;
3112             uint32_t n;
3113             ma = (int32_t *)origdata;
3114             mb = data;
3115             for (n = 0; n < count; n++)
3116             {
3117                 if (tif->tif_flags & TIFF_SWAB)
3118                     TIFFSwabLong((uint32_t *)ma);
3119                 *mb++ = (double)(*ma++);
3120             }
3121         }
3122         break;
3123         case TIFF_LONG8:
3124         {
3125             uint64_t *ma;
3126             double *mb;
3127             uint32_t n;
3128             ma = (uint64_t *)origdata;
3129             mb = data;
3130             for (n = 0; n < count; n++)
3131             {
3132                 if (tif->tif_flags & TIFF_SWAB)
3133                     TIFFSwabLong8(ma);
3134 #if defined(__WIN32__) && (_MSC_VER < 1500)
3135                 /*
3136                  * XXX: MSVC 6.0 does not support
3137                  * conversion of 64-bit integers into
3138                  * floating point values.
3139                  */
3140                 *mb++ = _TIFFUInt64ToDouble(*ma++);
3141 #else
3142                 *mb++ = (double)(*ma++);
3143 #endif
3144             }
3145         }
3146         break;
3147         case TIFF_SLONG8:
3148         {
3149             int64_t *ma;
3150             double *mb;
3151             uint32_t n;
3152             ma = (int64_t *)origdata;
3153             mb = data;
3154             for (n = 0; n < count; n++)
3155             {
3156                 if (tif->tif_flags & TIFF_SWAB)
3157                     TIFFSwabLong8((uint64_t *)ma);
3158                 *mb++ = (double)(*ma++);
3159             }
3160         }
3161         break;
3162         case TIFF_RATIONAL:
3163         {
3164             uint32_t *ma;
3165             uint32_t maa;
3166             uint32_t mab;
3167             double *mb;
3168             uint32_t n;
3169             ma = (uint32_t *)origdata;
3170             mb = data;
3171             for (n = 0; n < count; n++)
3172             {
3173                 if (tif->tif_flags & TIFF_SWAB)
3174                     TIFFSwabLong(ma);
3175                 maa = *ma++;
3176                 if (tif->tif_flags & TIFF_SWAB)
3177                     TIFFSwabLong(ma);
3178                 mab = *ma++;
3179                 if (mab == 0)
3180                     *mb++ = 0.0;
3181                 else
3182                     *mb++ = (double)maa / (double)mab;
3183             }
3184         }
3185         break;
3186         case TIFF_SRATIONAL:
3187         {
3188             uint32_t *ma;
3189             int32_t maa;
3190             uint32_t mab;
3191             double *mb;
3192             uint32_t n;
3193             ma = (uint32_t *)origdata;
3194             mb = data;
3195             for (n = 0; n < count; n++)
3196             {
3197                 if (tif->tif_flags & TIFF_SWAB)
3198                     TIFFSwabLong(ma);
3199                 maa = *(int32_t *)ma;
3200                 ma++;
3201                 if (tif->tif_flags & TIFF_SWAB)
3202                     TIFFSwabLong(ma);
3203                 mab = *ma++;
3204                 if (mab == 0)
3205                     *mb++ = 0.0;
3206                 else
3207                     *mb++ = (double)maa / (double)mab;
3208             }
3209         }
3210         break;
3211         case TIFF_FLOAT:
3212         {
3213             float *ma;
3214             double *mb;
3215             uint32_t n;
3216             if (tif->tif_flags & TIFF_SWAB)
3217                 TIFFSwabArrayOfLong((uint32_t *)origdata, count);
3218             TIFFCvtIEEEFloatToNative(tif, count, (float *)origdata);
3219             ma = (float *)origdata;
3220             mb = data;
3221             for (n = 0; n < count; n++)
3222                 *mb++ = (double)(*ma++);
3223         }
3224         break;
3225     }
3226     _TIFFfreeExt(tif, origdata);
3227     *value = data;
3228     return (TIFFReadDirEntryErrOk);
3229 }
3230 
3231 static enum TIFFReadDirEntryErr
TIFFReadDirEntryIfd8Array(TIFF * tif,TIFFDirEntry * direntry,uint64_t ** value)3232 TIFFReadDirEntryIfd8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value)
3233 {
3234     enum TIFFReadDirEntryErr err;
3235     uint32_t count;
3236     void *origdata;
3237     uint64_t *data;
3238     switch (direntry->tdir_type)
3239     {
3240         case TIFF_LONG:
3241         case TIFF_LONG8:
3242         case TIFF_IFD:
3243         case TIFF_IFD8:
3244             break;
3245         default:
3246             return (TIFFReadDirEntryErrType);
3247     }
3248     err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
3249     if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
3250     {
3251         *value = 0;
3252         return (err);
3253     }
3254     switch (direntry->tdir_type)
3255     {
3256         case TIFF_LONG8:
3257         case TIFF_IFD8:
3258             *value = (uint64_t *)origdata;
3259             if (tif->tif_flags & TIFF_SWAB)
3260                 TIFFSwabArrayOfLong8(*value, count);
3261             return (TIFFReadDirEntryErrOk);
3262     }
3263     data = (uint64_t *)_TIFFmallocExt(tif, count * 8);
3264     if (data == 0)
3265     {
3266         _TIFFfreeExt(tif, origdata);
3267         return (TIFFReadDirEntryErrAlloc);
3268     }
3269     switch (direntry->tdir_type)
3270     {
3271         case TIFF_LONG:
3272         case TIFF_IFD:
3273         {
3274             uint32_t *ma;
3275             uint64_t *mb;
3276             uint32_t n;
3277             ma = (uint32_t *)origdata;
3278             mb = data;
3279             for (n = 0; n < count; n++)
3280             {
3281                 if (tif->tif_flags & TIFF_SWAB)
3282                     TIFFSwabLong(ma);
3283                 *mb++ = (uint64_t)(*ma++);
3284             }
3285         }
3286         break;
3287     }
3288     _TIFFfreeExt(tif, origdata);
3289     *value = data;
3290     return (TIFFReadDirEntryErrOk);
3291 }
3292 
3293 static enum TIFFReadDirEntryErr
TIFFReadDirEntryPersampleShort(TIFF * tif,TIFFDirEntry * direntry,uint16_t * value)3294 TIFFReadDirEntryPersampleShort(TIFF *tif, TIFFDirEntry *direntry,
3295                                uint16_t *value)
3296 {
3297     enum TIFFReadDirEntryErr err;
3298     uint16_t *m;
3299     uint16_t *na;
3300     uint16_t nb;
3301     if (direntry->tdir_count < (uint64_t)tif->tif_dir.td_samplesperpixel)
3302         return (TIFFReadDirEntryErrCount);
3303     err = TIFFReadDirEntryShortArray(tif, direntry, &m);
3304     if (err != TIFFReadDirEntryErrOk || m == NULL)
3305         return (err);
3306     na = m;
3307     nb = tif->tif_dir.td_samplesperpixel;
3308     *value = *na++;
3309     nb--;
3310     while (nb > 0)
3311     {
3312         if (*na++ != *value)
3313         {
3314             err = TIFFReadDirEntryErrPsdif;
3315             break;
3316         }
3317         nb--;
3318     }
3319     _TIFFfreeExt(tif, m);
3320     return (err);
3321 }
3322 
TIFFReadDirEntryCheckedByte(TIFF * tif,TIFFDirEntry * direntry,uint8_t * value)3323 static void TIFFReadDirEntryCheckedByte(TIFF *tif, TIFFDirEntry *direntry,
3324                                         uint8_t *value)
3325 {
3326     (void)tif;
3327     *value = *(uint8_t *)(&direntry->tdir_offset);
3328 }
3329 
TIFFReadDirEntryCheckedSbyte(TIFF * tif,TIFFDirEntry * direntry,int8_t * value)3330 static void TIFFReadDirEntryCheckedSbyte(TIFF *tif, TIFFDirEntry *direntry,
3331                                          int8_t *value)
3332 {
3333     (void)tif;
3334     *value = *(int8_t *)(&direntry->tdir_offset);
3335 }
3336 
TIFFReadDirEntryCheckedShort(TIFF * tif,TIFFDirEntry * direntry,uint16_t * value)3337 static void TIFFReadDirEntryCheckedShort(TIFF *tif, TIFFDirEntry *direntry,
3338                                          uint16_t *value)
3339 {
3340     *value = direntry->tdir_offset.toff_short;
3341     /* *value=*(uint16_t*)(&direntry->tdir_offset); */
3342     if (tif->tif_flags & TIFF_SWAB)
3343         TIFFSwabShort(value);
3344 }
3345 
TIFFReadDirEntryCheckedSshort(TIFF * tif,TIFFDirEntry * direntry,int16_t * value)3346 static void TIFFReadDirEntryCheckedSshort(TIFF *tif, TIFFDirEntry *direntry,
3347                                           int16_t *value)
3348 {
3349     *value = *(int16_t *)(&direntry->tdir_offset);
3350     if (tif->tif_flags & TIFF_SWAB)
3351         TIFFSwabShort((uint16_t *)value);
3352 }
3353 
TIFFReadDirEntryCheckedLong(TIFF * tif,TIFFDirEntry * direntry,uint32_t * value)3354 static void TIFFReadDirEntryCheckedLong(TIFF *tif, TIFFDirEntry *direntry,
3355                                         uint32_t *value)
3356 {
3357     *value = *(uint32_t *)(&direntry->tdir_offset);
3358     if (tif->tif_flags & TIFF_SWAB)
3359         TIFFSwabLong(value);
3360 }
3361 
TIFFReadDirEntryCheckedSlong(TIFF * tif,TIFFDirEntry * direntry,int32_t * value)3362 static void TIFFReadDirEntryCheckedSlong(TIFF *tif, TIFFDirEntry *direntry,
3363                                          int32_t *value)
3364 {
3365     *value = *(int32_t *)(&direntry->tdir_offset);
3366     if (tif->tif_flags & TIFF_SWAB)
3367         TIFFSwabLong((uint32_t *)value);
3368 }
3369 
3370 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckedLong8(TIFF * tif,TIFFDirEntry * direntry,uint64_t * value)3371 TIFFReadDirEntryCheckedLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
3372 {
3373     if (!(tif->tif_flags & TIFF_BIGTIFF))
3374     {
3375         enum TIFFReadDirEntryErr err;
3376         uint32_t offset = direntry->tdir_offset.toff_long;
3377         if (tif->tif_flags & TIFF_SWAB)
3378             TIFFSwabLong(&offset);
3379         err = TIFFReadDirEntryData(tif, offset, 8, value);
3380         if (err != TIFFReadDirEntryErrOk)
3381             return (err);
3382     }
3383     else
3384         *value = direntry->tdir_offset.toff_long8;
3385     if (tif->tif_flags & TIFF_SWAB)
3386         TIFFSwabLong8(value);
3387     return (TIFFReadDirEntryErrOk);
3388 }
3389 
3390 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckedSlong8(TIFF * tif,TIFFDirEntry * direntry,int64_t * value)3391 TIFFReadDirEntryCheckedSlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value)
3392 {
3393     if (!(tif->tif_flags & TIFF_BIGTIFF))
3394     {
3395         enum TIFFReadDirEntryErr err;
3396         uint32_t offset = direntry->tdir_offset.toff_long;
3397         if (tif->tif_flags & TIFF_SWAB)
3398             TIFFSwabLong(&offset);
3399         err = TIFFReadDirEntryData(tif, offset, 8, value);
3400         if (err != TIFFReadDirEntryErrOk)
3401             return (err);
3402     }
3403     else
3404         *value = *(int64_t *)(&direntry->tdir_offset);
3405     if (tif->tif_flags & TIFF_SWAB)
3406         TIFFSwabLong8((uint64_t *)value);
3407     return (TIFFReadDirEntryErrOk);
3408 }
3409 
3410 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckedRational(TIFF * tif,TIFFDirEntry * direntry,double * value)3411 TIFFReadDirEntryCheckedRational(TIFF *tif, TIFFDirEntry *direntry,
3412                                 double *value)
3413 {
3414     UInt64Aligned_t m;
3415 
3416     assert(sizeof(double) == 8);
3417     assert(sizeof(uint64_t) == 8);
3418     assert(sizeof(uint32_t) == 4);
3419     if (!(tif->tif_flags & TIFF_BIGTIFF))
3420     {
3421         enum TIFFReadDirEntryErr err;
3422         uint32_t offset = direntry->tdir_offset.toff_long;
3423         if (tif->tif_flags & TIFF_SWAB)
3424             TIFFSwabLong(&offset);
3425         err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3426         if (err != TIFFReadDirEntryErrOk)
3427             return (err);
3428     }
3429     else
3430         m.l = direntry->tdir_offset.toff_long8;
3431     if (tif->tif_flags & TIFF_SWAB)
3432         TIFFSwabArrayOfLong(m.i, 2);
3433     /* Not completely sure what we should do when m.i[1]==0, but some */
3434     /* sanitizers do not like division by 0.0: */
3435     /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3436     if (m.i[0] == 0 || m.i[1] == 0)
3437         *value = 0.0;
3438     else
3439         *value = (double)m.i[0] / (double)m.i[1];
3440     return (TIFFReadDirEntryErrOk);
3441 }
3442 
3443 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckedSrational(TIFF * tif,TIFFDirEntry * direntry,double * value)3444 TIFFReadDirEntryCheckedSrational(TIFF *tif, TIFFDirEntry *direntry,
3445                                  double *value)
3446 {
3447     UInt64Aligned_t m;
3448     assert(sizeof(double) == 8);
3449     assert(sizeof(uint64_t) == 8);
3450     assert(sizeof(int32_t) == 4);
3451     assert(sizeof(uint32_t) == 4);
3452     if (!(tif->tif_flags & TIFF_BIGTIFF))
3453     {
3454         enum TIFFReadDirEntryErr err;
3455         uint32_t offset = direntry->tdir_offset.toff_long;
3456         if (tif->tif_flags & TIFF_SWAB)
3457             TIFFSwabLong(&offset);
3458         err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3459         if (err != TIFFReadDirEntryErrOk)
3460             return (err);
3461     }
3462     else
3463         m.l = direntry->tdir_offset.toff_long8;
3464     if (tif->tif_flags & TIFF_SWAB)
3465         TIFFSwabArrayOfLong(m.i, 2);
3466     /* Not completely sure what we should do when m.i[1]==0, but some */
3467     /* sanitizers do not like division by 0.0: */
3468     /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3469     if ((int32_t)m.i[0] == 0 || m.i[1] == 0)
3470         *value = 0.0;
3471     else
3472         *value = (double)((int32_t)m.i[0]) / (double)m.i[1];
3473     return (TIFFReadDirEntryErrOk);
3474 }
3475 
3476 #if 0
3477 static enum TIFFReadDirEntryErr
3478 TIFFReadDirEntryCheckedRationalDirect(TIFF *tif, TIFFDirEntry *direntry,
3479                                       TIFFRational_t *value)
3480 { /*--: SetGetRATIONAL_directly:_CustomTag: Read rational (and signed rationals)
3481      directly --*/
3482     UInt64Aligned_t m;
3483 
3484     assert(sizeof(double) == 8);
3485     assert(sizeof(uint64_t) == 8);
3486     assert(sizeof(uint32_t) == 4);
3487 
3488     if (direntry->tdir_count != 1)
3489         return (TIFFReadDirEntryErrCount);
3490 
3491     if (direntry->tdir_type != TIFF_RATIONAL &&
3492         direntry->tdir_type != TIFF_SRATIONAL)
3493         return (TIFFReadDirEntryErrType);
3494 
3495     if (!(tif->tif_flags & TIFF_BIGTIFF))
3496     {
3497         enum TIFFReadDirEntryErr err;
3498         uint32_t offset = direntry->tdir_offset.toff_long;
3499         if (tif->tif_flags & TIFF_SWAB)
3500             TIFFSwabLong(&offset);
3501         err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3502         if (err != TIFFReadDirEntryErrOk)
3503             return (err);
3504     }
3505     else
3506     {
3507         m.l = direntry->tdir_offset.toff_long8;
3508     }
3509 
3510     if (tif->tif_flags & TIFF_SWAB)
3511         TIFFSwabArrayOfLong(m.i, 2);
3512 
3513     value->uNum = m.i[0];
3514     value->uDenom = m.i[1];
3515     return (TIFFReadDirEntryErrOk);
3516 } /*-- TIFFReadDirEntryCheckedRationalDirect() --*/
3517 #endif
3518 
TIFFReadDirEntryCheckedFloat(TIFF * tif,TIFFDirEntry * direntry,float * value)3519 static void TIFFReadDirEntryCheckedFloat(TIFF *tif, TIFFDirEntry *direntry,
3520                                          float *value)
3521 {
3522     union
3523     {
3524         float f;
3525         uint32_t i;
3526     } float_union;
3527     assert(sizeof(float) == 4);
3528     assert(sizeof(uint32_t) == 4);
3529     assert(sizeof(float_union) == 4);
3530     float_union.i = *(uint32_t *)(&direntry->tdir_offset);
3531     *value = float_union.f;
3532     if (tif->tif_flags & TIFF_SWAB)
3533         TIFFSwabLong((uint32_t *)value);
3534 }
3535 
3536 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckedDouble(TIFF * tif,TIFFDirEntry * direntry,double * value)3537 TIFFReadDirEntryCheckedDouble(TIFF *tif, TIFFDirEntry *direntry, double *value)
3538 {
3539     assert(sizeof(double) == 8);
3540     assert(sizeof(uint64_t) == 8);
3541     assert(sizeof(UInt64Aligned_t) == 8);
3542     if (!(tif->tif_flags & TIFF_BIGTIFF))
3543     {
3544         enum TIFFReadDirEntryErr err;
3545         uint32_t offset = direntry->tdir_offset.toff_long;
3546         if (tif->tif_flags & TIFF_SWAB)
3547             TIFFSwabLong(&offset);
3548         err = TIFFReadDirEntryData(tif, offset, 8, value);
3549         if (err != TIFFReadDirEntryErrOk)
3550             return (err);
3551     }
3552     else
3553     {
3554         UInt64Aligned_t uint64_union;
3555         uint64_union.l = direntry->tdir_offset.toff_long8;
3556         *value = uint64_union.d;
3557     }
3558     if (tif->tif_flags & TIFF_SWAB)
3559         TIFFSwabLong8((uint64_t *)value);
3560     return (TIFFReadDirEntryErrOk);
3561 }
3562 
3563 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteSbyte(int8_t value)3564 TIFFReadDirEntryCheckRangeByteSbyte(int8_t value)
3565 {
3566     if (value < 0)
3567         return (TIFFReadDirEntryErrRange);
3568     else
3569         return (TIFFReadDirEntryErrOk);
3570 }
3571 
3572 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteShort(uint16_t value)3573 TIFFReadDirEntryCheckRangeByteShort(uint16_t value)
3574 {
3575     if (value > 0xFF)
3576         return (TIFFReadDirEntryErrRange);
3577     else
3578         return (TIFFReadDirEntryErrOk);
3579 }
3580 
3581 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteSshort(int16_t value)3582 TIFFReadDirEntryCheckRangeByteSshort(int16_t value)
3583 {
3584     if ((value < 0) || (value > 0xFF))
3585         return (TIFFReadDirEntryErrRange);
3586     else
3587         return (TIFFReadDirEntryErrOk);
3588 }
3589 
3590 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteLong(uint32_t value)3591 TIFFReadDirEntryCheckRangeByteLong(uint32_t value)
3592 {
3593     if (value > 0xFF)
3594         return (TIFFReadDirEntryErrRange);
3595     else
3596         return (TIFFReadDirEntryErrOk);
3597 }
3598 
3599 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteSlong(int32_t value)3600 TIFFReadDirEntryCheckRangeByteSlong(int32_t value)
3601 {
3602     if ((value < 0) || (value > 0xFF))
3603         return (TIFFReadDirEntryErrRange);
3604     else
3605         return (TIFFReadDirEntryErrOk);
3606 }
3607 
3608 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteLong8(uint64_t value)3609 TIFFReadDirEntryCheckRangeByteLong8(uint64_t value)
3610 {
3611     if (value > 0xFF)
3612         return (TIFFReadDirEntryErrRange);
3613     else
3614         return (TIFFReadDirEntryErrOk);
3615 }
3616 
3617 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeByteSlong8(int64_t value)3618 TIFFReadDirEntryCheckRangeByteSlong8(int64_t value)
3619 {
3620     if ((value < 0) || (value > 0xFF))
3621         return (TIFFReadDirEntryErrRange);
3622     else
3623         return (TIFFReadDirEntryErrOk);
3624 }
3625 
3626 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value)3627 TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value)
3628 {
3629     if (value > 0x7F)
3630         return (TIFFReadDirEntryErrRange);
3631     else
3632         return (TIFFReadDirEntryErrOk);
3633 }
3634 
3635 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value)3636 TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value)
3637 {
3638     if (value > 0x7F)
3639         return (TIFFReadDirEntryErrRange);
3640     else
3641         return (TIFFReadDirEntryErrOk);
3642 }
3643 
3644 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value)3645 TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value)
3646 {
3647     if ((value < -0x80) || (value > 0x7F))
3648         return (TIFFReadDirEntryErrRange);
3649     else
3650         return (TIFFReadDirEntryErrOk);
3651 }
3652 
3653 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value)3654 TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value)
3655 {
3656     if (value > 0x7F)
3657         return (TIFFReadDirEntryErrRange);
3658     else
3659         return (TIFFReadDirEntryErrOk);
3660 }
3661 
3662 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value)3663 TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value)
3664 {
3665     if ((value < -0x80) || (value > 0x7F))
3666         return (TIFFReadDirEntryErrRange);
3667     else
3668         return (TIFFReadDirEntryErrOk);
3669 }
3670 
3671 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value)3672 TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value)
3673 {
3674     if (value > 0x7F)
3675         return (TIFFReadDirEntryErrRange);
3676     else
3677         return (TIFFReadDirEntryErrOk);
3678 }
3679 
3680 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value)3681 TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value)
3682 {
3683     if ((value < -0x80) || (value > 0x7F))
3684         return (TIFFReadDirEntryErrRange);
3685     else
3686         return (TIFFReadDirEntryErrOk);
3687 }
3688 
3689 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeShortSbyte(int8_t value)3690 TIFFReadDirEntryCheckRangeShortSbyte(int8_t value)
3691 {
3692     if (value < 0)
3693         return (TIFFReadDirEntryErrRange);
3694     else
3695         return (TIFFReadDirEntryErrOk);
3696 }
3697 
3698 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeShortSshort(int16_t value)3699 TIFFReadDirEntryCheckRangeShortSshort(int16_t value)
3700 {
3701     if (value < 0)
3702         return (TIFFReadDirEntryErrRange);
3703     else
3704         return (TIFFReadDirEntryErrOk);
3705 }
3706 
3707 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeShortLong(uint32_t value)3708 TIFFReadDirEntryCheckRangeShortLong(uint32_t value)
3709 {
3710     if (value > 0xFFFF)
3711         return (TIFFReadDirEntryErrRange);
3712     else
3713         return (TIFFReadDirEntryErrOk);
3714 }
3715 
3716 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeShortSlong(int32_t value)3717 TIFFReadDirEntryCheckRangeShortSlong(int32_t value)
3718 {
3719     if ((value < 0) || (value > 0xFFFF))
3720         return (TIFFReadDirEntryErrRange);
3721     else
3722         return (TIFFReadDirEntryErrOk);
3723 }
3724 
3725 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeShortLong8(uint64_t value)3726 TIFFReadDirEntryCheckRangeShortLong8(uint64_t value)
3727 {
3728     if (value > 0xFFFF)
3729         return (TIFFReadDirEntryErrRange);
3730     else
3731         return (TIFFReadDirEntryErrOk);
3732 }
3733 
3734 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeShortSlong8(int64_t value)3735 TIFFReadDirEntryCheckRangeShortSlong8(int64_t value)
3736 {
3737     if ((value < 0) || (value > 0xFFFF))
3738         return (TIFFReadDirEntryErrRange);
3739     else
3740         return (TIFFReadDirEntryErrOk);
3741 }
3742 
3743 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSshortShort(uint16_t value)3744 TIFFReadDirEntryCheckRangeSshortShort(uint16_t value)
3745 {
3746     if (value > 0x7FFF)
3747         return (TIFFReadDirEntryErrRange);
3748     else
3749         return (TIFFReadDirEntryErrOk);
3750 }
3751 
3752 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSshortLong(uint32_t value)3753 TIFFReadDirEntryCheckRangeSshortLong(uint32_t value)
3754 {
3755     if (value > 0x7FFF)
3756         return (TIFFReadDirEntryErrRange);
3757     else
3758         return (TIFFReadDirEntryErrOk);
3759 }
3760 
3761 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSshortSlong(int32_t value)3762 TIFFReadDirEntryCheckRangeSshortSlong(int32_t value)
3763 {
3764     if ((value < -0x8000) || (value > 0x7FFF))
3765         return (TIFFReadDirEntryErrRange);
3766     else
3767         return (TIFFReadDirEntryErrOk);
3768 }
3769 
3770 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value)3771 TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value)
3772 {
3773     if (value > 0x7FFF)
3774         return (TIFFReadDirEntryErrRange);
3775     else
3776         return (TIFFReadDirEntryErrOk);
3777 }
3778 
3779 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value)3780 TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value)
3781 {
3782     if ((value < -0x8000) || (value > 0x7FFF))
3783         return (TIFFReadDirEntryErrRange);
3784     else
3785         return (TIFFReadDirEntryErrOk);
3786 }
3787 
3788 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongSbyte(int8_t value)3789 TIFFReadDirEntryCheckRangeLongSbyte(int8_t value)
3790 {
3791     if (value < 0)
3792         return (TIFFReadDirEntryErrRange);
3793     else
3794         return (TIFFReadDirEntryErrOk);
3795 }
3796 
3797 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongSshort(int16_t value)3798 TIFFReadDirEntryCheckRangeLongSshort(int16_t value)
3799 {
3800     if (value < 0)
3801         return (TIFFReadDirEntryErrRange);
3802     else
3803         return (TIFFReadDirEntryErrOk);
3804 }
3805 
3806 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongSlong(int32_t value)3807 TIFFReadDirEntryCheckRangeLongSlong(int32_t value)
3808 {
3809     if (value < 0)
3810         return (TIFFReadDirEntryErrRange);
3811     else
3812         return (TIFFReadDirEntryErrOk);
3813 }
3814 
3815 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongLong8(uint64_t value)3816 TIFFReadDirEntryCheckRangeLongLong8(uint64_t value)
3817 {
3818     if (value > UINT32_MAX)
3819         return (TIFFReadDirEntryErrRange);
3820     else
3821         return (TIFFReadDirEntryErrOk);
3822 }
3823 
3824 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLongSlong8(int64_t value)3825 TIFFReadDirEntryCheckRangeLongSlong8(int64_t value)
3826 {
3827     if ((value < 0) || (value > (int64_t)UINT32_MAX))
3828         return (TIFFReadDirEntryErrRange);
3829     else
3830         return (TIFFReadDirEntryErrOk);
3831 }
3832 
3833 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongLong(uint32_t value)3834 TIFFReadDirEntryCheckRangeSlongLong(uint32_t value)
3835 {
3836     if (value > 0x7FFFFFFFUL)
3837         return (TIFFReadDirEntryErrRange);
3838     else
3839         return (TIFFReadDirEntryErrOk);
3840 }
3841 
3842 /* Check that the 8-byte unsigned value can fit in a 4-byte unsigned range */
3843 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value)3844 TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value)
3845 {
3846     if (value > 0x7FFFFFFF)
3847         return (TIFFReadDirEntryErrRange);
3848     else
3849         return (TIFFReadDirEntryErrOk);
3850 }
3851 
3852 /* Check that the 8-byte signed value can fit in a 4-byte signed range */
3853 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value)3854 TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value)
3855 {
3856     if ((value < 0 - ((int64_t)0x7FFFFFFF + 1)) || (value > 0x7FFFFFFF))
3857         return (TIFFReadDirEntryErrRange);
3858     else
3859         return (TIFFReadDirEntryErrOk);
3860 }
3861 
3862 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value)3863 TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value)
3864 {
3865     if (value < 0)
3866         return (TIFFReadDirEntryErrRange);
3867     else
3868         return (TIFFReadDirEntryErrOk);
3869 }
3870 
3871 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value)3872 TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value)
3873 {
3874     if (value < 0)
3875         return (TIFFReadDirEntryErrRange);
3876     else
3877         return (TIFFReadDirEntryErrOk);
3878 }
3879 
3880 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Slong(int32_t value)3881 TIFFReadDirEntryCheckRangeLong8Slong(int32_t value)
3882 {
3883     if (value < 0)
3884         return (TIFFReadDirEntryErrRange);
3885     else
3886         return (TIFFReadDirEntryErrOk);
3887 }
3888 
3889 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value)3890 TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value)
3891 {
3892     if (value < 0)
3893         return (TIFFReadDirEntryErrRange);
3894     else
3895         return (TIFFReadDirEntryErrOk);
3896 }
3897 
3898 static enum TIFFReadDirEntryErr
TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value)3899 TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value)
3900 {
3901     if (value > INT64_MAX)
3902         return (TIFFReadDirEntryErrRange);
3903     else
3904         return (TIFFReadDirEntryErrOk);
3905 }
3906 
TIFFReadDirEntryData(TIFF * tif,uint64_t offset,tmsize_t size,void * dest)3907 static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF *tif, uint64_t offset,
3908                                                      tmsize_t size, void *dest)
3909 {
3910     assert(size > 0);
3911     if (!isMapped(tif))
3912     {
3913         if (!SeekOK(tif, offset))
3914             return (TIFFReadDirEntryErrIo);
3915         if (!ReadOK(tif, dest, size))
3916             return (TIFFReadDirEntryErrIo);
3917     }
3918     else
3919     {
3920         size_t ma, mb;
3921         ma = (size_t)offset;
3922         if ((uint64_t)ma != offset || ma > (~(size_t)0) - (size_t)size)
3923         {
3924             return TIFFReadDirEntryErrIo;
3925         }
3926         mb = ma + size;
3927         if (mb > (uint64_t)tif->tif_size)
3928             return (TIFFReadDirEntryErrIo);
3929         _TIFFmemcpy(dest, tif->tif_base + ma, size);
3930     }
3931     return (TIFFReadDirEntryErrOk);
3932 }
3933 
TIFFReadDirEntryOutputErr(TIFF * tif,enum TIFFReadDirEntryErr err,const char * module,const char * tagname,int recover)3934 static void TIFFReadDirEntryOutputErr(TIFF *tif, enum TIFFReadDirEntryErr err,
3935                                       const char *module, const char *tagname,
3936                                       int recover)
3937 {
3938     if (!recover)
3939     {
3940         switch (err)
3941         {
3942             case TIFFReadDirEntryErrCount:
3943                 TIFFErrorExtR(tif, module, "Incorrect count for \"%s\"",
3944                               tagname);
3945                 break;
3946             case TIFFReadDirEntryErrType:
3947                 TIFFErrorExtR(tif, module, "Incompatible type for \"%s\"",
3948                               tagname);
3949                 break;
3950             case TIFFReadDirEntryErrIo:
3951                 TIFFErrorExtR(tif, module, "IO error during reading of \"%s\"",
3952                               tagname);
3953                 break;
3954             case TIFFReadDirEntryErrRange:
3955                 TIFFErrorExtR(tif, module, "Incorrect value for \"%s\"",
3956                               tagname);
3957                 break;
3958             case TIFFReadDirEntryErrPsdif:
3959                 TIFFErrorExtR(
3960                     tif, module,
3961                     "Cannot handle different values per sample for \"%s\"",
3962                     tagname);
3963                 break;
3964             case TIFFReadDirEntryErrSizesan:
3965                 TIFFErrorExtR(tif, module,
3966                               "Sanity check on size of \"%s\" value failed",
3967                               tagname);
3968                 break;
3969             case TIFFReadDirEntryErrAlloc:
3970                 TIFFErrorExtR(tif, module, "Out of memory reading of \"%s\"",
3971                               tagname);
3972                 break;
3973             default:
3974                 assert(0); /* we should never get here */
3975                 break;
3976         }
3977     }
3978     else
3979     {
3980         switch (err)
3981         {
3982             case TIFFReadDirEntryErrCount:
3983                 TIFFWarningExtR(tif, module,
3984                                 "Incorrect count for \"%s\"; tag ignored",
3985                                 tagname);
3986                 break;
3987             case TIFFReadDirEntryErrType:
3988                 TIFFWarningExtR(tif, module,
3989                                 "Incompatible type for \"%s\"; tag ignored",
3990                                 tagname);
3991                 break;
3992             case TIFFReadDirEntryErrIo:
3993                 TIFFWarningExtR(
3994                     tif, module,
3995                     "IO error during reading of \"%s\"; tag ignored", tagname);
3996                 break;
3997             case TIFFReadDirEntryErrRange:
3998                 TIFFWarningExtR(tif, module,
3999                                 "Incorrect value for \"%s\"; tag ignored",
4000                                 tagname);
4001                 break;
4002             case TIFFReadDirEntryErrPsdif:
4003                 TIFFWarningExtR(tif, module,
4004                                 "Cannot handle different values per sample for "
4005                                 "\"%s\"; tag ignored",
4006                                 tagname);
4007                 break;
4008             case TIFFReadDirEntryErrSizesan:
4009                 TIFFWarningExtR(
4010                     tif, module,
4011                     "Sanity check on size of \"%s\" value failed; tag ignored",
4012                     tagname);
4013                 break;
4014             case TIFFReadDirEntryErrAlloc:
4015                 TIFFWarningExtR(tif, module,
4016                                 "Out of memory reading of \"%s\"; tag ignored",
4017                                 tagname);
4018                 break;
4019             default:
4020                 assert(0); /* we should never get here */
4021                 break;
4022         }
4023     }
4024 }
4025 
4026 /*
4027  * Return the maximum number of color channels specified for a given photometric
4028  * type. 0 is returned if photometric type isn't supported or no default value
4029  * is defined by the specification.
4030  */
_TIFFGetMaxColorChannels(uint16_t photometric)4031 static int _TIFFGetMaxColorChannels(uint16_t photometric)
4032 {
4033     switch (photometric)
4034     {
4035         case PHOTOMETRIC_PALETTE:
4036         case PHOTOMETRIC_MINISWHITE:
4037         case PHOTOMETRIC_MINISBLACK:
4038             return 1;
4039         case PHOTOMETRIC_YCBCR:
4040         case PHOTOMETRIC_RGB:
4041         case PHOTOMETRIC_CIELAB:
4042         case PHOTOMETRIC_LOGLUV:
4043         case PHOTOMETRIC_ITULAB:
4044         case PHOTOMETRIC_ICCLAB:
4045             return 3;
4046         case PHOTOMETRIC_SEPARATED:
4047         case PHOTOMETRIC_MASK:
4048             return 4;
4049         case PHOTOMETRIC_LOGL:
4050         case PHOTOMETRIC_CFA:
4051         default:
4052             return 0;
4053     }
4054 }
4055 
ByteCountLooksBad(TIFF * tif)4056 static int ByteCountLooksBad(TIFF *tif)
4057 {
4058     /*
4059      * Assume we have wrong StripByteCount value (in case
4060      * of single strip) in following cases:
4061      *   - it is equal to zero along with StripOffset;
4062      *   - it is larger than file itself (in case of uncompressed
4063      *     image);
4064      *   - it is smaller than the size of the bytes per row
4065      *     multiplied on the number of rows.  The last case should
4066      *     not be checked in the case of writing new image,
4067      *     because we may do not know the exact strip size
4068      *     until the whole image will be written and directory
4069      *     dumped out.
4070      */
4071     uint64_t bytecount = TIFFGetStrileByteCount(tif, 0);
4072     uint64_t offset = TIFFGetStrileOffset(tif, 0);
4073     uint64_t filesize;
4074 
4075     if (offset == 0)
4076         return 0;
4077     if (bytecount == 0)
4078         return 1;
4079     if (tif->tif_dir.td_compression != COMPRESSION_NONE)
4080         return 0;
4081     filesize = TIFFGetFileSize(tif);
4082     if (offset <= filesize && bytecount > filesize - offset)
4083         return 1;
4084     if (tif->tif_mode == O_RDONLY)
4085     {
4086         uint64_t scanlinesize = TIFFScanlineSize64(tif);
4087         if (tif->tif_dir.td_imagelength > 0 &&
4088             scanlinesize > UINT64_MAX / tif->tif_dir.td_imagelength)
4089         {
4090             return 1;
4091         }
4092         if (bytecount < scanlinesize * tif->tif_dir.td_imagelength)
4093             return 1;
4094     }
4095     return 0;
4096 }
4097 
4098 /*
4099  * Read the next TIFF directory from a file and convert it to the internal
4100  * format. We read directories sequentially.
4101  */
TIFFReadDirectory(TIFF * tif)4102 int TIFFReadDirectory(TIFF *tif)
4103 {
4104     static const char module[] = "TIFFReadDirectory";
4105     TIFFDirEntry *dir;
4106     uint16_t dircount;
4107     TIFFDirEntry *dp;
4108     uint16_t di;
4109     const TIFFField *fip;
4110     uint32_t fii = FAILED_FII;
4111     toff_t nextdiroff;
4112     int bitspersample_read = FALSE;
4113     int color_channels;
4114 
4115     if (tif->tif_nextdiroff == 0)
4116     {
4117         /* In this special case, tif_diroff needs also to be set to 0.
4118          * This is behind the last IFD, thus no checking or reading necessary.
4119          */
4120         tif->tif_diroff = tif->tif_nextdiroff;
4121         return 0;
4122     }
4123 
4124     nextdiroff = tif->tif_nextdiroff;
4125     /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL
4126      * reading of the directory. Otherwise, invalid IFD offsets could corrupt
4127      * the IFD list. */
4128     if (!_TIFFCheckDirNumberAndOffset(tif,
4129                                       tif->tif_curdir ==
4130                                               TIFF_NON_EXISTENT_DIR_NUMBER
4131                                           ? 0
4132                                           : tif->tif_curdir + 1,
4133                                       nextdiroff))
4134     {
4135         return 0; /* bad offset (IFD looping or more than TIFF_MAX_DIR_COUNT
4136                      IFDs) */
4137     }
4138     dircount = TIFFFetchDirectory(tif, nextdiroff, &dir, &tif->tif_nextdiroff);
4139     if (!dircount)
4140     {
4141         TIFFErrorExtR(tif, module,
4142                       "Failed to read directory at offset %" PRIu64,
4143                       nextdiroff);
4144         return 0;
4145     }
4146     /* Set global values after a valid directory has been fetched.
4147      * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the
4148      * beginning. */
4149     if (tif->tif_curdir == TIFF_NON_EXISTENT_DIR_NUMBER)
4150         tif->tif_curdir = 0;
4151     else
4152         tif->tif_curdir++;
4153     (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
4154 
4155     TIFFReadDirectoryCheckOrder(tif, dir, dircount);
4156 
4157     /*
4158      * Mark duplicates of any tag to be ignored (bugzilla 1994)
4159      * to avoid certain pathological problems.
4160      */
4161     {
4162         TIFFDirEntry *ma;
4163         uint16_t mb;
4164         for (ma = dir, mb = 0; mb < dircount; ma++, mb++)
4165         {
4166             TIFFDirEntry *na;
4167             uint16_t nb;
4168             for (na = ma + 1, nb = mb + 1; nb < dircount; na++, nb++)
4169             {
4170                 if (ma->tdir_tag == na->tdir_tag)
4171                 {
4172                     na->tdir_ignore = TRUE;
4173                 }
4174             }
4175         }
4176     }
4177 
4178     tif->tif_flags &= ~TIFF_BEENWRITING; /* reset before new dir */
4179     tif->tif_flags &= ~TIFF_BUF4WRITE;   /* reset before new dir */
4180     tif->tif_flags &= ~TIFF_CHOPPEDUPARRAYS;
4181 
4182     /* free any old stuff and reinit */
4183     TIFFFreeDirectory(tif);
4184     TIFFDefaultDirectory(tif);
4185     /*
4186      * Electronic Arts writes gray-scale TIFF files
4187      * without a PlanarConfiguration directory entry.
4188      * Thus we setup a default value here, even though
4189      * the TIFF spec says there is no default value.
4190      * After PlanarConfiguration is preset in TIFFDefaultDirectory()
4191      * the following setting is not needed, but does not harm either.
4192      */
4193     TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
4194     /*
4195      * Setup default value and then make a pass over
4196      * the fields to check type and tag information,
4197      * and to extract info required to size data
4198      * structures.  A second pass is made afterwards
4199      * to read in everything not taken in the first pass.
4200      * But we must process the Compression tag first
4201      * in order to merge in codec-private tag definitions (otherwise
4202      * we may get complaints about unknown tags).  However, the
4203      * Compression tag may be dependent on the SamplesPerPixel
4204      * tag value because older TIFF specs permitted Compression
4205      * to be written as a SamplesPerPixel-count tag entry.
4206      * Thus if we don't first figure out the correct SamplesPerPixel
4207      * tag value then we may end up ignoring the Compression tag
4208      * value because it has an incorrect count value (if the
4209      * true value of SamplesPerPixel is not 1).
4210      */
4211     dp =
4212         TIFFReadDirectoryFindEntry(tif, dir, dircount, TIFFTAG_SAMPLESPERPIXEL);
4213     if (dp)
4214     {
4215         if (!TIFFFetchNormalTag(tif, dp, 0))
4216             goto bad;
4217         dp->tdir_ignore = TRUE;
4218     }
4219     dp = TIFFReadDirectoryFindEntry(tif, dir, dircount, TIFFTAG_COMPRESSION);
4220     if (dp)
4221     {
4222         /*
4223          * The 5.0 spec says the Compression tag has one value, while
4224          * earlier specs say it has one value per sample.  Because of
4225          * this, we accept the tag if one value is supplied with either
4226          * count.
4227          */
4228         uint16_t value;
4229         enum TIFFReadDirEntryErr err;
4230         err = TIFFReadDirEntryShort(tif, dp, &value);
4231         if (err == TIFFReadDirEntryErrCount)
4232             err = TIFFReadDirEntryPersampleShort(tif, dp, &value);
4233         if (err != TIFFReadDirEntryErrOk)
4234         {
4235             TIFFReadDirEntryOutputErr(tif, err, module, "Compression", 0);
4236             goto bad;
4237         }
4238         if (!TIFFSetField(tif, TIFFTAG_COMPRESSION, value))
4239             goto bad;
4240         dp->tdir_ignore = TRUE;
4241     }
4242     else
4243     {
4244         if (!TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE))
4245             goto bad;
4246     }
4247     /*
4248      * First real pass over the directory.
4249      */
4250     for (di = 0, dp = dir; di < dircount; di++, dp++)
4251     {
4252         if (!dp->tdir_ignore)
4253         {
4254             TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
4255             if (fii == FAILED_FII)
4256             {
4257                 TIFFWarningExtR(tif, module,
4258                                 "Unknown field with tag %" PRIu16 " (0x%" PRIx16
4259                                 ") encountered",
4260                                 dp->tdir_tag, dp->tdir_tag);
4261                 /* the following knowingly leaks the
4262                    anonymous field structure */
4263                 if (!_TIFFMergeFields(
4264                         tif,
4265                         _TIFFCreateAnonField(tif, dp->tdir_tag,
4266                                              (TIFFDataType)dp->tdir_type),
4267                         1))
4268                 {
4269                     TIFFWarningExtR(
4270                         tif, module,
4271                         "Registering anonymous field with tag %" PRIu16
4272                         " (0x%" PRIx16 ") failed",
4273                         dp->tdir_tag, dp->tdir_tag);
4274                     dp->tdir_ignore = TRUE;
4275                 }
4276                 else
4277                 {
4278                     TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
4279                     assert(fii != FAILED_FII);
4280                 }
4281             }
4282         }
4283         if (!dp->tdir_ignore)
4284         {
4285             fip = tif->tif_fields[fii];
4286             if (fip->field_bit == FIELD_IGNORE)
4287                 dp->tdir_ignore = TRUE;
4288             else
4289             {
4290                 switch (dp->tdir_tag)
4291                 {
4292                     case TIFFTAG_STRIPOFFSETS:
4293                     case TIFFTAG_STRIPBYTECOUNTS:
4294                     case TIFFTAG_TILEOFFSETS:
4295                     case TIFFTAG_TILEBYTECOUNTS:
4296                         TIFFSetFieldBit(tif, fip->field_bit);
4297                         break;
4298                     case TIFFTAG_IMAGEWIDTH:
4299                     case TIFFTAG_IMAGELENGTH:
4300                     case TIFFTAG_IMAGEDEPTH:
4301                     case TIFFTAG_TILELENGTH:
4302                     case TIFFTAG_TILEWIDTH:
4303                     case TIFFTAG_TILEDEPTH:
4304                     case TIFFTAG_PLANARCONFIG:
4305                     case TIFFTAG_ROWSPERSTRIP:
4306                     case TIFFTAG_EXTRASAMPLES:
4307                         if (!TIFFFetchNormalTag(tif, dp, 0))
4308                             goto bad;
4309                         dp->tdir_ignore = TRUE;
4310                         break;
4311                     default:
4312                         if (!_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag))
4313                             dp->tdir_ignore = TRUE;
4314                         break;
4315                 }
4316             }
4317         }
4318     }
4319     /*
4320      * XXX: OJPEG hack.
4321      * If a) compression is OJPEG, b) planarconfig tag says it's separate,
4322      * c) strip offsets/bytecounts tag are both present and
4323      * d) both contain exactly one value, then we consistently find
4324      * that the buggy implementation of the buggy compression scheme
4325      * matches contig planarconfig best. So we 'fix-up' the tag here
4326      */
4327     if ((tif->tif_dir.td_compression == COMPRESSION_OJPEG) &&
4328         (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE))
4329     {
4330         if (!_TIFFFillStriles(tif))
4331             goto bad;
4332         dp = TIFFReadDirectoryFindEntry(tif, dir, dircount,
4333                                         TIFFTAG_STRIPOFFSETS);
4334         if ((dp != 0) && (dp->tdir_count == 1))
4335         {
4336             dp = TIFFReadDirectoryFindEntry(tif, dir, dircount,
4337                                             TIFFTAG_STRIPBYTECOUNTS);
4338             if ((dp != 0) && (dp->tdir_count == 1))
4339             {
4340                 tif->tif_dir.td_planarconfig = PLANARCONFIG_CONTIG;
4341                 TIFFWarningExtR(tif, module,
4342                                 "Planarconfig tag value assumed incorrect, "
4343                                 "assuming data is contig instead of chunky");
4344             }
4345         }
4346     }
4347     /*
4348      * Allocate directory structure and setup defaults.
4349      */
4350     if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS))
4351     {
4352         MissingRequired(tif, "ImageLength");
4353         goto bad;
4354     }
4355 
4356     /*
4357      * Second pass: extract other information.
4358      */
4359     for (di = 0, dp = dir; di < dircount; di++, dp++)
4360     {
4361         if (!dp->tdir_ignore)
4362         {
4363             switch (dp->tdir_tag)
4364             {
4365                 case TIFFTAG_MINSAMPLEVALUE:
4366                 case TIFFTAG_MAXSAMPLEVALUE:
4367                 case TIFFTAG_BITSPERSAMPLE:
4368                 case TIFFTAG_DATATYPE:
4369                 case TIFFTAG_SAMPLEFORMAT:
4370                     /*
4371                      * The MinSampleValue, MaxSampleValue, BitsPerSample
4372                      * DataType and SampleFormat tags are supposed to be
4373                      * written as one value/sample, but some vendors
4374                      * incorrectly write one value only -- so we accept
4375                      * that as well (yuck). Other vendors write correct
4376                      * value for NumberOfSamples, but incorrect one for
4377                      * BitsPerSample and friends, and we will read this
4378                      * too.
4379                      */
4380                     {
4381                         uint16_t value;
4382                         enum TIFFReadDirEntryErr err;
4383                         err = TIFFReadDirEntryShort(tif, dp, &value);
4384                         if (err == TIFFReadDirEntryErrCount)
4385                             err =
4386                                 TIFFReadDirEntryPersampleShort(tif, dp, &value);
4387                         if (err != TIFFReadDirEntryErrOk)
4388                         {
4389                             fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4390                             TIFFReadDirEntryOutputErr(
4391                                 tif, err, module,
4392                                 fip ? fip->field_name : "unknown tagname", 0);
4393                             goto bad;
4394                         }
4395                         if (!TIFFSetField(tif, dp->tdir_tag, value))
4396                             goto bad;
4397                         if (dp->tdir_tag == TIFFTAG_BITSPERSAMPLE)
4398                             bitspersample_read = TRUE;
4399                     }
4400                     break;
4401                 case TIFFTAG_SMINSAMPLEVALUE:
4402                 case TIFFTAG_SMAXSAMPLEVALUE:
4403                 {
4404 
4405                     double *data = NULL;
4406                     enum TIFFReadDirEntryErr err;
4407                     uint32_t saved_flags;
4408                     int m;
4409                     if (dp->tdir_count !=
4410                         (uint64_t)tif->tif_dir.td_samplesperpixel)
4411                         err = TIFFReadDirEntryErrCount;
4412                     else
4413                         err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
4414                     if (err != TIFFReadDirEntryErrOk)
4415                     {
4416                         fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4417                         TIFFReadDirEntryOutputErr(
4418                             tif, err, module,
4419                             fip ? fip->field_name : "unknown tagname", 0);
4420                         goto bad;
4421                     }
4422                     saved_flags = tif->tif_flags;
4423                     tif->tif_flags |= TIFF_PERSAMPLE;
4424                     m = TIFFSetField(tif, dp->tdir_tag, data);
4425                     tif->tif_flags = saved_flags;
4426                     _TIFFfreeExt(tif, data);
4427                     if (!m)
4428                         goto bad;
4429                 }
4430                 break;
4431                 case TIFFTAG_STRIPOFFSETS:
4432                 case TIFFTAG_TILEOFFSETS:
4433                     switch (dp->tdir_type)
4434                     {
4435                         case TIFF_SHORT:
4436                         case TIFF_LONG:
4437                         case TIFF_LONG8:
4438                             break;
4439                         default:
4440                             /* Warn except if directory typically created with
4441                              * TIFFDeferStrileArrayWriting() */
4442                             if (!(tif->tif_mode == O_RDWR &&
4443                                   dp->tdir_count == 0 && dp->tdir_type == 0 &&
4444                                   dp->tdir_offset.toff_long8 == 0))
4445                             {
4446                                 fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4447                                 TIFFWarningExtR(
4448                                     tif, module, "Invalid data type for tag %s",
4449                                     fip ? fip->field_name : "unknown tagname");
4450                             }
4451                             break;
4452                     }
4453                     _TIFFmemcpy(&(tif->tif_dir.td_stripoffset_entry), dp,
4454                                 sizeof(TIFFDirEntry));
4455                     break;
4456                 case TIFFTAG_STRIPBYTECOUNTS:
4457                 case TIFFTAG_TILEBYTECOUNTS:
4458                     switch (dp->tdir_type)
4459                     {
4460                         case TIFF_SHORT:
4461                         case TIFF_LONG:
4462                         case TIFF_LONG8:
4463                             break;
4464                         default:
4465                             /* Warn except if directory typically created with
4466                              * TIFFDeferStrileArrayWriting() */
4467                             if (!(tif->tif_mode == O_RDWR &&
4468                                   dp->tdir_count == 0 && dp->tdir_type == 0 &&
4469                                   dp->tdir_offset.toff_long8 == 0))
4470                             {
4471                                 fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4472                                 TIFFWarningExtR(
4473                                     tif, module, "Invalid data type for tag %s",
4474                                     fip ? fip->field_name : "unknown tagname");
4475                             }
4476                             break;
4477                     }
4478                     _TIFFmemcpy(&(tif->tif_dir.td_stripbytecount_entry), dp,
4479                                 sizeof(TIFFDirEntry));
4480                     break;
4481                 case TIFFTAG_COLORMAP:
4482                 case TIFFTAG_TRANSFERFUNCTION:
4483                 {
4484                     enum TIFFReadDirEntryErr err;
4485                     uint32_t countpersample;
4486                     uint32_t countrequired;
4487                     uint32_t incrementpersample;
4488                     uint16_t *value = NULL;
4489                     /* It would be dangerous to instantiate those tag values */
4490                     /* since if td_bitspersample has not yet been read (due to
4491                      */
4492                     /* unordered tags), it could be read afterwards with a */
4493                     /* values greater than the default one (1), which may cause
4494                      */
4495                     /* crashes in user code */
4496                     if (!bitspersample_read)
4497                     {
4498                         fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4499                         TIFFWarningExtR(
4500                             tif, module,
4501                             "Ignoring %s since BitsPerSample tag not found",
4502                             fip ? fip->field_name : "unknown tagname");
4503                         continue;
4504                     }
4505                     /* ColorMap or TransferFunction for high bit */
4506                     /* depths do not make much sense and could be */
4507                     /* used as a denial of service vector */
4508                     if (tif->tif_dir.td_bitspersample > 24)
4509                     {
4510                         fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4511                         TIFFWarningExtR(
4512                             tif, module,
4513                             "Ignoring %s because BitsPerSample=%" PRIu16 ">24",
4514                             fip ? fip->field_name : "unknown tagname",
4515                             tif->tif_dir.td_bitspersample);
4516                         continue;
4517                     }
4518                     countpersample = (1U << tif->tif_dir.td_bitspersample);
4519                     if ((dp->tdir_tag == TIFFTAG_TRANSFERFUNCTION) &&
4520                         (dp->tdir_count == (uint64_t)countpersample))
4521                     {
4522                         countrequired = countpersample;
4523                         incrementpersample = 0;
4524                     }
4525                     else
4526                     {
4527                         countrequired = 3 * countpersample;
4528                         incrementpersample = countpersample;
4529                     }
4530                     if (dp->tdir_count != (uint64_t)countrequired)
4531                         err = TIFFReadDirEntryErrCount;
4532                     else
4533                         err = TIFFReadDirEntryShortArray(tif, dp, &value);
4534                     if (err != TIFFReadDirEntryErrOk)
4535                     {
4536                         fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4537                         TIFFReadDirEntryOutputErr(
4538                             tif, err, module,
4539                             fip ? fip->field_name : "unknown tagname", 1);
4540                     }
4541                     else
4542                     {
4543                         TIFFSetField(tif, dp->tdir_tag, value,
4544                                      value + incrementpersample,
4545                                      value + 2 * incrementpersample);
4546                         _TIFFfreeExt(tif, value);
4547                     }
4548                 }
4549                 break;
4550                     /* BEGIN REV 4.0 COMPATIBILITY */
4551                 case TIFFTAG_OSUBFILETYPE:
4552                 {
4553                     uint16_t valueo;
4554                     uint32_t value;
4555                     if (TIFFReadDirEntryShort(tif, dp, &valueo) ==
4556                         TIFFReadDirEntryErrOk)
4557                     {
4558                         switch (valueo)
4559                         {
4560                             case OFILETYPE_REDUCEDIMAGE:
4561                                 value = FILETYPE_REDUCEDIMAGE;
4562                                 break;
4563                             case OFILETYPE_PAGE:
4564                                 value = FILETYPE_PAGE;
4565                                 break;
4566                             default:
4567                                 value = 0;
4568                                 break;
4569                         }
4570                         if (value != 0)
4571                             TIFFSetField(tif, TIFFTAG_SUBFILETYPE, value);
4572                     }
4573                 }
4574                 break;
4575                 /* END REV 4.0 COMPATIBILITY */
4576 #if 0
4577                 case TIFFTAG_EP_BATTERYLEVEL:
4578                     /* TIFFTAG_EP_BATTERYLEVEL can be RATIONAL or ASCII.
4579                      * LibTiff defines it as ASCII and converts RATIONAL to an
4580                      * ASCII string. */
4581                     switch (dp->tdir_type)
4582                     {
4583                         case TIFF_RATIONAL:
4584                         {
4585                             /* Read rational and convert to ASCII*/
4586                             enum TIFFReadDirEntryErr err;
4587                             TIFFRational_t rValue;
4588                             err = TIFFReadDirEntryCheckedRationalDirect(
4589                                 tif, dp, &rValue);
4590                             if (err != TIFFReadDirEntryErrOk)
4591                             {
4592                                 fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4593                                 TIFFReadDirEntryOutputErr(
4594                                     tif, err, module,
4595                                     fip ? fip->field_name : "unknown tagname",
4596                                     1);
4597                             }
4598                             else
4599                             {
4600                                 char szAux[32];
4601                                 snprintf(szAux, sizeof(szAux) - 1, "%d/%d",
4602                                          rValue.uNum, rValue.uDenom);
4603                                 TIFFSetField(tif, dp->tdir_tag, szAux);
4604                             }
4605                         }
4606                         break;
4607                         case TIFF_ASCII:
4608                             (void)TIFFFetchNormalTag(tif, dp, TRUE);
4609                             break;
4610                         default:
4611                             fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4612                             TIFFWarningExtR(tif, module,
4613                                             "Invalid data type for tag %s. "
4614                                             "ASCII or RATIONAL expected",
4615                                             fip ? fip->field_name
4616                                                 : "unknown tagname");
4617                             break;
4618                     }
4619                     break;
4620 #endif
4621                 default:
4622                     (void)TIFFFetchNormalTag(tif, dp, TRUE);
4623                     break;
4624             }
4625         } /* -- if (!dp->tdir_ignore) */
4626     }     /* -- for-loop -- */
4627 
4628     /*
4629      * OJPEG hack:
4630      * - If a) compression is OJPEG, and b) photometric tag is missing,
4631      * then we consistently find that photometric should be YCbCr
4632      * - If a) compression is OJPEG, and b) photometric tag says it's RGB,
4633      * then we consistently find that the buggy implementation of the
4634      * buggy compression scheme matches photometric YCbCr instead.
4635      * - If a) compression is OJPEG, and b) bitspersample tag is missing,
4636      * then we consistently find bitspersample should be 8.
4637      * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4638      * and c) photometric is RGB or YCbCr, then we consistently find
4639      * samplesperpixel should be 3
4640      * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4641      * and c) photometric is MINISWHITE or MINISBLACK, then we consistently
4642      * find samplesperpixel should be 3
4643      */
4644     if (tif->tif_dir.td_compression == COMPRESSION_OJPEG)
4645     {
4646         if (!TIFFFieldSet(tif, FIELD_PHOTOMETRIC))
4647         {
4648             TIFFWarningExtR(
4649                 tif, module,
4650                 "Photometric tag is missing, assuming data is YCbCr");
4651             if (!TIFFSetField(tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR))
4652                 goto bad;
4653         }
4654         else if (tif->tif_dir.td_photometric == PHOTOMETRIC_RGB)
4655         {
4656             tif->tif_dir.td_photometric = PHOTOMETRIC_YCBCR;
4657             TIFFWarningExtR(tif, module,
4658                             "Photometric tag value assumed incorrect, "
4659                             "assuming data is YCbCr instead of RGB");
4660         }
4661         if (!TIFFFieldSet(tif, FIELD_BITSPERSAMPLE))
4662         {
4663             TIFFWarningExtR(
4664                 tif, module,
4665                 "BitsPerSample tag is missing, assuming 8 bits per sample");
4666             if (!TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, 8))
4667                 goto bad;
4668         }
4669         if (!TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
4670         {
4671             if (tif->tif_dir.td_photometric == PHOTOMETRIC_RGB)
4672             {
4673                 TIFFWarningExtR(tif, module,
4674                                 "SamplesPerPixel tag is missing, "
4675                                 "assuming correct SamplesPerPixel value is 3");
4676                 if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 3))
4677                     goto bad;
4678             }
4679             if (tif->tif_dir.td_photometric == PHOTOMETRIC_YCBCR)
4680             {
4681                 TIFFWarningExtR(tif, module,
4682                                 "SamplesPerPixel tag is missing, "
4683                                 "applying correct SamplesPerPixel value of 3");
4684                 if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 3))
4685                     goto bad;
4686             }
4687             else if ((tif->tif_dir.td_photometric == PHOTOMETRIC_MINISWHITE) ||
4688                      (tif->tif_dir.td_photometric == PHOTOMETRIC_MINISBLACK))
4689             {
4690                 /*
4691                  * SamplesPerPixel tag is missing, but is not required
4692                  * by spec.  Assume correct SamplesPerPixel value of 1.
4693                  */
4694                 if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 1))
4695                     goto bad;
4696             }
4697         }
4698     }
4699 
4700     /*
4701      * Setup appropriate structures (by strip or by tile)
4702      * We do that only after the above OJPEG hack which alters SamplesPerPixel
4703      * and thus influences the number of strips in the separate planarconfig.
4704      */
4705     if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS))
4706     {
4707         tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
4708         tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
4709         tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
4710         tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
4711         tif->tif_flags &= ~TIFF_ISTILED;
4712     }
4713     else
4714     {
4715         tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
4716         tif->tif_flags |= TIFF_ISTILED;
4717     }
4718     if (!tif->tif_dir.td_nstrips)
4719     {
4720         TIFFErrorExtR(tif, module, "Cannot handle zero number of %s",
4721                       isTiled(tif) ? "tiles" : "strips");
4722         goto bad;
4723     }
4724     if (tif->tif_dir.td_nstrips > INT_MAX)
4725     {
4726         TIFFErrorExt(tif->tif_clientdata, module,
4727                      "Cannot handle %u number of %s",
4728                      tif->tif_dir.td_nstrips,
4729                      isTiled(tif) ? "tiles" : "strips");
4730         goto bad;
4731     }
4732     tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
4733     if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
4734         tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
4735     if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS))
4736     {
4737 #ifdef OJPEG_SUPPORT
4738         if ((tif->tif_dir.td_compression == COMPRESSION_OJPEG) &&
4739             (isTiled(tif) == 0) && (tif->tif_dir.td_nstrips == 1))
4740         {
4741             /*
4742              * XXX: OJPEG hack.
4743              * If a) compression is OJPEG, b) it's not a tiled TIFF,
4744              * and c) the number of strips is 1,
4745              * then we tolerate the absence of stripoffsets tag,
4746              * because, presumably, all required data is in the
4747              * JpegInterchangeFormat stream.
4748              */
4749             TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
4750         }
4751         else
4752 #endif
4753         {
4754             MissingRequired(tif, isTiled(tif) ? "TileOffsets" : "StripOffsets");
4755             goto bad;
4756         }
4757     }
4758 
4759     if (tif->tif_mode == O_RDWR &&
4760         tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
4761         tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
4762         tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
4763         tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
4764         tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
4765         tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
4766         tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
4767         tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0)
4768     {
4769         /* Directory typically created with TIFFDeferStrileArrayWriting() */
4770         TIFFSetupStrips(tif);
4771     }
4772     else if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD))
4773     {
4774         if (tif->tif_dir.td_stripoffset_entry.tdir_tag != 0)
4775         {
4776             if (!TIFFFetchStripThing(tif, &(tif->tif_dir.td_stripoffset_entry),
4777                                      tif->tif_dir.td_nstrips,
4778                                      &tif->tif_dir.td_stripoffset_p))
4779             {
4780                 goto bad;
4781             }
4782         }
4783         if (tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0)
4784         {
4785             if (!TIFFFetchStripThing(
4786                     tif, &(tif->tif_dir.td_stripbytecount_entry),
4787                     tif->tif_dir.td_nstrips, &tif->tif_dir.td_stripbytecount_p))
4788             {
4789                 goto bad;
4790             }
4791         }
4792     }
4793 
4794     /*
4795      * Make sure all non-color channels are extrasamples.
4796      * If it's not the case, define them as such.
4797      */
4798     color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
4799     if (color_channels &&
4800         tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples >
4801             color_channels)
4802     {
4803         uint16_t old_extrasamples;
4804         uint16_t *new_sampleinfo;
4805 
4806         TIFFWarningExtR(
4807             tif, module,
4808             "Sum of Photometric type-related "
4809             "color channels and ExtraSamples doesn't match SamplesPerPixel. "
4810             "Defining non-color channels as ExtraSamples.");
4811 
4812         old_extrasamples = tif->tif_dir.td_extrasamples;
4813         tif->tif_dir.td_extrasamples =
4814             (uint16_t)(tif->tif_dir.td_samplesperpixel - color_channels);
4815 
4816         // sampleinfo should contain information relative to these new extra
4817         // samples
4818         new_sampleinfo = (uint16_t *)_TIFFcallocExt(
4819             tif, tif->tif_dir.td_extrasamples, sizeof(uint16_t));
4820         if (!new_sampleinfo)
4821         {
4822             TIFFErrorExtR(tif, module,
4823                           "Failed to allocate memory for "
4824                           "temporary new sampleinfo array "
4825                           "(%" PRIu16 " 16 bit elements)",
4826                           tif->tif_dir.td_extrasamples);
4827             goto bad;
4828         }
4829 
4830         if (old_extrasamples > 0)
4831             memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo,
4832                    old_extrasamples * sizeof(uint16_t));
4833         _TIFFsetShortArrayExt(tif, &tif->tif_dir.td_sampleinfo, new_sampleinfo,
4834                               tif->tif_dir.td_extrasamples);
4835         _TIFFfreeExt(tif, new_sampleinfo);
4836     }
4837 
4838     /*
4839      * Verify Palette image has a Colormap.
4840      */
4841     if (tif->tif_dir.td_photometric == PHOTOMETRIC_PALETTE &&
4842         !TIFFFieldSet(tif, FIELD_COLORMAP))
4843     {
4844         if (tif->tif_dir.td_bitspersample >= 8 &&
4845             tif->tif_dir.td_samplesperpixel == 3)
4846             tif->tif_dir.td_photometric = PHOTOMETRIC_RGB;
4847         else if (tif->tif_dir.td_bitspersample >= 8)
4848             tif->tif_dir.td_photometric = PHOTOMETRIC_MINISBLACK;
4849         else
4850         {
4851             MissingRequired(tif, "Colormap");
4852             goto bad;
4853         }
4854     }
4855     /*
4856      * OJPEG hack:
4857      * We do no further messing with strip/tile offsets/bytecounts in OJPEG
4858      * TIFFs
4859      */
4860     if (tif->tif_dir.td_compression != COMPRESSION_OJPEG)
4861     {
4862         /*
4863          * Attempt to deal with a missing StripByteCounts tag.
4864          */
4865         if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS))
4866         {
4867             /*
4868              * Some manufacturers violate the spec by not giving
4869              * the size of the strips.  In this case, assume there
4870              * is one uncompressed strip of data.
4871              */
4872             if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
4873                  tif->tif_dir.td_nstrips > 1) ||
4874                 (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE &&
4875                  tif->tif_dir.td_nstrips !=
4876                      (uint32_t)tif->tif_dir.td_samplesperpixel))
4877             {
4878                 MissingRequired(tif, "StripByteCounts");
4879                 goto bad;
4880             }
4881             TIFFWarningExtR(
4882                 tif, module,
4883                 "TIFF directory is missing required "
4884                 "\"StripByteCounts\" field, calculating from imagelength");
4885             if (EstimateStripByteCounts(tif, dir, dircount) < 0)
4886                 goto bad;
4887         }
4888         else if (tif->tif_dir.td_nstrips == 1 &&
4889                  !(tif->tif_flags & TIFF_ISTILED) && ByteCountLooksBad(tif))
4890         {
4891             /*
4892              * XXX: Plexus (and others) sometimes give a value of
4893              * zero for a tag when they don't know what the
4894              * correct value is!  Try and handle the simple case
4895              * of estimating the size of a one strip image.
4896              */
4897             TIFFWarningExtR(tif, module,
4898                             "Bogus \"StripByteCounts\" field, ignoring and "
4899                             "calculating from imagelength");
4900             if (EstimateStripByteCounts(tif, dir, dircount) < 0)
4901                 goto bad;
4902         }
4903         else if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
4904                  tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
4905                  tif->tif_dir.td_nstrips > 2 &&
4906                  tif->tif_dir.td_compression == COMPRESSION_NONE &&
4907                  TIFFGetStrileByteCount(tif, 0) !=
4908                      TIFFGetStrileByteCount(tif, 1) &&
4909                  TIFFGetStrileByteCount(tif, 0) != 0 &&
4910                  TIFFGetStrileByteCount(tif, 1) != 0)
4911         {
4912             /*
4913              * XXX: Some vendors fill StripByteCount array with
4914              * absolutely wrong values (it can be equal to
4915              * StripOffset array, for example). Catch this case
4916              * here.
4917              *
4918              * We avoid this check if deferring strile loading
4919              * as it would always force us to load the strip/tile
4920              * information.
4921              */
4922             TIFFWarningExtR(tif, module,
4923                             "Wrong \"StripByteCounts\" field, ignoring and "
4924                             "calculating from imagelength");
4925             if (EstimateStripByteCounts(tif, dir, dircount) < 0)
4926                 goto bad;
4927         }
4928     }
4929     if (dir)
4930     {
4931         _TIFFfreeExt(tif, dir);
4932         dir = NULL;
4933     }
4934     if (!TIFFFieldSet(tif, FIELD_MAXSAMPLEVALUE))
4935     {
4936         if (tif->tif_dir.td_bitspersample >= 16)
4937             tif->tif_dir.td_maxsamplevalue = 0xFFFF;
4938         else
4939             tif->tif_dir.td_maxsamplevalue =
4940                 (uint16_t)((1L << tif->tif_dir.td_bitspersample) - 1);
4941     }
4942 
4943 #ifdef STRIPBYTECOUNTSORTED_UNUSED
4944     /*
4945      * XXX: We can optimize checking for the strip bounds using the sorted
4946      * bytecounts array. See also comments for TIFFAppendToStrip()
4947      * function in tif_write.c.
4948      */
4949     if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) && tif->tif_dir.td_nstrips > 1)
4950     {
4951         uint32_t strip;
4952 
4953         tif->tif_dir.td_stripbytecountsorted = 1;
4954         for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++)
4955         {
4956             if (TIFFGetStrileOffset(tif, strip - 1) >
4957                 TIFFGetStrileOffset(tif, strip))
4958             {
4959                 tif->tif_dir.td_stripbytecountsorted = 0;
4960                 break;
4961             }
4962         }
4963     }
4964 #endif
4965 
4966     /*
4967      * An opportunity for compression mode dependent tag fixup
4968      */
4969     (*tif->tif_fixuptags)(tif);
4970 
4971     /*
4972      * Some manufacturers make life difficult by writing
4973      * large amounts of uncompressed data as a single strip.
4974      * This is contrary to the recommendations of the spec.
4975      * The following makes an attempt at breaking such images
4976      * into strips closer to the recommended 8k bytes.  A
4977      * side effect, however, is that the RowsPerStrip tag
4978      * value may be changed.
4979      */
4980     if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG) &&
4981         (tif->tif_dir.td_nstrips == 1) &&
4982         (tif->tif_dir.td_compression == COMPRESSION_NONE) &&
4983         ((tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) == TIFF_STRIPCHOP))
4984     {
4985         ChopUpSingleUncompressedStrip(tif);
4986     }
4987 
4988     /* There are also uncompressed striped files with strips larger than */
4989     /* 2 GB, which make them unfriendly with a lot of code. If possible, */
4990     /* try to expose smaller "virtual" strips. */
4991     if (tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
4992         tif->tif_dir.td_compression == COMPRESSION_NONE &&
4993         (tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) == TIFF_STRIPCHOP &&
4994         TIFFStripSize64(tif) > 0x7FFFFFFFUL)
4995     {
4996         TryChopUpUncompressedBigTiff(tif);
4997     }
4998 
4999     /*
5000      * Clear the dirty directory flag.
5001      */
5002     tif->tif_flags &= ~TIFF_DIRTYDIRECT;
5003     tif->tif_flags &= ~TIFF_DIRTYSTRIP;
5004 
5005     /*
5006      * Reinitialize i/o since we are starting on a new directory.
5007      */
5008     tif->tif_row = (uint32_t)-1;
5009     tif->tif_curstrip = (uint32_t)-1;
5010     tif->tif_col = (uint32_t)-1;
5011     tif->tif_curtile = (uint32_t)-1;
5012     tif->tif_tilesize = (tmsize_t)-1;
5013 
5014     tif->tif_scanlinesize = TIFFScanlineSize(tif);
5015     if (!tif->tif_scanlinesize)
5016     {
5017         TIFFErrorExtR(tif, module, "Cannot handle zero scanline size");
5018         return (0);
5019     }
5020 
5021     if (isTiled(tif))
5022     {
5023         tif->tif_tilesize = TIFFTileSize(tif);
5024         if (!tif->tif_tilesize)
5025         {
5026             TIFFErrorExtR(tif, module, "Cannot handle zero tile size");
5027             return (0);
5028         }
5029     }
5030     else
5031     {
5032         if (!TIFFStripSize(tif))
5033         {
5034             TIFFErrorExtR(tif, module, "Cannot handle zero strip size");
5035             return (0);
5036         }
5037     }
5038     return (1);
5039 bad:
5040     if (dir)
5041         _TIFFfreeExt(tif, dir);
5042     return (0);
5043 }
5044 
TIFFReadDirectoryCheckOrder(TIFF * tif,TIFFDirEntry * dir,uint16_t dircount)5045 static void TIFFReadDirectoryCheckOrder(TIFF *tif, TIFFDirEntry *dir,
5046                                         uint16_t dircount)
5047 {
5048     static const char module[] = "TIFFReadDirectoryCheckOrder";
5049     uint16_t m;
5050     uint16_t n;
5051     TIFFDirEntry *o;
5052     m = 0;
5053     for (n = 0, o = dir; n < dircount; n++, o++)
5054     {
5055         if (o->tdir_tag < m)
5056         {
5057             TIFFWarningExtR(tif, module,
5058                             "Invalid TIFF directory; tags are not sorted in "
5059                             "ascending order");
5060             break;
5061         }
5062         m = o->tdir_tag + 1;
5063     }
5064 }
5065 
TIFFReadDirectoryFindEntry(TIFF * tif,TIFFDirEntry * dir,uint16_t dircount,uint16_t tagid)5066 static TIFFDirEntry *TIFFReadDirectoryFindEntry(TIFF *tif, TIFFDirEntry *dir,
5067                                                 uint16_t dircount,
5068                                                 uint16_t tagid)
5069 {
5070     TIFFDirEntry *m;
5071     uint16_t n;
5072     (void)tif;
5073     for (m = dir, n = 0; n < dircount; m++, n++)
5074     {
5075         if (m->tdir_tag == tagid)
5076             return (m);
5077     }
5078     return (0);
5079 }
5080 
TIFFReadDirectoryFindFieldInfo(TIFF * tif,uint16_t tagid,uint32_t * fii)5081 static void TIFFReadDirectoryFindFieldInfo(TIFF *tif, uint16_t tagid,
5082                                            uint32_t *fii)
5083 {
5084     int32_t ma, mb, mc;
5085     ma = -1;
5086     mc = (int32_t)tif->tif_nfields;
5087     while (1)
5088     {
5089         if (ma + 1 == mc)
5090         {
5091             *fii = FAILED_FII;
5092             return;
5093         }
5094         mb = (ma + mc) / 2;
5095         if (tif->tif_fields[mb]->field_tag == (uint32_t)tagid)
5096             break;
5097         if (tif->tif_fields[mb]->field_tag < (uint32_t)tagid)
5098             ma = mb;
5099         else
5100             mc = mb;
5101     }
5102     while (1)
5103     {
5104         if (mb == 0)
5105             break;
5106         if (tif->tif_fields[mb - 1]->field_tag != (uint32_t)tagid)
5107             break;
5108         mb--;
5109     }
5110     *fii = mb;
5111 }
5112 
5113 /*
5114  * Read custom directory from the arbitrary offset.
5115  * The code is very similar to TIFFReadDirectory().
5116  */
TIFFReadCustomDirectory(TIFF * tif,toff_t diroff,const TIFFFieldArray * infoarray)5117 int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
5118                             const TIFFFieldArray *infoarray)
5119 {
5120     static const char module[] = "TIFFReadCustomDirectory";
5121     TIFFDirEntry *dir;
5122     uint16_t dircount;
5123     TIFFDirEntry *dp;
5124     uint16_t di;
5125     const TIFFField *fip;
5126     uint32_t fii;
5127     (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
5128     _TIFFSetupFields(tif, infoarray);
5129     dircount = TIFFFetchDirectory(tif, diroff, &dir, NULL);
5130     if (!dircount)
5131     {
5132         TIFFErrorExtR(tif, module,
5133                       "Failed to read custom directory at offset %" PRIu64,
5134                       diroff);
5135         return 0;
5136     }
5137     TIFFFreeDirectory(tif);
5138     _TIFFmemset(&tif->tif_dir, 0, sizeof(TIFFDirectory));
5139     TIFFReadDirectoryCheckOrder(tif, dir, dircount);
5140     for (di = 0, dp = dir; di < dircount; di++, dp++)
5141     {
5142         TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
5143         if (fii == FAILED_FII)
5144         {
5145             TIFFWarningExtR(tif, module,
5146                             "Unknown field with tag %" PRIu16 " (0x%" PRIx16
5147                             ") encountered",
5148                             dp->tdir_tag, dp->tdir_tag);
5149             if (!_TIFFMergeFields(
5150                     tif,
5151                     _TIFFCreateAnonField(tif, dp->tdir_tag,
5152                                          (TIFFDataType)dp->tdir_type),
5153                     1))
5154             {
5155                 TIFFWarningExtR(tif, module,
5156                                 "Registering anonymous field with tag %" PRIu16
5157                                 " (0x%" PRIx16 ") failed",
5158                                 dp->tdir_tag, dp->tdir_tag);
5159                 dp->tdir_ignore = TRUE;
5160             }
5161             else
5162             {
5163                 TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
5164                 assert(fii != FAILED_FII);
5165             }
5166         }
5167         if (!dp->tdir_ignore)
5168         {
5169             fip = tif->tif_fields[fii];
5170             if (fip->field_bit == FIELD_IGNORE)
5171                 dp->tdir_ignore = TRUE;
5172             else
5173             {
5174                 /* check data type */
5175                 while ((fip->field_type != TIFF_ANY) &&
5176                        (fip->field_type != dp->tdir_type))
5177                 {
5178                     fii++;
5179                     if ((fii == tif->tif_nfields) ||
5180                         (tif->tif_fields[fii]->field_tag !=
5181                          (uint32_t)dp->tdir_tag))
5182                     {
5183                         fii = 0xFFFF;
5184                         break;
5185                     }
5186                     fip = tif->tif_fields[fii];
5187                 }
5188                 if (fii == 0xFFFF)
5189                 {
5190                     TIFFWarningExtR(tif, module,
5191                                     "Wrong data type %" PRIu16
5192                                     " for \"%s\"; tag ignored",
5193                                     dp->tdir_type, fip->field_name);
5194                     dp->tdir_ignore = TRUE;
5195                 }
5196                 else
5197                 {
5198                     /* check count if known in advance */
5199                     if ((fip->field_readcount != TIFF_VARIABLE) &&
5200                         (fip->field_readcount != TIFF_VARIABLE2))
5201                     {
5202                         uint32_t expected;
5203                         if (fip->field_readcount == TIFF_SPP)
5204                             expected =
5205                                 (uint32_t)tif->tif_dir.td_samplesperpixel;
5206                         else
5207                             expected = (uint32_t)fip->field_readcount;
5208                         if (!CheckDirCount(tif, dp, expected))
5209                             dp->tdir_ignore = TRUE;
5210                     }
5211                 }
5212             }
5213             if (!dp->tdir_ignore)
5214             {
5215                 switch (dp->tdir_tag)
5216                 {
5217                     case EXIFTAG_SUBJECTDISTANCE:
5218                         if (!TIFFFieldIsAnonymous(fip))
5219                         {
5220                             /* should only be called on a Exif directory */
5221                             /* when exifFields[] is active */
5222                             (void)TIFFFetchSubjectDistance(tif, dp);
5223                         }
5224                         else
5225                         {
5226                             (void)TIFFFetchNormalTag(tif, dp, TRUE);
5227                         }
5228                         break;
5229                     default:
5230                         (void)TIFFFetchNormalTag(tif, dp, TRUE);
5231                         break;
5232                 }
5233             } /*-- if (!dp->tdir_ignore) */
5234         }
5235     }
5236     /* To be able to return from SubIFD or custom-IFD to main-IFD */
5237     tif->tif_setdirectory_force_absolute = TRUE;
5238     if (dir)
5239         _TIFFfreeExt(tif, dir);
5240     return 1;
5241 }
5242 
5243 /*
5244  * EXIF is important special case of custom IFD, so we have a special
5245  * function to read it.
5246  */
TIFFReadEXIFDirectory(TIFF * tif,toff_t diroff)5247 int TIFFReadEXIFDirectory(TIFF *tif, toff_t diroff)
5248 {
5249     const TIFFFieldArray *exifFieldArray;
5250     exifFieldArray = _TIFFGetExifFields();
5251     return TIFFReadCustomDirectory(tif, diroff, exifFieldArray);
5252 }
5253 
5254 /*
5255  *--: EXIF-GPS custom directory reading as another special case of custom IFD.
5256  */
TIFFReadGPSDirectory(TIFF * tif,toff_t diroff)5257 int TIFFReadGPSDirectory(TIFF *tif, toff_t diroff)
5258 {
5259     const TIFFFieldArray *gpsFieldArray;
5260     gpsFieldArray = _TIFFGetGpsFields();
5261     return TIFFReadCustomDirectory(tif, diroff, gpsFieldArray);
5262 }
5263 
EstimateStripByteCounts(TIFF * tif,TIFFDirEntry * dir,uint16_t dircount)5264 static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
5265                                    uint16_t dircount)
5266 {
5267     static const char module[] = "EstimateStripByteCounts";
5268 
5269     TIFFDirEntry *dp;
5270     TIFFDirectory *td = &tif->tif_dir;
5271     uint32_t strip;
5272 
5273     /* Do not try to load stripbytecount as we will compute it */
5274     if (!_TIFFFillStrilesInternal(tif, 0))
5275         return -1;
5276 
5277     if (td->td_stripbytecount_p)
5278         _TIFFfreeExt(tif, td->td_stripbytecount_p);
5279     td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
5280         tif, td->td_nstrips, sizeof(uint64_t), "for \"StripByteCounts\" array");
5281     if (td->td_stripbytecount_p == NULL)
5282         return -1;
5283 
5284     if (td->td_compression != COMPRESSION_NONE)
5285     {
5286         uint64_t space;
5287         uint64_t filesize;
5288         uint16_t n;
5289         filesize = TIFFGetFileSize(tif);
5290         if (!(tif->tif_flags & TIFF_BIGTIFF))
5291             space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
5292         else
5293             space = sizeof(TIFFHeaderBig) + 8 + dircount * 20 + 8;
5294         /* calculate amount of space used by indirect values */
5295         for (dp = dir, n = dircount; n > 0; n--, dp++)
5296         {
5297             uint32_t typewidth;
5298             uint64_t datasize;
5299             typewidth = TIFFDataWidth((TIFFDataType)dp->tdir_type);
5300             if (typewidth == 0)
5301             {
5302                 TIFFErrorExtR(
5303                     tif, module,
5304                     "Cannot determine size of unknown tag type %" PRIu16,
5305                     dp->tdir_type);
5306                 return -1;
5307             }
5308             if (dp->tdir_count > UINT64_MAX / typewidth)
5309                 return -1;
5310             datasize = (uint64_t)typewidth * dp->tdir_count;
5311             if (!(tif->tif_flags & TIFF_BIGTIFF))
5312             {
5313                 if (datasize <= 4)
5314                     datasize = 0;
5315             }
5316             else
5317             {
5318                 if (datasize <= 8)
5319                     datasize = 0;
5320             }
5321             if (space > UINT64_MAX - datasize)
5322                 return -1;
5323             space += datasize;
5324         }
5325         if (filesize < space)
5326             /* we should perhaps return in error ? */
5327             space = filesize;
5328         else
5329             space = filesize - space;
5330         if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
5331             space /= td->td_samplesperpixel;
5332         for (strip = 0; strip < td->td_nstrips; strip++)
5333             td->td_stripbytecount_p[strip] = space;
5334         /*
5335          * This gross hack handles the case were the offset to
5336          * the last strip is past the place where we think the strip
5337          * should begin.  Since a strip of data must be contiguous,
5338          * it's safe to assume that we've overestimated the amount
5339          * of data in the strip and trim this number back accordingly.
5340          */
5341         strip--;
5342         if (td->td_stripoffset_p[strip] >
5343             UINT64_MAX - td->td_stripbytecount_p[strip])
5344             return -1;
5345         if (td->td_stripoffset_p[strip] + td->td_stripbytecount_p[strip] >
5346             filesize)
5347         {
5348             if (td->td_stripoffset_p[strip] >= filesize)
5349             {
5350                 /* Not sure what we should in that case... */
5351                 td->td_stripbytecount_p[strip] = 0;
5352             }
5353             else
5354             {
5355                 td->td_stripbytecount_p[strip] =
5356                     filesize - td->td_stripoffset_p[strip];
5357             }
5358         }
5359     }
5360     else if (isTiled(tif))
5361     {
5362         uint64_t bytespertile = TIFFTileSize64(tif);
5363 
5364         for (strip = 0; strip < td->td_nstrips; strip++)
5365             td->td_stripbytecount_p[strip] = bytespertile;
5366     }
5367     else
5368     {
5369         uint64_t rowbytes = TIFFScanlineSize64(tif);
5370         uint32_t rowsperstrip = td->td_imagelength / td->td_stripsperimage;
5371         for (strip = 0; strip < td->td_nstrips; strip++)
5372         {
5373             if (rowbytes > 0 && rowsperstrip > UINT64_MAX / rowbytes)
5374                 return -1;
5375             td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
5376         }
5377     }
5378     TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
5379     if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
5380         td->td_rowsperstrip = td->td_imagelength;
5381     return 1;
5382 }
5383 
MissingRequired(TIFF * tif,const char * tagname)5384 static void MissingRequired(TIFF *tif, const char *tagname)
5385 {
5386     static const char module[] = "MissingRequired";
5387 
5388     TIFFErrorExtR(tif, module,
5389                   "TIFF directory is missing required \"%s\" field", tagname);
5390 }
5391 
hashFuncOffsetToNumber(const void * elt)5392 static unsigned long hashFuncOffsetToNumber(const void *elt)
5393 {
5394     const TIFFOffsetAndDirNumber *offsetAndDirNumber =
5395         (const TIFFOffsetAndDirNumber *)elt;
5396     const uint32_t hash = (uint32_t)(offsetAndDirNumber->offset >> 32) ^
5397                           ((uint32_t)offsetAndDirNumber->offset & 0xFFFFFFFFU);
5398     return hash;
5399 }
5400 
equalFuncOffsetToNumber(const void * elt1,const void * elt2)5401 static bool equalFuncOffsetToNumber(const void *elt1, const void *elt2)
5402 {
5403     const TIFFOffsetAndDirNumber *offsetAndDirNumber1 =
5404         (const TIFFOffsetAndDirNumber *)elt1;
5405     const TIFFOffsetAndDirNumber *offsetAndDirNumber2 =
5406         (const TIFFOffsetAndDirNumber *)elt2;
5407     return offsetAndDirNumber1->offset == offsetAndDirNumber2->offset;
5408 }
5409 
hashFuncNumberToOffset(const void * elt)5410 static unsigned long hashFuncNumberToOffset(const void *elt)
5411 {
5412     const TIFFOffsetAndDirNumber *offsetAndDirNumber =
5413         (const TIFFOffsetAndDirNumber *)elt;
5414     return offsetAndDirNumber->dirNumber;
5415 }
5416 
equalFuncNumberToOffset(const void * elt1,const void * elt2)5417 static bool equalFuncNumberToOffset(const void *elt1, const void *elt2)
5418 {
5419     const TIFFOffsetAndDirNumber *offsetAndDirNumber1 =
5420         (const TIFFOffsetAndDirNumber *)elt1;
5421     const TIFFOffsetAndDirNumber *offsetAndDirNumber2 =
5422         (const TIFFOffsetAndDirNumber *)elt2;
5423     return offsetAndDirNumber1->dirNumber == offsetAndDirNumber2->dirNumber;
5424 }
5425 
5426 /*
5427  * Check the directory number and offset against the list of already seen
5428  * directory numbers and offsets. This is a trick to prevent IFD looping.
5429  * The one can create TIFF file with looped directory pointers. We will
5430  * maintain a list of already seen directories and check every IFD offset
5431  * and its IFD number against that list. However, the offset of an IFD number
5432  * can change - e.g. when writing updates to file.
5433  * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
5434  * or an error has occurred.
5435  */
_TIFFCheckDirNumberAndOffset(TIFF * tif,tdir_t dirn,uint64_t diroff)5436 int _TIFFCheckDirNumberAndOffset(TIFF *tif, tdir_t dirn, uint64_t diroff)
5437 {
5438     if (diroff == 0) /* no more directories */
5439         return 0;
5440 
5441     if (tif->tif_map_dir_offset_to_number == NULL)
5442     {
5443         tif->tif_map_dir_offset_to_number = TIFFHashSetNew(
5444             hashFuncOffsetToNumber, equalFuncOffsetToNumber, free);
5445         if (tif->tif_map_dir_offset_to_number == NULL)
5446         {
5447             TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5448                           "Not enough memory");
5449             return 1;
5450         }
5451     }
5452 
5453     if (tif->tif_map_dir_number_to_offset == NULL)
5454     {
5455         /* No free callback for this map, as it shares the same items as
5456          * tif->tif_map_dir_offset_to_number. */
5457         tif->tif_map_dir_number_to_offset = TIFFHashSetNew(
5458             hashFuncNumberToOffset, equalFuncNumberToOffset, NULL);
5459         if (tif->tif_map_dir_number_to_offset == NULL)
5460         {
5461             TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5462                           "Not enough memory");
5463             return 1;
5464         }
5465     }
5466 
5467     /* Check if offset is already in the list:
5468      * - yes: check, if offset is at the same IFD number - if not, it is an IFD
5469      * loop
5470      * -  no: add to list or update offset at that IFD number
5471      */
5472     TIFFOffsetAndDirNumber entry;
5473     entry.offset = diroff;
5474     entry.dirNumber = dirn;
5475 
5476     TIFFOffsetAndDirNumber *foundEntry =
5477         (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5478             tif->tif_map_dir_offset_to_number, &entry);
5479     if (foundEntry)
5480     {
5481         if (foundEntry->dirNumber == dirn)
5482         {
5483             return 1;
5484         }
5485         else
5486         {
5487             TIFFWarningExtR(tif, "_TIFFCheckDirNumberAndOffset",
5488                             "TIFF directory %d has IFD looping to directory %u "
5489                             "at offset 0x%" PRIx64 " (%" PRIu64 ")",
5490                             (int)dirn - 1, foundEntry->dirNumber, diroff,
5491                             diroff);
5492             return 0;
5493         }
5494     }
5495 
5496     /* Check if offset of an IFD has been changed and update offset of that IFD
5497      * number. */
5498     foundEntry = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5499         tif->tif_map_dir_number_to_offset, &entry);
5500     if (foundEntry)
5501     {
5502         if (foundEntry->offset != diroff)
5503         {
5504             TIFFOffsetAndDirNumber entryOld;
5505             entryOld.offset = foundEntry->offset;
5506             entryOld.dirNumber = dirn;
5507             /* We must remove first from tif_map_dir_number_to_offset as the */
5508             /* entry is owned (and thus freed) by */
5509             /* tif_map_dir_offset_to_number */
5510             TIFFOffsetAndDirNumber *foundEntryOld =
5511                 (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5512                     tif->tif_map_dir_number_to_offset, &entryOld);
5513             if (foundEntryOld)
5514             {
5515                 TIFFHashSetRemove(tif->tif_map_dir_number_to_offset,
5516                                   foundEntryOld);
5517             }
5518             foundEntryOld = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5519                 tif->tif_map_dir_offset_to_number, &entryOld);
5520             if (foundEntryOld)
5521             {
5522                 TIFFHashSetRemove(tif->tif_map_dir_offset_to_number,
5523                                   foundEntryOld);
5524             }
5525 
5526             TIFFOffsetAndDirNumber *entryPtr = (TIFFOffsetAndDirNumber *)malloc(
5527                 sizeof(TIFFOffsetAndDirNumber));
5528             if (entryPtr == NULL)
5529             {
5530                 return 0;
5531             }
5532 
5533             /* Add IFD offset and dirn to IFD directory list */
5534             *entryPtr = entry;
5535 
5536             if (!TIFFHashSetInsert(tif->tif_map_dir_offset_to_number, entryPtr))
5537             {
5538                 TIFFErrorExtR(
5539                     tif, "_TIFFCheckDirNumberAndOffset",
5540                     "Insertion in tif_map_dir_offset_to_number failed");
5541                 return 0;
5542             }
5543             if (!TIFFHashSetInsert(tif->tif_map_dir_number_to_offset, entryPtr))
5544             {
5545                 TIFFErrorExtR(
5546                     tif, "_TIFFCheckDirNumberAndOffset",
5547                     "Insertion in tif_map_dir_number_to_offset failed");
5548                 return 0;
5549             }
5550         }
5551         return 1;
5552     }
5553 
5554     /* Arbitrary (hopefully big enough) limit */
5555     if (TIFFHashSetSize(tif->tif_map_dir_offset_to_number) >=
5556         TIFF_MAX_DIR_COUNT)
5557     {
5558         TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5559                       "Cannot handle more than %u TIFF directories",
5560                       TIFF_MAX_DIR_COUNT);
5561         return 0;
5562     }
5563 
5564     TIFFOffsetAndDirNumber *entryPtr =
5565         (TIFFOffsetAndDirNumber *)malloc(sizeof(TIFFOffsetAndDirNumber));
5566     if (entryPtr == NULL)
5567     {
5568         TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5569                       "malloc(sizeof(TIFFOffsetAndDirNumber)) failed");
5570         return 0;
5571     }
5572 
5573     /* Add IFD offset and dirn to IFD directory list */
5574     *entryPtr = entry;
5575 
5576     if (!TIFFHashSetInsert(tif->tif_map_dir_offset_to_number, entryPtr))
5577     {
5578         TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5579                       "Insertion in tif_map_dir_offset_to_number failed");
5580         return 0;
5581     }
5582     if (!TIFFHashSetInsert(tif->tif_map_dir_number_to_offset, entryPtr))
5583     {
5584         TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5585                       "Insertion in tif_map_dir_number_to_offset failed");
5586         return 0;
5587     }
5588 
5589     return 1;
5590 } /* --- _TIFFCheckDirNumberAndOffset() ---*/
5591 
5592 /*
5593  * Retrieve the matching IFD directory number of a given IFD offset
5594  * from the list of directories already seen.
5595  * Returns 1 if the offset was in the list and the directory number
5596  * can be returned.
5597  * Otherwise returns 0 or if an error occurred.
5598  */
_TIFFGetDirNumberFromOffset(TIFF * tif,uint64_t diroff,tdir_t * dirn)5599 int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, tdir_t *dirn)
5600 {
5601     if (diroff == 0) /* no more directories */
5602         return 0;
5603 
5604     /* Check if offset is already in the list and return matching directory
5605      * number. Otherwise update IFD list using TIFFNumberOfDirectories() and
5606      * search again in IFD list.
5607      */
5608     if (tif->tif_map_dir_offset_to_number == NULL)
5609         return 0;
5610     TIFFOffsetAndDirNumber entry;
5611     entry.offset = diroff;
5612     entry.dirNumber = 0; /* not used */
5613 
5614     TIFFOffsetAndDirNumber *foundEntry =
5615         (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5616             tif->tif_map_dir_offset_to_number, &entry);
5617     if (foundEntry)
5618     {
5619         *dirn = foundEntry->dirNumber;
5620         return 1;
5621     }
5622 
5623     /* This updates the directory list for all main-IFDs in the file. */
5624     TIFFNumberOfDirectories(tif);
5625 
5626     foundEntry = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5627         tif->tif_map_dir_offset_to_number, &entry);
5628     if (foundEntry)
5629     {
5630         *dirn = foundEntry->dirNumber;
5631         return 1;
5632     }
5633 
5634     return 0;
5635 } /*--- _TIFFGetDirNumberFromOffset() ---*/
5636 
5637 /*
5638  * Retrieve the matching IFD directory offset of a given IFD number
5639  * from the list of directories already seen.
5640  * Returns 1 if the offset was in the list of already seen IFDs and the
5641  * directory offset can be returned. The directory list is not updated.
5642  * Otherwise returns 0 or if an error occurred.
5643  */
_TIFFGetOffsetFromDirNumber(TIFF * tif,tdir_t dirn,uint64_t * diroff)5644 int _TIFFGetOffsetFromDirNumber(TIFF *tif, tdir_t dirn, uint64_t *diroff)
5645 {
5646 
5647     if (tif->tif_map_dir_number_to_offset == NULL)
5648         return 0;
5649     TIFFOffsetAndDirNumber entry;
5650     entry.offset = 0; /* not used */
5651     entry.dirNumber = dirn;
5652 
5653     TIFFOffsetAndDirNumber *foundEntry =
5654         (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5655             tif->tif_map_dir_number_to_offset, &entry);
5656     if (foundEntry)
5657     {
5658         *diroff = foundEntry->offset;
5659         return 1;
5660     }
5661 
5662     return 0;
5663 } /*--- _TIFFGetOffsetFromDirNumber() ---*/
5664 
5665 /*
5666  * Remove an entry from the directory list of already seen directories
5667  * by directory offset.
5668  * If an entry is to be removed from the list, it is also okay if the entry
5669  * is not in the list or the list does not exist.
5670  */
_TIFFRemoveEntryFromDirectoryListByOffset(TIFF * tif,uint64_t diroff)5671 int _TIFFRemoveEntryFromDirectoryListByOffset(TIFF *tif, uint64_t diroff)
5672 {
5673     if (tif->tif_map_dir_offset_to_number == NULL)
5674         return 1;
5675 
5676     TIFFOffsetAndDirNumber entryOld;
5677     entryOld.offset = diroff;
5678     entryOld.dirNumber = 0;
5679     /* We must remove first from tif_map_dir_number_to_offset as the
5680      * entry is owned (and thus freed) by tif_map_dir_offset_to_number.
5681      * However, we need firstly to find the directory number from offset. */
5682 
5683     TIFFOffsetAndDirNumber *foundEntryOldOff =
5684         (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5685             tif->tif_map_dir_offset_to_number, &entryOld);
5686     if (foundEntryOldOff)
5687     {
5688         entryOld.dirNumber = foundEntryOldOff->dirNumber;
5689         if (tif->tif_map_dir_number_to_offset != NULL)
5690         {
5691             TIFFOffsetAndDirNumber *foundEntryOldDir =
5692                 (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5693                     tif->tif_map_dir_number_to_offset, &entryOld);
5694             if (foundEntryOldDir)
5695             {
5696                 TIFFHashSetRemove(tif->tif_map_dir_number_to_offset,
5697                                   foundEntryOldDir);
5698                 TIFFHashSetRemove(tif->tif_map_dir_offset_to_number,
5699                                   foundEntryOldOff);
5700                 return 1;
5701             }
5702         }
5703         else
5704         {
5705             TIFFErrorExtR(tif, "_TIFFRemoveEntryFromDirectoryListByOffset",
5706                           "Unexpectedly tif_map_dir_number_to_offset is "
5707                           "missing but tif_map_dir_offset_to_number exists.");
5708             return 0;
5709         }
5710     }
5711     return 1;
5712 } /*--- _TIFFRemoveEntryFromDirectoryListByOffset() ---*/
5713 
5714 /*
5715  * Check the count field of a directory entry against a known value.  The
5716  * caller is expected to skip/ignore the tag if there is a mismatch.
5717  */
CheckDirCount(TIFF * tif,TIFFDirEntry * dir,uint32_t count)5718 static int CheckDirCount(TIFF *tif, TIFFDirEntry *dir, uint32_t count)
5719 {
5720     if ((uint64_t)count > dir->tdir_count)
5721     {
5722         const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
5723         TIFFWarningExtR(tif, tif->tif_name,
5724                         "incorrect count for field \"%s\" (%" PRIu64
5725                         ", expecting %" PRIu32 "); tag ignored",
5726                         fip ? fip->field_name : "unknown tagname",
5727                         dir->tdir_count, count);
5728         return (0);
5729     }
5730     else if ((uint64_t)count < dir->tdir_count)
5731     {
5732         const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
5733         TIFFWarningExtR(tif, tif->tif_name,
5734                         "incorrect count for field \"%s\" (%" PRIu64
5735                         ", expecting %" PRIu32 "); tag trimmed",
5736                         fip ? fip->field_name : "unknown tagname",
5737                         dir->tdir_count, count);
5738         dir->tdir_count = count;
5739         return (1);
5740     }
5741     return (1);
5742 }
5743 
5744 /*
5745  * Read IFD structure from the specified offset. If the pointer to
5746  * nextdiroff variable has been specified, read it too. Function returns a
5747  * number of fields in the directory or 0 if failed.
5748  */
TIFFFetchDirectory(TIFF * tif,uint64_t diroff,TIFFDirEntry ** pdir,uint64_t * nextdiroff)5749 static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
5750                                    TIFFDirEntry **pdir, uint64_t *nextdiroff)
5751 {
5752     static const char module[] = "TIFFFetchDirectory";
5753 
5754     void *origdir;
5755     uint16_t dircount16;
5756     uint32_t dirsize;
5757     TIFFDirEntry *dir;
5758     uint8_t *ma;
5759     TIFFDirEntry *mb;
5760     uint16_t n;
5761 
5762     assert(pdir);
5763 
5764     tif->tif_diroff = diroff;
5765     if (nextdiroff)
5766         *nextdiroff = 0;
5767     if (!isMapped(tif))
5768     {
5769         if (!SeekOK(tif, tif->tif_diroff))
5770         {
5771             TIFFErrorExtR(tif, module,
5772                           "%s: Seek error accessing TIFF directory",
5773                           tif->tif_name);
5774             return 0;
5775         }
5776         if (!(tif->tif_flags & TIFF_BIGTIFF))
5777         {
5778             if (!ReadOK(tif, &dircount16, sizeof(uint16_t)))
5779             {
5780                 TIFFErrorExtR(tif, module,
5781                               "%s: Can not read TIFF directory count",
5782                               tif->tif_name);
5783                 return 0;
5784             }
5785             if (tif->tif_flags & TIFF_SWAB)
5786                 TIFFSwabShort(&dircount16);
5787             if (dircount16 > 4096)
5788             {
5789                 TIFFErrorExtR(tif, module,
5790                               "Sanity check on directory count failed, this is "
5791                               "probably not a valid IFD offset");
5792                 return 0;
5793             }
5794             dirsize = 12;
5795         }
5796         else
5797         {
5798             uint64_t dircount64;
5799             if (!ReadOK(tif, &dircount64, sizeof(uint64_t)))
5800             {
5801                 TIFFErrorExtR(tif, module,
5802                               "%s: Can not read TIFF directory count",
5803                               tif->tif_name);
5804                 return 0;
5805             }
5806             if (tif->tif_flags & TIFF_SWAB)
5807                 TIFFSwabLong8(&dircount64);
5808             if (dircount64 > 4096)
5809             {
5810                 TIFFErrorExtR(tif, module,
5811                               "Sanity check on directory count failed, this is "
5812                               "probably not a valid IFD offset");
5813                 return 0;
5814             }
5815             dircount16 = (uint16_t)dircount64;
5816             dirsize = 20;
5817         }
5818         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
5819                                    "to read TIFF directory");
5820         if (origdir == NULL)
5821             return 0;
5822         if (!ReadOK(tif, origdir, (tmsize_t)(dircount16 * dirsize)))
5823         {
5824             TIFFErrorExtR(tif, module, "%.100s: Can not read TIFF directory",
5825                           tif->tif_name);
5826             _TIFFfreeExt(tif, origdir);
5827             return 0;
5828         }
5829         /*
5830          * Read offset to next directory for sequential scans if
5831          * needed.
5832          */
5833         if (nextdiroff)
5834         {
5835             if (!(tif->tif_flags & TIFF_BIGTIFF))
5836             {
5837                 uint32_t nextdiroff32;
5838                 if (!ReadOK(tif, &nextdiroff32, sizeof(uint32_t)))
5839                     nextdiroff32 = 0;
5840                 if (tif->tif_flags & TIFF_SWAB)
5841                     TIFFSwabLong(&nextdiroff32);
5842                 *nextdiroff = nextdiroff32;
5843             }
5844             else
5845             {
5846                 if (!ReadOK(tif, nextdiroff, sizeof(uint64_t)))
5847                     *nextdiroff = 0;
5848                 if (tif->tif_flags & TIFF_SWAB)
5849                     TIFFSwabLong8(nextdiroff);
5850             }
5851         }
5852     }
5853     else
5854     {
5855         tmsize_t m;
5856         tmsize_t off;
5857         if (tif->tif_diroff > (uint64_t)INT64_MAX)
5858         {
5859             TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
5860             return (0);
5861         }
5862         off = (tmsize_t)tif->tif_diroff;
5863 
5864         /*
5865          * Check for integer overflow when validating the dir_off,
5866          * otherwise a very high offset may cause an OOB read and
5867          * crash the client. Make two comparisons instead of
5868          *
5869          *  off + sizeof(uint16_t) > tif->tif_size
5870          *
5871          * to avoid overflow.
5872          */
5873         if (!(tif->tif_flags & TIFF_BIGTIFF))
5874         {
5875             m = off + sizeof(uint16_t);
5876             if ((m < off) || (m < (tmsize_t)sizeof(uint16_t)) ||
5877                 (m > tif->tif_size))
5878             {
5879                 TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
5880                 return 0;
5881             }
5882             else
5883             {
5884                 _TIFFmemcpy(&dircount16, tif->tif_base + off, sizeof(uint16_t));
5885             }
5886             off += sizeof(uint16_t);
5887             if (tif->tif_flags & TIFF_SWAB)
5888                 TIFFSwabShort(&dircount16);
5889             if (dircount16 > 4096)
5890             {
5891                 TIFFErrorExtR(tif, module,
5892                               "Sanity check on directory count failed, this is "
5893                               "probably not a valid IFD offset");
5894                 return 0;
5895             }
5896             dirsize = 12;
5897         }
5898         else
5899         {
5900             uint64_t dircount64;
5901             m = off + sizeof(uint64_t);
5902             if ((m < off) || (m < (tmsize_t)sizeof(uint64_t)) ||
5903                 (m > tif->tif_size))
5904             {
5905                 TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
5906                 return 0;
5907             }
5908             else
5909             {
5910                 _TIFFmemcpy(&dircount64, tif->tif_base + off, sizeof(uint64_t));
5911             }
5912             off += sizeof(uint64_t);
5913             if (tif->tif_flags & TIFF_SWAB)
5914                 TIFFSwabLong8(&dircount64);
5915             if (dircount64 > 4096)
5916             {
5917                 TIFFErrorExtR(tif, module,
5918                               "Sanity check on directory count failed, this is "
5919                               "probably not a valid IFD offset");
5920                 return 0;
5921             }
5922             dircount16 = (uint16_t)dircount64;
5923             dirsize = 20;
5924         }
5925         if (dircount16 == 0)
5926         {
5927             TIFFErrorExtR(tif, module,
5928                           "Sanity check on directory count failed, zero tag "
5929                           "directories not supported");
5930             return 0;
5931         }
5932         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
5933                                    "to read TIFF directory");
5934         if (origdir == NULL)
5935             return 0;
5936         m = off + dircount16 * dirsize;
5937         if ((m < off) || (m < (tmsize_t)(dircount16 * dirsize)) ||
5938             (m > tif->tif_size))
5939         {
5940             TIFFErrorExtR(tif, module, "Can not read TIFF directory");
5941             _TIFFfreeExt(tif, origdir);
5942             return 0;
5943         }
5944         else
5945         {
5946             _TIFFmemcpy(origdir, tif->tif_base + off, dircount16 * dirsize);
5947         }
5948         if (nextdiroff)
5949         {
5950             off += dircount16 * dirsize;
5951             if (!(tif->tif_flags & TIFF_BIGTIFF))
5952             {
5953                 uint32_t nextdiroff32;
5954                 m = off + sizeof(uint32_t);
5955                 if ((m < off) || (m < (tmsize_t)sizeof(uint32_t)) ||
5956                     (m > tif->tif_size))
5957                     nextdiroff32 = 0;
5958                 else
5959                     _TIFFmemcpy(&nextdiroff32, tif->tif_base + off,
5960                                 sizeof(uint32_t));
5961                 if (tif->tif_flags & TIFF_SWAB)
5962                     TIFFSwabLong(&nextdiroff32);
5963                 *nextdiroff = nextdiroff32;
5964             }
5965             else
5966             {
5967                 m = off + sizeof(uint64_t);
5968                 if ((m < off) || (m < (tmsize_t)sizeof(uint64_t)) ||
5969                     (m > tif->tif_size))
5970                     *nextdiroff = 0;
5971                 else
5972                     _TIFFmemcpy(nextdiroff, tif->tif_base + off,
5973                                 sizeof(uint64_t));
5974                 if (tif->tif_flags & TIFF_SWAB)
5975                     TIFFSwabLong8(nextdiroff);
5976             }
5977         }
5978     }
5979     dir = (TIFFDirEntry *)_TIFFCheckMalloc(
5980         tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
5981     if (dir == 0)
5982     {
5983         _TIFFfreeExt(tif, origdir);
5984         return 0;
5985     }
5986     ma = (uint8_t *)origdir;
5987     mb = dir;
5988     for (n = 0; n < dircount16; n++)
5989     {
5990         mb->tdir_ignore = FALSE;
5991         if (tif->tif_flags & TIFF_SWAB)
5992             TIFFSwabShort((uint16_t *)ma);
5993         mb->tdir_tag = *(uint16_t *)ma;
5994         ma += sizeof(uint16_t);
5995         if (tif->tif_flags & TIFF_SWAB)
5996             TIFFSwabShort((uint16_t *)ma);
5997         mb->tdir_type = *(uint16_t *)ma;
5998         ma += sizeof(uint16_t);
5999         if (!(tif->tif_flags & TIFF_BIGTIFF))
6000         {
6001             if (tif->tif_flags & TIFF_SWAB)
6002                 TIFFSwabLong((uint32_t *)ma);
6003             mb->tdir_count = (uint64_t)(*(uint32_t *)ma);
6004             ma += sizeof(uint32_t);
6005             mb->tdir_offset.toff_long8 = 0;
6006             *(uint32_t *)(&mb->tdir_offset) = *(uint32_t *)ma;
6007             ma += sizeof(uint32_t);
6008         }
6009         else
6010         {
6011             if (tif->tif_flags & TIFF_SWAB)
6012                 TIFFSwabLong8((uint64_t *)ma);
6013             mb->tdir_count = TIFFReadUInt64(ma);
6014             ma += sizeof(uint64_t);
6015             mb->tdir_offset.toff_long8 = TIFFReadUInt64(ma);
6016             ma += sizeof(uint64_t);
6017         }
6018         mb++;
6019     }
6020     _TIFFfreeExt(tif, origdir);
6021     *pdir = dir;
6022     return dircount16;
6023 }
6024 
6025 /*
6026  * Fetch a tag that is not handled by special case code.
6027  */
TIFFFetchNormalTag(TIFF * tif,TIFFDirEntry * dp,int recover)6028 static int TIFFFetchNormalTag(TIFF *tif, TIFFDirEntry *dp, int recover)
6029 {
6030     static const char module[] = "TIFFFetchNormalTag";
6031     enum TIFFReadDirEntryErr err;
6032     uint32_t fii;
6033     const TIFFField *fip = NULL;
6034     TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
6035     if (fii == FAILED_FII)
6036     {
6037         TIFFErrorExtR(tif, "TIFFFetchNormalTag",
6038                       "No definition found for tag %" PRIu16, dp->tdir_tag);
6039         return 0;
6040     }
6041     fip = tif->tif_fields[fii];
6042     assert(fip != NULL); /* should not happen */
6043     assert(fip->set_field_type !=
6044            TIFF_SETGET_OTHER); /* if so, we shouldn't arrive here but deal with
6045                                   this in specialized code */
6046     assert(fip->set_field_type !=
6047            TIFF_SETGET_INT); /* if so, we shouldn't arrive here as this is only
6048                                 the case for pseudo-tags */
6049     err = TIFFReadDirEntryErrOk;
6050     switch (fip->set_field_type)
6051     {
6052         case TIFF_SETGET_UNDEFINED:
6053             TIFFErrorExtR(
6054                 tif, "TIFFFetchNormalTag",
6055                 "Defined set_field_type of custom tag %u (%s) is "
6056                 "TIFF_SETGET_UNDEFINED and thus tag is not read from file",
6057                 fip->field_tag, fip->field_name);
6058             break;
6059         case TIFF_SETGET_ASCII:
6060         {
6061             uint8_t *data;
6062             assert(fip->field_passcount == 0);
6063             err = TIFFReadDirEntryByteArray(tif, dp, &data);
6064             if (err == TIFFReadDirEntryErrOk)
6065             {
6066                 size_t mb = 0;
6067                 int n;
6068                 if (data != NULL)
6069                 {
6070                     if (dp->tdir_count > 0 && data[dp->tdir_count - 1] == 0)
6071                     {
6072                         /* optimization: if data is known to be 0 terminated, we
6073                          * can use strlen() */
6074                         mb = strlen((const char *)data);
6075                     }
6076                     else
6077                     {
6078                         /* general case. equivalent to non-portable */
6079                         /* mb = strnlen((const char*)data,
6080                          * (uint32_t)dp->tdir_count); */
6081                         uint8_t *ma = data;
6082                         while (mb < (uint32_t)dp->tdir_count)
6083                         {
6084                             if (*ma == 0)
6085                                 break;
6086                             ma++;
6087                             mb++;
6088                         }
6089                     }
6090                 }
6091                 if (mb + 1 < (uint32_t)dp->tdir_count)
6092                     TIFFWarningExtR(
6093                         tif, module,
6094                         "ASCII value for tag \"%s\" contains null byte in "
6095                         "value; value incorrectly truncated during reading due "
6096                         "to implementation limitations",
6097                         fip->field_name);
6098                 else if (mb + 1 > (uint32_t)dp->tdir_count)
6099                 {
6100                     uint8_t *o;
6101                     TIFFWarningExtR(
6102                         tif, module,
6103                         "ASCII value for tag \"%s\" does not end in null byte",
6104                         fip->field_name);
6105                     /* TIFFReadDirEntryArrayWithLimit() ensures this can't be
6106                      * larger than MAX_SIZE_TAG_DATA */
6107                     assert((uint32_t)dp->tdir_count + 1 == dp->tdir_count + 1);
6108                     o = _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
6109                     if (o == NULL)
6110                     {
6111                         if (data != NULL)
6112                             _TIFFfreeExt(tif, data);
6113                         return (0);
6114                     }
6115                     if (dp->tdir_count > 0)
6116                     {
6117                         _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
6118                     }
6119                     o[(uint32_t)dp->tdir_count] = 0;
6120                     if (data != 0)
6121                         _TIFFfreeExt(tif, data);
6122                     data = o;
6123                 }
6124                 n = TIFFSetField(tif, dp->tdir_tag, data);
6125                 if (data != 0)
6126                     _TIFFfreeExt(tif, data);
6127                 if (!n)
6128                     return (0);
6129             }
6130         }
6131         break;
6132         case TIFF_SETGET_UINT8:
6133         {
6134             uint8_t data = 0;
6135             assert(fip->field_readcount == 1);
6136             assert(fip->field_passcount == 0);
6137             err = TIFFReadDirEntryByte(tif, dp, &data);
6138             if (err == TIFFReadDirEntryErrOk)
6139             {
6140                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6141                     return (0);
6142             }
6143         }
6144         break;
6145         case TIFF_SETGET_SINT8:
6146         {
6147             int8_t data = 0;
6148             assert(fip->field_readcount == 1);
6149             assert(fip->field_passcount == 0);
6150             err = TIFFReadDirEntrySbyte(tif, dp, &data);
6151             if (err == TIFFReadDirEntryErrOk)
6152             {
6153                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6154                     return (0);
6155             }
6156         }
6157         break;
6158         case TIFF_SETGET_UINT16:
6159         {
6160             uint16_t data;
6161             assert(fip->field_readcount == 1);
6162             assert(fip->field_passcount == 0);
6163             err = TIFFReadDirEntryShort(tif, dp, &data);
6164             if (err == TIFFReadDirEntryErrOk)
6165             {
6166                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6167                     return (0);
6168             }
6169         }
6170         break;
6171         case TIFF_SETGET_SINT16:
6172         {
6173             int16_t data;
6174             assert(fip->field_readcount == 1);
6175             assert(fip->field_passcount == 0);
6176             err = TIFFReadDirEntrySshort(tif, dp, &data);
6177             if (err == TIFFReadDirEntryErrOk)
6178             {
6179                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6180                     return (0);
6181             }
6182         }
6183         break;
6184         case TIFF_SETGET_UINT32:
6185         {
6186             uint32_t data;
6187             assert(fip->field_readcount == 1);
6188             assert(fip->field_passcount == 0);
6189             err = TIFFReadDirEntryLong(tif, dp, &data);
6190             if (err == TIFFReadDirEntryErrOk)
6191             {
6192                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6193                     return (0);
6194             }
6195         }
6196         break;
6197         case TIFF_SETGET_SINT32:
6198         {
6199             int32_t data;
6200             assert(fip->field_readcount == 1);
6201             assert(fip->field_passcount == 0);
6202             err = TIFFReadDirEntrySlong(tif, dp, &data);
6203             if (err == TIFFReadDirEntryErrOk)
6204             {
6205                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6206                     return (0);
6207             }
6208         }
6209         break;
6210         case TIFF_SETGET_UINT64:
6211         {
6212             uint64_t data;
6213             assert(fip->field_readcount == 1);
6214             assert(fip->field_passcount == 0);
6215             err = TIFFReadDirEntryLong8(tif, dp, &data);
6216             if (err == TIFFReadDirEntryErrOk)
6217             {
6218                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6219                     return (0);
6220             }
6221         }
6222         break;
6223         case TIFF_SETGET_SINT64:
6224         {
6225             int64_t data;
6226             assert(fip->field_readcount == 1);
6227             assert(fip->field_passcount == 0);
6228             err = TIFFReadDirEntrySlong8(tif, dp, &data);
6229             if (err == TIFFReadDirEntryErrOk)
6230             {
6231                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6232                     return (0);
6233             }
6234         }
6235         break;
6236         case TIFF_SETGET_FLOAT:
6237         {
6238             float data;
6239             assert(fip->field_readcount == 1);
6240             assert(fip->field_passcount == 0);
6241             err = TIFFReadDirEntryFloat(tif, dp, &data);
6242             if (err == TIFFReadDirEntryErrOk)
6243             {
6244                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6245                     return (0);
6246             }
6247         }
6248         break;
6249         case TIFF_SETGET_DOUBLE:
6250         {
6251             double data;
6252             assert(fip->field_readcount == 1);
6253             assert(fip->field_passcount == 0);
6254             err = TIFFReadDirEntryDouble(tif, dp, &data);
6255             if (err == TIFFReadDirEntryErrOk)
6256             {
6257                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6258                     return (0);
6259             }
6260         }
6261         break;
6262         case TIFF_SETGET_IFD8:
6263         {
6264             uint64_t data;
6265             assert(fip->field_readcount == 1);
6266             assert(fip->field_passcount == 0);
6267             err = TIFFReadDirEntryIfd8(tif, dp, &data);
6268             if (err == TIFFReadDirEntryErrOk)
6269             {
6270                 if (!TIFFSetField(tif, dp->tdir_tag, data))
6271                     return (0);
6272             }
6273         }
6274         break;
6275         case TIFF_SETGET_UINT16_PAIR:
6276         {
6277             uint16_t *data;
6278             assert(fip->field_readcount == 2);
6279             assert(fip->field_passcount == 0);
6280             if (dp->tdir_count != 2)
6281             {
6282                 TIFFWarningExtR(tif, module,
6283                                 "incorrect count for field \"%s\", expected 2, "
6284                                 "got %" PRIu64,
6285                                 fip->field_name, dp->tdir_count);
6286                 return (0);
6287             }
6288             err = TIFFReadDirEntryShortArray(tif, dp, &data);
6289             if (err == TIFFReadDirEntryErrOk)
6290             {
6291                 int m;
6292                 assert(data); /* avoid CLang static Analyzer false positive */
6293                 m = TIFFSetField(tif, dp->tdir_tag, data[0], data[1]);
6294                 _TIFFfreeExt(tif, data);
6295                 if (!m)
6296                     return (0);
6297             }
6298         }
6299         break;
6300         case TIFF_SETGET_C0_UINT8:
6301         {
6302             uint8_t *data;
6303             assert(fip->field_readcount >= 1);
6304             assert(fip->field_passcount == 0);
6305             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6306             {
6307                 TIFFWarningExtR(tif, module,
6308                                 "incorrect count for field \"%s\", expected "
6309                                 "%d, got %" PRIu64,
6310                                 fip->field_name, (int)fip->field_readcount,
6311                                 dp->tdir_count);
6312                 return (0);
6313             }
6314             else
6315             {
6316                 err = TIFFReadDirEntryByteArray(tif, dp, &data);
6317                 if (err == TIFFReadDirEntryErrOk)
6318                 {
6319                     int m;
6320                     m = TIFFSetField(tif, dp->tdir_tag, data);
6321                     if (data != 0)
6322                         _TIFFfreeExt(tif, data);
6323                     if (!m)
6324                         return (0);
6325                 }
6326             }
6327         }
6328         break;
6329         case TIFF_SETGET_C0_SINT8:
6330         {
6331             int8_t *data;
6332             assert(fip->field_readcount >= 1);
6333             assert(fip->field_passcount == 0);
6334             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6335             {
6336                 TIFFWarningExtR(tif, module,
6337                                 "incorrect count for field \"%s\", expected "
6338                                 "%d, got %" PRIu64,
6339                                 fip->field_name, (int)fip->field_readcount,
6340                                 dp->tdir_count);
6341                 return (0);
6342             }
6343             else
6344             {
6345                 err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
6346                 if (err == TIFFReadDirEntryErrOk)
6347                 {
6348                     int m;
6349                     m = TIFFSetField(tif, dp->tdir_tag, data);
6350                     if (data != 0)
6351                         _TIFFfreeExt(tif, data);
6352                     if (!m)
6353                         return (0);
6354                 }
6355             }
6356         }
6357         break;
6358         case TIFF_SETGET_C0_UINT16:
6359         {
6360             uint16_t *data;
6361             assert(fip->field_readcount >= 1);
6362             assert(fip->field_passcount == 0);
6363             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6364             {
6365                 TIFFWarningExtR(tif, module,
6366                                 "incorrect count for field \"%s\", expected "
6367                                 "%d, got %" PRIu64,
6368                                 fip->field_name, (int)fip->field_readcount,
6369                                 dp->tdir_count);
6370                 return (0);
6371             }
6372             else
6373             {
6374                 err = TIFFReadDirEntryShortArray(tif, dp, &data);
6375                 if (err == TIFFReadDirEntryErrOk)
6376                 {
6377                     int m;
6378                     m = TIFFSetField(tif, dp->tdir_tag, data);
6379                     if (data != 0)
6380                         _TIFFfreeExt(tif, data);
6381                     if (!m)
6382                         return (0);
6383                 }
6384             }
6385         }
6386         break;
6387         case TIFF_SETGET_C0_SINT16:
6388         {
6389             int16_t *data;
6390             assert(fip->field_readcount >= 1);
6391             assert(fip->field_passcount == 0);
6392             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6393             {
6394                 TIFFWarningExtR(tif, module,
6395                                 "incorrect count for field \"%s\", expected "
6396                                 "%d, got %" PRIu64,
6397                                 fip->field_name, (int)fip->field_readcount,
6398                                 dp->tdir_count);
6399                 return (0);
6400             }
6401             else
6402             {
6403                 err = TIFFReadDirEntrySshortArray(tif, dp, &data);
6404                 if (err == TIFFReadDirEntryErrOk)
6405                 {
6406                     int m;
6407                     m = TIFFSetField(tif, dp->tdir_tag, data);
6408                     if (data != 0)
6409                         _TIFFfreeExt(tif, data);
6410                     if (!m)
6411                         return (0);
6412                 }
6413             }
6414         }
6415         break;
6416         case TIFF_SETGET_C0_UINT32:
6417         {
6418             uint32_t *data;
6419             assert(fip->field_readcount >= 1);
6420             assert(fip->field_passcount == 0);
6421             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6422             {
6423                 TIFFWarningExtR(tif, module,
6424                                 "incorrect count for field \"%s\", expected "
6425                                 "%d, got %" PRIu64,
6426                                 fip->field_name, (int)fip->field_readcount,
6427                                 dp->tdir_count);
6428                 return (0);
6429             }
6430             else
6431             {
6432                 err = TIFFReadDirEntryLongArray(tif, dp, &data);
6433                 if (err == TIFFReadDirEntryErrOk)
6434                 {
6435                     int m;
6436                     m = TIFFSetField(tif, dp->tdir_tag, data);
6437                     if (data != 0)
6438                         _TIFFfreeExt(tif, data);
6439                     if (!m)
6440                         return (0);
6441                 }
6442             }
6443         }
6444         break;
6445         case TIFF_SETGET_C0_SINT32:
6446         {
6447             int32_t *data;
6448             assert(fip->field_readcount >= 1);
6449             assert(fip->field_passcount == 0);
6450             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6451             {
6452                 TIFFWarningExtR(tif, module,
6453                                 "incorrect count for field \"%s\", expected "
6454                                 "%d, got %" PRIu64,
6455                                 fip->field_name, (int)fip->field_readcount,
6456                                 dp->tdir_count);
6457                 return (0);
6458             }
6459             else
6460             {
6461                 err = TIFFReadDirEntrySlongArray(tif, dp, &data);
6462                 if (err == TIFFReadDirEntryErrOk)
6463                 {
6464                     int m;
6465                     m = TIFFSetField(tif, dp->tdir_tag, data);
6466                     if (data != 0)
6467                         _TIFFfreeExt(tif, data);
6468                     if (!m)
6469                         return (0);
6470                 }
6471             }
6472         }
6473         break;
6474         case TIFF_SETGET_C0_UINT64:
6475         {
6476             uint64_t *data;
6477             assert(fip->field_readcount >= 1);
6478             assert(fip->field_passcount == 0);
6479             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6480             {
6481                 TIFFWarningExtR(tif, module,
6482                                 "incorrect count for field \"%s\", expected "
6483                                 "%d, got %" PRIu64,
6484                                 fip->field_name, (int)fip->field_readcount,
6485                                 dp->tdir_count);
6486                 return (0);
6487             }
6488             else
6489             {
6490                 err = TIFFReadDirEntryLong8Array(tif, dp, &data);
6491                 if (err == TIFFReadDirEntryErrOk)
6492                 {
6493                     int m;
6494                     m = TIFFSetField(tif, dp->tdir_tag, data);
6495                     if (data != 0)
6496                         _TIFFfreeExt(tif, data);
6497                     if (!m)
6498                         return (0);
6499                 }
6500             }
6501         }
6502         break;
6503         case TIFF_SETGET_C0_SINT64:
6504         {
6505             int64_t *data;
6506             assert(fip->field_readcount >= 1);
6507             assert(fip->field_passcount == 0);
6508             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6509             {
6510                 TIFFWarningExtR(tif, module,
6511                                 "incorrect count for field \"%s\", expected "
6512                                 "%d, got %" PRIu64,
6513                                 fip->field_name, (int)fip->field_readcount,
6514                                 dp->tdir_count);
6515                 return (0);
6516             }
6517             else
6518             {
6519                 err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
6520                 if (err == TIFFReadDirEntryErrOk)
6521                 {
6522                     int m;
6523                     m = TIFFSetField(tif, dp->tdir_tag, data);
6524                     if (data != 0)
6525                         _TIFFfreeExt(tif, data);
6526                     if (!m)
6527                         return (0);
6528                 }
6529             }
6530         }
6531         break;
6532         case TIFF_SETGET_C0_FLOAT:
6533         {
6534             float *data;
6535             assert(fip->field_readcount >= 1);
6536             assert(fip->field_passcount == 0);
6537             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6538             {
6539                 TIFFWarningExtR(tif, module,
6540                                 "incorrect count for field \"%s\", expected "
6541                                 "%d, got %" PRIu64,
6542                                 fip->field_name, (int)fip->field_readcount,
6543                                 dp->tdir_count);
6544                 return (0);
6545             }
6546             else
6547             {
6548                 err = TIFFReadDirEntryFloatArray(tif, dp, &data);
6549                 if (err == TIFFReadDirEntryErrOk)
6550                 {
6551                     int m;
6552                     m = TIFFSetField(tif, dp->tdir_tag, data);
6553                     if (data != 0)
6554                         _TIFFfreeExt(tif, data);
6555                     if (!m)
6556                         return (0);
6557                 }
6558             }
6559         }
6560         break;
6561         /*--: Rational2Double: Extend for Double Arrays and Rational-Arrays read
6562          * into Double-Arrays. */
6563         case TIFF_SETGET_C0_DOUBLE:
6564         {
6565             double *data;
6566             assert(fip->field_readcount >= 1);
6567             assert(fip->field_passcount == 0);
6568             if (dp->tdir_count != (uint64_t)fip->field_readcount)
6569             {
6570                 TIFFWarningExtR(tif, module,
6571                                 "incorrect count for field \"%s\", expected "
6572                                 "%d, got %" PRIu64,
6573                                 fip->field_name, (int)fip->field_readcount,
6574                                 dp->tdir_count);
6575                 return (0);
6576             }
6577             else
6578             {
6579                 err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
6580                 if (err == TIFFReadDirEntryErrOk)
6581                 {
6582                     int m;
6583                     m = TIFFSetField(tif, dp->tdir_tag, data);
6584                     if (data != 0)
6585                         _TIFFfreeExt(tif, data);
6586                     if (!m)
6587                         return (0);
6588                 }
6589             }
6590         }
6591         break;
6592         case TIFF_SETGET_C16_ASCII:
6593         {
6594             uint8_t *data;
6595             assert(fip->field_readcount == TIFF_VARIABLE);
6596             assert(fip->field_passcount == 1);
6597             if (dp->tdir_count > 0xFFFF)
6598                 err = TIFFReadDirEntryErrCount;
6599             else
6600             {
6601                 err = TIFFReadDirEntryByteArray(tif, dp, &data);
6602                 if (err == TIFFReadDirEntryErrOk)
6603                 {
6604                     int m;
6605                     if (data != 0 && dp->tdir_count > 0 &&
6606                         data[dp->tdir_count - 1] != '\0')
6607                     {
6608                         TIFFWarningExtR(
6609                             tif, module,
6610                             "ASCII value for tag \"%s\" does not end in null "
6611                             "byte. Forcing it to be null",
6612                             fip->field_name);
6613                         data[dp->tdir_count - 1] = '\0';
6614                     }
6615                     m = TIFFSetField(tif, dp->tdir_tag,
6616                                      (uint16_t)(dp->tdir_count), data);
6617                     if (data != 0)
6618                         _TIFFfreeExt(tif, data);
6619                     if (!m)
6620                         return (0);
6621                 }
6622             }
6623         }
6624         break;
6625         case TIFF_SETGET_C16_UINT8:
6626         {
6627             uint8_t *data;
6628             assert(fip->field_readcount == TIFF_VARIABLE);
6629             assert(fip->field_passcount == 1);
6630             if (dp->tdir_count > 0xFFFF)
6631                 err = TIFFReadDirEntryErrCount;
6632             else
6633             {
6634                 err = TIFFReadDirEntryByteArray(tif, dp, &data);
6635                 if (err == TIFFReadDirEntryErrOk)
6636                 {
6637                     int m;
6638                     m = TIFFSetField(tif, dp->tdir_tag,
6639                                      (uint16_t)(dp->tdir_count), data);
6640                     if (data != 0)
6641                         _TIFFfreeExt(tif, data);
6642                     if (!m)
6643                         return (0);
6644                 }
6645             }
6646         }
6647         break;
6648         case TIFF_SETGET_C16_SINT8:
6649         {
6650             int8_t *data;
6651             assert(fip->field_readcount == TIFF_VARIABLE);
6652             assert(fip->field_passcount == 1);
6653             if (dp->tdir_count > 0xFFFF)
6654                 err = TIFFReadDirEntryErrCount;
6655             else
6656             {
6657                 err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
6658                 if (err == TIFFReadDirEntryErrOk)
6659                 {
6660                     int m;
6661                     m = TIFFSetField(tif, dp->tdir_tag,
6662                                      (uint16_t)(dp->tdir_count), data);
6663                     if (data != 0)
6664                         _TIFFfreeExt(tif, data);
6665                     if (!m)
6666                         return (0);
6667                 }
6668             }
6669         }
6670         break;
6671         case TIFF_SETGET_C16_UINT16:
6672         {
6673             uint16_t *data;
6674             assert(fip->field_readcount == TIFF_VARIABLE);
6675             assert(fip->field_passcount == 1);
6676             if (dp->tdir_count > 0xFFFF)
6677                 err = TIFFReadDirEntryErrCount;
6678             else
6679             {
6680                 err = TIFFReadDirEntryShortArray(tif, dp, &data);
6681                 if (err == TIFFReadDirEntryErrOk)
6682                 {
6683                     int m;
6684                     m = TIFFSetField(tif, dp->tdir_tag,
6685                                      (uint16_t)(dp->tdir_count), data);
6686                     if (data != 0)
6687                         _TIFFfreeExt(tif, data);
6688                     if (!m)
6689                         return (0);
6690                 }
6691             }
6692         }
6693         break;
6694         case TIFF_SETGET_C16_SINT16:
6695         {
6696             int16_t *data;
6697             assert(fip->field_readcount == TIFF_VARIABLE);
6698             assert(fip->field_passcount == 1);
6699             if (dp->tdir_count > 0xFFFF)
6700                 err = TIFFReadDirEntryErrCount;
6701             else
6702             {
6703                 err = TIFFReadDirEntrySshortArray(tif, dp, &data);
6704                 if (err == TIFFReadDirEntryErrOk)
6705                 {
6706                     int m;
6707                     m = TIFFSetField(tif, dp->tdir_tag,
6708                                      (uint16_t)(dp->tdir_count), data);
6709                     if (data != 0)
6710                         _TIFFfreeExt(tif, data);
6711                     if (!m)
6712                         return (0);
6713                 }
6714             }
6715         }
6716         break;
6717         case TIFF_SETGET_C16_UINT32:
6718         {
6719             uint32_t *data;
6720             assert(fip->field_readcount == TIFF_VARIABLE);
6721             assert(fip->field_passcount == 1);
6722             if (dp->tdir_count > 0xFFFF)
6723                 err = TIFFReadDirEntryErrCount;
6724             else
6725             {
6726                 err = TIFFReadDirEntryLongArray(tif, dp, &data);
6727                 if (err == TIFFReadDirEntryErrOk)
6728                 {
6729                     int m;
6730                     m = TIFFSetField(tif, dp->tdir_tag,
6731                                      (uint16_t)(dp->tdir_count), data);
6732                     if (data != 0)
6733                         _TIFFfreeExt(tif, data);
6734                     if (!m)
6735                         return (0);
6736                 }
6737             }
6738         }
6739         break;
6740         case TIFF_SETGET_C16_SINT32:
6741         {
6742             int32_t *data;
6743             assert(fip->field_readcount == TIFF_VARIABLE);
6744             assert(fip->field_passcount == 1);
6745             if (dp->tdir_count > 0xFFFF)
6746                 err = TIFFReadDirEntryErrCount;
6747             else
6748             {
6749                 err = TIFFReadDirEntrySlongArray(tif, dp, &data);
6750                 if (err == TIFFReadDirEntryErrOk)
6751                 {
6752                     int m;
6753                     m = TIFFSetField(tif, dp->tdir_tag,
6754                                      (uint16_t)(dp->tdir_count), data);
6755                     if (data != 0)
6756                         _TIFFfreeExt(tif, data);
6757                     if (!m)
6758                         return (0);
6759                 }
6760             }
6761         }
6762         break;
6763         case TIFF_SETGET_C16_UINT64:
6764         {
6765             uint64_t *data;
6766             assert(fip->field_readcount == TIFF_VARIABLE);
6767             assert(fip->field_passcount == 1);
6768             if (dp->tdir_count > 0xFFFF)
6769                 err = TIFFReadDirEntryErrCount;
6770             else
6771             {
6772                 err = TIFFReadDirEntryLong8Array(tif, dp, &data);
6773                 if (err == TIFFReadDirEntryErrOk)
6774                 {
6775                     int m;
6776                     m = TIFFSetField(tif, dp->tdir_tag,
6777                                      (uint16_t)(dp->tdir_count), data);
6778                     if (data != 0)
6779                         _TIFFfreeExt(tif, data);
6780                     if (!m)
6781                         return (0);
6782                 }
6783             }
6784         }
6785         break;
6786         case TIFF_SETGET_C16_SINT64:
6787         {
6788             int64_t *data;
6789             assert(fip->field_readcount == TIFF_VARIABLE);
6790             assert(fip->field_passcount == 1);
6791             if (dp->tdir_count > 0xFFFF)
6792                 err = TIFFReadDirEntryErrCount;
6793             else
6794             {
6795                 err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
6796                 if (err == TIFFReadDirEntryErrOk)
6797                 {
6798                     int m;
6799                     m = TIFFSetField(tif, dp->tdir_tag,
6800                                      (uint16_t)(dp->tdir_count), data);
6801                     if (data != 0)
6802                         _TIFFfreeExt(tif, data);
6803                     if (!m)
6804                         return (0);
6805                 }
6806             }
6807         }
6808         break;
6809         case TIFF_SETGET_C16_FLOAT:
6810         {
6811             float *data;
6812             assert(fip->field_readcount == TIFF_VARIABLE);
6813             assert(fip->field_passcount == 1);
6814             if (dp->tdir_count > 0xFFFF)
6815                 err = TIFFReadDirEntryErrCount;
6816             else
6817             {
6818                 err = TIFFReadDirEntryFloatArray(tif, dp, &data);
6819                 if (err == TIFFReadDirEntryErrOk)
6820                 {
6821                     int m;
6822                     m = TIFFSetField(tif, dp->tdir_tag,
6823                                      (uint16_t)(dp->tdir_count), data);
6824                     if (data != 0)
6825                         _TIFFfreeExt(tif, data);
6826                     if (!m)
6827                         return (0);
6828                 }
6829             }
6830         }
6831         break;
6832         case TIFF_SETGET_C16_DOUBLE:
6833         {
6834             double *data;
6835             assert(fip->field_readcount == TIFF_VARIABLE);
6836             assert(fip->field_passcount == 1);
6837             if (dp->tdir_count > 0xFFFF)
6838                 err = TIFFReadDirEntryErrCount;
6839             else
6840             {
6841                 err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
6842                 if (err == TIFFReadDirEntryErrOk)
6843                 {
6844                     int m;
6845                     m = TIFFSetField(tif, dp->tdir_tag,
6846                                      (uint16_t)(dp->tdir_count), data);
6847                     if (data != 0)
6848                         _TIFFfreeExt(tif, data);
6849                     if (!m)
6850                         return (0);
6851                 }
6852             }
6853         }
6854         break;
6855         case TIFF_SETGET_C16_IFD8:
6856         {
6857             uint64_t *data;
6858             assert(fip->field_readcount == TIFF_VARIABLE);
6859             assert(fip->field_passcount == 1);
6860             if (dp->tdir_count > 0xFFFF)
6861                 err = TIFFReadDirEntryErrCount;
6862             else
6863             {
6864                 err = TIFFReadDirEntryIfd8Array(tif, dp, &data);
6865                 if (err == TIFFReadDirEntryErrOk)
6866                 {
6867                     int m;
6868                     m = TIFFSetField(tif, dp->tdir_tag,
6869                                      (uint16_t)(dp->tdir_count), data);
6870                     if (data != 0)
6871                         _TIFFfreeExt(tif, data);
6872                     if (!m)
6873                         return (0);
6874                 }
6875             }
6876         }
6877         break;
6878         case TIFF_SETGET_C32_ASCII:
6879         {
6880             uint8_t *data;
6881             assert(fip->field_readcount == TIFF_VARIABLE2);
6882             assert(fip->field_passcount == 1);
6883             err = TIFFReadDirEntryByteArray(tif, dp, &data);
6884             if (err == TIFFReadDirEntryErrOk)
6885             {
6886                 int m;
6887                 if (data != 0 && dp->tdir_count > 0 &&
6888                     data[dp->tdir_count - 1] != '\0')
6889                 {
6890                     TIFFWarningExtR(tif, module,
6891                                     "ASCII value for tag \"%s\" does not end "
6892                                     "in null byte. Forcing it to be null",
6893                                     fip->field_name);
6894                     data[dp->tdir_count - 1] = '\0';
6895                 }
6896                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
6897                                  data);
6898                 if (data != 0)
6899                     _TIFFfreeExt(tif, data);
6900                 if (!m)
6901                     return (0);
6902             }
6903         }
6904         break;
6905         case TIFF_SETGET_C32_UINT8:
6906         {
6907             uint8_t *data;
6908             uint32_t count = 0;
6909             assert(fip->field_readcount == TIFF_VARIABLE2);
6910             assert(fip->field_passcount == 1);
6911             if (fip->field_tag == TIFFTAG_RICHTIFFIPTC &&
6912                 dp->tdir_type == TIFF_LONG)
6913             {
6914                 /* Adobe's software (wrongly) writes RichTIFFIPTC tag with
6915                  * data type LONG instead of UNDEFINED. Work around this
6916                  * frequently found issue */
6917                 void *origdata;
6918                 err = TIFFReadDirEntryArray(tif, dp, &count, 4, &origdata);
6919                 if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
6920                 {
6921                     data = NULL;
6922                 }
6923                 else
6924                 {
6925                     if (tif->tif_flags & TIFF_SWAB)
6926                         TIFFSwabArrayOfLong((uint32_t *)origdata, count);
6927                     data = (uint8_t *)origdata;
6928                     count = (uint32_t)(count * 4);
6929                 }
6930             }
6931             else
6932             {
6933                 err = TIFFReadDirEntryByteArray(tif, dp, &data);
6934                 count = (uint32_t)(dp->tdir_count);
6935             }
6936             if (err == TIFFReadDirEntryErrOk)
6937             {
6938                 int m;
6939                 m = TIFFSetField(tif, dp->tdir_tag, count, data);
6940                 if (data != 0)
6941                     _TIFFfreeExt(tif, data);
6942                 if (!m)
6943                     return (0);
6944             }
6945         }
6946         break;
6947         case TIFF_SETGET_C32_SINT8:
6948         {
6949             int8_t *data = NULL;
6950             assert(fip->field_readcount == TIFF_VARIABLE2);
6951             assert(fip->field_passcount == 1);
6952             err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
6953             if (err == TIFFReadDirEntryErrOk)
6954             {
6955                 int m;
6956                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
6957                                  data);
6958                 if (data != 0)
6959                     _TIFFfreeExt(tif, data);
6960                 if (!m)
6961                     return (0);
6962             }
6963         }
6964         break;
6965         case TIFF_SETGET_C32_UINT16:
6966         {
6967             uint16_t *data;
6968             assert(fip->field_readcount == TIFF_VARIABLE2);
6969             assert(fip->field_passcount == 1);
6970             err = TIFFReadDirEntryShortArray(tif, dp, &data);
6971             if (err == TIFFReadDirEntryErrOk)
6972             {
6973                 int m;
6974                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
6975                                  data);
6976                 if (data != 0)
6977                     _TIFFfreeExt(tif, data);
6978                 if (!m)
6979                     return (0);
6980             }
6981         }
6982         break;
6983         case TIFF_SETGET_C32_SINT16:
6984         {
6985             int16_t *data = NULL;
6986             assert(fip->field_readcount == TIFF_VARIABLE2);
6987             assert(fip->field_passcount == 1);
6988             err = TIFFReadDirEntrySshortArray(tif, dp, &data);
6989             if (err == TIFFReadDirEntryErrOk)
6990             {
6991                 int m;
6992                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
6993                                  data);
6994                 if (data != 0)
6995                     _TIFFfreeExt(tif, data);
6996                 if (!m)
6997                     return (0);
6998             }
6999         }
7000         break;
7001         case TIFF_SETGET_C32_UINT32:
7002         {
7003             uint32_t *data;
7004             assert(fip->field_readcount == TIFF_VARIABLE2);
7005             assert(fip->field_passcount == 1);
7006             err = TIFFReadDirEntryLongArray(tif, dp, &data);
7007             if (err == TIFFReadDirEntryErrOk)
7008             {
7009                 int m;
7010                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7011                                  data);
7012                 if (data != 0)
7013                     _TIFFfreeExt(tif, data);
7014                 if (!m)
7015                     return (0);
7016             }
7017         }
7018         break;
7019         case TIFF_SETGET_C32_SINT32:
7020         {
7021             int32_t *data = NULL;
7022             assert(fip->field_readcount == TIFF_VARIABLE2);
7023             assert(fip->field_passcount == 1);
7024             err = TIFFReadDirEntrySlongArray(tif, dp, &data);
7025             if (err == TIFFReadDirEntryErrOk)
7026             {
7027                 int m;
7028                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7029                                  data);
7030                 if (data != 0)
7031                     _TIFFfreeExt(tif, data);
7032                 if (!m)
7033                     return (0);
7034             }
7035         }
7036         break;
7037         case TIFF_SETGET_C32_UINT64:
7038         {
7039             uint64_t *data;
7040             assert(fip->field_readcount == TIFF_VARIABLE2);
7041             assert(fip->field_passcount == 1);
7042             err = TIFFReadDirEntryLong8Array(tif, dp, &data);
7043             if (err == TIFFReadDirEntryErrOk)
7044             {
7045                 int m;
7046                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7047                                  data);
7048                 if (data != 0)
7049                     _TIFFfreeExt(tif, data);
7050                 if (!m)
7051                     return (0);
7052             }
7053         }
7054         break;
7055         case TIFF_SETGET_C32_SINT64:
7056         {
7057             int64_t *data = NULL;
7058             assert(fip->field_readcount == TIFF_VARIABLE2);
7059             assert(fip->field_passcount == 1);
7060             err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
7061             if (err == TIFFReadDirEntryErrOk)
7062             {
7063                 int m;
7064                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7065                                  data);
7066                 if (data != 0)
7067                     _TIFFfreeExt(tif, data);
7068                 if (!m)
7069                     return (0);
7070             }
7071         }
7072         break;
7073         case TIFF_SETGET_C32_FLOAT:
7074         {
7075             float *data;
7076             assert(fip->field_readcount == TIFF_VARIABLE2);
7077             assert(fip->field_passcount == 1);
7078             err = TIFFReadDirEntryFloatArray(tif, dp, &data);
7079             if (err == TIFFReadDirEntryErrOk)
7080             {
7081                 int m;
7082                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7083                                  data);
7084                 if (data != 0)
7085                     _TIFFfreeExt(tif, data);
7086                 if (!m)
7087                     return (0);
7088             }
7089         }
7090         break;
7091         case TIFF_SETGET_C32_DOUBLE:
7092         {
7093             double *data;
7094             assert(fip->field_readcount == TIFF_VARIABLE2);
7095             assert(fip->field_passcount == 1);
7096             err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
7097             if (err == TIFFReadDirEntryErrOk)
7098             {
7099                 int m;
7100                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7101                                  data);
7102                 if (data != 0)
7103                     _TIFFfreeExt(tif, data);
7104                 if (!m)
7105                     return (0);
7106             }
7107         }
7108         break;
7109         case TIFF_SETGET_C32_IFD8:
7110         {
7111             uint64_t *data;
7112             assert(fip->field_readcount == TIFF_VARIABLE2);
7113             assert(fip->field_passcount == 1);
7114             err = TIFFReadDirEntryIfd8Array(tif, dp, &data);
7115             if (err == TIFFReadDirEntryErrOk)
7116             {
7117                 int m;
7118                 m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7119                                  data);
7120                 if (data != 0)
7121                     _TIFFfreeExt(tif, data);
7122                 if (!m)
7123                     return (0);
7124             }
7125         }
7126         break;
7127         default:
7128             assert(0); /* we should never get here */
7129             break;
7130     }
7131     if (err != TIFFReadDirEntryErrOk)
7132     {
7133         TIFFReadDirEntryOutputErr(tif, err, module, fip->field_name, recover);
7134         return (0);
7135     }
7136     return (1);
7137 }
7138 
7139 /*
7140  * Fetch a set of offsets or lengths.
7141  * While this routine says "strips", in fact it's also used for tiles.
7142  */
TIFFFetchStripThing(TIFF * tif,TIFFDirEntry * dir,uint32_t nstrips,uint64_t ** lpp)7143 static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
7144                                uint64_t **lpp)
7145 {
7146     static const char module[] = "TIFFFetchStripThing";
7147     enum TIFFReadDirEntryErr err;
7148     uint64_t *data;
7149     err = TIFFReadDirEntryLong8ArrayWithLimit(tif, dir, &data, nstrips);
7150     if (err != TIFFReadDirEntryErrOk)
7151     {
7152         const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
7153         TIFFReadDirEntryOutputErr(tif, err, module,
7154                                   fip ? fip->field_name : "unknown tagname", 0);
7155         return (0);
7156     }
7157     if (dir->tdir_count < (uint64_t)nstrips)
7158     {
7159         uint64_t *resizeddata;
7160         const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
7161         const char *pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
7162         uint32_t max_nstrips = 1000000;
7163         if (pszMax)
7164             max_nstrips = (uint32_t)atoi(pszMax);
7165         TIFFReadDirEntryOutputErr(tif, TIFFReadDirEntryErrCount, module,
7166                                   fip ? fip->field_name : "unknown tagname",
7167                                   (nstrips <= max_nstrips));
7168 
7169         if (nstrips > max_nstrips)
7170         {
7171             _TIFFfreeExt(tif, data);
7172             return (0);
7173         }
7174 
7175         resizeddata = (uint64_t *)_TIFFCheckMalloc(
7176             tif, nstrips, sizeof(uint64_t), "for strip array");
7177         if (resizeddata == 0)
7178         {
7179             _TIFFfreeExt(tif, data);
7180             return (0);
7181         }
7182         if (dir->tdir_count)
7183             _TIFFmemcpy(resizeddata, data,
7184                         (uint32_t)dir->tdir_count * sizeof(uint64_t));
7185         _TIFFmemset(resizeddata + (uint32_t)dir->tdir_count, 0,
7186                     (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
7187         _TIFFfreeExt(tif, data);
7188         data = resizeddata;
7189     }
7190     *lpp = data;
7191     return (1);
7192 }
7193 
7194 /*
7195  * Fetch and set the SubjectDistance EXIF tag.
7196  */
TIFFFetchSubjectDistance(TIFF * tif,TIFFDirEntry * dir)7197 static int TIFFFetchSubjectDistance(TIFF *tif, TIFFDirEntry *dir)
7198 {
7199     static const char module[] = "TIFFFetchSubjectDistance";
7200     enum TIFFReadDirEntryErr err;
7201     UInt64Aligned_t m;
7202     m.l = 0;
7203     assert(sizeof(double) == 8);
7204     assert(sizeof(uint64_t) == 8);
7205     assert(sizeof(uint32_t) == 4);
7206     if (dir->tdir_count != 1)
7207         err = TIFFReadDirEntryErrCount;
7208     else if (dir->tdir_type != TIFF_RATIONAL)
7209         err = TIFFReadDirEntryErrType;
7210     else
7211     {
7212         if (!(tif->tif_flags & TIFF_BIGTIFF))
7213         {
7214             uint32_t offset;
7215             offset = *(uint32_t *)(&dir->tdir_offset);
7216             if (tif->tif_flags & TIFF_SWAB)
7217                 TIFFSwabLong(&offset);
7218             err = TIFFReadDirEntryData(tif, offset, 8, m.i);
7219         }
7220         else
7221         {
7222             m.l = dir->tdir_offset.toff_long8;
7223             err = TIFFReadDirEntryErrOk;
7224         }
7225     }
7226     if (err == TIFFReadDirEntryErrOk)
7227     {
7228         double n;
7229         if (tif->tif_flags & TIFF_SWAB)
7230             TIFFSwabArrayOfLong(m.i, 2);
7231         if (m.i[0] == 0)
7232             n = 0.0;
7233         else if (m.i[0] == 0xFFFFFFFF || m.i[1] == 0)
7234             /*
7235              * XXX: Numerator 0xFFFFFFFF means that we have infinite
7236              * distance. Indicate that with a negative floating point
7237              * SubjectDistance value.
7238              */
7239             n = -1.0;
7240         else
7241             n = (double)m.i[0] / (double)m.i[1];
7242         return (TIFFSetField(tif, dir->tdir_tag, n));
7243     }
7244     else
7245     {
7246         TIFFReadDirEntryOutputErr(tif, err, module, "SubjectDistance", TRUE);
7247         return (0);
7248     }
7249 }
7250 
allocChoppedUpStripArrays(TIFF * tif,uint32_t nstrips,uint64_t stripbytes,uint32_t rowsperstrip)7251 static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
7252                                       uint64_t stripbytes,
7253                                       uint32_t rowsperstrip)
7254 {
7255     TIFFDirectory *td = &tif->tif_dir;
7256     uint64_t bytecount;
7257     uint64_t offset;
7258     uint64_t last_offset;
7259     uint64_t last_bytecount;
7260     uint32_t i;
7261     uint64_t *newcounts;
7262     uint64_t *newoffsets;
7263 
7264     offset = TIFFGetStrileOffset(tif, 0);
7265     last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
7266     last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
7267     if (last_offset > UINT64_MAX - last_bytecount ||
7268         last_offset + last_bytecount < offset)
7269     {
7270         return;
7271     }
7272     bytecount = last_offset + last_bytecount - offset;
7273 
7274     newcounts =
7275         (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
7276                                      "for chopped \"StripByteCounts\" array");
7277     newoffsets = (uint64_t *)_TIFFCheckMalloc(
7278         tif, nstrips, sizeof(uint64_t), "for chopped \"StripOffsets\" array");
7279     if (newcounts == NULL || newoffsets == NULL)
7280     {
7281         /*
7282          * Unable to allocate new strip information, give up and use
7283          * the original one strip information.
7284          */
7285         if (newcounts != NULL)
7286             _TIFFfreeExt(tif, newcounts);
7287         if (newoffsets != NULL)
7288             _TIFFfreeExt(tif, newoffsets);
7289         return;
7290     }
7291 
7292     /*
7293      * Fill the strip information arrays with new bytecounts and offsets
7294      * that reflect the broken-up format.
7295      */
7296     for (i = 0; i < nstrips; i++)
7297     {
7298         if (stripbytes > bytecount)
7299             stripbytes = bytecount;
7300         newcounts[i] = stripbytes;
7301         newoffsets[i] = stripbytes ? offset : 0;
7302         offset += stripbytes;
7303         bytecount -= stripbytes;
7304     }
7305 
7306     /*
7307      * Replace old single strip info with multi-strip info.
7308      */
7309     td->td_stripsperimage = td->td_nstrips = nstrips;
7310     TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
7311 
7312     _TIFFfreeExt(tif, td->td_stripbytecount_p);
7313     _TIFFfreeExt(tif, td->td_stripoffset_p);
7314     td->td_stripbytecount_p = newcounts;
7315     td->td_stripoffset_p = newoffsets;
7316 #ifdef STRIPBYTECOUNTSORTED_UNUSED
7317     td->td_stripbytecountsorted = 1;
7318 #endif
7319     tif->tif_flags |= TIFF_CHOPPEDUPARRAYS;
7320 }
7321 
7322 /*
7323  * Replace a single strip (tile) of uncompressed data by multiple strips
7324  * (tiles), each approximately STRIP_SIZE_DEFAULT bytes. This is useful for
7325  * dealing with large images or for dealing with machines with a limited
7326  * amount memory.
7327  */
ChopUpSingleUncompressedStrip(TIFF * tif)7328 static void ChopUpSingleUncompressedStrip(TIFF *tif)
7329 {
7330     register TIFFDirectory *td = &tif->tif_dir;
7331     uint64_t bytecount;
7332     uint64_t offset;
7333     uint32_t rowblock;
7334     uint64_t rowblockbytes;
7335     uint64_t stripbytes;
7336     uint32_t nstrips;
7337     uint32_t rowsperstrip;
7338 
7339     bytecount = TIFFGetStrileByteCount(tif, 0);
7340     /* On a newly created file, just re-opened to be filled, we */
7341     /* don't want strip chop to trigger as it is going to cause issues */
7342     /* later ( StripOffsets and StripByteCounts improperly filled) . */
7343     if (bytecount == 0 && tif->tif_mode != O_RDONLY)
7344         return;
7345     offset = TIFFGetStrileByteCount(tif, 0);
7346     assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
7347     if ((td->td_photometric == PHOTOMETRIC_YCBCR) && (!isUpSampled(tif)))
7348         rowblock = td->td_ycbcrsubsampling[1];
7349     else
7350         rowblock = 1;
7351     rowblockbytes = TIFFVTileSize64(tif, rowblock);
7352     /*
7353      * Make the rows hold at least one scanline, but fill specified amount
7354      * of data if possible.
7355      */
7356     if (rowblockbytes > STRIP_SIZE_DEFAULT)
7357     {
7358         stripbytes = rowblockbytes;
7359         rowsperstrip = rowblock;
7360     }
7361     else if (rowblockbytes > 0)
7362     {
7363         uint32_t rowblocksperstrip;
7364         rowblocksperstrip = (uint32_t)(STRIP_SIZE_DEFAULT / rowblockbytes);
7365         rowsperstrip = rowblocksperstrip * rowblock;
7366         stripbytes = rowblocksperstrip * rowblockbytes;
7367     }
7368     else
7369         return;
7370 
7371     /*
7372      * never increase the number of rows per strip
7373      */
7374     if (rowsperstrip >= td->td_rowsperstrip)
7375         return;
7376     nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
7377     if (nstrips == 0)
7378         return;
7379 
7380     /* If we are going to allocate a lot of memory, make sure that the */
7381     /* file is as big as needed */
7382     if (tif->tif_mode == O_RDONLY && nstrips > 1000000 &&
7383         (offset >= TIFFGetFileSize(tif) ||
7384          stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)))
7385     {
7386         return;
7387     }
7388 
7389     allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
7390 }
7391 
7392 /*
7393  * Replace a file with contiguous strips > 2 GB of uncompressed data by
7394  * multiple smaller strips. This is useful for
7395  * dealing with large images or for dealing with machines with a limited
7396  * amount memory.
7397  */
TryChopUpUncompressedBigTiff(TIFF * tif)7398 static void TryChopUpUncompressedBigTiff(TIFF *tif)
7399 {
7400     TIFFDirectory *td = &tif->tif_dir;
7401     uint32_t rowblock;
7402     uint64_t rowblockbytes;
7403     uint32_t i;
7404     uint64_t stripsize;
7405     uint32_t rowblocksperstrip;
7406     uint32_t rowsperstrip;
7407     uint64_t stripbytes;
7408     uint32_t nstrips;
7409 
7410     stripsize = TIFFStripSize64(tif);
7411 
7412     assert(tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG);
7413     assert(tif->tif_dir.td_compression == COMPRESSION_NONE);
7414     assert((tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) ==
7415            TIFF_STRIPCHOP);
7416     assert(stripsize > 0x7FFFFFFFUL);
7417 
7418     /* On a newly created file, just re-opened to be filled, we */
7419     /* don't want strip chop to trigger as it is going to cause issues */
7420     /* later ( StripOffsets and StripByteCounts improperly filled) . */
7421     if (TIFFGetStrileByteCount(tif, 0) == 0 && tif->tif_mode != O_RDONLY)
7422         return;
7423 
7424     if ((td->td_photometric == PHOTOMETRIC_YCBCR) && (!isUpSampled(tif)))
7425         rowblock = td->td_ycbcrsubsampling[1];
7426     else
7427         rowblock = 1;
7428     rowblockbytes = TIFFVStripSize64(tif, rowblock);
7429     if (rowblockbytes == 0 || rowblockbytes > 0x7FFFFFFFUL)
7430     {
7431         /* In case of file with gigantic width */
7432         return;
7433     }
7434 
7435     /* Check that the strips are contiguous and of the expected size */
7436     for (i = 0; i < td->td_nstrips; i++)
7437     {
7438         if (i == td->td_nstrips - 1)
7439         {
7440             if (TIFFGetStrileByteCount(tif, i) <
7441                 TIFFVStripSize64(tif,
7442                                  td->td_imagelength - i * td->td_rowsperstrip))
7443             {
7444                 return;
7445             }
7446         }
7447         else
7448         {
7449             if (TIFFGetStrileByteCount(tif, i) != stripsize)
7450             {
7451                 return;
7452             }
7453             if (i > 0 && TIFFGetStrileOffset(tif, i) !=
7454                              TIFFGetStrileOffset(tif, i - 1) +
7455                                  TIFFGetStrileByteCount(tif, i - 1))
7456             {
7457                 return;
7458             }
7459         }
7460     }
7461 
7462     /* Aim for 512 MB strips (that will still be manageable by 32 bit builds */
7463     rowblocksperstrip = (uint32_t)(512 * 1024 * 1024 / rowblockbytes);
7464     if (rowblocksperstrip == 0)
7465         rowblocksperstrip = 1;
7466     rowsperstrip = rowblocksperstrip * rowblock;
7467     stripbytes = rowblocksperstrip * rowblockbytes;
7468     assert(stripbytes <= 0x7FFFFFFFUL);
7469 
7470     nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
7471     if (nstrips == 0)
7472         return;
7473 
7474     /* If we are going to allocate a lot of memory, make sure that the */
7475     /* file is as big as needed */
7476     if (tif->tif_mode == O_RDONLY && nstrips > 1000000)
7477     {
7478         uint64_t last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
7479         uint64_t filesize = TIFFGetFileSize(tif);
7480         uint64_t last_bytecount =
7481             TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
7482         if (last_offset > filesize || last_bytecount > filesize - last_offset)
7483         {
7484             return;
7485         }
7486     }
7487 
7488     allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
7489 }
7490 
7491 TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
_TIFFUnsanitizedAddUInt64AndInt(uint64_t a,int b)7492 static uint64_t _TIFFUnsanitizedAddUInt64AndInt(uint64_t a, int b)
7493 {
7494     return a + b;
7495 }
7496 
7497 /* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
7498  * strip/tile of number strile. Also fetch the neighbouring values using a
7499  * 4096 byte page size.
7500  */
_TIFFPartialReadStripArray(TIFF * tif,TIFFDirEntry * dirent,int strile,uint64_t * panVals)7501 static int _TIFFPartialReadStripArray(TIFF *tif, TIFFDirEntry *dirent,
7502                                       int strile, uint64_t *panVals)
7503 {
7504     static const char module[] = "_TIFFPartialReadStripArray";
7505 #define IO_CACHE_PAGE_SIZE 4096
7506 
7507     size_t sizeofval;
7508     const int bSwab = (tif->tif_flags & TIFF_SWAB) != 0;
7509     int sizeofvalint;
7510     uint64_t nBaseOffset;
7511     uint64_t nOffset;
7512     uint64_t nOffsetStartPage;
7513     uint64_t nOffsetEndPage;
7514     tmsize_t nToRead;
7515     tmsize_t nRead;
7516     uint64_t nLastStripOffset;
7517     int iStartBefore;
7518     int i;
7519     const uint32_t arraySize = tif->tif_dir.td_stripoffsetbyteallocsize;
7520     unsigned char buffer[2 * IO_CACHE_PAGE_SIZE];
7521 
7522     assert(dirent->tdir_count > 4);
7523 
7524     if (dirent->tdir_type == TIFF_SHORT)
7525     {
7526         sizeofval = sizeof(uint16_t);
7527     }
7528     else if (dirent->tdir_type == TIFF_LONG)
7529     {
7530         sizeofval = sizeof(uint32_t);
7531     }
7532     else if (dirent->tdir_type == TIFF_LONG8)
7533     {
7534         sizeofval = sizeof(uint64_t);
7535     }
7536     else if (dirent->tdir_type == TIFF_SLONG8)
7537     {
7538         /* Non conformant but used by some images as in */
7539         /* https://github.com/OSGeo/gdal/issues/2165 */
7540         sizeofval = sizeof(int64_t);
7541     }
7542     else
7543     {
7544         TIFFErrorExtR(tif, module,
7545                       "Invalid type for [Strip|Tile][Offset/ByteCount] tag");
7546         panVals[strile] = 0;
7547         return 0;
7548     }
7549     sizeofvalint = (int)(sizeofval);
7550 
7551     if (tif->tif_flags & TIFF_BIGTIFF)
7552     {
7553         uint64_t offset = dirent->tdir_offset.toff_long8;
7554         if (bSwab)
7555             TIFFSwabLong8(&offset);
7556         nBaseOffset = offset;
7557     }
7558     else
7559     {
7560         uint32_t offset = dirent->tdir_offset.toff_long;
7561         if (bSwab)
7562             TIFFSwabLong(&offset);
7563         nBaseOffset = offset;
7564     }
7565     /* To avoid later unsigned integer overflows */
7566     if (nBaseOffset > (uint64_t)INT64_MAX)
7567     {
7568         TIFFErrorExtR(tif, module, "Cannot read offset/size for strile %d",
7569                       strile);
7570         panVals[strile] = 0;
7571         return 0;
7572     }
7573     nOffset = nBaseOffset + sizeofval * strile;
7574     nOffsetStartPage = (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;
7575     nOffsetEndPage = nOffsetStartPage + IO_CACHE_PAGE_SIZE;
7576 
7577     if (nOffset + sizeofval > nOffsetEndPage)
7578         nOffsetEndPage += IO_CACHE_PAGE_SIZE;
7579 #undef IO_CACHE_PAGE_SIZE
7580 
7581     nLastStripOffset = nBaseOffset + arraySize * sizeofval;
7582     if (nLastStripOffset < nOffsetEndPage)
7583         nOffsetEndPage = nLastStripOffset;
7584     if (nOffsetStartPage >= nOffsetEndPage)
7585     {
7586         TIFFErrorExtR(tif, module, "Cannot read offset/size for strile %d",
7587                       strile);
7588         panVals[strile] = 0;
7589         return 0;
7590     }
7591     if (!SeekOK(tif, nOffsetStartPage))
7592     {
7593         panVals[strile] = 0;
7594         return 0;
7595     }
7596 
7597     nToRead = (tmsize_t)(nOffsetEndPage - nOffsetStartPage);
7598     nRead = TIFFReadFile(tif, buffer, nToRead);
7599     if (nRead < nToRead)
7600     {
7601         TIFFErrorExtR(tif, module,
7602                       "Cannot read offset/size for strile around ~%d", strile);
7603         return 0;
7604     }
7605     iStartBefore = -(int)((nOffset - nOffsetStartPage) / sizeofval);
7606     if (strile + iStartBefore < 0)
7607         iStartBefore = -strile;
7608     for (i = iStartBefore;
7609          (uint32_t)(strile + i) < arraySize &&
7610          _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <=
7611              nOffsetEndPage;
7612          ++i)
7613     {
7614         if (dirent->tdir_type == TIFF_SHORT)
7615         {
7616             uint16_t val;
7617             memcpy(&val,
7618                    buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
7619                    sizeof(val));
7620             if (bSwab)
7621                 TIFFSwabShort(&val);
7622             panVals[strile + i] = val;
7623         }
7624         else if (dirent->tdir_type == TIFF_LONG)
7625         {
7626             uint32_t val;
7627             memcpy(&val,
7628                    buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
7629                    sizeof(val));
7630             if (bSwab)
7631                 TIFFSwabLong(&val);
7632             panVals[strile + i] = val;
7633         }
7634         else if (dirent->tdir_type == TIFF_LONG8)
7635         {
7636             uint64_t val;
7637             memcpy(&val,
7638                    buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
7639                    sizeof(val));
7640             if (bSwab)
7641                 TIFFSwabLong8(&val);
7642             panVals[strile + i] = val;
7643         }
7644         else /* if( dirent->tdir_type == TIFF_SLONG8 ) */
7645         {
7646             /* Non conformant data type */
7647             int64_t val;
7648             memcpy(&val,
7649                    buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
7650                    sizeof(val));
7651             if (bSwab)
7652                 TIFFSwabLong8((uint64_t *)&val);
7653             panVals[strile + i] = (uint64_t)val;
7654         }
7655     }
7656     return 1;
7657 }
7658 
_TIFFFetchStrileValue(TIFF * tif,uint32_t strile,TIFFDirEntry * dirent,uint64_t ** parray)7659 static int _TIFFFetchStrileValue(TIFF *tif, uint32_t strile,
7660                                  TIFFDirEntry *dirent, uint64_t **parray)
7661 {
7662     static const char module[] = "_TIFFFetchStrileValue";
7663     TIFFDirectory *td = &tif->tif_dir;
7664     if (strile >= dirent->tdir_count)
7665     {
7666         return 0;
7667     }
7668     if (strile >= td->td_stripoffsetbyteallocsize)
7669     {
7670         uint32_t nStripArrayAllocBefore = td->td_stripoffsetbyteallocsize;
7671         uint32_t nStripArrayAllocNew;
7672         uint64_t nArraySize64;
7673         size_t nArraySize;
7674         uint64_t *offsetArray;
7675         uint64_t *bytecountArray;
7676 
7677         if (strile > 1000000)
7678         {
7679             uint64_t filesize = TIFFGetFileSize(tif);
7680             /* Avoid excessive memory allocation attempt */
7681             /* For such a big blockid we need at least a TIFF_LONG per strile */
7682             /* for the offset array. */
7683             if (strile > filesize / sizeof(uint32_t))
7684             {
7685                 TIFFErrorExtR(tif, module, "File too short");
7686                 return 0;
7687             }
7688         }
7689 
7690         if (td->td_stripoffsetbyteallocsize == 0 &&
7691             td->td_nstrips < 1024 * 1024)
7692         {
7693             nStripArrayAllocNew = td->td_nstrips;
7694         }
7695         else
7696         {
7697 #define TIFF_MAX(a, b) (((a) > (b)) ? (a) : (b))
7698 #define TIFF_MIN(a, b) (((a) < (b)) ? (a) : (b))
7699             nStripArrayAllocNew = TIFF_MAX(strile + 1, 1024U * 512U);
7700             if (nStripArrayAllocNew < 0xFFFFFFFFU / 2)
7701                 nStripArrayAllocNew *= 2;
7702             nStripArrayAllocNew = TIFF_MIN(nStripArrayAllocNew, td->td_nstrips);
7703         }
7704         assert(strile < nStripArrayAllocNew);
7705         nArraySize64 = (uint64_t)sizeof(uint64_t) * nStripArrayAllocNew;
7706         nArraySize = (size_t)(nArraySize64);
7707 #if SIZEOF_SIZE_T == 4
7708         if (nArraySize != nArraySize64)
7709         {
7710             TIFFErrorExtR(tif, module,
7711                           "Cannot allocate strip offset and bytecount arrays");
7712             return 0;
7713         }
7714 #endif
7715         offsetArray = (uint64_t *)(_TIFFreallocExt(tif, td->td_stripoffset_p,
7716                                                    nArraySize));
7717         bytecountArray = (uint64_t *)(_TIFFreallocExt(
7718             tif, td->td_stripbytecount_p, nArraySize));
7719         if (offsetArray)
7720             td->td_stripoffset_p = offsetArray;
7721         if (bytecountArray)
7722             td->td_stripbytecount_p = bytecountArray;
7723         if (offsetArray && bytecountArray)
7724         {
7725             td->td_stripoffsetbyteallocsize = nStripArrayAllocNew;
7726             /* Initialize new entries to ~0 / -1 */
7727             /* coverity[overrun-buffer-arg] */
7728             memset(td->td_stripoffset_p + nStripArrayAllocBefore, 0xFF,
7729                    (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) *
7730                        sizeof(uint64_t));
7731             /* coverity[overrun-buffer-arg] */
7732             memset(td->td_stripbytecount_p + nStripArrayAllocBefore, 0xFF,
7733                    (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) *
7734                        sizeof(uint64_t));
7735         }
7736         else
7737         {
7738             TIFFErrorExtR(tif, module,
7739                           "Cannot allocate strip offset and bytecount arrays");
7740             _TIFFfreeExt(tif, td->td_stripoffset_p);
7741             td->td_stripoffset_p = NULL;
7742             _TIFFfreeExt(tif, td->td_stripbytecount_p);
7743             td->td_stripbytecount_p = NULL;
7744             td->td_stripoffsetbyteallocsize = 0;
7745         }
7746     }
7747     if (*parray == NULL || strile >= td->td_stripoffsetbyteallocsize)
7748         return 0;
7749 
7750     if (~((*parray)[strile]) == 0)
7751     {
7752         if (!_TIFFPartialReadStripArray(tif, dirent, strile, *parray))
7753         {
7754             (*parray)[strile] = 0;
7755             return 0;
7756         }
7757     }
7758 
7759     return 1;
7760 }
7761 
_TIFFGetStrileOffsetOrByteCountValue(TIFF * tif,uint32_t strile,TIFFDirEntry * dirent,uint64_t ** parray,int * pbErr)7762 static uint64_t _TIFFGetStrileOffsetOrByteCountValue(TIFF *tif, uint32_t strile,
7763                                                      TIFFDirEntry *dirent,
7764                                                      uint64_t **parray,
7765                                                      int *pbErr)
7766 {
7767     TIFFDirectory *td = &tif->tif_dir;
7768     if (pbErr)
7769         *pbErr = 0;
7770     if ((tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
7771         !(tif->tif_flags & TIFF_CHOPPEDUPARRAYS))
7772     {
7773         if (!(tif->tif_flags & TIFF_LAZYSTRILELOAD) ||
7774             /* If the values may fit in the toff_long/toff_long8 member */
7775             /* then use _TIFFFillStriles to simplify _TIFFFetchStrileValue */
7776             dirent->tdir_count <= 4)
7777         {
7778             if (!_TIFFFillStriles(tif))
7779             {
7780                 if (pbErr)
7781                     *pbErr = 1;
7782                 /* Do not return, as we want this function to always */
7783                 /* return the same value if called several times with */
7784                 /* the same arguments */
7785             }
7786         }
7787         else
7788         {
7789             if (!_TIFFFetchStrileValue(tif, strile, dirent, parray))
7790             {
7791                 if (pbErr)
7792                     *pbErr = 1;
7793                 return 0;
7794             }
7795         }
7796     }
7797     if (*parray == NULL || strile >= td->td_nstrips)
7798     {
7799         if (pbErr)
7800             *pbErr = 1;
7801         return 0;
7802     }
7803     return (*parray)[strile];
7804 }
7805 
7806 /* Return the value of the TileOffsets/StripOffsets array for the specified
7807  * tile/strile */
TIFFGetStrileOffset(TIFF * tif,uint32_t strile)7808 uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile)
7809 {
7810     return TIFFGetStrileOffsetWithErr(tif, strile, NULL);
7811 }
7812 
7813 /* Return the value of the TileOffsets/StripOffsets array for the specified
7814  * tile/strile */
TIFFGetStrileOffsetWithErr(TIFF * tif,uint32_t strile,int * pbErr)7815 uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr)
7816 {
7817     TIFFDirectory *td = &tif->tif_dir;
7818     return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
7819                                                 &(td->td_stripoffset_entry),
7820                                                 &(td->td_stripoffset_p), pbErr);
7821 }
7822 
7823 /* Return the value of the TileByteCounts/StripByteCounts array for the
7824  * specified tile/strile */
TIFFGetStrileByteCount(TIFF * tif,uint32_t strile)7825 uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
7826 {
7827     return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
7828 }
7829 
7830 /* Return the value of the TileByteCounts/StripByteCounts array for the
7831  * specified tile/strile */
TIFFGetStrileByteCountWithErr(TIFF * tif,uint32_t strile,int * pbErr)7832 uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr)
7833 {
7834     TIFFDirectory *td = &tif->tif_dir;
7835     return _TIFFGetStrileOffsetOrByteCountValue(
7836         tif, strile, &(td->td_stripbytecount_entry), &(td->td_stripbytecount_p),
7837         pbErr);
7838 }
7839 
_TIFFFillStriles(TIFF * tif)7840 int _TIFFFillStriles(TIFF *tif) { return _TIFFFillStrilesInternal(tif, 1); }
7841 
_TIFFFillStrilesInternal(TIFF * tif,int loadStripByteCount)7842 static int _TIFFFillStrilesInternal(TIFF *tif, int loadStripByteCount)
7843 {
7844     register TIFFDirectory *td = &tif->tif_dir;
7845     int return_value = 1;
7846 
7847     /* Do not do anything if TIFF_DEFERSTRILELOAD is not set */
7848     if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) ||
7849         (tif->tif_flags & TIFF_CHOPPEDUPARRAYS) != 0)
7850         return 1;
7851 
7852     if (tif->tif_flags & TIFF_LAZYSTRILELOAD)
7853     {
7854         /* In case of lazy loading, reload completely the arrays */
7855         _TIFFfreeExt(tif, td->td_stripoffset_p);
7856         _TIFFfreeExt(tif, td->td_stripbytecount_p);
7857         td->td_stripoffset_p = NULL;
7858         td->td_stripbytecount_p = NULL;
7859         td->td_stripoffsetbyteallocsize = 0;
7860         tif->tif_flags &= ~TIFF_LAZYSTRILELOAD;
7861     }
7862 
7863     /* If stripoffset array is already loaded, exit with success */
7864     if (td->td_stripoffset_p != NULL)
7865         return 1;
7866 
7867     /* If tdir_count was canceled, then we already got there, but in error */
7868     if (td->td_stripoffset_entry.tdir_count == 0)
7869         return 0;
7870 
7871     if (!TIFFFetchStripThing(tif, &(td->td_stripoffset_entry), td->td_nstrips,
7872                              &td->td_stripoffset_p))
7873     {
7874         return_value = 0;
7875     }
7876 
7877     if (loadStripByteCount &&
7878         !TIFFFetchStripThing(tif, &(td->td_stripbytecount_entry),
7879                              td->td_nstrips, &td->td_stripbytecount_p))
7880     {
7881         return_value = 0;
7882     }
7883 
7884     _TIFFmemset(&(td->td_stripoffset_entry), 0, sizeof(TIFFDirEntry));
7885     _TIFFmemset(&(td->td_stripbytecount_entry), 0, sizeof(TIFFDirEntry));
7886 
7887 #ifdef STRIPBYTECOUNTSORTED_UNUSED
7888     if (tif->tif_dir.td_nstrips > 1 && return_value == 1)
7889     {
7890         uint32_t strip;
7891 
7892         tif->tif_dir.td_stripbytecountsorted = 1;
7893         for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++)
7894         {
7895             if (tif->tif_dir.td_stripoffset_p[strip - 1] >
7896                 tif->tif_dir.td_stripoffset_p[strip])
7897             {
7898                 tif->tif_dir.td_stripbytecountsorted = 0;
7899                 break;
7900             }
7901         }
7902     }
7903 #endif
7904 
7905     return return_value;
7906 }
7907