| diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c |
| index 4b3632ab1..81b849374 100644 |
| --- a/third_party/libtiff/tif_dir.c |
| +++ b/third_party/libtiff/tif_dir.c |
| @@ -862,6 +862,32 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) |
| if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ |
| return 0; |
| |
| + if( tag == TIFFTAG_NUMBEROFINKS ) |
| + { |
| + int i; |
| + for (i = 0; i < td->td_customValueCount; i++) { |
| + uint16 val; |
| + TIFFTagValue *tv = td->td_customValues + i; |
| + if (tv->info->field_tag != tag) |
| + continue; |
| + val = *(uint16 *)tv->value; |
| + /* Truncate to SamplesPerPixel, since the */ |
| + /* setting code for INKNAMES assume that there are SamplesPerPixel */ |
| + /* inknames. */ |
| + /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ |
| + if( val > td->td_samplesperpixel ) |
| + { |
| + TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", |
| + "Truncating NumberOfInks from %u to %u", |
| + val, td->td_samplesperpixel); |
| + val = td->td_samplesperpixel; |
| + } |
| + *va_arg(ap, uint16*) = val; |
| + return 1; |
| + } |
| + return 0; |
| + } |
| + |
| /* |
| * We want to force the custom code to be used for custom |
| * fields even if the tag happens to match a well known |
| diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c |
| index d50b39a80..7dbcf6d86 100644 |
| --- a/third_party/libtiff/tif_dirread.c |
| +++ b/third_party/libtiff/tif_dirread.c |
| @@ -5503,8 +5503,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
| uint64 rowblockbytes; |
| uint64 stripbytes; |
| uint32 strip; |
| - uint64 nstrips64; |
| - uint32 nstrips32; |
| + uint32 nstrips; |
| uint32 rowsperstrip; |
| uint64* newcounts; |
| uint64* newoffsets; |
| @@ -5535,18 +5534,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
| return; |
| |
| /* |
| - * never increase the number of strips in an image |
| + * never increase the number of rows per strip |
| */ |
| if (rowsperstrip >= td->td_rowsperstrip) |
| return; |
| - nstrips64 = TIFFhowmany_64(bytecount, stripbytes); |
| - if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ |
| - return; |
| - nstrips32 = (uint32)nstrips64; |
| + nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); |
| + if( nstrips == 0 ) |
| + return; |
| |
| - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), |
| + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), |
| "for chopped \"StripByteCounts\" array"); |
| - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), |
| + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), |
| "for chopped \"StripOffsets\" array"); |
| if (newcounts == NULL || newoffsets == NULL) { |
| /* |
| @@ -5563,18 +5561,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
| * Fill the strip information arrays with new bytecounts and offsets |
| * that reflect the broken-up format. |
| */ |
| - for (strip = 0; strip < nstrips32; strip++) { |
| + for (strip = 0; strip < nstrips; strip++) { |
| if (stripbytes > bytecount) |
| stripbytes = bytecount; |
| newcounts[strip] = stripbytes; |
| - newoffsets[strip] = offset; |
| + newoffsets[strip] = stripbytes ? offset : 0; |
| offset += stripbytes; |
| bytecount -= stripbytes; |
| } |
| /* |
| * Replace old single strip info with multi-strip info. |
| */ |
| - td->td_stripsperimage = td->td_nstrips = nstrips32; |
| + td->td_stripsperimage = td->td_nstrips = nstrips; |
| TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); |
| |
| _TIFFfree(td->td_stripbytecount); |
| diff --git a/third_party/libtiff/tif_luv.c b/third_party/libtiff/tif_luv.c |
| index ca08f30a7..220c15034 100644 |
| --- a/third_party/libtiff/tif_luv.c |
| +++ b/third_party/libtiff/tif_luv.c |
| @@ -158,6 +158,7 @@ |
| typedef struct logLuvState LogLuvState; |
| |
| struct logLuvState { |
| + int encoder_state; /* 1 if encoder correctly initialized */ |
| int user_datafmt; /* user data format */ |
| int encode_meth; /* encoding method */ |
| int pixel_size; /* bytes per pixel */ |
| @@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif) |
| td->td_photometric, "must be either LogLUV or LogL"); |
| break; |
| } |
| + sp->encoder_state = 1; |
| return (1); |
| notsupported: |
| TIFFErrorExt(tif->tif_clientdata, module, |
| @@ -1563,19 +1565,27 @@ notsupported: |
| static void |
| LogLuvClose(TIFF* tif) |
| { |
| + LogLuvState* sp = (LogLuvState*) tif->tif_data; |
| TIFFDirectory *td = &tif->tif_dir; |
| |
| + assert(sp != 0); |
| /* |
| * For consistency, we always want to write out the same |
| * bitspersample and sampleformat for our TIFF file, |
| * regardless of the data format being used by the application. |
| * Since this routine is called after tags have been set but |
| * before they have been recorded in the file, we reset them here. |
| + * Note: this is really a nasty approach. See PixarLogClose |
| */ |
| - td->td_samplesperpixel = |
| - (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; |
| - td->td_bitspersample = 16; |
| - td->td_sampleformat = SAMPLEFORMAT_INT; |
| + if( sp->encoder_state ) |
| + { |
| + /* See PixarLogClose. Might avoid issues with tags whose size depends |
| + * on those below, but not completely sure this is enough. */ |
| + td->td_samplesperpixel = |
| + (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; |
| + td->td_bitspersample = 16; |
| + td->td_sampleformat = SAMPLEFORMAT_INT; |
| + } |
| } |
| |
| static void |
| diff --git a/third_party/libtiff/tif_ojpeg.c b/third_party/libtiff/tif_ojpeg.c |
| index e128887bf..cb84be96b 100644 |
| --- a/third_party/libtiff/tif_ojpeg.c |
| +++ b/third_party/libtiff/tif_ojpeg.c |
| @@ -253,6 +253,7 @@ typedef enum { |
| |
| typedef struct { |
| TIFF* tif; |
| + int decoder_ok; |
| #ifndef LIBJPEG_ENCAP_EXTERNAL |
| JMP_BUF exit_jmpbuf; |
| #endif |
| @@ -731,6 +732,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) |
| } |
| sp->write_curstrile++; |
| } |
| + sp->decoder_ok = 1; |
| return(1); |
| } |
| |
| @@ -793,8 +795,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) |
| static int |
| OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) |
| { |
| + static const char module[]="OJPEGDecode"; |
| OJPEGState* sp=(OJPEGState*)tif->tif_data; |
| (void)s; |
| + if( !sp->decoder_ok ) |
| + { |
| + TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); |
| + return 0; |
| + } |
| if (sp->libjpeg_jpeg_query_style==0) |
| { |
| if (OJPEGDecodeRaw(tif,buf,cc)==0) |
| diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c |
| index 8f6ca8f63..e6574ec3d 100644 |
| --- a/third_party/libtiff/tif_pixarlog.c |
| +++ b/third_party/libtiff/tif_pixarlog.c |
| @@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif) |
| static void |
| PixarLogClose(TIFF* tif) |
| { |
| + PixarLogState* sp = (PixarLogState*) tif->tif_data; |
| TIFFDirectory *td = &tif->tif_dir; |
| |
| + assert(sp != 0); |
| /* In a really sneaky (and really incorrect, and untruthful, and |
| * troublesome, and error-prone) maneuver that completely goes against |
| * the spirit of TIFF, and breaks TIFF, on close, we covertly |
| @@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif) |
| * readers that don't know about PixarLog, or how to set |
| * the PIXARLOGDATFMT pseudo-tag. |
| */ |
| - td->td_bitspersample = 8; |
| - td->td_sampleformat = SAMPLEFORMAT_UINT; |
| + |
| + if (sp->state&PLSTATE_INIT) { |
| + /* We test the state to avoid an issue such as in |
| + * http://bugzilla.maptools.org/show_bug.cgi?id=2604 |
| + * What appends in that case is that the bitspersample is 1 and |
| + * a TransferFunction is set. The size of the TransferFunction |
| + * depends on 1<<bitspersample. So if we increase it, an access |
| + * out of the buffer will happen at directory flushing. |
| + * Another option would be to clear those targs. |
| + */ |
| + td->td_bitspersample = 8; |
| + td->td_sampleformat = SAMPLEFORMAT_UINT; |
| + } |
| } |
| |
| static void |
| diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c |
| index 795153bbf..1ba100e54 100644 |
| --- a/third_party/libtiff/tif_read.c |
| +++ b/third_party/libtiff/tif_read.c |
| @@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) |
| rowsperstrip=td->td_rowsperstrip; |
| if (rowsperstrip>td->td_imagelength) |
| rowsperstrip=td->td_imagelength; |
| - stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); |
| + stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); |
| stripinplane=(strip%stripsperplane); |
| plane=(uint16)(strip/stripsperplane); |
| rows=td->td_imagelength-stripinplane*rowsperstrip; |
| diff --git a/third_party/libtiff/tif_strip.c b/third_party/libtiff/tif_strip.c |
| index b6098dd31..3b55285cd 100644 |
| --- a/third_party/libtiff/tif_strip.c |
| +++ b/third_party/libtiff/tif_strip.c |
| @@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) |
| TIFFDirectory *td = &tif->tif_dir; |
| uint32 nstrips; |
| |
| - /* If the value was already computed and store in td_nstrips, then return it, |
| - since ChopUpSingleUncompressedStrip might have altered and resized the |
| - since the td_stripbytecount and td_stripoffset arrays to the new value |
| - after the initial affectation of td_nstrips = TIFFNumberOfStrips() in |
| - tif_dirread.c ~line 3612. |
| - See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ |
| - if( td->td_nstrips ) |
| - return td->td_nstrips; |
| - |
| nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : |
| TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); |
| if (td->td_planarconfig == PLANARCONFIG_SEPARATE) |
| diff --git a/third_party/libtiff/tiffiop.h b/third_party/libtiff/tiffiop.h |
| index b6db1e932..1925a6b5e 100644 |
| --- a/third_party/libtiff/tiffiop.h |
| +++ b/third_party/libtiff/tiffiop.h |
| @@ -249,6 +249,10 @@ struct tiff { |
| #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ |
| ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ |
| 0U) |
| +/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ |
| +/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ |
| +#define TIFFhowmany_32_maxuint_compat(x, y) \ |
| + (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) |
| #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) |
| #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) |
| #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) |