175 lines
7.9 KiB
Diff
175 lines
7.9 KiB
Diff
From 7160a3d1a81ba2feaee3a8c0aea10eb9efb74ab9 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
|
Date: Tue, 14 Mar 2023 18:40:04 +0100
|
|
Subject: [PATCH] Merge branch
|
|
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
|
|
|
|
tiffcrop correctly update buffersize after rotateImage() fix#520
|
|
|
|
Closes #520
|
|
|
|
See merge request libtiff/libtiff!467
|
|
|
|
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
|
|
---
|
|
tools/tiffcrop.c | 66 +++++++++++++++++++++++++++++++++++++-----------
|
|
1 file changed, 51 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
index 2c0ebf4b..e183e849 100644
|
|
--- a/tools/tiffcrop.c
|
|
+++ b/tools/tiffcrop.c
|
|
@@ -526,7 +526,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
|
|
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
|
|
uint32_t, uint32_t, uint8_t *, uint8_t *);
|
|
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
|
|
- unsigned char **);
|
|
+ unsigned char **, size_t *);
|
|
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
|
|
unsigned char *);
|
|
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
|
|
@@ -6557,7 +6557,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
|
|
return (-1);
|
|
}
|
|
|
|
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
|
|
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
|
|
{
|
|
TIFFError ("correct_orientation", "Unable to rotate image");
|
|
return (-1);
|
|
@@ -7781,16 +7781,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
|
|
|
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
|
{
|
|
+ /* rotateImage() set up a new buffer and calculates its size
|
|
+ * individually. Therefore, seg_buffs size needs to be updated
|
|
+ * accordingly. */
|
|
+ size_t rot_buf_size = 0;
|
|
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
|
- &crop->combined_length, &crop_buff))
|
|
+ &crop->combined_length, &crop_buff, &rot_buf_size))
|
|
{
|
|
TIFFError("processCropSelections",
|
|
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
|
|
return (-1);
|
|
}
|
|
seg_buffs[0].buffer = crop_buff;
|
|
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
|
|
- * image->spp) * crop->combined_length;
|
|
+ seg_buffs[0].size = rot_buf_size;
|
|
}
|
|
}
|
|
else /* Separated Images */
|
|
@@ -7890,9 +7893,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
|
{
|
|
/* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
|
|
* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
|
|
- */
|
|
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
|
|
- &crop->regionlist[i].length, &crop_buff))
|
|
+ * Furthermore, rotateImage() set up a new buffer and calculates
|
|
+ * its size individually. Therefore, seg_buffs size needs to be
|
|
+ * updated accordingly. */
|
|
+ size_t rot_buf_size = 0;
|
|
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
|
|
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
|
|
{
|
|
TIFFError("processCropSelections",
|
|
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
|
|
@@ -7903,8 +7909,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
|
crop->combined_width = total_width;
|
|
crop->combined_length = total_length;
|
|
seg_buffs[i].buffer = crop_buff;
|
|
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
|
|
- * image->spp) * crop->regionlist[i].length;
|
|
+ seg_buffs[i].size = rot_buf_size;
|
|
}
|
|
} /* for crop->selections loop */
|
|
} /* Separated Images (else case) */
|
|
@@ -8024,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
|
|
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
|
{
|
|
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
|
- &crop->combined_length, crop_buff_ptr))
|
|
+ &crop->combined_length, crop_buff_ptr, NULL))
|
|
{
|
|
TIFFError("createCroppedImage",
|
|
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
|
|
@@ -8687,13 +8692,14 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
|
|
/* Rotate an image by a multiple of 90 degrees clockwise */
|
|
static int
|
|
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
|
|
- uint32_t *img_length, unsigned char **ibuff_ptr)
|
|
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
|
|
{
|
|
int shift_width;
|
|
uint32_t bytes_per_pixel, bytes_per_sample;
|
|
uint32_t row, rowsize, src_offset, dst_offset;
|
|
uint32_t i, col, width, length;
|
|
- uint32_t colsize, buffsize, col_offset, pix_offset;
|
|
+ uint32_t colsize, col_offset, pix_offset;
|
|
+ tmsize_t buffsize;
|
|
unsigned char *ibuff;
|
|
unsigned char *src;
|
|
unsigned char *dst;
|
|
@@ -8706,12 +8712,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
|
|
spp = image->spp;
|
|
bps = image->bps;
|
|
|
|
+ if ((spp != 0 && bps != 0 &&
|
|
+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
|
|
+ (spp != 0 && bps != 0 &&
|
|
+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
|
|
+ {
|
|
+ TIFFError("rotateImage", "Integer overflow detected.");
|
|
+ return (-1);
|
|
+ }
|
|
rowsize = ((bps * spp * width) + 7) / 8;
|
|
colsize = ((bps * spp * length) + 7) / 8;
|
|
if ((colsize * width) > (rowsize * length))
|
|
- buffsize = (colsize + 1) * width;
|
|
+ {
|
|
+ if (((tmsize_t)colsize + 1) != 0 &&
|
|
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
|
|
+ ((tmsize_t)colsize + 1)))
|
|
+ {
|
|
+ TIFFError("rotateImage",
|
|
+ "Integer overflow when calculating buffer size.");
|
|
+ return (-1);
|
|
+ }
|
|
+ buffsize = ((tmsize_t)colsize + 1) * width;
|
|
+ }
|
|
else
|
|
+ {
|
|
+ if (((tmsize_t)rowsize + 1) != 0 &&
|
|
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
|
|
+ ((tmsize_t)rowsize + 1)))
|
|
+ {
|
|
+ TIFFError("rotateImage",
|
|
+ "Integer overflow when calculating buffer size.");
|
|
+ return (-1);
|
|
+ }
|
|
buffsize = (rowsize + 1) * length;
|
|
+ }
|
|
|
|
bytes_per_sample = (bps + 7) / 8;
|
|
bytes_per_pixel = ((bps * spp) + 7) / 8;
|
|
@@ -8734,7 +8768,7 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
|
|
/* Add 3 padding bytes for extractContigSamplesShifted32bits */
|
|
if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
|
|
{
|
|
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT " bytes ", buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
return (-1);
|
|
}
|
|
_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
@@ -8764,6 +8798,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
|
|
for (row = 0; row < length; row++)
|
|
{
|
|
src_offset = row * rowsize;
|
|
+ if (rot_buf_size != NULL)
|
|
+ *rot_buf_size = buffsize;
|
|
dst_offset = (length - row - 1) * rowsize;
|
|
src = ibuff + src_offset;
|
|
dst = rbuff + dst_offset;
|