Coverage Report

Created: 2025-06-10 07:27

/src/ghostpdl/tiff/libtiff/tif_dirread.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 1988-1997 Sam Leffler
3
 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4
 *
5
 * Permission to use, copy, modify, distribute, and sell this software and
6
 * its documentation for any purpose is hereby granted without fee, provided
7
 * that (i) the above copyright notices and this permission notice appear in
8
 * all copies of the software and related documentation, and (ii) the names of
9
 * Sam Leffler and Silicon Graphics may not be used in any advertising or
10
 * publicity relating to the software without the specific, prior written
11
 * permission of Sam Leffler and Silicon Graphics.
12
 *
13
 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14
 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15
 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16
 *
17
 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18
 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19
 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20
 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21
 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22
 * OF THIS SOFTWARE.
23
 */
24
25
/*
26
 * TIFF Library.
27
 *
28
 * Directory Read Support Routines.
29
 */
30
31
/* Suggested pending improvements:
32
 * - add a field 'field_info' to the TIFFDirEntry structure, and set that with
33
 *   the pointer to the appropriate TIFFField structure early on in
34
 *   TIFFReadDirectory, so as to eliminate current possibly repetitive lookup.
35
 */
36
37
#include "tiffconf.h"
38
#include "tiffiop.h"
39
#include <float.h>
40
#include <limits.h>
41
#include <stdlib.h>
42
#include <string.h>
43
44
0
#define FAILED_FII ((uint32_t)-1)
45
46
#ifdef HAVE_IEEEFP
47
#define TIFFCvtIEEEFloatToNative(tif, n, fp)
48
#define TIFFCvtIEEEDoubleToNative(tif, n, dp)
49
#else
50
extern void TIFFCvtIEEEFloatToNative(TIFF *, uint32_t, float *);
51
extern void TIFFCvtIEEEDoubleToNative(TIFF *, uint32_t, double *);
52
#endif
53
54
enum TIFFReadDirEntryErr
55
{
56
    TIFFReadDirEntryErrOk = 0,
57
    TIFFReadDirEntryErrCount = 1,
58
    TIFFReadDirEntryErrType = 2,
59
    TIFFReadDirEntryErrIo = 3,
60
    TIFFReadDirEntryErrRange = 4,
61
    TIFFReadDirEntryErrPsdif = 5,
62
    TIFFReadDirEntryErrSizesan = 6,
63
    TIFFReadDirEntryErrAlloc = 7,
64
};
65
66
static enum TIFFReadDirEntryErr
67
TIFFReadDirEntryByte(TIFF *tif, TIFFDirEntry *direntry, uint8_t *value);
68
static enum TIFFReadDirEntryErr
69
TIFFReadDirEntrySbyte(TIFF *tif, TIFFDirEntry *direntry, int8_t *value);
70
static enum TIFFReadDirEntryErr
71
TIFFReadDirEntryShort(TIFF *tif, TIFFDirEntry *direntry, uint16_t *value);
72
static enum TIFFReadDirEntryErr
73
TIFFReadDirEntrySshort(TIFF *tif, TIFFDirEntry *direntry, int16_t *value);
74
static enum TIFFReadDirEntryErr
75
TIFFReadDirEntryLong(TIFF *tif, TIFFDirEntry *direntry, uint32_t *value);
76
static enum TIFFReadDirEntryErr
77
TIFFReadDirEntrySlong(TIFF *tif, TIFFDirEntry *direntry, int32_t *value);
78
static enum TIFFReadDirEntryErr
79
TIFFReadDirEntryLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value);
80
static enum TIFFReadDirEntryErr
81
TIFFReadDirEntrySlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value);
82
static enum TIFFReadDirEntryErr
83
TIFFReadDirEntryFloat(TIFF *tif, TIFFDirEntry *direntry, float *value);
84
static enum TIFFReadDirEntryErr
85
TIFFReadDirEntryDouble(TIFF *tif, TIFFDirEntry *direntry, double *value);
86
static enum TIFFReadDirEntryErr
87
TIFFReadDirEntryIfd8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value);
88
89
static enum TIFFReadDirEntryErr
90
TIFFReadDirEntryArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t *count,
91
                      uint32_t desttypesize, void **value);
92
static enum TIFFReadDirEntryErr
93
TIFFReadDirEntryByteArray(TIFF *tif, TIFFDirEntry *direntry, uint8_t **value);
94
static enum TIFFReadDirEntryErr
95
TIFFReadDirEntrySbyteArray(TIFF *tif, TIFFDirEntry *direntry, int8_t **value);
96
static enum TIFFReadDirEntryErr
97
TIFFReadDirEntryShortArray(TIFF *tif, TIFFDirEntry *direntry, uint16_t **value);
98
static enum TIFFReadDirEntryErr
99
TIFFReadDirEntrySshortArray(TIFF *tif, TIFFDirEntry *direntry, int16_t **value);
100
static enum TIFFReadDirEntryErr
101
TIFFReadDirEntryLongArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t **value);
102
static enum TIFFReadDirEntryErr
103
TIFFReadDirEntrySlongArray(TIFF *tif, TIFFDirEntry *direntry, int32_t **value);
104
static enum TIFFReadDirEntryErr
105
TIFFReadDirEntryLong8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value);
106
static enum TIFFReadDirEntryErr
107
TIFFReadDirEntrySlong8Array(TIFF *tif, TIFFDirEntry *direntry, int64_t **value);
108
static enum TIFFReadDirEntryErr
109
TIFFReadDirEntryFloatArray(TIFF *tif, TIFFDirEntry *direntry, float **value);
110
static enum TIFFReadDirEntryErr
111
TIFFReadDirEntryDoubleArray(TIFF *tif, TIFFDirEntry *direntry, double **value);
112
static enum TIFFReadDirEntryErr
113
TIFFReadDirEntryIfd8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value);
114
115
static enum TIFFReadDirEntryErr
116
TIFFReadDirEntryPersampleShort(TIFF *tif, TIFFDirEntry *direntry,
117
                               uint16_t *value);
118
119
static void TIFFReadDirEntryCheckedByte(TIFF *tif, TIFFDirEntry *direntry,
120
                                        uint8_t *value);
121
static void TIFFReadDirEntryCheckedSbyte(TIFF *tif, TIFFDirEntry *direntry,
122
                                         int8_t *value);
123
static void TIFFReadDirEntryCheckedShort(TIFF *tif, TIFFDirEntry *direntry,
124
                                         uint16_t *value);
125
static void TIFFReadDirEntryCheckedSshort(TIFF *tif, TIFFDirEntry *direntry,
126
                                          int16_t *value);
127
static void TIFFReadDirEntryCheckedLong(TIFF *tif, TIFFDirEntry *direntry,
128
                                        uint32_t *value);
129
static void TIFFReadDirEntryCheckedSlong(TIFF *tif, TIFFDirEntry *direntry,
130
                                         int32_t *value);
131
static enum TIFFReadDirEntryErr
132
TIFFReadDirEntryCheckedLong8(TIFF *tif, TIFFDirEntry *direntry,
133
                             uint64_t *value);
134
static enum TIFFReadDirEntryErr
135
TIFFReadDirEntryCheckedSlong8(TIFF *tif, TIFFDirEntry *direntry,
136
                              int64_t *value);
137
static enum TIFFReadDirEntryErr
138
TIFFReadDirEntryCheckedRational(TIFF *tif, TIFFDirEntry *direntry,
139
                                double *value);
140
static enum TIFFReadDirEntryErr
141
TIFFReadDirEntryCheckedSrational(TIFF *tif, TIFFDirEntry *direntry,
142
                                 double *value);
143
static void TIFFReadDirEntryCheckedFloat(TIFF *tif, TIFFDirEntry *direntry,
144
                                         float *value);
145
static enum TIFFReadDirEntryErr
146
TIFFReadDirEntryCheckedDouble(TIFF *tif, TIFFDirEntry *direntry, double *value);
147
#if 0
148
static enum TIFFReadDirEntryErr
149
TIFFReadDirEntryCheckedRationalDirect(TIFF *tif, TIFFDirEntry *direntry,
150
                                      TIFFRational_t *value);
151
#endif
152
static enum TIFFReadDirEntryErr
153
TIFFReadDirEntryCheckRangeByteSbyte(int8_t value);
154
static enum TIFFReadDirEntryErr
155
TIFFReadDirEntryCheckRangeByteShort(uint16_t value);
156
static enum TIFFReadDirEntryErr
157
TIFFReadDirEntryCheckRangeByteSshort(int16_t value);
158
static enum TIFFReadDirEntryErr
159
TIFFReadDirEntryCheckRangeByteLong(uint32_t value);
160
static enum TIFFReadDirEntryErr
161
TIFFReadDirEntryCheckRangeByteSlong(int32_t value);
162
static enum TIFFReadDirEntryErr
163
TIFFReadDirEntryCheckRangeByteLong8(uint64_t value);
164
static enum TIFFReadDirEntryErr
165
TIFFReadDirEntryCheckRangeByteSlong8(int64_t value);
166
167
static enum TIFFReadDirEntryErr
168
TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value);
169
static enum TIFFReadDirEntryErr
170
TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value);
171
static enum TIFFReadDirEntryErr
172
TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value);
173
static enum TIFFReadDirEntryErr
174
TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value);
175
static enum TIFFReadDirEntryErr
176
TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value);
177
static enum TIFFReadDirEntryErr
178
TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value);
179
static enum TIFFReadDirEntryErr
180
TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value);
181
182
static enum TIFFReadDirEntryErr
183
TIFFReadDirEntryCheckRangeShortSbyte(int8_t value);
184
static enum TIFFReadDirEntryErr
185
TIFFReadDirEntryCheckRangeShortSshort(int16_t value);
186
static enum TIFFReadDirEntryErr
187
TIFFReadDirEntryCheckRangeShortLong(uint32_t value);
188
static enum TIFFReadDirEntryErr
189
TIFFReadDirEntryCheckRangeShortSlong(int32_t value);
190
static enum TIFFReadDirEntryErr
191
TIFFReadDirEntryCheckRangeShortLong8(uint64_t value);
192
static enum TIFFReadDirEntryErr
193
TIFFReadDirEntryCheckRangeShortSlong8(int64_t value);
194
195
static enum TIFFReadDirEntryErr
196
TIFFReadDirEntryCheckRangeSshortShort(uint16_t value);
197
static enum TIFFReadDirEntryErr
198
TIFFReadDirEntryCheckRangeSshortLong(uint32_t value);
199
static enum TIFFReadDirEntryErr
200
TIFFReadDirEntryCheckRangeSshortSlong(int32_t value);
201
static enum TIFFReadDirEntryErr
202
TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value);
203
static enum TIFFReadDirEntryErr
204
TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value);
205
206
static enum TIFFReadDirEntryErr
207
TIFFReadDirEntryCheckRangeLongSbyte(int8_t value);
208
static enum TIFFReadDirEntryErr
209
TIFFReadDirEntryCheckRangeLongSshort(int16_t value);
210
static enum TIFFReadDirEntryErr
211
TIFFReadDirEntryCheckRangeLongSlong(int32_t value);
212
static enum TIFFReadDirEntryErr
213
TIFFReadDirEntryCheckRangeLongLong8(uint64_t value);
214
static enum TIFFReadDirEntryErr
215
TIFFReadDirEntryCheckRangeLongSlong8(int64_t value);
216
217
static enum TIFFReadDirEntryErr
218
TIFFReadDirEntryCheckRangeSlongLong(uint32_t value);
219
static enum TIFFReadDirEntryErr
220
TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value);
221
static enum TIFFReadDirEntryErr
222
TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value);
223
224
static enum TIFFReadDirEntryErr
225
TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value);
226
static enum TIFFReadDirEntryErr
227
TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value);
228
static enum TIFFReadDirEntryErr
229
TIFFReadDirEntryCheckRangeLong8Slong(int32_t value);
230
static enum TIFFReadDirEntryErr
231
TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value);
232
233
static enum TIFFReadDirEntryErr
234
TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value);
235
236
static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF *tif, uint64_t offset,
237
                                                     tmsize_t size, void *dest);
238
static void TIFFReadDirEntryOutputErr(TIFF *tif, enum TIFFReadDirEntryErr err,
239
                                      const char *module, const char *tagname,
240
                                      int recover);
241
242
static void TIFFReadDirectoryCheckOrder(TIFF *tif, TIFFDirEntry *dir,
243
                                        uint16_t dircount);
244
static TIFFDirEntry *TIFFReadDirectoryFindEntry(TIFF *tif, TIFFDirEntry *dir,
245
                                                uint16_t dircount,
246
                                                uint16_t tagid);
247
static void TIFFReadDirectoryFindFieldInfo(TIFF *tif, uint16_t tagid,
248
                                           uint32_t *fii);
249
250
static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
251
                                   uint16_t dircount);
252
static void MissingRequired(TIFF *, const char *);
253
static int CheckDirCount(TIFF *, TIFFDirEntry *, uint32_t);
254
static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
255
                                   TIFFDirEntry **pdir, uint64_t *nextdiroff);
256
static int TIFFFetchNormalTag(TIFF *, TIFFDirEntry *, int recover);
257
static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
258
                               uint64_t **lpp);
259
static int TIFFFetchSubjectDistance(TIFF *, TIFFDirEntry *);
260
static void ChopUpSingleUncompressedStrip(TIFF *);
261
static void TryChopUpUncompressedBigTiff(TIFF *);
262
static uint64_t TIFFReadUInt64(const uint8_t *value);
263
static int _TIFFGetMaxColorChannels(uint16_t photometric);
264
265
static int _TIFFFillStrilesInternal(TIFF *tif, int loadStripByteCount);
266
267
typedef union _UInt64Aligned_t
268
{
269
    double d;
270
    uint64_t l;
271
    uint32_t i[2];
272
    uint16_t s[4];
273
    uint8_t c[8];
274
} UInt64Aligned_t;
275
276
/*
277
  Unaligned safe copy of a uint64_t value from an octet array.
278
*/
279
static uint64_t TIFFReadUInt64(const uint8_t *value)
280
0
{
281
0
    UInt64Aligned_t result;
282
283
0
    result.c[0] = value[0];
284
0
    result.c[1] = value[1];
285
0
    result.c[2] = value[2];
286
0
    result.c[3] = value[3];
287
0
    result.c[4] = value[4];
288
0
    result.c[5] = value[5];
289
0
    result.c[6] = value[6];
290
0
    result.c[7] = value[7];
291
292
0
    return result.l;
293
0
}
294
295
static enum TIFFReadDirEntryErr
296
TIFFReadDirEntryByte(TIFF *tif, TIFFDirEntry *direntry, uint8_t *value)
297
0
{
298
0
    enum TIFFReadDirEntryErr err;
299
0
    if (direntry->tdir_count != 1)
300
0
        return (TIFFReadDirEntryErrCount);
301
0
    switch (direntry->tdir_type)
302
0
    {
303
0
        case TIFF_BYTE:
304
0
        case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with
305
                                field_readcount==1 */
306
0
            TIFFReadDirEntryCheckedByte(tif, direntry, value);
307
0
            return (TIFFReadDirEntryErrOk);
308
0
        case TIFF_SBYTE:
309
0
        {
310
0
            int8_t m;
311
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
312
0
            err = TIFFReadDirEntryCheckRangeByteSbyte(m);
313
0
            if (err != TIFFReadDirEntryErrOk)
314
0
                return (err);
315
0
            *value = (uint8_t)m;
316
0
            return (TIFFReadDirEntryErrOk);
317
0
        }
318
0
        case TIFF_SHORT:
319
0
        {
320
0
            uint16_t m;
321
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
322
0
            err = TIFFReadDirEntryCheckRangeByteShort(m);
323
0
            if (err != TIFFReadDirEntryErrOk)
324
0
                return (err);
325
0
            *value = (uint8_t)m;
326
0
            return (TIFFReadDirEntryErrOk);
327
0
        }
328
0
        case TIFF_SSHORT:
329
0
        {
330
0
            int16_t m;
331
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
332
0
            err = TIFFReadDirEntryCheckRangeByteSshort(m);
333
0
            if (err != TIFFReadDirEntryErrOk)
334
0
                return (err);
335
0
            *value = (uint8_t)m;
336
0
            return (TIFFReadDirEntryErrOk);
337
0
        }
338
0
        case TIFF_LONG:
339
0
        {
340
0
            uint32_t m;
341
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
342
0
            err = TIFFReadDirEntryCheckRangeByteLong(m);
343
0
            if (err != TIFFReadDirEntryErrOk)
344
0
                return (err);
345
0
            *value = (uint8_t)m;
346
0
            return (TIFFReadDirEntryErrOk);
347
0
        }
348
0
        case TIFF_SLONG:
349
0
        {
350
0
            int32_t m;
351
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
352
0
            err = TIFFReadDirEntryCheckRangeByteSlong(m);
353
0
            if (err != TIFFReadDirEntryErrOk)
354
0
                return (err);
355
0
            *value = (uint8_t)m;
356
0
            return (TIFFReadDirEntryErrOk);
357
0
        }
358
0
        case TIFF_LONG8:
359
0
        {
360
0
            uint64_t m;
361
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
362
0
            if (err != TIFFReadDirEntryErrOk)
363
0
                return (err);
364
0
            err = TIFFReadDirEntryCheckRangeByteLong8(m);
365
0
            if (err != TIFFReadDirEntryErrOk)
366
0
                return (err);
367
0
            *value = (uint8_t)m;
368
0
            return (TIFFReadDirEntryErrOk);
369
0
        }
370
0
        case TIFF_SLONG8:
371
0
        {
372
0
            int64_t m;
373
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
374
0
            if (err != TIFFReadDirEntryErrOk)
375
0
                return (err);
376
0
            err = TIFFReadDirEntryCheckRangeByteSlong8(m);
377
0
            if (err != TIFFReadDirEntryErrOk)
378
0
                return (err);
379
0
            *value = (uint8_t)m;
380
0
            return (TIFFReadDirEntryErrOk);
381
0
        }
382
0
        default:
383
0
            return (TIFFReadDirEntryErrType);
384
0
    }
385
0
}
386
387
static enum TIFFReadDirEntryErr
388
TIFFReadDirEntrySbyte(TIFF *tif, TIFFDirEntry *direntry, int8_t *value)
389
0
{
390
0
    enum TIFFReadDirEntryErr err;
391
0
    if (direntry->tdir_count != 1)
392
0
        return (TIFFReadDirEntryErrCount);
393
0
    switch (direntry->tdir_type)
394
0
    {
395
0
        case TIFF_BYTE:
396
0
        case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with
397
                                field_readcount==1 */
398
0
        {
399
0
            uint8_t m;
400
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
401
0
            err = TIFFReadDirEntryCheckRangeSbyteByte(m);
402
0
            if (err != TIFFReadDirEntryErrOk)
403
0
                return (err);
404
0
            *value = (int8_t)m;
405
0
            return (TIFFReadDirEntryErrOk);
406
0
        }
407
0
        case TIFF_SBYTE:
408
0
        {
409
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, value);
410
0
            return (TIFFReadDirEntryErrOk);
411
0
        }
412
0
        case TIFF_SHORT:
413
0
        {
414
0
            uint16_t m;
415
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
416
0
            err = TIFFReadDirEntryCheckRangeSbyteShort(m);
417
0
            if (err != TIFFReadDirEntryErrOk)
418
0
                return (err);
419
0
            *value = (int8_t)m;
420
0
            return (TIFFReadDirEntryErrOk);
421
0
        }
422
0
        case TIFF_SSHORT:
423
0
        {
424
0
            int16_t m;
425
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
426
0
            err = TIFFReadDirEntryCheckRangeSbyteSshort(m);
427
0
            if (err != TIFFReadDirEntryErrOk)
428
0
                return (err);
429
0
            *value = (int8_t)m;
430
0
            return (TIFFReadDirEntryErrOk);
431
0
        }
432
0
        case TIFF_LONG:
433
0
        {
434
0
            uint32_t m;
435
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
436
0
            err = TIFFReadDirEntryCheckRangeSbyteLong(m);
437
0
            if (err != TIFFReadDirEntryErrOk)
438
0
                return (err);
439
0
            *value = (int8_t)m;
440
0
            return (TIFFReadDirEntryErrOk);
441
0
        }
442
0
        case TIFF_SLONG:
443
0
        {
444
0
            int32_t m;
445
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
446
0
            err = TIFFReadDirEntryCheckRangeSbyteSlong(m);
447
0
            if (err != TIFFReadDirEntryErrOk)
448
0
                return (err);
449
0
            *value = (int8_t)m;
450
0
            return (TIFFReadDirEntryErrOk);
451
0
        }
452
0
        case TIFF_LONG8:
453
0
        {
454
0
            uint64_t m;
455
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
456
0
            if (err != TIFFReadDirEntryErrOk)
457
0
                return (err);
458
0
            err = TIFFReadDirEntryCheckRangeSbyteLong8(m);
459
0
            if (err != TIFFReadDirEntryErrOk)
460
0
                return (err);
461
0
            *value = (int8_t)m;
462
0
            return (TIFFReadDirEntryErrOk);
463
0
        }
464
0
        case TIFF_SLONG8:
465
0
        {
466
0
            int64_t m;
467
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
468
0
            if (err != TIFFReadDirEntryErrOk)
469
0
                return (err);
470
0
            err = TIFFReadDirEntryCheckRangeSbyteSlong8(m);
471
0
            if (err != TIFFReadDirEntryErrOk)
472
0
                return (err);
473
0
            *value = (int8_t)m;
474
0
            return (TIFFReadDirEntryErrOk);
475
0
        }
476
0
        default:
477
0
            return (TIFFReadDirEntryErrType);
478
0
    }
479
0
} /*-- TIFFReadDirEntrySbyte() --*/
480
481
static enum TIFFReadDirEntryErr
482
TIFFReadDirEntryShort(TIFF *tif, TIFFDirEntry *direntry, uint16_t *value)
483
0
{
484
0
    enum TIFFReadDirEntryErr err;
485
0
    if (direntry->tdir_count != 1)
486
0
        return (TIFFReadDirEntryErrCount);
487
0
    switch (direntry->tdir_type)
488
0
    {
489
0
        case TIFF_BYTE:
490
0
        {
491
0
            uint8_t m;
492
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
493
0
            *value = (uint16_t)m;
494
0
            return (TIFFReadDirEntryErrOk);
495
0
        }
496
0
        case TIFF_SBYTE:
497
0
        {
498
0
            int8_t m;
499
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
500
0
            err = TIFFReadDirEntryCheckRangeShortSbyte(m);
501
0
            if (err != TIFFReadDirEntryErrOk)
502
0
                return (err);
503
0
            *value = (uint16_t)m;
504
0
            return (TIFFReadDirEntryErrOk);
505
0
        }
506
0
        case TIFF_SHORT:
507
0
            TIFFReadDirEntryCheckedShort(tif, direntry, value);
508
0
            return (TIFFReadDirEntryErrOk);
509
0
        case TIFF_SSHORT:
510
0
        {
511
0
            int16_t m;
512
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
513
0
            err = TIFFReadDirEntryCheckRangeShortSshort(m);
514
0
            if (err != TIFFReadDirEntryErrOk)
515
0
                return (err);
516
0
            *value = (uint16_t)m;
517
0
            return (TIFFReadDirEntryErrOk);
518
0
        }
519
0
        case TIFF_LONG:
520
0
        {
521
0
            uint32_t m;
522
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
523
0
            err = TIFFReadDirEntryCheckRangeShortLong(m);
524
0
            if (err != TIFFReadDirEntryErrOk)
525
0
                return (err);
526
0
            *value = (uint16_t)m;
527
0
            return (TIFFReadDirEntryErrOk);
528
0
        }
529
0
        case TIFF_SLONG:
530
0
        {
531
0
            int32_t m;
532
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
533
0
            err = TIFFReadDirEntryCheckRangeShortSlong(m);
534
0
            if (err != TIFFReadDirEntryErrOk)
535
0
                return (err);
536
0
            *value = (uint16_t)m;
537
0
            return (TIFFReadDirEntryErrOk);
538
0
        }
539
0
        case TIFF_LONG8:
540
0
        {
541
0
            uint64_t m;
542
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
543
0
            if (err != TIFFReadDirEntryErrOk)
544
0
                return (err);
545
0
            err = TIFFReadDirEntryCheckRangeShortLong8(m);
546
0
            if (err != TIFFReadDirEntryErrOk)
547
0
                return (err);
548
0
            *value = (uint16_t)m;
549
0
            return (TIFFReadDirEntryErrOk);
550
0
        }
551
0
        case TIFF_SLONG8:
552
0
        {
553
0
            int64_t m;
554
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
555
0
            if (err != TIFFReadDirEntryErrOk)
556
0
                return (err);
557
0
            err = TIFFReadDirEntryCheckRangeShortSlong8(m);
558
0
            if (err != TIFFReadDirEntryErrOk)
559
0
                return (err);
560
0
            *value = (uint16_t)m;
561
0
            return (TIFFReadDirEntryErrOk);
562
0
        }
563
0
        default:
564
0
            return (TIFFReadDirEntryErrType);
565
0
    }
566
0
} /*-- TIFFReadDirEntryShort() --*/
567
568
static enum TIFFReadDirEntryErr
569
TIFFReadDirEntrySshort(TIFF *tif, TIFFDirEntry *direntry, int16_t *value)
570
0
{
571
0
    enum TIFFReadDirEntryErr err;
572
0
    if (direntry->tdir_count != 1)
573
0
        return (TIFFReadDirEntryErrCount);
574
0
    switch (direntry->tdir_type)
575
0
    {
576
0
        case TIFF_BYTE:
577
0
        {
578
0
            uint8_t m;
579
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
580
0
            *value = (int16_t)m;
581
0
            return (TIFFReadDirEntryErrOk);
582
0
        }
583
0
        case TIFF_SBYTE:
584
0
        {
585
0
            int8_t m;
586
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
587
0
            *value = (int16_t)m;
588
0
            return (TIFFReadDirEntryErrOk);
589
0
        }
590
0
        case TIFF_SHORT:
591
0
        {
592
0
            uint16_t m;
593
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
594
0
            err = TIFFReadDirEntryCheckRangeSshortShort(m);
595
0
            if (err != TIFFReadDirEntryErrOk)
596
0
                return (err);
597
0
            *value = (uint16_t)m;
598
0
            return (TIFFReadDirEntryErrOk);
599
0
        }
600
0
        case TIFF_SSHORT:
601
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, value);
602
0
            return (TIFFReadDirEntryErrOk);
603
0
        case TIFF_LONG:
604
0
        {
605
0
            uint32_t m;
606
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
607
0
            err = TIFFReadDirEntryCheckRangeSshortLong(m);
608
0
            if (err != TIFFReadDirEntryErrOk)
609
0
                return (err);
610
0
            *value = (int16_t)m;
611
0
            return (TIFFReadDirEntryErrOk);
612
0
        }
613
0
        case TIFF_SLONG:
614
0
        {
615
0
            int32_t m;
616
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
617
0
            err = TIFFReadDirEntryCheckRangeSshortSlong(m);
618
0
            if (err != TIFFReadDirEntryErrOk)
619
0
                return (err);
620
0
            *value = (int16_t)m;
621
0
            return (TIFFReadDirEntryErrOk);
622
0
        }
623
0
        case TIFF_LONG8:
624
0
        {
625
0
            uint64_t m;
626
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
627
0
            if (err != TIFFReadDirEntryErrOk)
628
0
                return (err);
629
0
            err = TIFFReadDirEntryCheckRangeSshortLong8(m);
630
0
            if (err != TIFFReadDirEntryErrOk)
631
0
                return (err);
632
0
            *value = (int16_t)m;
633
0
            return (TIFFReadDirEntryErrOk);
634
0
        }
635
0
        case TIFF_SLONG8:
636
0
        {
637
0
            int64_t m;
638
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
639
0
            if (err != TIFFReadDirEntryErrOk)
640
0
                return (err);
641
0
            err = TIFFReadDirEntryCheckRangeSshortSlong8(m);
642
0
            if (err != TIFFReadDirEntryErrOk)
643
0
                return (err);
644
0
            *value = (int16_t)m;
645
0
            return (TIFFReadDirEntryErrOk);
646
0
        }
647
0
        default:
648
0
            return (TIFFReadDirEntryErrType);
649
0
    }
650
0
} /*-- TIFFReadDirEntrySshort() --*/
651
652
static enum TIFFReadDirEntryErr
653
TIFFReadDirEntryLong(TIFF *tif, TIFFDirEntry *direntry, uint32_t *value)
654
0
{
655
0
    enum TIFFReadDirEntryErr err;
656
0
    if (direntry->tdir_count != 1)
657
0
        return (TIFFReadDirEntryErrCount);
658
0
    switch (direntry->tdir_type)
659
0
    {
660
0
        case TIFF_BYTE:
661
0
        {
662
0
            uint8_t m;
663
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
664
0
            *value = (uint32_t)m;
665
0
            return (TIFFReadDirEntryErrOk);
666
0
        }
667
0
        case TIFF_SBYTE:
668
0
        {
669
0
            int8_t m;
670
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
671
0
            err = TIFFReadDirEntryCheckRangeLongSbyte(m);
672
0
            if (err != TIFFReadDirEntryErrOk)
673
0
                return (err);
674
0
            *value = (uint32_t)m;
675
0
            return (TIFFReadDirEntryErrOk);
676
0
        }
677
0
        case TIFF_SHORT:
678
0
        {
679
0
            uint16_t m;
680
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
681
0
            *value = (uint32_t)m;
682
0
            return (TIFFReadDirEntryErrOk);
683
0
        }
684
0
        case TIFF_SSHORT:
685
0
        {
686
0
            int16_t m;
687
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
688
0
            err = TIFFReadDirEntryCheckRangeLongSshort(m);
689
0
            if (err != TIFFReadDirEntryErrOk)
690
0
                return (err);
691
0
            *value = (uint32_t)m;
692
0
            return (TIFFReadDirEntryErrOk);
693
0
        }
694
0
        case TIFF_LONG:
695
0
            TIFFReadDirEntryCheckedLong(tif, direntry, value);
696
0
            return (TIFFReadDirEntryErrOk);
697
0
        case TIFF_SLONG:
698
0
        {
699
0
            int32_t m;
700
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
701
0
            err = TIFFReadDirEntryCheckRangeLongSlong(m);
702
0
            if (err != TIFFReadDirEntryErrOk)
703
0
                return (err);
704
0
            *value = (uint32_t)m;
705
0
            return (TIFFReadDirEntryErrOk);
706
0
        }
707
0
        case TIFF_LONG8:
708
0
        {
709
0
            uint64_t m;
710
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
711
0
            if (err != TIFFReadDirEntryErrOk)
712
0
                return (err);
713
0
            err = TIFFReadDirEntryCheckRangeLongLong8(m);
714
0
            if (err != TIFFReadDirEntryErrOk)
715
0
                return (err);
716
0
            *value = (uint32_t)m;
717
0
            return (TIFFReadDirEntryErrOk);
718
0
        }
719
0
        case TIFF_SLONG8:
720
0
        {
721
0
            int64_t m;
722
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
723
0
            if (err != TIFFReadDirEntryErrOk)
724
0
                return (err);
725
0
            err = TIFFReadDirEntryCheckRangeLongSlong8(m);
726
0
            if (err != TIFFReadDirEntryErrOk)
727
0
                return (err);
728
0
            *value = (uint32_t)m;
729
0
            return (TIFFReadDirEntryErrOk);
730
0
        }
731
0
        default:
732
0
            return (TIFFReadDirEntryErrType);
733
0
    }
734
0
} /*-- TIFFReadDirEntryLong() --*/
735
736
static enum TIFFReadDirEntryErr
737
TIFFReadDirEntrySlong(TIFF *tif, TIFFDirEntry *direntry, int32_t *value)
738
0
{
739
0
    enum TIFFReadDirEntryErr err;
740
0
    if (direntry->tdir_count != 1)
741
0
        return (TIFFReadDirEntryErrCount);
742
0
    switch (direntry->tdir_type)
743
0
    {
744
0
        case TIFF_BYTE:
745
0
        {
746
0
            uint8_t m;
747
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
748
0
            *value = (int32_t)m;
749
0
            return (TIFFReadDirEntryErrOk);
750
0
        }
751
0
        case TIFF_SBYTE:
752
0
        {
753
0
            int8_t m;
754
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
755
0
            *value = (int32_t)m;
756
0
            return (TIFFReadDirEntryErrOk);
757
0
        }
758
0
        case TIFF_SHORT:
759
0
        {
760
0
            uint16_t m;
761
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
762
0
            *value = (int32_t)m;
763
0
            return (TIFFReadDirEntryErrOk);
764
0
        }
765
0
        case TIFF_SSHORT:
766
0
        {
767
0
            int16_t m;
768
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
769
0
            *value = (int32_t)m;
770
0
            return (TIFFReadDirEntryErrOk);
771
0
        }
772
0
        case TIFF_LONG:
773
0
        {
774
0
            uint32_t m;
775
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
776
0
            err = TIFFReadDirEntryCheckRangeSlongLong(m);
777
0
            if (err != TIFFReadDirEntryErrOk)
778
0
                return (err);
779
0
            *value = (int32_t)m;
780
0
            return (TIFFReadDirEntryErrOk);
781
0
        }
782
0
        case TIFF_SLONG:
783
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, value);
784
0
            return (TIFFReadDirEntryErrOk);
785
0
        case TIFF_LONG8:
786
0
        {
787
0
            uint64_t m;
788
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
789
0
            if (err != TIFFReadDirEntryErrOk)
790
0
                return (err);
791
0
            err = TIFFReadDirEntryCheckRangeSlongLong8(m);
792
0
            if (err != TIFFReadDirEntryErrOk)
793
0
                return (err);
794
0
            *value = (int32_t)m;
795
0
            return (TIFFReadDirEntryErrOk);
796
0
        }
797
0
        case TIFF_SLONG8:
798
0
        {
799
0
            int64_t m;
800
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
801
0
            if (err != TIFFReadDirEntryErrOk)
802
0
                return (err);
803
0
            err = TIFFReadDirEntryCheckRangeSlongSlong8(m);
804
0
            if (err != TIFFReadDirEntryErrOk)
805
0
                return (err);
806
0
            *value = (int32_t)m;
807
0
            return (TIFFReadDirEntryErrOk);
808
0
        }
809
0
        default:
810
0
            return (TIFFReadDirEntryErrType);
811
0
    }
812
0
} /*-- TIFFReadDirEntrySlong() --*/
813
814
static enum TIFFReadDirEntryErr
815
TIFFReadDirEntryLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
816
0
{
817
0
    enum TIFFReadDirEntryErr err;
818
0
    if (direntry->tdir_count != 1)
819
0
        return (TIFFReadDirEntryErrCount);
820
0
    switch (direntry->tdir_type)
821
0
    {
822
0
        case TIFF_BYTE:
823
0
        {
824
0
            uint8_t m;
825
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
826
0
            *value = (uint64_t)m;
827
0
            return (TIFFReadDirEntryErrOk);
828
0
        }
829
0
        case TIFF_SBYTE:
830
0
        {
831
0
            int8_t m;
832
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
833
0
            err = TIFFReadDirEntryCheckRangeLong8Sbyte(m);
834
0
            if (err != TIFFReadDirEntryErrOk)
835
0
                return (err);
836
0
            *value = (uint64_t)m;
837
0
            return (TIFFReadDirEntryErrOk);
838
0
        }
839
0
        case TIFF_SHORT:
840
0
        {
841
0
            uint16_t m;
842
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
843
0
            *value = (uint64_t)m;
844
0
            return (TIFFReadDirEntryErrOk);
845
0
        }
846
0
        case TIFF_SSHORT:
847
0
        {
848
0
            int16_t m;
849
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
850
0
            err = TIFFReadDirEntryCheckRangeLong8Sshort(m);
851
0
            if (err != TIFFReadDirEntryErrOk)
852
0
                return (err);
853
0
            *value = (uint64_t)m;
854
0
            return (TIFFReadDirEntryErrOk);
855
0
        }
856
0
        case TIFF_LONG:
857
0
        {
858
0
            uint32_t m;
859
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
860
0
            *value = (uint64_t)m;
861
0
            return (TIFFReadDirEntryErrOk);
862
0
        }
863
0
        case TIFF_SLONG:
864
0
        {
865
0
            int32_t m;
866
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
867
0
            err = TIFFReadDirEntryCheckRangeLong8Slong(m);
868
0
            if (err != TIFFReadDirEntryErrOk)
869
0
                return (err);
870
0
            *value = (uint64_t)m;
871
0
            return (TIFFReadDirEntryErrOk);
872
0
        }
873
0
        case TIFF_LONG8:
874
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, value);
875
0
            return (err);
876
0
        case TIFF_SLONG8:
877
0
        {
878
0
            int64_t m;
879
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
880
0
            if (err != TIFFReadDirEntryErrOk)
881
0
                return (err);
882
0
            err = TIFFReadDirEntryCheckRangeLong8Slong8(m);
883
0
            if (err != TIFFReadDirEntryErrOk)
884
0
                return (err);
885
0
            *value = (uint64_t)m;
886
0
            return (TIFFReadDirEntryErrOk);
887
0
        }
888
0
        default:
889
0
            return (TIFFReadDirEntryErrType);
890
0
    }
891
0
} /*-- TIFFReadDirEntryLong8() --*/
892
893
static enum TIFFReadDirEntryErr
894
TIFFReadDirEntrySlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value)
895
0
{
896
0
    enum TIFFReadDirEntryErr err;
897
0
    if (direntry->tdir_count != 1)
898
0
        return (TIFFReadDirEntryErrCount);
899
0
    switch (direntry->tdir_type)
900
0
    {
901
0
        case TIFF_BYTE:
902
0
        {
903
0
            uint8_t m;
904
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
905
0
            *value = (int64_t)m;
906
0
            return (TIFFReadDirEntryErrOk);
907
0
        }
908
0
        case TIFF_SBYTE:
909
0
        {
910
0
            int8_t m;
911
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
912
0
            *value = (int64_t)m;
913
0
            return (TIFFReadDirEntryErrOk);
914
0
        }
915
0
        case TIFF_SHORT:
916
0
        {
917
0
            uint16_t m;
918
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
919
0
            *value = (int64_t)m;
920
0
            return (TIFFReadDirEntryErrOk);
921
0
        }
922
0
        case TIFF_SSHORT:
923
0
        {
924
0
            int16_t m;
925
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
926
0
            *value = (int64_t)m;
927
0
            return (TIFFReadDirEntryErrOk);
928
0
        }
929
0
        case TIFF_LONG:
930
0
        {
931
0
            uint32_t m;
932
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
933
0
            *value = (int64_t)m;
934
0
            return (TIFFReadDirEntryErrOk);
935
0
        }
936
0
        case TIFF_SLONG:
937
0
        {
938
0
            int32_t m;
939
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
940
0
            *value = (int64_t)m;
941
0
            return (TIFFReadDirEntryErrOk);
942
0
        }
943
0
        case TIFF_LONG8:
944
0
        {
945
0
            uint64_t m;
946
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
947
0
            if (err != TIFFReadDirEntryErrOk)
948
0
                return (err);
949
0
            err = TIFFReadDirEntryCheckRangeSlong8Long8(m);
950
0
            if (err != TIFFReadDirEntryErrOk)
951
0
                return (err);
952
0
            *value = (int64_t)m;
953
0
            return (TIFFReadDirEntryErrOk);
954
0
        }
955
0
        case TIFF_SLONG8:
956
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, value);
957
0
            return (err);
958
0
        default:
959
0
            return (TIFFReadDirEntryErrType);
960
0
    }
961
0
} /*-- TIFFReadDirEntrySlong8() --*/
962
963
static enum TIFFReadDirEntryErr
964
TIFFReadDirEntryFloat(TIFF *tif, TIFFDirEntry *direntry, float *value)
965
0
{
966
0
    enum TIFFReadDirEntryErr err;
967
0
    if (direntry->tdir_count != 1)
968
0
        return (TIFFReadDirEntryErrCount);
969
0
    switch (direntry->tdir_type)
970
0
    {
971
0
        case TIFF_BYTE:
972
0
        {
973
0
            uint8_t m;
974
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
975
0
            *value = (float)m;
976
0
            return (TIFFReadDirEntryErrOk);
977
0
        }
978
0
        case TIFF_SBYTE:
979
0
        {
980
0
            int8_t m;
981
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
982
0
            *value = (float)m;
983
0
            return (TIFFReadDirEntryErrOk);
984
0
        }
985
0
        case TIFF_SHORT:
986
0
        {
987
0
            uint16_t m;
988
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
989
0
            *value = (float)m;
990
0
            return (TIFFReadDirEntryErrOk);
991
0
        }
992
0
        case TIFF_SSHORT:
993
0
        {
994
0
            int16_t m;
995
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
996
0
            *value = (float)m;
997
0
            return (TIFFReadDirEntryErrOk);
998
0
        }
999
0
        case TIFF_LONG:
1000
0
        {
1001
0
            uint32_t m;
1002
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1003
0
            *value = (float)m;
1004
0
            return (TIFFReadDirEntryErrOk);
1005
0
        }
1006
0
        case TIFF_SLONG:
1007
0
        {
1008
0
            int32_t m;
1009
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
1010
0
            *value = (float)m;
1011
0
            return (TIFFReadDirEntryErrOk);
1012
0
        }
1013
0
        case TIFF_LONG8:
1014
0
        {
1015
0
            uint64_t m;
1016
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
1017
0
            if (err != TIFFReadDirEntryErrOk)
1018
0
                return (err);
1019
0
            *value = (float)m;
1020
0
            return (TIFFReadDirEntryErrOk);
1021
0
        }
1022
0
        case TIFF_SLONG8:
1023
0
        {
1024
0
            int64_t m;
1025
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
1026
0
            if (err != TIFFReadDirEntryErrOk)
1027
0
                return (err);
1028
0
            *value = (float)m;
1029
0
            return (TIFFReadDirEntryErrOk);
1030
0
        }
1031
0
        case TIFF_RATIONAL:
1032
0
        {
1033
0
            double m;
1034
0
            err = TIFFReadDirEntryCheckedRational(tif, direntry, &m);
1035
0
            if (err != TIFFReadDirEntryErrOk)
1036
0
                return (err);
1037
0
            *value = (float)m;
1038
0
            return (TIFFReadDirEntryErrOk);
1039
0
        }
1040
0
        case TIFF_SRATIONAL:
1041
0
        {
1042
0
            double m;
1043
0
            err = TIFFReadDirEntryCheckedSrational(tif, direntry, &m);
1044
0
            if (err != TIFFReadDirEntryErrOk)
1045
0
                return (err);
1046
0
            *value = (float)m;
1047
0
            return (TIFFReadDirEntryErrOk);
1048
0
        }
1049
0
        case TIFF_FLOAT:
1050
0
            TIFFReadDirEntryCheckedFloat(tif, direntry, value);
1051
0
            return (TIFFReadDirEntryErrOk);
1052
0
        case TIFF_DOUBLE:
1053
0
        {
1054
0
            double m;
1055
0
            err = TIFFReadDirEntryCheckedDouble(tif, direntry, &m);
1056
0
            if (err != TIFFReadDirEntryErrOk)
1057
0
                return (err);
1058
0
            if ((m > FLT_MAX) || (m < -FLT_MAX))
1059
0
                return (TIFFReadDirEntryErrRange);
1060
0
            *value = (float)m;
1061
0
            return (TIFFReadDirEntryErrOk);
1062
0
        }
1063
0
        default:
1064
0
            return (TIFFReadDirEntryErrType);
1065
0
    }
1066
0
}
1067
1068
static enum TIFFReadDirEntryErr
1069
TIFFReadDirEntryDouble(TIFF *tif, TIFFDirEntry *direntry, double *value)
1070
0
{
1071
0
    enum TIFFReadDirEntryErr err;
1072
0
    if (direntry->tdir_count != 1)
1073
0
        return (TIFFReadDirEntryErrCount);
1074
0
    switch (direntry->tdir_type)
1075
0
    {
1076
0
        case TIFF_BYTE:
1077
0
        {
1078
0
            uint8_t m;
1079
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
1080
0
            *value = (double)m;
1081
0
            return (TIFFReadDirEntryErrOk);
1082
0
        }
1083
0
        case TIFF_SBYTE:
1084
0
        {
1085
0
            int8_t m;
1086
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
1087
0
            *value = (double)m;
1088
0
            return (TIFFReadDirEntryErrOk);
1089
0
        }
1090
0
        case TIFF_SHORT:
1091
0
        {
1092
0
            uint16_t m;
1093
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
1094
0
            *value = (double)m;
1095
0
            return (TIFFReadDirEntryErrOk);
1096
0
        }
1097
0
        case TIFF_SSHORT:
1098
0
        {
1099
0
            int16_t m;
1100
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
1101
0
            *value = (double)m;
1102
0
            return (TIFFReadDirEntryErrOk);
1103
0
        }
1104
0
        case TIFF_LONG:
1105
0
        {
1106
0
            uint32_t m;
1107
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1108
0
            *value = (double)m;
1109
0
            return (TIFFReadDirEntryErrOk);
1110
0
        }
1111
0
        case TIFF_SLONG:
1112
0
        {
1113
0
            int32_t m;
1114
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
1115
0
            *value = (double)m;
1116
0
            return (TIFFReadDirEntryErrOk);
1117
0
        }
1118
0
        case TIFF_LONG8:
1119
0
        {
1120
0
            uint64_t m;
1121
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
1122
0
            if (err != TIFFReadDirEntryErrOk)
1123
0
                return (err);
1124
0
            *value = (double)m;
1125
0
            return (TIFFReadDirEntryErrOk);
1126
0
        }
1127
0
        case TIFF_SLONG8:
1128
0
        {
1129
0
            int64_t m;
1130
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
1131
0
            if (err != TIFFReadDirEntryErrOk)
1132
0
                return (err);
1133
0
            *value = (double)m;
1134
0
            return (TIFFReadDirEntryErrOk);
1135
0
        }
1136
0
        case TIFF_RATIONAL:
1137
0
            err = TIFFReadDirEntryCheckedRational(tif, direntry, value);
1138
0
            return (err);
1139
0
        case TIFF_SRATIONAL:
1140
0
            err = TIFFReadDirEntryCheckedSrational(tif, direntry, value);
1141
0
            return (err);
1142
0
        case TIFF_FLOAT:
1143
0
        {
1144
0
            float m;
1145
0
            TIFFReadDirEntryCheckedFloat(tif, direntry, &m);
1146
0
            *value = (double)m;
1147
0
            return (TIFFReadDirEntryErrOk);
1148
0
        }
1149
0
        case TIFF_DOUBLE:
1150
0
            err = TIFFReadDirEntryCheckedDouble(tif, direntry, value);
1151
0
            return (err);
1152
0
        default:
1153
0
            return (TIFFReadDirEntryErrType);
1154
0
    }
1155
0
}
1156
1157
static enum TIFFReadDirEntryErr
1158
TIFFReadDirEntryIfd8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
1159
0
{
1160
0
    enum TIFFReadDirEntryErr err;
1161
0
    if (direntry->tdir_count != 1)
1162
0
        return (TIFFReadDirEntryErrCount);
1163
0
    switch (direntry->tdir_type)
1164
0
    {
1165
0
        case TIFF_LONG:
1166
0
        case TIFF_IFD:
1167
0
        {
1168
0
            uint32_t m;
1169
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1170
0
            *value = (uint64_t)m;
1171
0
            return (TIFFReadDirEntryErrOk);
1172
0
        }
1173
0
        case TIFF_LONG8:
1174
0
        case TIFF_IFD8:
1175
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, value);
1176
0
            return (err);
1177
0
        default:
1178
0
            return (TIFFReadDirEntryErrType);
1179
0
    }
1180
0
}
1181
1182
0
#define INITIAL_THRESHOLD (1024 * 1024)
1183
0
#define THRESHOLD_MULTIPLIER 10
1184
#define MAX_THRESHOLD                                                          \
1185
0
    (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER *      \
1186
0
     INITIAL_THRESHOLD)
1187
1188
static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(TIFF *tif,
1189
                                                               uint64_t offset,
1190
                                                               tmsize_t size,
1191
                                                               void **pdest)
1192
0
{
1193
0
#if SIZEOF_SIZE_T == 8
1194
0
    tmsize_t threshold = INITIAL_THRESHOLD;
1195
0
#endif
1196
0
    tmsize_t already_read = 0;
1197
1198
0
    assert(!isMapped(tif));
1199
1200
0
    if (!SeekOK(tif, offset))
1201
0
        return (TIFFReadDirEntryErrIo);
1202
1203
    /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
1204
    /* so as to avoid allocating too much memory in case the file is too */
1205
    /* short. We could ask for the file size, but this might be */
1206
    /* expensive with some I/O layers (think of reading a gzipped file) */
1207
    /* Restrict to 64 bit processes, so as to avoid reallocs() */
1208
    /* on 32 bit processes where virtual memory is scarce.  */
1209
0
    while (already_read < size)
1210
0
    {
1211
0
        void *new_dest;
1212
0
        tmsize_t bytes_read;
1213
0
        tmsize_t to_read = size - already_read;
1214
0
#if SIZEOF_SIZE_T == 8
1215
0
        if (to_read >= threshold && threshold < MAX_THRESHOLD)
1216
0
        {
1217
0
            to_read = threshold;
1218
0
            threshold *= THRESHOLD_MULTIPLIER;
1219
0
        }
1220
0
#endif
1221
1222
0
        new_dest =
1223
0
            (uint8_t *)_TIFFreallocExt(tif, *pdest, already_read + to_read);
1224
0
        if (new_dest == NULL)
1225
0
        {
1226
0
            TIFFErrorExtR(tif, tif->tif_name,
1227
0
                          "Failed to allocate memory for %s "
1228
0
                          "(%" TIFF_SSIZE_FORMAT
1229
0
                          " elements of %" TIFF_SSIZE_FORMAT " bytes each)",
1230
0
                          "TIFFReadDirEntryArray", (tmsize_t)1,
1231
0
                          already_read + to_read);
1232
0
            return TIFFReadDirEntryErrAlloc;
1233
0
        }
1234
0
        *pdest = new_dest;
1235
1236
0
        bytes_read = TIFFReadFile(tif, (char *)*pdest + already_read, to_read);
1237
0
        already_read += bytes_read;
1238
0
        if (bytes_read != to_read)
1239
0
        {
1240
0
            return TIFFReadDirEntryErrIo;
1241
0
        }
1242
0
    }
1243
0
    return TIFFReadDirEntryErrOk;
1244
0
}
1245
1246
/* Caution: if raising that value, make sure int32 / uint32 overflows can't
1247
 * occur elsewhere */
1248
0
#define MAX_SIZE_TAG_DATA 2147483647U
1249
1250
static enum TIFFReadDirEntryErr
1251
TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
1252
                               uint32_t *count, uint32_t desttypesize,
1253
                               void **value, uint64_t maxcount)
1254
0
{
1255
0
    int typesize;
1256
0
    uint32_t datasize;
1257
0
    void *data;
1258
0
    uint64_t target_count64;
1259
0
    int original_datasize_clamped;
1260
0
    typesize = TIFFDataWidth(direntry->tdir_type);
1261
1262
0
    target_count64 =
1263
0
        (direntry->tdir_count > maxcount) ? maxcount : direntry->tdir_count;
1264
1265
0
    if ((target_count64 == 0) || (typesize == 0))
1266
0
    {
1267
0
        *value = 0;
1268
0
        return (TIFFReadDirEntryErrOk);
1269
0
    }
1270
0
    (void)desttypesize;
1271
1272
    /* We just want to know if the original tag size is more than 4 bytes
1273
     * (classic TIFF) or 8 bytes (BigTIFF)
1274
     */
1275
0
    original_datasize_clamped =
1276
0
        ((direntry->tdir_count > 10) ? 10 : (int)direntry->tdir_count) *
1277
0
        typesize;
1278
1279
    /*
1280
     * As a sanity check, make sure we have no more than a 2GB tag array
1281
     * in either the current data type or the dest data type.  This also
1282
     * avoids problems with overflow of tmsize_t on 32bit systems.
1283
     */
1284
0
    if ((uint64_t)(MAX_SIZE_TAG_DATA / typesize) < target_count64)
1285
0
        return (TIFFReadDirEntryErrSizesan);
1286
0
    if ((uint64_t)(MAX_SIZE_TAG_DATA / desttypesize) < target_count64)
1287
0
        return (TIFFReadDirEntryErrSizesan);
1288
1289
0
    *count = (uint32_t)target_count64;
1290
0
    datasize = (*count) * typesize;
1291
0
    assert((tmsize_t)datasize > 0);
1292
1293
0
    if (datasize > 100 * 1024 * 1024)
1294
0
    {
1295
        /* Before allocating a huge amount of memory for corrupted files, check
1296
         * if size of requested memory is not greater than file size.
1297
         */
1298
0
        const uint64_t filesize = TIFFGetFileSize(tif);
1299
0
        if (datasize > filesize)
1300
0
        {
1301
0
            TIFFWarningExtR(tif, "ReadDirEntryArray",
1302
0
                            "Requested memory size for tag %d (0x%x) %" PRIu32
1303
0
                            " is greater than filesize %" PRIu64
1304
0
                            ". Memory not allocated, tag not read",
1305
0
                            direntry->tdir_tag, direntry->tdir_tag, datasize,
1306
0
                            filesize);
1307
0
            return (TIFFReadDirEntryErrAlloc);
1308
0
        }
1309
0
    }
1310
1311
0
    if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
1312
0
        return TIFFReadDirEntryErrIo;
1313
1314
0
    if (!isMapped(tif) && (((tif->tif_flags & TIFF_BIGTIFF) && datasize > 8) ||
1315
0
                           (!(tif->tif_flags & TIFF_BIGTIFF) && datasize > 4)))
1316
0
    {
1317
0
        data = NULL;
1318
0
    }
1319
0
    else
1320
0
    {
1321
0
        data = _TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
1322
0
        if (data == 0)
1323
0
            return (TIFFReadDirEntryErrAlloc);
1324
0
    }
1325
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
1326
0
    {
1327
        /* Only the condition on original_datasize_clamped. The second
1328
         * one is implied, but Coverity Scan cannot see it. */
1329
0
        if (original_datasize_clamped <= 4 && datasize <= 4)
1330
0
            _TIFFmemcpy(data, &direntry->tdir_offset, datasize);
1331
0
        else
1332
0
        {
1333
0
            enum TIFFReadDirEntryErr err;
1334
0
            uint32_t offset = direntry->tdir_offset.toff_long;
1335
0
            if (tif->tif_flags & TIFF_SWAB)
1336
0
                TIFFSwabLong(&offset);
1337
0
            if (isMapped(tif))
1338
0
                err = TIFFReadDirEntryData(tif, (uint64_t)offset,
1339
0
                                           (tmsize_t)datasize, data);
1340
0
            else
1341
0
                err = TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset,
1342
0
                                                     (tmsize_t)datasize, &data);
1343
0
            if (err != TIFFReadDirEntryErrOk)
1344
0
            {
1345
0
                _TIFFfreeExt(tif, data);
1346
0
                return (err);
1347
0
            }
1348
0
        }
1349
0
    }
1350
0
    else
1351
0
    {
1352
        /* See above comment for the Classic TIFF case */
1353
0
        if (original_datasize_clamped <= 8 && datasize <= 8)
1354
0
            _TIFFmemcpy(data, &direntry->tdir_offset, datasize);
1355
0
        else
1356
0
        {
1357
0
            enum TIFFReadDirEntryErr err;
1358
0
            uint64_t offset = direntry->tdir_offset.toff_long8;
1359
0
            if (tif->tif_flags & TIFF_SWAB)
1360
0
                TIFFSwabLong8(&offset);
1361
0
            if (isMapped(tif))
1362
0
                err = TIFFReadDirEntryData(tif, (uint64_t)offset,
1363
0
                                           (tmsize_t)datasize, data);
1364
0
            else
1365
0
                err = TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset,
1366
0
                                                     (tmsize_t)datasize, &data);
1367
0
            if (err != TIFFReadDirEntryErrOk)
1368
0
            {
1369
0
                _TIFFfreeExt(tif, data);
1370
0
                return (err);
1371
0
            }
1372
0
        }
1373
0
    }
1374
0
    *value = data;
1375
0
    return (TIFFReadDirEntryErrOk);
1376
0
}
1377
1378
static enum TIFFReadDirEntryErr
1379
TIFFReadDirEntryArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t *count,
1380
                      uint32_t desttypesize, void **value)
1381
0
{
1382
0
    return TIFFReadDirEntryArrayWithLimit(tif, direntry, count, desttypesize,
1383
0
                                          value, ~((uint64_t)0));
1384
0
}
1385
1386
static enum TIFFReadDirEntryErr
1387
TIFFReadDirEntryByteArray(TIFF *tif, TIFFDirEntry *direntry, uint8_t **value)
1388
0
{
1389
0
    enum TIFFReadDirEntryErr err;
1390
0
    uint32_t count;
1391
0
    void *origdata;
1392
0
    uint8_t *data;
1393
0
    switch (direntry->tdir_type)
1394
0
    {
1395
0
        case TIFF_ASCII:
1396
0
        case TIFF_UNDEFINED:
1397
0
        case TIFF_BYTE:
1398
0
        case TIFF_SBYTE:
1399
0
        case TIFF_SHORT:
1400
0
        case TIFF_SSHORT:
1401
0
        case TIFF_LONG:
1402
0
        case TIFF_SLONG:
1403
0
        case TIFF_LONG8:
1404
0
        case TIFF_SLONG8:
1405
0
            break;
1406
0
        default:
1407
0
            return (TIFFReadDirEntryErrType);
1408
0
    }
1409
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 1, &origdata);
1410
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1411
0
    {
1412
0
        *value = 0;
1413
0
        return (err);
1414
0
    }
1415
0
    switch (direntry->tdir_type)
1416
0
    {
1417
0
        case TIFF_ASCII:
1418
0
        case TIFF_UNDEFINED:
1419
0
        case TIFF_BYTE:
1420
0
            *value = (uint8_t *)origdata;
1421
0
            return (TIFFReadDirEntryErrOk);
1422
0
        case TIFF_SBYTE:
1423
0
        {
1424
0
            int8_t *m;
1425
0
            uint32_t n;
1426
0
            m = (int8_t *)origdata;
1427
0
            for (n = 0; n < count; n++)
1428
0
            {
1429
0
                err = TIFFReadDirEntryCheckRangeByteSbyte(*m);
1430
0
                if (err != TIFFReadDirEntryErrOk)
1431
0
                {
1432
0
                    _TIFFfreeExt(tif, origdata);
1433
0
                    return (err);
1434
0
                }
1435
0
                m++;
1436
0
            }
1437
0
            *value = (uint8_t *)origdata;
1438
0
            return (TIFFReadDirEntryErrOk);
1439
0
        }
1440
0
    }
1441
0
    data = (uint8_t *)_TIFFmallocExt(tif, count);
1442
0
    if (data == 0)
1443
0
    {
1444
0
        _TIFFfreeExt(tif, origdata);
1445
0
        return (TIFFReadDirEntryErrAlloc);
1446
0
    }
1447
0
    switch (direntry->tdir_type)
1448
0
    {
1449
0
        case TIFF_SHORT:
1450
0
        {
1451
0
            uint16_t *ma;
1452
0
            uint8_t *mb;
1453
0
            uint32_t n;
1454
0
            ma = (uint16_t *)origdata;
1455
0
            mb = data;
1456
0
            for (n = 0; n < count; n++)
1457
0
            {
1458
0
                if (tif->tif_flags & TIFF_SWAB)
1459
0
                    TIFFSwabShort(ma);
1460
0
                err = TIFFReadDirEntryCheckRangeByteShort(*ma);
1461
0
                if (err != TIFFReadDirEntryErrOk)
1462
0
                    break;
1463
0
                *mb++ = (uint8_t)(*ma++);
1464
0
            }
1465
0
        }
1466
0
        break;
1467
0
        case TIFF_SSHORT:
1468
0
        {
1469
0
            int16_t *ma;
1470
0
            uint8_t *mb;
1471
0
            uint32_t n;
1472
0
            ma = (int16_t *)origdata;
1473
0
            mb = data;
1474
0
            for (n = 0; n < count; n++)
1475
0
            {
1476
0
                if (tif->tif_flags & TIFF_SWAB)
1477
0
                    TIFFSwabShort((uint16_t *)ma);
1478
0
                err = TIFFReadDirEntryCheckRangeByteSshort(*ma);
1479
0
                if (err != TIFFReadDirEntryErrOk)
1480
0
                    break;
1481
0
                *mb++ = (uint8_t)(*ma++);
1482
0
            }
1483
0
        }
1484
0
        break;
1485
0
        case TIFF_LONG:
1486
0
        {
1487
0
            uint32_t *ma;
1488
0
            uint8_t *mb;
1489
0
            uint32_t n;
1490
0
            ma = (uint32_t *)origdata;
1491
0
            mb = data;
1492
0
            for (n = 0; n < count; n++)
1493
0
            {
1494
0
                if (tif->tif_flags & TIFF_SWAB)
1495
0
                    TIFFSwabLong(ma);
1496
0
                err = TIFFReadDirEntryCheckRangeByteLong(*ma);
1497
0
                if (err != TIFFReadDirEntryErrOk)
1498
0
                    break;
1499
0
                *mb++ = (uint8_t)(*ma++);
1500
0
            }
1501
0
        }
1502
0
        break;
1503
0
        case TIFF_SLONG:
1504
0
        {
1505
0
            int32_t *ma;
1506
0
            uint8_t *mb;
1507
0
            uint32_t n;
1508
0
            ma = (int32_t *)origdata;
1509
0
            mb = data;
1510
0
            for (n = 0; n < count; n++)
1511
0
            {
1512
0
                if (tif->tif_flags & TIFF_SWAB)
1513
0
                    TIFFSwabLong((uint32_t *)ma);
1514
0
                err = TIFFReadDirEntryCheckRangeByteSlong(*ma);
1515
0
                if (err != TIFFReadDirEntryErrOk)
1516
0
                    break;
1517
0
                *mb++ = (uint8_t)(*ma++);
1518
0
            }
1519
0
        }
1520
0
        break;
1521
0
        case TIFF_LONG8:
1522
0
        {
1523
0
            uint64_t *ma;
1524
0
            uint8_t *mb;
1525
0
            uint32_t n;
1526
0
            ma = (uint64_t *)origdata;
1527
0
            mb = data;
1528
0
            for (n = 0; n < count; n++)
1529
0
            {
1530
0
                if (tif->tif_flags & TIFF_SWAB)
1531
0
                    TIFFSwabLong8(ma);
1532
0
                err = TIFFReadDirEntryCheckRangeByteLong8(*ma);
1533
0
                if (err != TIFFReadDirEntryErrOk)
1534
0
                    break;
1535
0
                *mb++ = (uint8_t)(*ma++);
1536
0
            }
1537
0
        }
1538
0
        break;
1539
0
        case TIFF_SLONG8:
1540
0
        {
1541
0
            int64_t *ma;
1542
0
            uint8_t *mb;
1543
0
            uint32_t n;
1544
0
            ma = (int64_t *)origdata;
1545
0
            mb = data;
1546
0
            for (n = 0; n < count; n++)
1547
0
            {
1548
0
                if (tif->tif_flags & TIFF_SWAB)
1549
0
                    TIFFSwabLong8((uint64_t *)ma);
1550
0
                err = TIFFReadDirEntryCheckRangeByteSlong8(*ma);
1551
0
                if (err != TIFFReadDirEntryErrOk)
1552
0
                    break;
1553
0
                *mb++ = (uint8_t)(*ma++);
1554
0
            }
1555
0
        }
1556
0
        break;
1557
0
    }
1558
0
    _TIFFfreeExt(tif, origdata);
1559
0
    if (err != TIFFReadDirEntryErrOk)
1560
0
    {
1561
0
        _TIFFfreeExt(tif, data);
1562
0
        return (err);
1563
0
    }
1564
0
    *value = data;
1565
0
    return (TIFFReadDirEntryErrOk);
1566
0
}
1567
1568
static enum TIFFReadDirEntryErr
1569
TIFFReadDirEntrySbyteArray(TIFF *tif, TIFFDirEntry *direntry, int8_t **value)
1570
0
{
1571
0
    enum TIFFReadDirEntryErr err;
1572
0
    uint32_t count;
1573
0
    void *origdata;
1574
0
    int8_t *data;
1575
0
    switch (direntry->tdir_type)
1576
0
    {
1577
0
        case TIFF_UNDEFINED:
1578
0
        case TIFF_BYTE:
1579
0
        case TIFF_SBYTE:
1580
0
        case TIFF_SHORT:
1581
0
        case TIFF_SSHORT:
1582
0
        case TIFF_LONG:
1583
0
        case TIFF_SLONG:
1584
0
        case TIFF_LONG8:
1585
0
        case TIFF_SLONG8:
1586
0
            break;
1587
0
        default:
1588
0
            return (TIFFReadDirEntryErrType);
1589
0
    }
1590
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 1, &origdata);
1591
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1592
0
    {
1593
0
        *value = 0;
1594
0
        return (err);
1595
0
    }
1596
0
    switch (direntry->tdir_type)
1597
0
    {
1598
0
        case TIFF_UNDEFINED:
1599
0
        case TIFF_BYTE:
1600
0
        {
1601
0
            uint8_t *m;
1602
0
            uint32_t n;
1603
0
            m = (uint8_t *)origdata;
1604
0
            for (n = 0; n < count; n++)
1605
0
            {
1606
0
                err = TIFFReadDirEntryCheckRangeSbyteByte(*m);
1607
0
                if (err != TIFFReadDirEntryErrOk)
1608
0
                {
1609
0
                    _TIFFfreeExt(tif, origdata);
1610
0
                    return (err);
1611
0
                }
1612
0
                m++;
1613
0
            }
1614
0
            *value = (int8_t *)origdata;
1615
0
            return (TIFFReadDirEntryErrOk);
1616
0
        }
1617
0
        case TIFF_SBYTE:
1618
0
            *value = (int8_t *)origdata;
1619
0
            return (TIFFReadDirEntryErrOk);
1620
0
    }
1621
0
    data = (int8_t *)_TIFFmallocExt(tif, count);
1622
0
    if (data == 0)
1623
0
    {
1624
0
        _TIFFfreeExt(tif, origdata);
1625
0
        return (TIFFReadDirEntryErrAlloc);
1626
0
    }
1627
0
    switch (direntry->tdir_type)
1628
0
    {
1629
0
        case TIFF_SHORT:
1630
0
        {
1631
0
            uint16_t *ma;
1632
0
            int8_t *mb;
1633
0
            uint32_t n;
1634
0
            ma = (uint16_t *)origdata;
1635
0
            mb = data;
1636
0
            for (n = 0; n < count; n++)
1637
0
            {
1638
0
                if (tif->tif_flags & TIFF_SWAB)
1639
0
                    TIFFSwabShort(ma);
1640
0
                err = TIFFReadDirEntryCheckRangeSbyteShort(*ma);
1641
0
                if (err != TIFFReadDirEntryErrOk)
1642
0
                    break;
1643
0
                *mb++ = (int8_t)(*ma++);
1644
0
            }
1645
0
        }
1646
0
        break;
1647
0
        case TIFF_SSHORT:
1648
0
        {
1649
0
            int16_t *ma;
1650
0
            int8_t *mb;
1651
0
            uint32_t n;
1652
0
            ma = (int16_t *)origdata;
1653
0
            mb = data;
1654
0
            for (n = 0; n < count; n++)
1655
0
            {
1656
0
                if (tif->tif_flags & TIFF_SWAB)
1657
0
                    TIFFSwabShort((uint16_t *)ma);
1658
0
                err = TIFFReadDirEntryCheckRangeSbyteSshort(*ma);
1659
0
                if (err != TIFFReadDirEntryErrOk)
1660
0
                    break;
1661
0
                *mb++ = (int8_t)(*ma++);
1662
0
            }
1663
0
        }
1664
0
        break;
1665
0
        case TIFF_LONG:
1666
0
        {
1667
0
            uint32_t *ma;
1668
0
            int8_t *mb;
1669
0
            uint32_t n;
1670
0
            ma = (uint32_t *)origdata;
1671
0
            mb = data;
1672
0
            for (n = 0; n < count; n++)
1673
0
            {
1674
0
                if (tif->tif_flags & TIFF_SWAB)
1675
0
                    TIFFSwabLong(ma);
1676
0
                err = TIFFReadDirEntryCheckRangeSbyteLong(*ma);
1677
0
                if (err != TIFFReadDirEntryErrOk)
1678
0
                    break;
1679
0
                *mb++ = (int8_t)(*ma++);
1680
0
            }
1681
0
        }
1682
0
        break;
1683
0
        case TIFF_SLONG:
1684
0
        {
1685
0
            int32_t *ma;
1686
0
            int8_t *mb;
1687
0
            uint32_t n;
1688
0
            ma = (int32_t *)origdata;
1689
0
            mb = data;
1690
0
            for (n = 0; n < count; n++)
1691
0
            {
1692
0
                if (tif->tif_flags & TIFF_SWAB)
1693
0
                    TIFFSwabLong((uint32_t *)ma);
1694
0
                err = TIFFReadDirEntryCheckRangeSbyteSlong(*ma);
1695
0
                if (err != TIFFReadDirEntryErrOk)
1696
0
                    break;
1697
0
                *mb++ = (int8_t)(*ma++);
1698
0
            }
1699
0
        }
1700
0
        break;
1701
0
        case TIFF_LONG8:
1702
0
        {
1703
0
            uint64_t *ma;
1704
0
            int8_t *mb;
1705
0
            uint32_t n;
1706
0
            ma = (uint64_t *)origdata;
1707
0
            mb = data;
1708
0
            for (n = 0; n < count; n++)
1709
0
            {
1710
0
                if (tif->tif_flags & TIFF_SWAB)
1711
0
                    TIFFSwabLong8(ma);
1712
0
                err = TIFFReadDirEntryCheckRangeSbyteLong8(*ma);
1713
0
                if (err != TIFFReadDirEntryErrOk)
1714
0
                    break;
1715
0
                *mb++ = (int8_t)(*ma++);
1716
0
            }
1717
0
        }
1718
0
        break;
1719
0
        case TIFF_SLONG8:
1720
0
        {
1721
0
            int64_t *ma;
1722
0
            int8_t *mb;
1723
0
            uint32_t n;
1724
0
            ma = (int64_t *)origdata;
1725
0
            mb = data;
1726
0
            for (n = 0; n < count; n++)
1727
0
            {
1728
0
                if (tif->tif_flags & TIFF_SWAB)
1729
0
                    TIFFSwabLong8((uint64_t *)ma);
1730
0
                err = TIFFReadDirEntryCheckRangeSbyteSlong8(*ma);
1731
0
                if (err != TIFFReadDirEntryErrOk)
1732
0
                    break;
1733
0
                *mb++ = (int8_t)(*ma++);
1734
0
            }
1735
0
        }
1736
0
        break;
1737
0
    }
1738
0
    _TIFFfreeExt(tif, origdata);
1739
0
    if (err != TIFFReadDirEntryErrOk)
1740
0
    {
1741
0
        _TIFFfreeExt(tif, data);
1742
0
        return (err);
1743
0
    }
1744
0
    *value = data;
1745
0
    return (TIFFReadDirEntryErrOk);
1746
0
}
1747
1748
static enum TIFFReadDirEntryErr
1749
TIFFReadDirEntryShortArray(TIFF *tif, TIFFDirEntry *direntry, uint16_t **value)
1750
0
{
1751
0
    enum TIFFReadDirEntryErr err;
1752
0
    uint32_t count;
1753
0
    void *origdata;
1754
0
    uint16_t *data;
1755
0
    switch (direntry->tdir_type)
1756
0
    {
1757
0
        case TIFF_BYTE:
1758
0
        case TIFF_SBYTE:
1759
0
        case TIFF_SHORT:
1760
0
        case TIFF_SSHORT:
1761
0
        case TIFF_LONG:
1762
0
        case TIFF_SLONG:
1763
0
        case TIFF_LONG8:
1764
0
        case TIFF_SLONG8:
1765
0
            break;
1766
0
        default:
1767
0
            return (TIFFReadDirEntryErrType);
1768
0
    }
1769
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 2, &origdata);
1770
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1771
0
    {
1772
0
        *value = 0;
1773
0
        return (err);
1774
0
    }
1775
0
    switch (direntry->tdir_type)
1776
0
    {
1777
0
        case TIFF_SHORT:
1778
0
            *value = (uint16_t *)origdata;
1779
0
            if (tif->tif_flags & TIFF_SWAB)
1780
0
                TIFFSwabArrayOfShort(*value, count);
1781
0
            return (TIFFReadDirEntryErrOk);
1782
0
        case TIFF_SSHORT:
1783
0
        {
1784
0
            int16_t *m;
1785
0
            uint32_t n;
1786
0
            m = (int16_t *)origdata;
1787
0
            for (n = 0; n < count; n++)
1788
0
            {
1789
0
                if (tif->tif_flags & TIFF_SWAB)
1790
0
                    TIFFSwabShort((uint16_t *)m);
1791
0
                err = TIFFReadDirEntryCheckRangeShortSshort(*m);
1792
0
                if (err != TIFFReadDirEntryErrOk)
1793
0
                {
1794
0
                    _TIFFfreeExt(tif, origdata);
1795
0
                    return (err);
1796
0
                }
1797
0
                m++;
1798
0
            }
1799
0
            *value = (uint16_t *)origdata;
1800
0
            return (TIFFReadDirEntryErrOk);
1801
0
        }
1802
0
    }
1803
0
    data = (uint16_t *)_TIFFmallocExt(tif, count * 2);
1804
0
    if (data == 0)
1805
0
    {
1806
0
        _TIFFfreeExt(tif, origdata);
1807
0
        return (TIFFReadDirEntryErrAlloc);
1808
0
    }
1809
0
    switch (direntry->tdir_type)
1810
0
    {
1811
0
        case TIFF_BYTE:
1812
0
        {
1813
0
            uint8_t *ma;
1814
0
            uint16_t *mb;
1815
0
            uint32_t n;
1816
0
            ma = (uint8_t *)origdata;
1817
0
            mb = data;
1818
0
            for (n = 0; n < count; n++)
1819
0
                *mb++ = (uint16_t)(*ma++);
1820
0
        }
1821
0
        break;
1822
0
        case TIFF_SBYTE:
1823
0
        {
1824
0
            int8_t *ma;
1825
0
            uint16_t *mb;
1826
0
            uint32_t n;
1827
0
            ma = (int8_t *)origdata;
1828
0
            mb = data;
1829
0
            for (n = 0; n < count; n++)
1830
0
            {
1831
0
                err = TIFFReadDirEntryCheckRangeShortSbyte(*ma);
1832
0
                if (err != TIFFReadDirEntryErrOk)
1833
0
                    break;
1834
0
                *mb++ = (uint16_t)(*ma++);
1835
0
            }
1836
0
        }
1837
0
        break;
1838
0
        case TIFF_LONG:
1839
0
        {
1840
0
            uint32_t *ma;
1841
0
            uint16_t *mb;
1842
0
            uint32_t n;
1843
0
            ma = (uint32_t *)origdata;
1844
0
            mb = data;
1845
0
            for (n = 0; n < count; n++)
1846
0
            {
1847
0
                if (tif->tif_flags & TIFF_SWAB)
1848
0
                    TIFFSwabLong(ma);
1849
0
                err = TIFFReadDirEntryCheckRangeShortLong(*ma);
1850
0
                if (err != TIFFReadDirEntryErrOk)
1851
0
                    break;
1852
0
                *mb++ = (uint16_t)(*ma++);
1853
0
            }
1854
0
        }
1855
0
        break;
1856
0
        case TIFF_SLONG:
1857
0
        {
1858
0
            int32_t *ma;
1859
0
            uint16_t *mb;
1860
0
            uint32_t n;
1861
0
            ma = (int32_t *)origdata;
1862
0
            mb = data;
1863
0
            for (n = 0; n < count; n++)
1864
0
            {
1865
0
                if (tif->tif_flags & TIFF_SWAB)
1866
0
                    TIFFSwabLong((uint32_t *)ma);
1867
0
                err = TIFFReadDirEntryCheckRangeShortSlong(*ma);
1868
0
                if (err != TIFFReadDirEntryErrOk)
1869
0
                    break;
1870
0
                *mb++ = (uint16_t)(*ma++);
1871
0
            }
1872
0
        }
1873
0
        break;
1874
0
        case TIFF_LONG8:
1875
0
        {
1876
0
            uint64_t *ma;
1877
0
            uint16_t *mb;
1878
0
            uint32_t n;
1879
0
            ma = (uint64_t *)origdata;
1880
0
            mb = data;
1881
0
            for (n = 0; n < count; n++)
1882
0
            {
1883
0
                if (tif->tif_flags & TIFF_SWAB)
1884
0
                    TIFFSwabLong8(ma);
1885
0
                err = TIFFReadDirEntryCheckRangeShortLong8(*ma);
1886
0
                if (err != TIFFReadDirEntryErrOk)
1887
0
                    break;
1888
0
                *mb++ = (uint16_t)(*ma++);
1889
0
            }
1890
0
        }
1891
0
        break;
1892
0
        case TIFF_SLONG8:
1893
0
        {
1894
0
            int64_t *ma;
1895
0
            uint16_t *mb;
1896
0
            uint32_t n;
1897
0
            ma = (int64_t *)origdata;
1898
0
            mb = data;
1899
0
            for (n = 0; n < count; n++)
1900
0
            {
1901
0
                if (tif->tif_flags & TIFF_SWAB)
1902
0
                    TIFFSwabLong8((uint64_t *)ma);
1903
0
                err = TIFFReadDirEntryCheckRangeShortSlong8(*ma);
1904
0
                if (err != TIFFReadDirEntryErrOk)
1905
0
                    break;
1906
0
                *mb++ = (uint16_t)(*ma++);
1907
0
            }
1908
0
        }
1909
0
        break;
1910
0
    }
1911
0
    _TIFFfreeExt(tif, origdata);
1912
0
    if (err != TIFFReadDirEntryErrOk)
1913
0
    {
1914
0
        _TIFFfreeExt(tif, data);
1915
0
        return (err);
1916
0
    }
1917
0
    *value = data;
1918
0
    return (TIFFReadDirEntryErrOk);
1919
0
}
1920
1921
static enum TIFFReadDirEntryErr
1922
TIFFReadDirEntrySshortArray(TIFF *tif, TIFFDirEntry *direntry, int16_t **value)
1923
0
{
1924
0
    enum TIFFReadDirEntryErr err;
1925
0
    uint32_t count;
1926
0
    void *origdata;
1927
0
    int16_t *data;
1928
0
    switch (direntry->tdir_type)
1929
0
    {
1930
0
        case TIFF_BYTE:
1931
0
        case TIFF_SBYTE:
1932
0
        case TIFF_SHORT:
1933
0
        case TIFF_SSHORT:
1934
0
        case TIFF_LONG:
1935
0
        case TIFF_SLONG:
1936
0
        case TIFF_LONG8:
1937
0
        case TIFF_SLONG8:
1938
0
            break;
1939
0
        default:
1940
0
            return (TIFFReadDirEntryErrType);
1941
0
    }
1942
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 2, &origdata);
1943
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1944
0
    {
1945
0
        *value = 0;
1946
0
        return (err);
1947
0
    }
1948
0
    switch (direntry->tdir_type)
1949
0
    {
1950
0
        case TIFF_SHORT:
1951
0
        {
1952
0
            uint16_t *m;
1953
0
            uint32_t n;
1954
0
            m = (uint16_t *)origdata;
1955
0
            for (n = 0; n < count; n++)
1956
0
            {
1957
0
                if (tif->tif_flags & TIFF_SWAB)
1958
0
                    TIFFSwabShort(m);
1959
0
                err = TIFFReadDirEntryCheckRangeSshortShort(*m);
1960
0
                if (err != TIFFReadDirEntryErrOk)
1961
0
                {
1962
0
                    _TIFFfreeExt(tif, origdata);
1963
0
                    return (err);
1964
0
                }
1965
0
                m++;
1966
0
            }
1967
0
            *value = (int16_t *)origdata;
1968
0
            return (TIFFReadDirEntryErrOk);
1969
0
        }
1970
0
        case TIFF_SSHORT:
1971
0
            *value = (int16_t *)origdata;
1972
0
            if (tif->tif_flags & TIFF_SWAB)
1973
0
                TIFFSwabArrayOfShort((uint16_t *)(*value), count);
1974
0
            return (TIFFReadDirEntryErrOk);
1975
0
    }
1976
0
    data = (int16_t *)_TIFFmallocExt(tif, count * 2);
1977
0
    if (data == 0)
1978
0
    {
1979
0
        _TIFFfreeExt(tif, origdata);
1980
0
        return (TIFFReadDirEntryErrAlloc);
1981
0
    }
1982
0
    switch (direntry->tdir_type)
1983
0
    {
1984
0
        case TIFF_BYTE:
1985
0
        {
1986
0
            uint8_t *ma;
1987
0
            int16_t *mb;
1988
0
            uint32_t n;
1989
0
            ma = (uint8_t *)origdata;
1990
0
            mb = data;
1991
0
            for (n = 0; n < count; n++)
1992
0
                *mb++ = (int16_t)(*ma++);
1993
0
        }
1994
0
        break;
1995
0
        case TIFF_SBYTE:
1996
0
        {
1997
0
            int8_t *ma;
1998
0
            int16_t *mb;
1999
0
            uint32_t n;
2000
0
            ma = (int8_t *)origdata;
2001
0
            mb = data;
2002
0
            for (n = 0; n < count; n++)
2003
0
                *mb++ = (int16_t)(*ma++);
2004
0
        }
2005
0
        break;
2006
0
        case TIFF_LONG:
2007
0
        {
2008
0
            uint32_t *ma;
2009
0
            int16_t *mb;
2010
0
            uint32_t n;
2011
0
            ma = (uint32_t *)origdata;
2012
0
            mb = data;
2013
0
            for (n = 0; n < count; n++)
2014
0
            {
2015
0
                if (tif->tif_flags & TIFF_SWAB)
2016
0
                    TIFFSwabLong(ma);
2017
0
                err = TIFFReadDirEntryCheckRangeSshortLong(*ma);
2018
0
                if (err != TIFFReadDirEntryErrOk)
2019
0
                    break;
2020
0
                *mb++ = (int16_t)(*ma++);
2021
0
            }
2022
0
        }
2023
0
        break;
2024
0
        case TIFF_SLONG:
2025
0
        {
2026
0
            int32_t *ma;
2027
0
            int16_t *mb;
2028
0
            uint32_t n;
2029
0
            ma = (int32_t *)origdata;
2030
0
            mb = data;
2031
0
            for (n = 0; n < count; n++)
2032
0
            {
2033
0
                if (tif->tif_flags & TIFF_SWAB)
2034
0
                    TIFFSwabLong((uint32_t *)ma);
2035
0
                err = TIFFReadDirEntryCheckRangeSshortSlong(*ma);
2036
0
                if (err != TIFFReadDirEntryErrOk)
2037
0
                    break;
2038
0
                *mb++ = (int16_t)(*ma++);
2039
0
            }
2040
0
        }
2041
0
        break;
2042
0
        case TIFF_LONG8:
2043
0
        {
2044
0
            uint64_t *ma;
2045
0
            int16_t *mb;
2046
0
            uint32_t n;
2047
0
            ma = (uint64_t *)origdata;
2048
0
            mb = data;
2049
0
            for (n = 0; n < count; n++)
2050
0
            {
2051
0
                if (tif->tif_flags & TIFF_SWAB)
2052
0
                    TIFFSwabLong8(ma);
2053
0
                err = TIFFReadDirEntryCheckRangeSshortLong8(*ma);
2054
0
                if (err != TIFFReadDirEntryErrOk)
2055
0
                    break;
2056
0
                *mb++ = (int16_t)(*ma++);
2057
0
            }
2058
0
        }
2059
0
        break;
2060
0
        case TIFF_SLONG8:
2061
0
        {
2062
0
            int64_t *ma;
2063
0
            int16_t *mb;
2064
0
            uint32_t n;
2065
0
            ma = (int64_t *)origdata;
2066
0
            mb = data;
2067
0
            for (n = 0; n < count; n++)
2068
0
            {
2069
0
                if (tif->tif_flags & TIFF_SWAB)
2070
0
                    TIFFSwabLong8((uint64_t *)ma);
2071
0
                err = TIFFReadDirEntryCheckRangeSshortSlong8(*ma);
2072
0
                if (err != TIFFReadDirEntryErrOk)
2073
0
                    break;
2074
0
                *mb++ = (int16_t)(*ma++);
2075
0
            }
2076
0
        }
2077
0
        break;
2078
0
    }
2079
0
    _TIFFfreeExt(tif, origdata);
2080
0
    if (err != TIFFReadDirEntryErrOk)
2081
0
    {
2082
0
        _TIFFfreeExt(tif, data);
2083
0
        return (err);
2084
0
    }
2085
0
    *value = data;
2086
0
    return (TIFFReadDirEntryErrOk);
2087
0
}
2088
2089
static enum TIFFReadDirEntryErr
2090
TIFFReadDirEntryLongArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t **value)
2091
0
{
2092
0
    enum TIFFReadDirEntryErr err;
2093
0
    uint32_t count;
2094
0
    void *origdata;
2095
0
    uint32_t *data;
2096
0
    switch (direntry->tdir_type)
2097
0
    {
2098
0
        case TIFF_BYTE:
2099
0
        case TIFF_SBYTE:
2100
0
        case TIFF_SHORT:
2101
0
        case TIFF_SSHORT:
2102
0
        case TIFF_LONG:
2103
0
        case TIFF_SLONG:
2104
0
        case TIFF_LONG8:
2105
0
        case TIFF_SLONG8:
2106
0
            break;
2107
0
        default:
2108
0
            return (TIFFReadDirEntryErrType);
2109
0
    }
2110
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2111
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2112
0
    {
2113
0
        *value = 0;
2114
0
        return (err);
2115
0
    }
2116
0
    switch (direntry->tdir_type)
2117
0
    {
2118
0
        case TIFF_LONG:
2119
0
            *value = (uint32_t *)origdata;
2120
0
            if (tif->tif_flags & TIFF_SWAB)
2121
0
                TIFFSwabArrayOfLong(*value, count);
2122
0
            return (TIFFReadDirEntryErrOk);
2123
0
        case TIFF_SLONG:
2124
0
        {
2125
0
            int32_t *m;
2126
0
            uint32_t n;
2127
0
            m = (int32_t *)origdata;
2128
0
            for (n = 0; n < count; n++)
2129
0
            {
2130
0
                if (tif->tif_flags & TIFF_SWAB)
2131
0
                    TIFFSwabLong((uint32_t *)m);
2132
0
                err = TIFFReadDirEntryCheckRangeLongSlong(*m);
2133
0
                if (err != TIFFReadDirEntryErrOk)
2134
0
                {
2135
0
                    _TIFFfreeExt(tif, origdata);
2136
0
                    return (err);
2137
0
                }
2138
0
                m++;
2139
0
            }
2140
0
            *value = (uint32_t *)origdata;
2141
0
            return (TIFFReadDirEntryErrOk);
2142
0
        }
2143
0
    }
2144
0
    data = (uint32_t *)_TIFFmallocExt(tif, count * 4);
2145
0
    if (data == 0)
2146
0
    {
2147
0
        _TIFFfreeExt(tif, origdata);
2148
0
        return (TIFFReadDirEntryErrAlloc);
2149
0
    }
2150
0
    switch (direntry->tdir_type)
2151
0
    {
2152
0
        case TIFF_BYTE:
2153
0
        {
2154
0
            uint8_t *ma;
2155
0
            uint32_t *mb;
2156
0
            uint32_t n;
2157
0
            ma = (uint8_t *)origdata;
2158
0
            mb = data;
2159
0
            for (n = 0; n < count; n++)
2160
0
                *mb++ = (uint32_t)(*ma++);
2161
0
        }
2162
0
        break;
2163
0
        case TIFF_SBYTE:
2164
0
        {
2165
0
            int8_t *ma;
2166
0
            uint32_t *mb;
2167
0
            uint32_t n;
2168
0
            ma = (int8_t *)origdata;
2169
0
            mb = data;
2170
0
            for (n = 0; n < count; n++)
2171
0
            {
2172
0
                err = TIFFReadDirEntryCheckRangeLongSbyte(*ma);
2173
0
                if (err != TIFFReadDirEntryErrOk)
2174
0
                    break;
2175
0
                *mb++ = (uint32_t)(*ma++);
2176
0
            }
2177
0
        }
2178
0
        break;
2179
0
        case TIFF_SHORT:
2180
0
        {
2181
0
            uint16_t *ma;
2182
0
            uint32_t *mb;
2183
0
            uint32_t n;
2184
0
            ma = (uint16_t *)origdata;
2185
0
            mb = data;
2186
0
            for (n = 0; n < count; n++)
2187
0
            {
2188
0
                if (tif->tif_flags & TIFF_SWAB)
2189
0
                    TIFFSwabShort(ma);
2190
0
                *mb++ = (uint32_t)(*ma++);
2191
0
            }
2192
0
        }
2193
0
        break;
2194
0
        case TIFF_SSHORT:
2195
0
        {
2196
0
            int16_t *ma;
2197
0
            uint32_t *mb;
2198
0
            uint32_t n;
2199
0
            ma = (int16_t *)origdata;
2200
0
            mb = data;
2201
0
            for (n = 0; n < count; n++)
2202
0
            {
2203
0
                if (tif->tif_flags & TIFF_SWAB)
2204
0
                    TIFFSwabShort((uint16_t *)ma);
2205
0
                err = TIFFReadDirEntryCheckRangeLongSshort(*ma);
2206
0
                if (err != TIFFReadDirEntryErrOk)
2207
0
                    break;
2208
0
                *mb++ = (uint32_t)(*ma++);
2209
0
            }
2210
0
        }
2211
0
        break;
2212
0
        case TIFF_LONG8:
2213
0
        {
2214
0
            uint64_t *ma;
2215
0
            uint32_t *mb;
2216
0
            uint32_t n;
2217
0
            ma = (uint64_t *)origdata;
2218
0
            mb = data;
2219
0
            for (n = 0; n < count; n++)
2220
0
            {
2221
0
                if (tif->tif_flags & TIFF_SWAB)
2222
0
                    TIFFSwabLong8(ma);
2223
0
                err = TIFFReadDirEntryCheckRangeLongLong8(*ma);
2224
0
                if (err != TIFFReadDirEntryErrOk)
2225
0
                    break;
2226
0
                *mb++ = (uint32_t)(*ma++);
2227
0
            }
2228
0
        }
2229
0
        break;
2230
0
        case TIFF_SLONG8:
2231
0
        {
2232
0
            int64_t *ma;
2233
0
            uint32_t *mb;
2234
0
            uint32_t n;
2235
0
            ma = (int64_t *)origdata;
2236
0
            mb = data;
2237
0
            for (n = 0; n < count; n++)
2238
0
            {
2239
0
                if (tif->tif_flags & TIFF_SWAB)
2240
0
                    TIFFSwabLong8((uint64_t *)ma);
2241
0
                err = TIFFReadDirEntryCheckRangeLongSlong8(*ma);
2242
0
                if (err != TIFFReadDirEntryErrOk)
2243
0
                    break;
2244
0
                *mb++ = (uint32_t)(*ma++);
2245
0
            }
2246
0
        }
2247
0
        break;
2248
0
    }
2249
0
    _TIFFfreeExt(tif, origdata);
2250
0
    if (err != TIFFReadDirEntryErrOk)
2251
0
    {
2252
0
        _TIFFfreeExt(tif, data);
2253
0
        return (err);
2254
0
    }
2255
0
    *value = data;
2256
0
    return (TIFFReadDirEntryErrOk);
2257
0
}
2258
2259
static enum TIFFReadDirEntryErr
2260
TIFFReadDirEntrySlongArray(TIFF *tif, TIFFDirEntry *direntry, int32_t **value)
2261
0
{
2262
0
    enum TIFFReadDirEntryErr err;
2263
0
    uint32_t count;
2264
0
    void *origdata;
2265
0
    int32_t *data;
2266
0
    switch (direntry->tdir_type)
2267
0
    {
2268
0
        case TIFF_BYTE:
2269
0
        case TIFF_SBYTE:
2270
0
        case TIFF_SHORT:
2271
0
        case TIFF_SSHORT:
2272
0
        case TIFF_LONG:
2273
0
        case TIFF_SLONG:
2274
0
        case TIFF_LONG8:
2275
0
        case TIFF_SLONG8:
2276
0
            break;
2277
0
        default:
2278
0
            return (TIFFReadDirEntryErrType);
2279
0
    }
2280
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2281
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2282
0
    {
2283
0
        *value = 0;
2284
0
        return (err);
2285
0
    }
2286
0
    switch (direntry->tdir_type)
2287
0
    {
2288
0
        case TIFF_LONG:
2289
0
        {
2290
0
            uint32_t *m;
2291
0
            uint32_t n;
2292
0
            m = (uint32_t *)origdata;
2293
0
            for (n = 0; n < count; n++)
2294
0
            {
2295
0
                if (tif->tif_flags & TIFF_SWAB)
2296
0
                    TIFFSwabLong((uint32_t *)m);
2297
0
                err = TIFFReadDirEntryCheckRangeSlongLong(*m);
2298
0
                if (err != TIFFReadDirEntryErrOk)
2299
0
                {
2300
0
                    _TIFFfreeExt(tif, origdata);
2301
0
                    return (err);
2302
0
                }
2303
0
                m++;
2304
0
            }
2305
0
            *value = (int32_t *)origdata;
2306
0
            return (TIFFReadDirEntryErrOk);
2307
0
        }
2308
0
        case TIFF_SLONG:
2309
0
            *value = (int32_t *)origdata;
2310
0
            if (tif->tif_flags & TIFF_SWAB)
2311
0
                TIFFSwabArrayOfLong((uint32_t *)(*value), count);
2312
0
            return (TIFFReadDirEntryErrOk);
2313
0
    }
2314
0
    data = (int32_t *)_TIFFmallocExt(tif, count * 4);
2315
0
    if (data == 0)
2316
0
    {
2317
0
        _TIFFfreeExt(tif, origdata);
2318
0
        return (TIFFReadDirEntryErrAlloc);
2319
0
    }
2320
0
    switch (direntry->tdir_type)
2321
0
    {
2322
0
        case TIFF_BYTE:
2323
0
        {
2324
0
            uint8_t *ma;
2325
0
            int32_t *mb;
2326
0
            uint32_t n;
2327
0
            ma = (uint8_t *)origdata;
2328
0
            mb = data;
2329
0
            for (n = 0; n < count; n++)
2330
0
                *mb++ = (int32_t)(*ma++);
2331
0
        }
2332
0
        break;
2333
0
        case TIFF_SBYTE:
2334
0
        {
2335
0
            int8_t *ma;
2336
0
            int32_t *mb;
2337
0
            uint32_t n;
2338
0
            ma = (int8_t *)origdata;
2339
0
            mb = data;
2340
0
            for (n = 0; n < count; n++)
2341
0
                *mb++ = (int32_t)(*ma++);
2342
0
        }
2343
0
        break;
2344
0
        case TIFF_SHORT:
2345
0
        {
2346
0
            uint16_t *ma;
2347
0
            int32_t *mb;
2348
0
            uint32_t n;
2349
0
            ma = (uint16_t *)origdata;
2350
0
            mb = data;
2351
0
            for (n = 0; n < count; n++)
2352
0
            {
2353
0
                if (tif->tif_flags & TIFF_SWAB)
2354
0
                    TIFFSwabShort(ma);
2355
0
                *mb++ = (int32_t)(*ma++);
2356
0
            }
2357
0
        }
2358
0
        break;
2359
0
        case TIFF_SSHORT:
2360
0
        {
2361
0
            int16_t *ma;
2362
0
            int32_t *mb;
2363
0
            uint32_t n;
2364
0
            ma = (int16_t *)origdata;
2365
0
            mb = data;
2366
0
            for (n = 0; n < count; n++)
2367
0
            {
2368
0
                if (tif->tif_flags & TIFF_SWAB)
2369
0
                    TIFFSwabShort((uint16_t *)ma);
2370
0
                *mb++ = (int32_t)(*ma++);
2371
0
            }
2372
0
        }
2373
0
        break;
2374
0
        case TIFF_LONG8:
2375
0
        {
2376
0
            uint64_t *ma;
2377
0
            int32_t *mb;
2378
0
            uint32_t n;
2379
0
            ma = (uint64_t *)origdata;
2380
0
            mb = data;
2381
0
            for (n = 0; n < count; n++)
2382
0
            {
2383
0
                if (tif->tif_flags & TIFF_SWAB)
2384
0
                    TIFFSwabLong8(ma);
2385
0
                err = TIFFReadDirEntryCheckRangeSlongLong8(*ma);
2386
0
                if (err != TIFFReadDirEntryErrOk)
2387
0
                    break;
2388
0
                *mb++ = (int32_t)(*ma++);
2389
0
            }
2390
0
        }
2391
0
        break;
2392
0
        case TIFF_SLONG8:
2393
0
        {
2394
0
            int64_t *ma;
2395
0
            int32_t *mb;
2396
0
            uint32_t n;
2397
0
            ma = (int64_t *)origdata;
2398
0
            mb = data;
2399
0
            for (n = 0; n < count; n++)
2400
0
            {
2401
0
                if (tif->tif_flags & TIFF_SWAB)
2402
0
                    TIFFSwabLong8((uint64_t *)ma);
2403
0
                err = TIFFReadDirEntryCheckRangeSlongSlong8(*ma);
2404
0
                if (err != TIFFReadDirEntryErrOk)
2405
0
                    break;
2406
0
                *mb++ = (int32_t)(*ma++);
2407
0
            }
2408
0
        }
2409
0
        break;
2410
0
    }
2411
0
    _TIFFfreeExt(tif, origdata);
2412
0
    if (err != TIFFReadDirEntryErrOk)
2413
0
    {
2414
0
        _TIFFfreeExt(tif, data);
2415
0
        return (err);
2416
0
    }
2417
0
    *value = data;
2418
0
    return (TIFFReadDirEntryErrOk);
2419
0
}
2420
2421
static enum TIFFReadDirEntryErr
2422
TIFFReadDirEntryLong8ArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
2423
                                    uint64_t **value, uint64_t maxcount)
2424
0
{
2425
0
    enum TIFFReadDirEntryErr err;
2426
0
    uint32_t count;
2427
0
    void *origdata;
2428
0
    uint64_t *data;
2429
0
    switch (direntry->tdir_type)
2430
0
    {
2431
0
        case TIFF_BYTE:
2432
0
        case TIFF_SBYTE:
2433
0
        case TIFF_SHORT:
2434
0
        case TIFF_SSHORT:
2435
0
        case TIFF_LONG:
2436
0
        case TIFF_SLONG:
2437
0
        case TIFF_LONG8:
2438
0
        case TIFF_SLONG8:
2439
0
            break;
2440
0
        default:
2441
0
            return (TIFFReadDirEntryErrType);
2442
0
    }
2443
0
    err = TIFFReadDirEntryArrayWithLimit(tif, direntry, &count, 8, &origdata,
2444
0
                                         maxcount);
2445
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2446
0
    {
2447
0
        *value = 0;
2448
0
        return (err);
2449
0
    }
2450
0
    switch (direntry->tdir_type)
2451
0
    {
2452
0
        case TIFF_LONG8:
2453
0
            *value = (uint64_t *)origdata;
2454
0
            if (tif->tif_flags & TIFF_SWAB)
2455
0
                TIFFSwabArrayOfLong8(*value, count);
2456
0
            return (TIFFReadDirEntryErrOk);
2457
0
        case TIFF_SLONG8:
2458
0
        {
2459
0
            int64_t *m;
2460
0
            uint32_t n;
2461
0
            m = (int64_t *)origdata;
2462
0
            for (n = 0; n < count; n++)
2463
0
            {
2464
0
                if (tif->tif_flags & TIFF_SWAB)
2465
0
                    TIFFSwabLong8((uint64_t *)m);
2466
0
                err = TIFFReadDirEntryCheckRangeLong8Slong8(*m);
2467
0
                if (err != TIFFReadDirEntryErrOk)
2468
0
                {
2469
0
                    _TIFFfreeExt(tif, origdata);
2470
0
                    return (err);
2471
0
                }
2472
0
                m++;
2473
0
            }
2474
0
            *value = (uint64_t *)origdata;
2475
0
            return (TIFFReadDirEntryErrOk);
2476
0
        }
2477
0
    }
2478
0
    data = (uint64_t *)_TIFFmallocExt(tif, count * 8);
2479
0
    if (data == 0)
2480
0
    {
2481
0
        _TIFFfreeExt(tif, origdata);
2482
0
        return (TIFFReadDirEntryErrAlloc);
2483
0
    }
2484
0
    switch (direntry->tdir_type)
2485
0
    {
2486
0
        case TIFF_BYTE:
2487
0
        {
2488
0
            uint8_t *ma;
2489
0
            uint64_t *mb;
2490
0
            uint32_t n;
2491
0
            ma = (uint8_t *)origdata;
2492
0
            mb = data;
2493
0
            for (n = 0; n < count; n++)
2494
0
                *mb++ = (uint64_t)(*ma++);
2495
0
        }
2496
0
        break;
2497
0
        case TIFF_SBYTE:
2498
0
        {
2499
0
            int8_t *ma;
2500
0
            uint64_t *mb;
2501
0
            uint32_t n;
2502
0
            ma = (int8_t *)origdata;
2503
0
            mb = data;
2504
0
            for (n = 0; n < count; n++)
2505
0
            {
2506
0
                err = TIFFReadDirEntryCheckRangeLong8Sbyte(*ma);
2507
0
                if (err != TIFFReadDirEntryErrOk)
2508
0
                    break;
2509
0
                *mb++ = (uint64_t)(*ma++);
2510
0
            }
2511
0
        }
2512
0
        break;
2513
0
        case TIFF_SHORT:
2514
0
        {
2515
0
            uint16_t *ma;
2516
0
            uint64_t *mb;
2517
0
            uint32_t n;
2518
0
            ma = (uint16_t *)origdata;
2519
0
            mb = data;
2520
0
            for (n = 0; n < count; n++)
2521
0
            {
2522
0
                if (tif->tif_flags & TIFF_SWAB)
2523
0
                    TIFFSwabShort(ma);
2524
0
                *mb++ = (uint64_t)(*ma++);
2525
0
            }
2526
0
        }
2527
0
        break;
2528
0
        case TIFF_SSHORT:
2529
0
        {
2530
0
            int16_t *ma;
2531
0
            uint64_t *mb;
2532
0
            uint32_t n;
2533
0
            ma = (int16_t *)origdata;
2534
0
            mb = data;
2535
0
            for (n = 0; n < count; n++)
2536
0
            {
2537
0
                if (tif->tif_flags & TIFF_SWAB)
2538
0
                    TIFFSwabShort((uint16_t *)ma);
2539
0
                err = TIFFReadDirEntryCheckRangeLong8Sshort(*ma);
2540
0
                if (err != TIFFReadDirEntryErrOk)
2541
0
                    break;
2542
0
                *mb++ = (uint64_t)(*ma++);
2543
0
            }
2544
0
        }
2545
0
        break;
2546
0
        case TIFF_LONG:
2547
0
        {
2548
0
            uint32_t *ma;
2549
0
            uint64_t *mb;
2550
0
            uint32_t n;
2551
0
            ma = (uint32_t *)origdata;
2552
0
            mb = data;
2553
0
            for (n = 0; n < count; n++)
2554
0
            {
2555
0
                if (tif->tif_flags & TIFF_SWAB)
2556
0
                    TIFFSwabLong(ma);
2557
0
                *mb++ = (uint64_t)(*ma++);
2558
0
            }
2559
0
        }
2560
0
        break;
2561
0
        case TIFF_SLONG:
2562
0
        {
2563
0
            int32_t *ma;
2564
0
            uint64_t *mb;
2565
0
            uint32_t n;
2566
0
            ma = (int32_t *)origdata;
2567
0
            mb = data;
2568
0
            for (n = 0; n < count; n++)
2569
0
            {
2570
0
                if (tif->tif_flags & TIFF_SWAB)
2571
0
                    TIFFSwabLong((uint32_t *)ma);
2572
0
                err = TIFFReadDirEntryCheckRangeLong8Slong(*ma);
2573
0
                if (err != TIFFReadDirEntryErrOk)
2574
0
                    break;
2575
0
                *mb++ = (uint64_t)(*ma++);
2576
0
            }
2577
0
        }
2578
0
        break;
2579
0
    }
2580
0
    _TIFFfreeExt(tif, origdata);
2581
0
    if (err != TIFFReadDirEntryErrOk)
2582
0
    {
2583
0
        _TIFFfreeExt(tif, data);
2584
0
        return (err);
2585
0
    }
2586
0
    *value = data;
2587
0
    return (TIFFReadDirEntryErrOk);
2588
0
}
2589
2590
static enum TIFFReadDirEntryErr
2591
TIFFReadDirEntryLong8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value)
2592
0
{
2593
0
    return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value,
2594
0
                                               ~((uint64_t)0));
2595
0
}
2596
2597
static enum TIFFReadDirEntryErr
2598
TIFFReadDirEntrySlong8Array(TIFF *tif, TIFFDirEntry *direntry, int64_t **value)
2599
0
{
2600
0
    enum TIFFReadDirEntryErr err;
2601
0
    uint32_t count;
2602
0
    void *origdata;
2603
0
    int64_t *data;
2604
0
    switch (direntry->tdir_type)
2605
0
    {
2606
0
        case TIFF_BYTE:
2607
0
        case TIFF_SBYTE:
2608
0
        case TIFF_SHORT:
2609
0
        case TIFF_SSHORT:
2610
0
        case TIFF_LONG:
2611
0
        case TIFF_SLONG:
2612
0
        case TIFF_LONG8:
2613
0
        case TIFF_SLONG8:
2614
0
            break;
2615
0
        default:
2616
0
            return (TIFFReadDirEntryErrType);
2617
0
    }
2618
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
2619
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2620
0
    {
2621
0
        *value = 0;
2622
0
        return (err);
2623
0
    }
2624
0
    switch (direntry->tdir_type)
2625
0
    {
2626
0
        case TIFF_LONG8:
2627
0
        {
2628
0
            uint64_t *m;
2629
0
            uint32_t n;
2630
0
            m = (uint64_t *)origdata;
2631
0
            for (n = 0; n < count; n++)
2632
0
            {
2633
0
                if (tif->tif_flags & TIFF_SWAB)
2634
0
                    TIFFSwabLong8(m);
2635
0
                err = TIFFReadDirEntryCheckRangeSlong8Long8(*m);
2636
0
                if (err != TIFFReadDirEntryErrOk)
2637
0
                {
2638
0
                    _TIFFfreeExt(tif, origdata);
2639
0
                    return (err);
2640
0
                }
2641
0
                m++;
2642
0
            }
2643
0
            *value = (int64_t *)origdata;
2644
0
            return (TIFFReadDirEntryErrOk);
2645
0
        }
2646
0
        case TIFF_SLONG8:
2647
0
            *value = (int64_t *)origdata;
2648
0
            if (tif->tif_flags & TIFF_SWAB)
2649
0
                TIFFSwabArrayOfLong8((uint64_t *)(*value), count);
2650
0
            return (TIFFReadDirEntryErrOk);
2651
0
    }
2652
0
    data = (int64_t *)_TIFFmallocExt(tif, count * 8);
2653
0
    if (data == 0)
2654
0
    {
2655
0
        _TIFFfreeExt(tif, origdata);
2656
0
        return (TIFFReadDirEntryErrAlloc);
2657
0
    }
2658
0
    switch (direntry->tdir_type)
2659
0
    {
2660
0
        case TIFF_BYTE:
2661
0
        {
2662
0
            uint8_t *ma;
2663
0
            int64_t *mb;
2664
0
            uint32_t n;
2665
0
            ma = (uint8_t *)origdata;
2666
0
            mb = data;
2667
0
            for (n = 0; n < count; n++)
2668
0
                *mb++ = (int64_t)(*ma++);
2669
0
        }
2670
0
        break;
2671
0
        case TIFF_SBYTE:
2672
0
        {
2673
0
            int8_t *ma;
2674
0
            int64_t *mb;
2675
0
            uint32_t n;
2676
0
            ma = (int8_t *)origdata;
2677
0
            mb = data;
2678
0
            for (n = 0; n < count; n++)
2679
0
                *mb++ = (int64_t)(*ma++);
2680
0
        }
2681
0
        break;
2682
0
        case TIFF_SHORT:
2683
0
        {
2684
0
            uint16_t *ma;
2685
0
            int64_t *mb;
2686
0
            uint32_t n;
2687
0
            ma = (uint16_t *)origdata;
2688
0
            mb = data;
2689
0
            for (n = 0; n < count; n++)
2690
0
            {
2691
0
                if (tif->tif_flags & TIFF_SWAB)
2692
0
                    TIFFSwabShort(ma);
2693
0
                *mb++ = (int64_t)(*ma++);
2694
0
            }
2695
0
        }
2696
0
        break;
2697
0
        case TIFF_SSHORT:
2698
0
        {
2699
0
            int16_t *ma;
2700
0
            int64_t *mb;
2701
0
            uint32_t n;
2702
0
            ma = (int16_t *)origdata;
2703
0
            mb = data;
2704
0
            for (n = 0; n < count; n++)
2705
0
            {
2706
0
                if (tif->tif_flags & TIFF_SWAB)
2707
0
                    TIFFSwabShort((uint16_t *)ma);
2708
0
                *mb++ = (int64_t)(*ma++);
2709
0
            }
2710
0
        }
2711
0
        break;
2712
0
        case TIFF_LONG:
2713
0
        {
2714
0
            uint32_t *ma;
2715
0
            int64_t *mb;
2716
0
            uint32_t n;
2717
0
            ma = (uint32_t *)origdata;
2718
0
            mb = data;
2719
0
            for (n = 0; n < count; n++)
2720
0
            {
2721
0
                if (tif->tif_flags & TIFF_SWAB)
2722
0
                    TIFFSwabLong(ma);
2723
0
                *mb++ = (int64_t)(*ma++);
2724
0
            }
2725
0
        }
2726
0
        break;
2727
0
        case TIFF_SLONG:
2728
0
        {
2729
0
            int32_t *ma;
2730
0
            int64_t *mb;
2731
0
            uint32_t n;
2732
0
            ma = (int32_t *)origdata;
2733
0
            mb = data;
2734
0
            for (n = 0; n < count; n++)
2735
0
            {
2736
0
                if (tif->tif_flags & TIFF_SWAB)
2737
0
                    TIFFSwabLong((uint32_t *)ma);
2738
0
                *mb++ = (int64_t)(*ma++);
2739
0
            }
2740
0
        }
2741
0
        break;
2742
0
    }
2743
0
    _TIFFfreeExt(tif, origdata);
2744
0
    *value = data;
2745
0
    return (TIFFReadDirEntryErrOk);
2746
0
}
2747
2748
static enum TIFFReadDirEntryErr
2749
TIFFReadDirEntryFloatArray(TIFF *tif, TIFFDirEntry *direntry, float **value)
2750
0
{
2751
0
    enum TIFFReadDirEntryErr err;
2752
0
    uint32_t count;
2753
0
    void *origdata;
2754
0
    float *data;
2755
0
    switch (direntry->tdir_type)
2756
0
    {
2757
0
        case TIFF_BYTE:
2758
0
        case TIFF_SBYTE:
2759
0
        case TIFF_SHORT:
2760
0
        case TIFF_SSHORT:
2761
0
        case TIFF_LONG:
2762
0
        case TIFF_SLONG:
2763
0
        case TIFF_LONG8:
2764
0
        case TIFF_SLONG8:
2765
0
        case TIFF_RATIONAL:
2766
0
        case TIFF_SRATIONAL:
2767
0
        case TIFF_FLOAT:
2768
0
        case TIFF_DOUBLE:
2769
0
            break;
2770
0
        default:
2771
0
            return (TIFFReadDirEntryErrType);
2772
0
    }
2773
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2774
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2775
0
    {
2776
0
        *value = 0;
2777
0
        return (err);
2778
0
    }
2779
0
    switch (direntry->tdir_type)
2780
0
    {
2781
0
        case TIFF_FLOAT:
2782
0
            if (tif->tif_flags & TIFF_SWAB)
2783
0
                TIFFSwabArrayOfLong((uint32_t *)origdata, count);
2784
0
            TIFFCvtIEEEDoubleToNative(tif, count, (float *)origdata);
2785
0
            *value = (float *)origdata;
2786
0
            return (TIFFReadDirEntryErrOk);
2787
0
    }
2788
0
    data = (float *)_TIFFmallocExt(tif, count * sizeof(float));
2789
0
    if (data == 0)
2790
0
    {
2791
0
        _TIFFfreeExt(tif, origdata);
2792
0
        return (TIFFReadDirEntryErrAlloc);
2793
0
    }
2794
0
    switch (direntry->tdir_type)
2795
0
    {
2796
0
        case TIFF_BYTE:
2797
0
        {
2798
0
            uint8_t *ma;
2799
0
            float *mb;
2800
0
            uint32_t n;
2801
0
            ma = (uint8_t *)origdata;
2802
0
            mb = data;
2803
0
            for (n = 0; n < count; n++)
2804
0
                *mb++ = (float)(*ma++);
2805
0
        }
2806
0
        break;
2807
0
        case TIFF_SBYTE:
2808
0
        {
2809
0
            int8_t *ma;
2810
0
            float *mb;
2811
0
            uint32_t n;
2812
0
            ma = (int8_t *)origdata;
2813
0
            mb = data;
2814
0
            for (n = 0; n < count; n++)
2815
0
                *mb++ = (float)(*ma++);
2816
0
        }
2817
0
        break;
2818
0
        case TIFF_SHORT:
2819
0
        {
2820
0
            uint16_t *ma;
2821
0
            float *mb;
2822
0
            uint32_t n;
2823
0
            ma = (uint16_t *)origdata;
2824
0
            mb = data;
2825
0
            for (n = 0; n < count; n++)
2826
0
            {
2827
0
                if (tif->tif_flags & TIFF_SWAB)
2828
0
                    TIFFSwabShort(ma);
2829
0
                *mb++ = (float)(*ma++);
2830
0
            }
2831
0
        }
2832
0
        break;
2833
0
        case TIFF_SSHORT:
2834
0
        {
2835
0
            int16_t *ma;
2836
0
            float *mb;
2837
0
            uint32_t n;
2838
0
            ma = (int16_t *)origdata;
2839
0
            mb = data;
2840
0
            for (n = 0; n < count; n++)
2841
0
            {
2842
0
                if (tif->tif_flags & TIFF_SWAB)
2843
0
                    TIFFSwabShort((uint16_t *)ma);
2844
0
                *mb++ = (float)(*ma++);
2845
0
            }
2846
0
        }
2847
0
        break;
2848
0
        case TIFF_LONG:
2849
0
        {
2850
0
            uint32_t *ma;
2851
0
            float *mb;
2852
0
            uint32_t n;
2853
0
            ma = (uint32_t *)origdata;
2854
0
            mb = data;
2855
0
            for (n = 0; n < count; n++)
2856
0
            {
2857
0
                if (tif->tif_flags & TIFF_SWAB)
2858
0
                    TIFFSwabLong(ma);
2859
0
                *mb++ = (float)(*ma++);
2860
0
            }
2861
0
        }
2862
0
        break;
2863
0
        case TIFF_SLONG:
2864
0
        {
2865
0
            int32_t *ma;
2866
0
            float *mb;
2867
0
            uint32_t n;
2868
0
            ma = (int32_t *)origdata;
2869
0
            mb = data;
2870
0
            for (n = 0; n < count; n++)
2871
0
            {
2872
0
                if (tif->tif_flags & TIFF_SWAB)
2873
0
                    TIFFSwabLong((uint32_t *)ma);
2874
0
                *mb++ = (float)(*ma++);
2875
0
            }
2876
0
        }
2877
0
        break;
2878
0
        case TIFF_LONG8:
2879
0
        {
2880
0
            uint64_t *ma;
2881
0
            float *mb;
2882
0
            uint32_t n;
2883
0
            ma = (uint64_t *)origdata;
2884
0
            mb = data;
2885
0
            for (n = 0; n < count; n++)
2886
0
            {
2887
0
                if (tif->tif_flags & TIFF_SWAB)
2888
0
                    TIFFSwabLong8(ma);
2889
0
                *mb++ = (float)(*ma++);
2890
0
            }
2891
0
        }
2892
0
        break;
2893
0
        case TIFF_SLONG8:
2894
0
        {
2895
0
            int64_t *ma;
2896
0
            float *mb;
2897
0
            uint32_t n;
2898
0
            ma = (int64_t *)origdata;
2899
0
            mb = data;
2900
0
            for (n = 0; n < count; n++)
2901
0
            {
2902
0
                if (tif->tif_flags & TIFF_SWAB)
2903
0
                    TIFFSwabLong8((uint64_t *)ma);
2904
0
                *mb++ = (float)(*ma++);
2905
0
            }
2906
0
        }
2907
0
        break;
2908
0
        case TIFF_RATIONAL:
2909
0
        {
2910
0
            uint32_t *ma;
2911
0
            uint32_t maa;
2912
0
            uint32_t mab;
2913
0
            float *mb;
2914
0
            uint32_t n;
2915
0
            ma = (uint32_t *)origdata;
2916
0
            mb = data;
2917
0
            for (n = 0; n < count; n++)
2918
0
            {
2919
0
                if (tif->tif_flags & TIFF_SWAB)
2920
0
                    TIFFSwabLong(ma);
2921
0
                maa = *ma++;
2922
0
                if (tif->tif_flags & TIFF_SWAB)
2923
0
                    TIFFSwabLong(ma);
2924
0
                mab = *ma++;
2925
0
                if (mab == 0)
2926
0
                    *mb++ = 0.0;
2927
0
                else
2928
0
                    *mb++ = (float)maa / (float)mab;
2929
0
            }
2930
0
        }
2931
0
        break;
2932
0
        case TIFF_SRATIONAL:
2933
0
        {
2934
0
            uint32_t *ma;
2935
0
            int32_t maa;
2936
0
            uint32_t mab;
2937
0
            float *mb;
2938
0
            uint32_t n;
2939
0
            ma = (uint32_t *)origdata;
2940
0
            mb = data;
2941
0
            for (n = 0; n < count; n++)
2942
0
            {
2943
0
                if (tif->tif_flags & TIFF_SWAB)
2944
0
                    TIFFSwabLong(ma);
2945
0
                maa = *(int32_t *)ma;
2946
0
                ma++;
2947
0
                if (tif->tif_flags & TIFF_SWAB)
2948
0
                    TIFFSwabLong(ma);
2949
0
                mab = *ma++;
2950
0
                if (mab == 0)
2951
0
                    *mb++ = 0.0;
2952
0
                else
2953
0
                    *mb++ = (float)maa / (float)mab;
2954
0
            }
2955
0
        }
2956
0
        break;
2957
0
        case TIFF_DOUBLE:
2958
0
        {
2959
0
            double *ma;
2960
0
            float *mb;
2961
0
            uint32_t n;
2962
0
            if (tif->tif_flags & TIFF_SWAB)
2963
0
                TIFFSwabArrayOfLong8((uint64_t *)origdata, count);
2964
0
            TIFFCvtIEEEDoubleToNative(tif, count, (double *)origdata);
2965
0
            ma = (double *)origdata;
2966
0
            mb = data;
2967
0
            for (n = 0; n < count; n++)
2968
0
            {
2969
0
                double val = *ma++;
2970
0
                if (val > FLT_MAX)
2971
0
                    val = FLT_MAX;
2972
0
                else if (val < -FLT_MAX)
2973
0
                    val = -FLT_MAX;
2974
0
                *mb++ = (float)val;
2975
0
            }
2976
0
        }
2977
0
        break;
2978
0
    }
2979
0
    _TIFFfreeExt(tif, origdata);
2980
0
    *value = data;
2981
0
    return (TIFFReadDirEntryErrOk);
2982
0
}
2983
2984
static enum TIFFReadDirEntryErr
2985
TIFFReadDirEntryDoubleArray(TIFF *tif, TIFFDirEntry *direntry, double **value)
2986
0
{
2987
0
    enum TIFFReadDirEntryErr err;
2988
0
    uint32_t count;
2989
0
    void *origdata;
2990
0
    double *data;
2991
0
    switch (direntry->tdir_type)
2992
0
    {
2993
0
        case TIFF_BYTE:
2994
0
        case TIFF_SBYTE:
2995
0
        case TIFF_SHORT:
2996
0
        case TIFF_SSHORT:
2997
0
        case TIFF_LONG:
2998
0
        case TIFF_SLONG:
2999
0
        case TIFF_LONG8:
3000
0
        case TIFF_SLONG8:
3001
0
        case TIFF_RATIONAL:
3002
0
        case TIFF_SRATIONAL:
3003
0
        case TIFF_FLOAT:
3004
0
        case TIFF_DOUBLE:
3005
0
            break;
3006
0
        default:
3007
0
            return (TIFFReadDirEntryErrType);
3008
0
    }
3009
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
3010
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
3011
0
    {
3012
0
        *value = 0;
3013
0
        return (err);
3014
0
    }
3015
0
    switch (direntry->tdir_type)
3016
0
    {
3017
0
        case TIFF_DOUBLE:
3018
0
            if (tif->tif_flags & TIFF_SWAB)
3019
0
                TIFFSwabArrayOfLong8((uint64_t *)origdata, count);
3020
0
            TIFFCvtIEEEDoubleToNative(tif, count, (double *)origdata);
3021
0
            *value = (double *)origdata;
3022
0
            return (TIFFReadDirEntryErrOk);
3023
0
    }
3024
0
    data = (double *)_TIFFmallocExt(tif, count * sizeof(double));
3025
0
    if (data == 0)
3026
0
    {
3027
0
        _TIFFfreeExt(tif, origdata);
3028
0
        return (TIFFReadDirEntryErrAlloc);
3029
0
    }
3030
0
    switch (direntry->tdir_type)
3031
0
    {
3032
0
        case TIFF_BYTE:
3033
0
        {
3034
0
            uint8_t *ma;
3035
0
            double *mb;
3036
0
            uint32_t n;
3037
0
            ma = (uint8_t *)origdata;
3038
0
            mb = data;
3039
0
            for (n = 0; n < count; n++)
3040
0
                *mb++ = (double)(*ma++);
3041
0
        }
3042
0
        break;
3043
0
        case TIFF_SBYTE:
3044
0
        {
3045
0
            int8_t *ma;
3046
0
            double *mb;
3047
0
            uint32_t n;
3048
0
            ma = (int8_t *)origdata;
3049
0
            mb = data;
3050
0
            for (n = 0; n < count; n++)
3051
0
                *mb++ = (double)(*ma++);
3052
0
        }
3053
0
        break;
3054
0
        case TIFF_SHORT:
3055
0
        {
3056
0
            uint16_t *ma;
3057
0
            double *mb;
3058
0
            uint32_t n;
3059
0
            ma = (uint16_t *)origdata;
3060
0
            mb = data;
3061
0
            for (n = 0; n < count; n++)
3062
0
            {
3063
0
                if (tif->tif_flags & TIFF_SWAB)
3064
0
                    TIFFSwabShort(ma);
3065
0
                *mb++ = (double)(*ma++);
3066
0
            }
3067
0
        }
3068
0
        break;
3069
0
        case TIFF_SSHORT:
3070
0
        {
3071
0
            int16_t *ma;
3072
0
            double *mb;
3073
0
            uint32_t n;
3074
0
            ma = (int16_t *)origdata;
3075
0
            mb = data;
3076
0
            for (n = 0; n < count; n++)
3077
0
            {
3078
0
                if (tif->tif_flags & TIFF_SWAB)
3079
0
                    TIFFSwabShort((uint16_t *)ma);
3080
0
                *mb++ = (double)(*ma++);
3081
0
            }
3082
0
        }
3083
0
        break;
3084
0
        case TIFF_LONG:
3085
0
        {
3086
0
            uint32_t *ma;
3087
0
            double *mb;
3088
0
            uint32_t n;
3089
0
            ma = (uint32_t *)origdata;
3090
0
            mb = data;
3091
0
            for (n = 0; n < count; n++)
3092
0
            {
3093
0
                if (tif->tif_flags & TIFF_SWAB)
3094
0
                    TIFFSwabLong(ma);
3095
0
                *mb++ = (double)(*ma++);
3096
0
            }
3097
0
        }
3098
0
        break;
3099
0
        case TIFF_SLONG:
3100
0
        {
3101
0
            int32_t *ma;
3102
0
            double *mb;
3103
0
            uint32_t n;
3104
0
            ma = (int32_t *)origdata;
3105
0
            mb = data;
3106
0
            for (n = 0; n < count; n++)
3107
0
            {
3108
0
                if (tif->tif_flags & TIFF_SWAB)
3109
0
                    TIFFSwabLong((uint32_t *)ma);
3110
0
                *mb++ = (double)(*ma++);
3111
0
            }
3112
0
        }
3113
0
        break;
3114
0
        case TIFF_LONG8:
3115
0
        {
3116
0
            uint64_t *ma;
3117
0
            double *mb;
3118
0
            uint32_t n;
3119
0
            ma = (uint64_t *)origdata;
3120
0
            mb = data;
3121
0
            for (n = 0; n < count; n++)
3122
0
            {
3123
0
                if (tif->tif_flags & TIFF_SWAB)
3124
0
                    TIFFSwabLong8(ma);
3125
0
                *mb++ = (double)(*ma++);
3126
0
            }
3127
0
        }
3128
0
        break;
3129
0
        case TIFF_SLONG8:
3130
0
        {
3131
0
            int64_t *ma;
3132
0
            double *mb;
3133
0
            uint32_t n;
3134
0
            ma = (int64_t *)origdata;
3135
0
            mb = data;
3136
0
            for (n = 0; n < count; n++)
3137
0
            {
3138
0
                if (tif->tif_flags & TIFF_SWAB)
3139
0
                    TIFFSwabLong8((uint64_t *)ma);
3140
0
                *mb++ = (double)(*ma++);
3141
0
            }
3142
0
        }
3143
0
        break;
3144
0
        case TIFF_RATIONAL:
3145
0
        {
3146
0
            uint32_t *ma;
3147
0
            uint32_t maa;
3148
0
            uint32_t mab;
3149
0
            double *mb;
3150
0
            uint32_t n;
3151
0
            ma = (uint32_t *)origdata;
3152
0
            mb = data;
3153
0
            for (n = 0; n < count; n++)
3154
0
            {
3155
0
                if (tif->tif_flags & TIFF_SWAB)
3156
0
                    TIFFSwabLong(ma);
3157
0
                maa = *ma++;
3158
0
                if (tif->tif_flags & TIFF_SWAB)
3159
0
                    TIFFSwabLong(ma);
3160
0
                mab = *ma++;
3161
0
                if (mab == 0)
3162
0
                    *mb++ = 0.0;
3163
0
                else
3164
0
                    *mb++ = (double)maa / (double)mab;
3165
0
            }
3166
0
        }
3167
0
        break;
3168
0
        case TIFF_SRATIONAL:
3169
0
        {
3170
0
            uint32_t *ma;
3171
0
            int32_t maa;
3172
0
            uint32_t mab;
3173
0
            double *mb;
3174
0
            uint32_t n;
3175
0
            ma = (uint32_t *)origdata;
3176
0
            mb = data;
3177
0
            for (n = 0; n < count; n++)
3178
0
            {
3179
0
                if (tif->tif_flags & TIFF_SWAB)
3180
0
                    TIFFSwabLong(ma);
3181
0
                maa = *(int32_t *)ma;
3182
0
                ma++;
3183
0
                if (tif->tif_flags & TIFF_SWAB)
3184
0
                    TIFFSwabLong(ma);
3185
0
                mab = *ma++;
3186
0
                if (mab == 0)
3187
0
                    *mb++ = 0.0;
3188
0
                else
3189
0
                    *mb++ = (double)maa / (double)mab;
3190
0
            }
3191
0
        }
3192
0
        break;
3193
0
        case TIFF_FLOAT:
3194
0
        {
3195
0
            float *ma;
3196
0
            double *mb;
3197
0
            uint32_t n;
3198
0
            if (tif->tif_flags & TIFF_SWAB)
3199
0
                TIFFSwabArrayOfLong((uint32_t *)origdata, count);
3200
0
            TIFFCvtIEEEFloatToNative(tif, count, (float *)origdata);
3201
0
            ma = (float *)origdata;
3202
0
            mb = data;
3203
0
            for (n = 0; n < count; n++)
3204
0
                *mb++ = (double)(*ma++);
3205
0
        }
3206
0
        break;
3207
0
    }
3208
0
    _TIFFfreeExt(tif, origdata);
3209
0
    *value = data;
3210
0
    return (TIFFReadDirEntryErrOk);
3211
0
}
3212
3213
static enum TIFFReadDirEntryErr
3214
TIFFReadDirEntryIfd8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value)
3215
0
{
3216
0
    enum TIFFReadDirEntryErr err;
3217
0
    uint32_t count;
3218
0
    void *origdata;
3219
0
    uint64_t *data;
3220
0
    switch (direntry->tdir_type)
3221
0
    {
3222
0
        case TIFF_LONG:
3223
0
        case TIFF_LONG8:
3224
0
        case TIFF_IFD:
3225
0
        case TIFF_IFD8:
3226
0
            break;
3227
0
        default:
3228
0
            return (TIFFReadDirEntryErrType);
3229
0
    }
3230
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
3231
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
3232
0
    {
3233
0
        *value = 0;
3234
0
        return (err);
3235
0
    }
3236
0
    switch (direntry->tdir_type)
3237
0
    {
3238
0
        case TIFF_LONG8:
3239
0
        case TIFF_IFD8:
3240
0
            *value = (uint64_t *)origdata;
3241
0
            if (tif->tif_flags & TIFF_SWAB)
3242
0
                TIFFSwabArrayOfLong8(*value, count);
3243
0
            return (TIFFReadDirEntryErrOk);
3244
0
    }
3245
0
    data = (uint64_t *)_TIFFmallocExt(tif, count * 8);
3246
0
    if (data == 0)
3247
0
    {
3248
0
        _TIFFfreeExt(tif, origdata);
3249
0
        return (TIFFReadDirEntryErrAlloc);
3250
0
    }
3251
0
    switch (direntry->tdir_type)
3252
0
    {
3253
0
        case TIFF_LONG:
3254
0
        case TIFF_IFD:
3255
0
        {
3256
0
            uint32_t *ma;
3257
0
            uint64_t *mb;
3258
0
            uint32_t n;
3259
0
            ma = (uint32_t *)origdata;
3260
0
            mb = data;
3261
0
            for (n = 0; n < count; n++)
3262
0
            {
3263
0
                if (tif->tif_flags & TIFF_SWAB)
3264
0
                    TIFFSwabLong(ma);
3265
0
                *mb++ = (uint64_t)(*ma++);
3266
0
            }
3267
0
        }
3268
0
        break;
3269
0
    }
3270
0
    _TIFFfreeExt(tif, origdata);
3271
0
    *value = data;
3272
0
    return (TIFFReadDirEntryErrOk);
3273
0
}
3274
3275
static enum TIFFReadDirEntryErr
3276
TIFFReadDirEntryPersampleShort(TIFF *tif, TIFFDirEntry *direntry,
3277
                               uint16_t *value)
3278
0
{
3279
0
    enum TIFFReadDirEntryErr err;
3280
0
    uint16_t *m;
3281
0
    uint16_t *na;
3282
0
    uint16_t nb;
3283
0
    if (direntry->tdir_count < (uint64_t)tif->tif_dir.td_samplesperpixel)
3284
0
        return (TIFFReadDirEntryErrCount);
3285
0
    err = TIFFReadDirEntryShortArray(tif, direntry, &m);
3286
0
    if (err != TIFFReadDirEntryErrOk || m == NULL)
3287
0
        return (err);
3288
0
    na = m;
3289
0
    nb = tif->tif_dir.td_samplesperpixel;
3290
0
    *value = *na++;
3291
0
    nb--;
3292
0
    while (nb > 0)
3293
0
    {
3294
0
        if (*na++ != *value)
3295
0
        {
3296
0
            err = TIFFReadDirEntryErrPsdif;
3297
0
            break;
3298
0
        }
3299
0
        nb--;
3300
0
    }
3301
0
    _TIFFfreeExt(tif, m);
3302
0
    return (err);
3303
0
}
3304
3305
static void TIFFReadDirEntryCheckedByte(TIFF *tif, TIFFDirEntry *direntry,
3306
                                        uint8_t *value)
3307
0
{
3308
0
    (void)tif;
3309
0
    *value = *(uint8_t *)(&direntry->tdir_offset);
3310
0
}
3311
3312
static void TIFFReadDirEntryCheckedSbyte(TIFF *tif, TIFFDirEntry *direntry,
3313
                                         int8_t *value)
3314
0
{
3315
0
    (void)tif;
3316
0
    *value = *(int8_t *)(&direntry->tdir_offset);
3317
0
}
3318
3319
static void TIFFReadDirEntryCheckedShort(TIFF *tif, TIFFDirEntry *direntry,
3320
                                         uint16_t *value)
3321
0
{
3322
0
    *value = direntry->tdir_offset.toff_short;
3323
    /* *value=*(uint16_t*)(&direntry->tdir_offset); */
3324
0
    if (tif->tif_flags & TIFF_SWAB)
3325
0
        TIFFSwabShort(value);
3326
0
}
3327
3328
static void TIFFReadDirEntryCheckedSshort(TIFF *tif, TIFFDirEntry *direntry,
3329
                                          int16_t *value)
3330
0
{
3331
0
    *value = *(int16_t *)(&direntry->tdir_offset);
3332
0
    if (tif->tif_flags & TIFF_SWAB)
3333
0
        TIFFSwabShort((uint16_t *)value);
3334
0
}
3335
3336
static void TIFFReadDirEntryCheckedLong(TIFF *tif, TIFFDirEntry *direntry,
3337
                                        uint32_t *value)
3338
0
{
3339
0
    *value = *(uint32_t *)(&direntry->tdir_offset);
3340
0
    if (tif->tif_flags & TIFF_SWAB)
3341
0
        TIFFSwabLong(value);
3342
0
}
3343
3344
static void TIFFReadDirEntryCheckedSlong(TIFF *tif, TIFFDirEntry *direntry,
3345
                                         int32_t *value)
3346
0
{
3347
0
    *value = *(int32_t *)(&direntry->tdir_offset);
3348
0
    if (tif->tif_flags & TIFF_SWAB)
3349
0
        TIFFSwabLong((uint32_t *)value);
3350
0
}
3351
3352
static enum TIFFReadDirEntryErr
3353
TIFFReadDirEntryCheckedLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
3354
0
{
3355
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3356
0
    {
3357
0
        enum TIFFReadDirEntryErr err;
3358
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3359
0
        if (tif->tif_flags & TIFF_SWAB)
3360
0
            TIFFSwabLong(&offset);
3361
0
        err = TIFFReadDirEntryData(tif, offset, 8, value);
3362
0
        if (err != TIFFReadDirEntryErrOk)
3363
0
            return (err);
3364
0
    }
3365
0
    else
3366
0
        *value = direntry->tdir_offset.toff_long8;
3367
0
    if (tif->tif_flags & TIFF_SWAB)
3368
0
        TIFFSwabLong8(value);
3369
0
    return (TIFFReadDirEntryErrOk);
3370
0
}
3371
3372
static enum TIFFReadDirEntryErr
3373
TIFFReadDirEntryCheckedSlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value)
3374
0
{
3375
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3376
0
    {
3377
0
        enum TIFFReadDirEntryErr err;
3378
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3379
0
        if (tif->tif_flags & TIFF_SWAB)
3380
0
            TIFFSwabLong(&offset);
3381
0
        err = TIFFReadDirEntryData(tif, offset, 8, value);
3382
0
        if (err != TIFFReadDirEntryErrOk)
3383
0
            return (err);
3384
0
    }
3385
0
    else
3386
0
        *value = *(int64_t *)(&direntry->tdir_offset);
3387
0
    if (tif->tif_flags & TIFF_SWAB)
3388
0
        TIFFSwabLong8((uint64_t *)value);
3389
0
    return (TIFFReadDirEntryErrOk);
3390
0
}
3391
3392
static enum TIFFReadDirEntryErr
3393
TIFFReadDirEntryCheckedRational(TIFF *tif, TIFFDirEntry *direntry,
3394
                                double *value)
3395
0
{
3396
0
    UInt64Aligned_t m;
3397
3398
0
    assert(sizeof(double) == 8);
3399
0
    assert(sizeof(uint64_t) == 8);
3400
0
    assert(sizeof(uint32_t) == 4);
3401
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3402
0
    {
3403
0
        enum TIFFReadDirEntryErr err;
3404
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3405
0
        if (tif->tif_flags & TIFF_SWAB)
3406
0
            TIFFSwabLong(&offset);
3407
0
        err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3408
0
        if (err != TIFFReadDirEntryErrOk)
3409
0
            return (err);
3410
0
    }
3411
0
    else
3412
0
        m.l = direntry->tdir_offset.toff_long8;
3413
0
    if (tif->tif_flags & TIFF_SWAB)
3414
0
        TIFFSwabArrayOfLong(m.i, 2);
3415
    /* Not completely sure what we should do when m.i[1]==0, but some */
3416
    /* sanitizers do not like division by 0.0: */
3417
    /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3418
0
    if (m.i[0] == 0 || m.i[1] == 0)
3419
0
        *value = 0.0;
3420
0
    else
3421
0
        *value = (double)m.i[0] / (double)m.i[1];
3422
0
    return (TIFFReadDirEntryErrOk);
3423
0
}
3424
3425
static enum TIFFReadDirEntryErr
3426
TIFFReadDirEntryCheckedSrational(TIFF *tif, TIFFDirEntry *direntry,
3427
                                 double *value)
3428
0
{
3429
0
    UInt64Aligned_t m;
3430
0
    assert(sizeof(double) == 8);
3431
0
    assert(sizeof(uint64_t) == 8);
3432
0
    assert(sizeof(int32_t) == 4);
3433
0
    assert(sizeof(uint32_t) == 4);
3434
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3435
0
    {
3436
0
        enum TIFFReadDirEntryErr err;
3437
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3438
0
        if (tif->tif_flags & TIFF_SWAB)
3439
0
            TIFFSwabLong(&offset);
3440
0
        err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3441
0
        if (err != TIFFReadDirEntryErrOk)
3442
0
            return (err);
3443
0
    }
3444
0
    else
3445
0
        m.l = direntry->tdir_offset.toff_long8;
3446
0
    if (tif->tif_flags & TIFF_SWAB)
3447
0
        TIFFSwabArrayOfLong(m.i, 2);
3448
    /* Not completely sure what we should do when m.i[1]==0, but some */
3449
    /* sanitizers do not like division by 0.0: */
3450
    /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3451
0
    if ((int32_t)m.i[0] == 0 || m.i[1] == 0)
3452
0
        *value = 0.0;
3453
0
    else
3454
0
        *value = (double)((int32_t)m.i[0]) / (double)m.i[1];
3455
0
    return (TIFFReadDirEntryErrOk);
3456
0
}
3457
3458
#if 0
3459
static enum TIFFReadDirEntryErr
3460
TIFFReadDirEntryCheckedRationalDirect(TIFF *tif, TIFFDirEntry *direntry,
3461
                                      TIFFRational_t *value)
3462
{ /*--: SetGetRATIONAL_directly:_CustomTag: Read rational (and signed rationals)
3463
     directly --*/
3464
    UInt64Aligned_t m;
3465
3466
    assert(sizeof(double) == 8);
3467
    assert(sizeof(uint64_t) == 8);
3468
    assert(sizeof(uint32_t) == 4);
3469
3470
    if (direntry->tdir_count != 1)
3471
        return (TIFFReadDirEntryErrCount);
3472
3473
    if (direntry->tdir_type != TIFF_RATIONAL &&
3474
        direntry->tdir_type != TIFF_SRATIONAL)
3475
        return (TIFFReadDirEntryErrType);
3476
3477
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3478
    {
3479
        enum TIFFReadDirEntryErr err;
3480
        uint32_t offset = direntry->tdir_offset.toff_long;
3481
        if (tif->tif_flags & TIFF_SWAB)
3482
            TIFFSwabLong(&offset);
3483
        err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3484
        if (err != TIFFReadDirEntryErrOk)
3485
            return (err);
3486
    }
3487
    else
3488
    {
3489
        m.l = direntry->tdir_offset.toff_long8;
3490
    }
3491
3492
    if (tif->tif_flags & TIFF_SWAB)
3493
        TIFFSwabArrayOfLong(m.i, 2);
3494
3495
    value->uNum = m.i[0];
3496
    value->uDenom = m.i[1];
3497
    return (TIFFReadDirEntryErrOk);
3498
} /*-- TIFFReadDirEntryCheckedRationalDirect() --*/
3499
#endif
3500
3501
static void TIFFReadDirEntryCheckedFloat(TIFF *tif, TIFFDirEntry *direntry,
3502
                                         float *value)
3503
0
{
3504
0
    union
3505
0
    {
3506
0
        float f;
3507
0
        uint32_t i;
3508
0
    } float_union;
3509
0
    assert(sizeof(float) == 4);
3510
0
    assert(sizeof(uint32_t) == 4);
3511
0
    assert(sizeof(float_union) == 4);
3512
0
    float_union.i = *(uint32_t *)(&direntry->tdir_offset);
3513
0
    *value = float_union.f;
3514
0
    if (tif->tif_flags & TIFF_SWAB)
3515
0
        TIFFSwabLong((uint32_t *)value);
3516
0
}
3517
3518
static enum TIFFReadDirEntryErr
3519
TIFFReadDirEntryCheckedDouble(TIFF *tif, TIFFDirEntry *direntry, double *value)
3520
0
{
3521
0
    assert(sizeof(double) == 8);
3522
0
    assert(sizeof(uint64_t) == 8);
3523
0
    assert(sizeof(UInt64Aligned_t) == 8);
3524
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3525
0
    {
3526
0
        enum TIFFReadDirEntryErr err;
3527
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3528
0
        if (tif->tif_flags & TIFF_SWAB)
3529
0
            TIFFSwabLong(&offset);
3530
0
        err = TIFFReadDirEntryData(tif, offset, 8, value);
3531
0
        if (err != TIFFReadDirEntryErrOk)
3532
0
            return (err);
3533
0
    }
3534
0
    else
3535
0
    {
3536
0
        UInt64Aligned_t uint64_union;
3537
0
        uint64_union.l = direntry->tdir_offset.toff_long8;
3538
0
        *value = uint64_union.d;
3539
0
    }
3540
0
    if (tif->tif_flags & TIFF_SWAB)
3541
0
        TIFFSwabLong8((uint64_t *)value);
3542
0
    return (TIFFReadDirEntryErrOk);
3543
0
}
3544
3545
static enum TIFFReadDirEntryErr
3546
TIFFReadDirEntryCheckRangeByteSbyte(int8_t value)
3547
0
{
3548
0
    if (value < 0)
3549
0
        return (TIFFReadDirEntryErrRange);
3550
0
    else
3551
0
        return (TIFFReadDirEntryErrOk);
3552
0
}
3553
3554
static enum TIFFReadDirEntryErr
3555
TIFFReadDirEntryCheckRangeByteShort(uint16_t value)
3556
0
{
3557
0
    if (value > 0xFF)
3558
0
        return (TIFFReadDirEntryErrRange);
3559
0
    else
3560
0
        return (TIFFReadDirEntryErrOk);
3561
0
}
3562
3563
static enum TIFFReadDirEntryErr
3564
TIFFReadDirEntryCheckRangeByteSshort(int16_t value)
3565
0
{
3566
0
    if ((value < 0) || (value > 0xFF))
3567
0
        return (TIFFReadDirEntryErrRange);
3568
0
    else
3569
0
        return (TIFFReadDirEntryErrOk);
3570
0
}
3571
3572
static enum TIFFReadDirEntryErr
3573
TIFFReadDirEntryCheckRangeByteLong(uint32_t value)
3574
0
{
3575
0
    if (value > 0xFF)
3576
0
        return (TIFFReadDirEntryErrRange);
3577
0
    else
3578
0
        return (TIFFReadDirEntryErrOk);
3579
0
}
3580
3581
static enum TIFFReadDirEntryErr
3582
TIFFReadDirEntryCheckRangeByteSlong(int32_t value)
3583
0
{
3584
0
    if ((value < 0) || (value > 0xFF))
3585
0
        return (TIFFReadDirEntryErrRange);
3586
0
    else
3587
0
        return (TIFFReadDirEntryErrOk);
3588
0
}
3589
3590
static enum TIFFReadDirEntryErr
3591
TIFFReadDirEntryCheckRangeByteLong8(uint64_t value)
3592
0
{
3593
0
    if (value > 0xFF)
3594
0
        return (TIFFReadDirEntryErrRange);
3595
0
    else
3596
0
        return (TIFFReadDirEntryErrOk);
3597
0
}
3598
3599
static enum TIFFReadDirEntryErr
3600
TIFFReadDirEntryCheckRangeByteSlong8(int64_t value)
3601
0
{
3602
0
    if ((value < 0) || (value > 0xFF))
3603
0
        return (TIFFReadDirEntryErrRange);
3604
0
    else
3605
0
        return (TIFFReadDirEntryErrOk);
3606
0
}
3607
3608
static enum TIFFReadDirEntryErr
3609
TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value)
3610
0
{
3611
0
    if (value > 0x7F)
3612
0
        return (TIFFReadDirEntryErrRange);
3613
0
    else
3614
0
        return (TIFFReadDirEntryErrOk);
3615
0
}
3616
3617
static enum TIFFReadDirEntryErr
3618
TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value)
3619
0
{
3620
0
    if (value > 0x7F)
3621
0
        return (TIFFReadDirEntryErrRange);
3622
0
    else
3623
0
        return (TIFFReadDirEntryErrOk);
3624
0
}
3625
3626
static enum TIFFReadDirEntryErr
3627
TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value)
3628
0
{
3629
0
    if ((value < -0x80) || (value > 0x7F))
3630
0
        return (TIFFReadDirEntryErrRange);
3631
0
    else
3632
0
        return (TIFFReadDirEntryErrOk);
3633
0
}
3634
3635
static enum TIFFReadDirEntryErr
3636
TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value)
3637
0
{
3638
0
    if (value > 0x7F)
3639
0
        return (TIFFReadDirEntryErrRange);
3640
0
    else
3641
0
        return (TIFFReadDirEntryErrOk);
3642
0
}
3643
3644
static enum TIFFReadDirEntryErr
3645
TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value)
3646
0
{
3647
0
    if ((value < -0x80) || (value > 0x7F))
3648
0
        return (TIFFReadDirEntryErrRange);
3649
0
    else
3650
0
        return (TIFFReadDirEntryErrOk);
3651
0
}
3652
3653
static enum TIFFReadDirEntryErr
3654
TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value)
3655
0
{
3656
0
    if (value > 0x7F)
3657
0
        return (TIFFReadDirEntryErrRange);
3658
0
    else
3659
0
        return (TIFFReadDirEntryErrOk);
3660
0
}
3661
3662
static enum TIFFReadDirEntryErr
3663
TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value)
3664
0
{
3665
0
    if ((value < -0x80) || (value > 0x7F))
3666
0
        return (TIFFReadDirEntryErrRange);
3667
0
    else
3668
0
        return (TIFFReadDirEntryErrOk);
3669
0
}
3670
3671
static enum TIFFReadDirEntryErr
3672
TIFFReadDirEntryCheckRangeShortSbyte(int8_t value)
3673
0
{
3674
0
    if (value < 0)
3675
0
        return (TIFFReadDirEntryErrRange);
3676
0
    else
3677
0
        return (TIFFReadDirEntryErrOk);
3678
0
}
3679
3680
static enum TIFFReadDirEntryErr
3681
TIFFReadDirEntryCheckRangeShortSshort(int16_t value)
3682
0
{
3683
0
    if (value < 0)
3684
0
        return (TIFFReadDirEntryErrRange);
3685
0
    else
3686
0
        return (TIFFReadDirEntryErrOk);
3687
0
}
3688
3689
static enum TIFFReadDirEntryErr
3690
TIFFReadDirEntryCheckRangeShortLong(uint32_t value)
3691
0
{
3692
0
    if (value > 0xFFFF)
3693
0
        return (TIFFReadDirEntryErrRange);
3694
0
    else
3695
0
        return (TIFFReadDirEntryErrOk);
3696
0
}
3697
3698
static enum TIFFReadDirEntryErr
3699
TIFFReadDirEntryCheckRangeShortSlong(int32_t value)
3700
0
{
3701
0
    if ((value < 0) || (value > 0xFFFF))
3702
0
        return (TIFFReadDirEntryErrRange);
3703
0
    else
3704
0
        return (TIFFReadDirEntryErrOk);
3705
0
}
3706
3707
static enum TIFFReadDirEntryErr
3708
TIFFReadDirEntryCheckRangeShortLong8(uint64_t value)
3709
0
{
3710
0
    if (value > 0xFFFF)
3711
0
        return (TIFFReadDirEntryErrRange);
3712
0
    else
3713
0
        return (TIFFReadDirEntryErrOk);
3714
0
}
3715
3716
static enum TIFFReadDirEntryErr
3717
TIFFReadDirEntryCheckRangeShortSlong8(int64_t value)
3718
0
{
3719
0
    if ((value < 0) || (value > 0xFFFF))
3720
0
        return (TIFFReadDirEntryErrRange);
3721
0
    else
3722
0
        return (TIFFReadDirEntryErrOk);
3723
0
}
3724
3725
static enum TIFFReadDirEntryErr
3726
TIFFReadDirEntryCheckRangeSshortShort(uint16_t value)
3727
0
{
3728
0
    if (value > 0x7FFF)
3729
0
        return (TIFFReadDirEntryErrRange);
3730
0
    else
3731
0
        return (TIFFReadDirEntryErrOk);
3732
0
}
3733
3734
static enum TIFFReadDirEntryErr
3735
TIFFReadDirEntryCheckRangeSshortLong(uint32_t value)
3736
0
{
3737
0
    if (value > 0x7FFF)
3738
0
        return (TIFFReadDirEntryErrRange);
3739
0
    else
3740
0
        return (TIFFReadDirEntryErrOk);
3741
0
}
3742
3743
static enum TIFFReadDirEntryErr
3744
TIFFReadDirEntryCheckRangeSshortSlong(int32_t value)
3745
0
{
3746
0
    if ((value < -0x8000) || (value > 0x7FFF))
3747
0
        return (TIFFReadDirEntryErrRange);
3748
0
    else
3749
0
        return (TIFFReadDirEntryErrOk);
3750
0
}
3751
3752
static enum TIFFReadDirEntryErr
3753
TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value)
3754
0
{
3755
0
    if (value > 0x7FFF)
3756
0
        return (TIFFReadDirEntryErrRange);
3757
0
    else
3758
0
        return (TIFFReadDirEntryErrOk);
3759
0
}
3760
3761
static enum TIFFReadDirEntryErr
3762
TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value)
3763
0
{
3764
0
    if ((value < -0x8000) || (value > 0x7FFF))
3765
0
        return (TIFFReadDirEntryErrRange);
3766
0
    else
3767
0
        return (TIFFReadDirEntryErrOk);
3768
0
}
3769
3770
static enum TIFFReadDirEntryErr
3771
TIFFReadDirEntryCheckRangeLongSbyte(int8_t value)
3772
0
{
3773
0
    if (value < 0)
3774
0
        return (TIFFReadDirEntryErrRange);
3775
0
    else
3776
0
        return (TIFFReadDirEntryErrOk);
3777
0
}
3778
3779
static enum TIFFReadDirEntryErr
3780
TIFFReadDirEntryCheckRangeLongSshort(int16_t value)
3781
0
{
3782
0
    if (value < 0)
3783
0
        return (TIFFReadDirEntryErrRange);
3784
0
    else
3785
0
        return (TIFFReadDirEntryErrOk);
3786
0
}
3787
3788
static enum TIFFReadDirEntryErr
3789
TIFFReadDirEntryCheckRangeLongSlong(int32_t value)
3790
0
{
3791
0
    if (value < 0)
3792
0
        return (TIFFReadDirEntryErrRange);
3793
0
    else
3794
0
        return (TIFFReadDirEntryErrOk);
3795
0
}
3796
3797
static enum TIFFReadDirEntryErr
3798
TIFFReadDirEntryCheckRangeLongLong8(uint64_t value)
3799
0
{
3800
0
    if (value > UINT32_MAX)
3801
0
        return (TIFFReadDirEntryErrRange);
3802
0
    else
3803
0
        return (TIFFReadDirEntryErrOk);
3804
0
}
3805
3806
static enum TIFFReadDirEntryErr
3807
TIFFReadDirEntryCheckRangeLongSlong8(int64_t value)
3808
0
{
3809
0
    if ((value < 0) || (value > (int64_t)UINT32_MAX))
3810
0
        return (TIFFReadDirEntryErrRange);
3811
0
    else
3812
0
        return (TIFFReadDirEntryErrOk);
3813
0
}
3814
3815
static enum TIFFReadDirEntryErr
3816
TIFFReadDirEntryCheckRangeSlongLong(uint32_t value)
3817
0
{
3818
0
    if (value > 0x7FFFFFFFUL)
3819
0
        return (TIFFReadDirEntryErrRange);
3820
0
    else
3821
0
        return (TIFFReadDirEntryErrOk);
3822
0
}
3823
3824
/* Check that the 8-byte unsigned value can fit in a 4-byte unsigned range */
3825
static enum TIFFReadDirEntryErr
3826
TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value)
3827
0
{
3828
0
    if (value > 0x7FFFFFFF)
3829
0
        return (TIFFReadDirEntryErrRange);
3830
0
    else
3831
0
        return (TIFFReadDirEntryErrOk);
3832
0
}
3833
3834
/* Check that the 8-byte signed value can fit in a 4-byte signed range */
3835
static enum TIFFReadDirEntryErr
3836
TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value)
3837
0
{
3838
0
    if ((value < 0 - ((int64_t)0x7FFFFFFF + 1)) || (value > 0x7FFFFFFF))
3839
0
        return (TIFFReadDirEntryErrRange);
3840
0
    else
3841
0
        return (TIFFReadDirEntryErrOk);
3842
0
}
3843
3844
static enum TIFFReadDirEntryErr
3845
TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value)
3846
0
{
3847
0
    if (value < 0)
3848
0
        return (TIFFReadDirEntryErrRange);
3849
0
    else
3850
0
        return (TIFFReadDirEntryErrOk);
3851
0
}
3852
3853
static enum TIFFReadDirEntryErr
3854
TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value)
3855
0
{
3856
0
    if (value < 0)
3857
0
        return (TIFFReadDirEntryErrRange);
3858
0
    else
3859
0
        return (TIFFReadDirEntryErrOk);
3860
0
}
3861
3862
static enum TIFFReadDirEntryErr
3863
TIFFReadDirEntryCheckRangeLong8Slong(int32_t value)
3864
0
{
3865
0
    if (value < 0)
3866
0
        return (TIFFReadDirEntryErrRange);
3867
0
    else
3868
0
        return (TIFFReadDirEntryErrOk);
3869
0
}
3870
3871
static enum TIFFReadDirEntryErr
3872
TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value)
3873
0
{
3874
0
    if (value < 0)
3875
0
        return (TIFFReadDirEntryErrRange);
3876
0
    else
3877
0
        return (TIFFReadDirEntryErrOk);
3878
0
}
3879
3880
static enum TIFFReadDirEntryErr
3881
TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value)
3882
0
{
3883
0
    if (value > INT64_MAX)
3884
0
        return (TIFFReadDirEntryErrRange);
3885
0
    else
3886
0
        return (TIFFReadDirEntryErrOk);
3887
0
}
3888
3889
static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF *tif, uint64_t offset,
3890
                                                     tmsize_t size, void *dest)
3891
0
{
3892
0
    assert(size > 0);
3893
0
    if (!isMapped(tif))
3894
0
    {
3895
0
        if (!SeekOK(tif, offset))
3896
0
            return (TIFFReadDirEntryErrIo);
3897
0
        if (!ReadOK(tif, dest, size))
3898
0
            return (TIFFReadDirEntryErrIo);
3899
0
    }
3900
0
    else
3901
0
    {
3902
0
        size_t ma, mb;
3903
0
        ma = (size_t)offset;
3904
0
        if ((uint64_t)ma != offset || ma > (~(size_t)0) - (size_t)size)
3905
0
        {
3906
0
            return TIFFReadDirEntryErrIo;
3907
0
        }
3908
0
        mb = ma + size;
3909
0
        if (mb > (uint64_t)tif->tif_size)
3910
0
            return (TIFFReadDirEntryErrIo);
3911
0
        _TIFFmemcpy(dest, tif->tif_base + ma, size);
3912
0
    }
3913
0
    return (TIFFReadDirEntryErrOk);
3914
0
}
3915
3916
static void TIFFReadDirEntryOutputErr(TIFF *tif, enum TIFFReadDirEntryErr err,
3917
                                      const char *module, const char *tagname,
3918
                                      int recover)
3919
0
{
3920
0
    if (!recover)
3921
0
    {
3922
0
        switch (err)
3923
0
        {
3924
0
            case TIFFReadDirEntryErrCount:
3925
0
                TIFFErrorExtR(tif, module, "Incorrect count for \"%s\"",
3926
0
                              tagname);
3927
0
                break;
3928
0
            case TIFFReadDirEntryErrType:
3929
0
                TIFFErrorExtR(tif, module, "Incompatible type for \"%s\"",
3930
0
                              tagname);
3931
0
                break;
3932
0
            case TIFFReadDirEntryErrIo:
3933
0
                TIFFErrorExtR(tif, module, "IO error during reading of \"%s\"",
3934
0
                              tagname);
3935
0
                break;
3936
0
            case TIFFReadDirEntryErrRange:
3937
0
                TIFFErrorExtR(tif, module, "Incorrect value for \"%s\"",
3938
0
                              tagname);
3939
0
                break;
3940
0
            case TIFFReadDirEntryErrPsdif:
3941
0
                TIFFErrorExtR(
3942
0
                    tif, module,
3943
0
                    "Cannot handle different values per sample for \"%s\"",
3944
0
                    tagname);
3945
0
                break;
3946
0
            case TIFFReadDirEntryErrSizesan:
3947
0
                TIFFErrorExtR(tif, module,
3948
0
                              "Sanity check on size of \"%s\" value failed",
3949
0
                              tagname);
3950
0
                break;
3951
0
            case TIFFReadDirEntryErrAlloc:
3952
0
                TIFFErrorExtR(tif, module, "Out of memory reading of \"%s\"",
3953
0
                              tagname);
3954
0
                break;
3955
0
            default:
3956
0
                assert(0); /* we should never get here */
3957
0
                break;
3958
0
        }
3959
0
    }
3960
0
    else
3961
0
    {
3962
0
        switch (err)
3963
0
        {
3964
0
            case TIFFReadDirEntryErrCount:
3965
0
                TIFFWarningExtR(tif, module,
3966
0
                                "Incorrect count for \"%s\"; tag ignored",
3967
0
                                tagname);
3968
0
                break;
3969
0
            case TIFFReadDirEntryErrType:
3970
0
                TIFFWarningExtR(tif, module,
3971
0
                                "Incompatible type for \"%s\"; tag ignored",
3972
0
                                tagname);
3973
0
                break;
3974
0
            case TIFFReadDirEntryErrIo:
3975
0
                TIFFWarningExtR(
3976
0
                    tif, module,
3977
0
                    "IO error during reading of \"%s\"; tag ignored", tagname);
3978
0
                break;
3979
0
            case TIFFReadDirEntryErrRange:
3980
0
                TIFFWarningExtR(tif, module,
3981
0
                                "Incorrect value for \"%s\"; tag ignored",
3982
0
                                tagname);
3983
0
                break;
3984
0
            case TIFFReadDirEntryErrPsdif:
3985
0
                TIFFWarningExtR(tif, module,
3986
0
                                "Cannot handle different values per sample for "
3987
0
                                "\"%s\"; tag ignored",
3988
0
                                tagname);
3989
0
                break;
3990
0
            case TIFFReadDirEntryErrSizesan:
3991
0
                TIFFWarningExtR(
3992
0
                    tif, module,
3993
0
                    "Sanity check on size of \"%s\" value failed; tag ignored",
3994
0
                    tagname);
3995
0
                break;
3996
0
            case TIFFReadDirEntryErrAlloc:
3997
0
                TIFFWarningExtR(tif, module,
3998
0
                                "Out of memory reading of \"%s\"; tag ignored",
3999
0
                                tagname);
4000
0
                break;
4001
0
            default:
4002
0
                assert(0); /* we should never get here */
4003
0
                break;
4004
0
        }
4005
0
    }
4006
0
}
4007
4008
/*
4009
 * Return the maximum number of color channels specified for a given photometric
4010
 * type. 0 is returned if photometric type isn't supported or no default value
4011
 * is defined by the specification.
4012
 */
4013
static int _TIFFGetMaxColorChannels(uint16_t photometric)
4014
0
{
4015
0
    switch (photometric)
4016
0
    {
4017
0
        case PHOTOMETRIC_PALETTE:
4018
0
        case PHOTOMETRIC_MINISWHITE:
4019
0
        case PHOTOMETRIC_MINISBLACK:
4020
0
            return 1;
4021
0
        case PHOTOMETRIC_YCBCR:
4022
0
        case PHOTOMETRIC_RGB:
4023
0
        case PHOTOMETRIC_CIELAB:
4024
0
        case PHOTOMETRIC_LOGLUV:
4025
0
        case PHOTOMETRIC_ITULAB:
4026
0
        case PHOTOMETRIC_ICCLAB:
4027
0
            return 3;
4028
0
        case PHOTOMETRIC_SEPARATED:
4029
0
        case PHOTOMETRIC_MASK:
4030
0
            return 4;
4031
0
        case PHOTOMETRIC_LOGL:
4032
0
        case PHOTOMETRIC_CFA:
4033
0
        default:
4034
0
            return 0;
4035
0
    }
4036
0
}
4037
4038
static int ByteCountLooksBad(TIFF *tif)
4039
0
{
4040
    /*
4041
     * Assume we have wrong StripByteCount value (in case
4042
     * of single strip) in following cases:
4043
     *   - it is equal to zero along with StripOffset;
4044
     *   - it is larger than file itself (in case of uncompressed
4045
     *     image);
4046
     *   - it is smaller than the size of the bytes per row
4047
     *     multiplied on the number of rows.  The last case should
4048
     *     not be checked in the case of writing new image,
4049
     *     because we may do not know the exact strip size
4050
     *     until the whole image will be written and directory
4051
     *     dumped out.
4052
     */
4053
0
    uint64_t bytecount = TIFFGetStrileByteCount(tif, 0);
4054
0
    uint64_t offset = TIFFGetStrileOffset(tif, 0);
4055
0
    uint64_t filesize;
4056
4057
0
    if (offset == 0)
4058
0
        return 0;
4059
0
    if (bytecount == 0)
4060
0
        return 1;
4061
0
    if (tif->tif_dir.td_compression != COMPRESSION_NONE)
4062
0
        return 0;
4063
0
    filesize = TIFFGetFileSize(tif);
4064
0
    if (offset <= filesize && bytecount > filesize - offset)
4065
0
        return 1;
4066
0
    if (tif->tif_mode == O_RDONLY)
4067
0
    {
4068
0
        uint64_t scanlinesize = TIFFScanlineSize64(tif);
4069
0
        if (tif->tif_dir.td_imagelength > 0 &&
4070
0
            scanlinesize > UINT64_MAX / tif->tif_dir.td_imagelength)
4071
0
        {
4072
0
            return 1;
4073
0
        }
4074
0
        if (bytecount < scanlinesize * tif->tif_dir.td_imagelength)
4075
0
            return 1;
4076
0
    }
4077
0
    return 0;
4078
0
}
4079
4080
/*
4081
 * To evaluate the IFD data size when reading, save the offset and data size of
4082
 * all data that does not fit into the IFD entries themselves.
4083
 */
4084
static bool EvaluateIFDdatasizeReading(TIFF *tif, TIFFDirEntry *dp)
4085
0
{
4086
0
    const uint64_t data_width = TIFFDataWidth(dp->tdir_type);
4087
0
    uint64_t datalength;
4088
0
    if (data_width != 0 && dp->tdir_count > UINT64_MAX / data_width)
4089
0
    {
4090
0
        TIFFErrorExtR(tif, "EvaluateIFDdatasizeReading",
4091
0
                      "Too large IFD data size");
4092
0
        return false;
4093
0
    }
4094
0
    datalength = dp->tdir_count * data_width;
4095
0
    if (datalength > ((tif->tif_flags & TIFF_BIGTIFF) ? 0x8U : 0x4U))
4096
0
    {
4097
0
        if (tif->tif_dir.td_dirdatasize_read > UINT64_MAX - datalength)
4098
0
        {
4099
0
            TIFFErrorExtR(tif, "EvaluateIFDdatasizeReading",
4100
0
                          "Too large IFD data size");
4101
0
            return false;
4102
0
        }
4103
0
        tif->tif_dir.td_dirdatasize_read += datalength;
4104
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
4105
0
        {
4106
            /* The offset of TIFFDirEntry are not swapped when read in. That has
4107
             * to be done when used. */
4108
0
            uint32_t offset = dp->tdir_offset.toff_long;
4109
0
            if (tif->tif_flags & TIFF_SWAB)
4110
0
                TIFFSwabLong(&offset);
4111
0
            tif->tif_dir
4112
0
                .td_dirdatasize_offsets[tif->tif_dir.td_dirdatasize_Noffsets]
4113
0
                .offset = (uint64_t)offset;
4114
0
        }
4115
0
        else
4116
0
        {
4117
0
            tif->tif_dir
4118
0
                .td_dirdatasize_offsets[tif->tif_dir.td_dirdatasize_Noffsets]
4119
0
                .offset = dp->tdir_offset.toff_long8;
4120
0
            if (tif->tif_flags & TIFF_SWAB)
4121
0
                TIFFSwabLong8(
4122
0
                    &tif->tif_dir
4123
0
                         .td_dirdatasize_offsets[tif->tif_dir
4124
0
                                                     .td_dirdatasize_Noffsets]
4125
0
                         .offset);
4126
0
        }
4127
0
        tif->tif_dir
4128
0
            .td_dirdatasize_offsets[tif->tif_dir.td_dirdatasize_Noffsets]
4129
0
            .length = datalength;
4130
0
        tif->tif_dir.td_dirdatasize_Noffsets++;
4131
0
    }
4132
0
    return true;
4133
0
}
4134
4135
/*
4136
 * Compare function for qsort() sorting TIFFEntryOffsetAndLength array entries.
4137
 */
4138
static int cmpTIFFEntryOffsetAndLength(const void *a, const void *b)
4139
0
{
4140
0
    const TIFFEntryOffsetAndLength *ta = (const TIFFEntryOffsetAndLength *)a;
4141
0
    const TIFFEntryOffsetAndLength *tb = (const TIFFEntryOffsetAndLength *)b;
4142
    /* Compare offsets */
4143
0
    if (ta->offset > tb->offset)
4144
0
        return 1;
4145
0
    else if (ta->offset < tb->offset)
4146
0
        return -1;
4147
0
    else
4148
0
        return 0;
4149
0
}
4150
4151
/*
4152
 * Determine the IFD data size after reading an IFD from the file that can be
4153
 * overwritten and saving it in tif_dir.td_dirdatasize_read. This data size
4154
 * includes the IFD entries themselves as well as the data that does not fit
4155
 * directly into the IFD entries but is located directly after the IFD entries
4156
 * in the file.
4157
 */
4158
static void CalcFinalIFDdatasizeReading(TIFF *tif, uint16_t dircount)
4159
0
{
4160
0
    uint64_t IFDendoffset;
4161
0
    uint64_t size;
4162
0
    uint64_t offset;
4163
0
    uint32_t i;
4164
    /* IFD data size is only needed if file-writing is enabled.
4165
     * This also avoids the seek() to EOF to determine the file size, which
4166
     * causes the stdin-streaming-friendly mode of libtiff for GDAL to fail. */
4167
0
    if (tif->tif_mode == O_RDONLY)
4168
0
        return;
4169
4170
    /* Sort TIFFEntryOffsetAndLength array in ascending order. */
4171
0
    qsort(tif->tif_dir.td_dirdatasize_offsets,
4172
0
          tif->tif_dir.td_dirdatasize_Noffsets,
4173
0
          sizeof(TIFFEntryOffsetAndLength), cmpTIFFEntryOffsetAndLength);
4174
4175
    /* Get offset of end of IFD entry space. */
4176
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
4177
0
        IFDendoffset = tif->tif_diroff + 2 + dircount * 12 + 4;
4178
0
    else
4179
0
        IFDendoffset = tif->tif_diroff + 8 + dircount * 20 + 8;
4180
4181
    /* Check which offsets are right behind IFD entries. However, LibTIFF
4182
     * increments the writing address for every external data to an even offset.
4183
     * Thus gaps of 1 byte can occur. */
4184
0
    size = 0;
4185
0
    for (i = 0; i < tif->tif_dir.td_dirdatasize_Noffsets; i++)
4186
0
    {
4187
0
        offset = tif->tif_dir.td_dirdatasize_offsets[i].offset;
4188
0
        if (offset == IFDendoffset)
4189
0
        {
4190
0
            size += tif->tif_dir.td_dirdatasize_offsets[i].length;
4191
0
            IFDendoffset += tif->tif_dir.td_dirdatasize_offsets[i].length;
4192
0
        }
4193
0
        else if (offset == IFDendoffset + 1)
4194
0
        {
4195
            /* Add gap byte after previous IFD data set. */
4196
0
            size += tif->tif_dir.td_dirdatasize_offsets[i].length + 1;
4197
0
            IFDendoffset += tif->tif_dir.td_dirdatasize_offsets[i].length;
4198
0
        }
4199
0
        else
4200
0
        {
4201
            /* Further data is no more continuously after IFD */
4202
0
            break;
4203
0
        }
4204
0
    }
4205
    /* Check for gap byte of some easy cases. This should cover 90% of cases.
4206
     * Otherwise, IFD will be re-written even it might be safely overwritten. */
4207
0
    if (tif->tif_nextdiroff != 0)
4208
0
    {
4209
0
        if (tif->tif_nextdiroff == IFDendoffset + 1)
4210
0
            size++;
4211
0
    }
4212
0
    else
4213
0
    {
4214
        /* Check for IFD data ends at EOF. Then IFD can always be safely
4215
         * overwritten. */
4216
0
        offset = TIFFSeekFile(tif, 0, SEEK_END);
4217
0
        if (offset == IFDendoffset)
4218
0
        {
4219
0
            tif->tif_dir.td_dirdatasize_read = UINT64_MAX;
4220
0
            return;
4221
0
        }
4222
0
    }
4223
4224
    /* Finally, add the size of the IFD tag entries themselves. */
4225
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
4226
0
        tif->tif_dir.td_dirdatasize_read = 2 + dircount * 12 + 4 + size;
4227
0
    else
4228
0
        tif->tif_dir.td_dirdatasize_read = 8 + dircount * 20 + 8 + size;
4229
0
} /*-- CalcFinalIFDdatasizeReading() --*/
4230
4231
/*
4232
 * Read the next TIFF directory from a file and convert it to the internal
4233
 * format. We read directories sequentially.
4234
 */
4235
int TIFFReadDirectory(TIFF *tif)
4236
0
{
4237
0
    static const char module[] = "TIFFReadDirectory";
4238
0
    TIFFDirEntry *dir;
4239
0
    uint16_t dircount;
4240
0
    TIFFDirEntry *dp;
4241
0
    uint16_t di;
4242
0
    const TIFFField *fip;
4243
0
    uint32_t fii = FAILED_FII;
4244
0
    toff_t nextdiroff;
4245
0
    int bitspersample_read = FALSE;
4246
0
    int color_channels;
4247
4248
0
    if (tif->tif_nextdiroff == 0)
4249
0
    {
4250
        /* In this special case, tif_diroff needs also to be set to 0.
4251
         * This is behind the last IFD, thus no checking or reading necessary.
4252
         */
4253
0
        tif->tif_diroff = tif->tif_nextdiroff;
4254
0
        return 0;
4255
0
    }
4256
4257
0
    nextdiroff = tif->tif_nextdiroff;
4258
    /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL
4259
     * reading of the directory. Otherwise, invalid IFD offsets could corrupt
4260
     * the IFD list. */
4261
0
    if (!_TIFFCheckDirNumberAndOffset(tif,
4262
0
                                      tif->tif_curdir ==
4263
0
                                              TIFF_NON_EXISTENT_DIR_NUMBER
4264
0
                                          ? 0
4265
0
                                          : tif->tif_curdir + 1,
4266
0
                                      nextdiroff))
4267
0
    {
4268
0
        return 0; /* bad offset (IFD looping or more than TIFF_MAX_DIR_COUNT
4269
                     IFDs) */
4270
0
    }
4271
0
    dircount = TIFFFetchDirectory(tif, nextdiroff, &dir, &tif->tif_nextdiroff);
4272
0
    if (!dircount)
4273
0
    {
4274
0
        TIFFErrorExtR(tif, module,
4275
0
                      "Failed to read directory at offset %" PRIu64,
4276
0
                      nextdiroff);
4277
0
        return 0;
4278
0
    }
4279
    /* Set global values after a valid directory has been fetched.
4280
     * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the
4281
     * beginning. */
4282
0
    if (tif->tif_curdir == TIFF_NON_EXISTENT_DIR_NUMBER)
4283
0
        tif->tif_curdir = 0;
4284
0
    else
4285
0
        tif->tif_curdir++;
4286
4287
0
    TIFFReadDirectoryCheckOrder(tif, dir, dircount);
4288
4289
    /*
4290
     * Mark duplicates of any tag to be ignored (bugzilla 1994)
4291
     * to avoid certain pathological problems.
4292
     */
4293
0
    {
4294
0
        TIFFDirEntry *ma;
4295
0
        uint16_t mb;
4296
0
        for (ma = dir, mb = 0; mb < dircount; ma++, mb++)
4297
0
        {
4298
0
            TIFFDirEntry *na;
4299
0
            uint16_t nb;
4300
0
            for (na = ma + 1, nb = mb + 1; nb < dircount; na++, nb++)
4301
0
            {
4302
0
                if (ma->tdir_tag == na->tdir_tag)
4303
0
                {
4304
0
                    na->tdir_ignore = TRUE;
4305
0
                }
4306
0
            }
4307
0
        }
4308
0
    }
4309
4310
0
    tif->tif_flags &= ~TIFF_BEENWRITING; /* reset before new dir */
4311
0
    tif->tif_flags &= ~TIFF_BUF4WRITE;   /* reset before new dir */
4312
0
    tif->tif_flags &= ~TIFF_CHOPPEDUPARRAYS;
4313
4314
    /* free any old stuff and reinit */
4315
0
    (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
4316
0
    TIFFFreeDirectory(tif);
4317
0
    TIFFDefaultDirectory(tif);
4318
4319
    /* After setup a fresh directory indicate that now active IFD is also
4320
     * present on file, even if its entries could not be read successfully
4321
     * below.  */
4322
0
    tif->tif_dir.td_iswrittentofile = TRUE;
4323
4324
    /* Allocate arrays for offset values outside IFD entry for IFD data size
4325
     * checking. Note: Counter are reset within TIFFFreeDirectory(). */
4326
0
    tif->tif_dir.td_dirdatasize_offsets =
4327
0
        (TIFFEntryOffsetAndLength *)_TIFFmallocExt(
4328
0
            tif, dircount * sizeof(TIFFEntryOffsetAndLength));
4329
0
    if (tif->tif_dir.td_dirdatasize_offsets == NULL)
4330
0
    {
4331
0
        TIFFErrorExtR(
4332
0
            tif, module,
4333
0
            "Failed to allocate memory for counting IFD data size at reading");
4334
0
        goto bad;
4335
0
    }
4336
    /*
4337
     * Electronic Arts writes gray-scale TIFF files
4338
     * without a PlanarConfiguration directory entry.
4339
     * Thus we setup a default value here, even though
4340
     * the TIFF spec says there is no default value.
4341
     * After PlanarConfiguration is preset in TIFFDefaultDirectory()
4342
     * the following setting is not needed, but does not harm either.
4343
     */
4344
0
    TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
4345
    /*
4346
     * Setup default value and then make a pass over
4347
     * the fields to check type and tag information,
4348
     * and to extract info required to size data
4349
     * structures.  A second pass is made afterwards
4350
     * to read in everything not taken in the first pass.
4351
     * But we must process the Compression tag first
4352
     * in order to merge in codec-private tag definitions (otherwise
4353
     * we may get complaints about unknown tags).  However, the
4354
     * Compression tag may be dependent on the SamplesPerPixel
4355
     * tag value because older TIFF specs permitted Compression
4356
     * to be written as a SamplesPerPixel-count tag entry.
4357
     * Thus if we don't first figure out the correct SamplesPerPixel
4358
     * tag value then we may end up ignoring the Compression tag
4359
     * value because it has an incorrect count value (if the
4360
     * true value of SamplesPerPixel is not 1).
4361
     */
4362
0
    dp =
4363
0
        TIFFReadDirectoryFindEntry(tif, dir, dircount, TIFFTAG_SAMPLESPERPIXEL);
4364
0
    if (dp)
4365
0
    {
4366
0
        if (!TIFFFetchNormalTag(tif, dp, 0))
4367
0
            goto bad;
4368
0
        dp->tdir_ignore = TRUE;
4369
0
    }
4370
0
    dp = TIFFReadDirectoryFindEntry(tif, dir, dircount, TIFFTAG_COMPRESSION);
4371
0
    if (dp)
4372
0
    {
4373
        /*
4374
         * The 5.0 spec says the Compression tag has one value, while
4375
         * earlier specs say it has one value per sample.  Because of
4376
         * this, we accept the tag if one value is supplied with either
4377
         * count.
4378
         */
4379
0
        uint16_t value;
4380
0
        enum TIFFReadDirEntryErr err;
4381
0
        err = TIFFReadDirEntryShort(tif, dp, &value);
4382
0
        if (err == TIFFReadDirEntryErrCount)
4383
0
            err = TIFFReadDirEntryPersampleShort(tif, dp, &value);
4384
0
        if (err != TIFFReadDirEntryErrOk)
4385
0
        {
4386
0
            TIFFReadDirEntryOutputErr(tif, err, module, "Compression", 0);
4387
0
            goto bad;
4388
0
        }
4389
0
        if (!TIFFSetField(tif, TIFFTAG_COMPRESSION, value))
4390
0
            goto bad;
4391
0
        dp->tdir_ignore = TRUE;
4392
0
    }
4393
0
    else
4394
0
    {
4395
0
        if (!TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE))
4396
0
            goto bad;
4397
0
    }
4398
    /*
4399
     * First real pass over the directory.
4400
     */
4401
0
    for (di = 0, dp = dir; di < dircount; di++, dp++)
4402
0
    {
4403
0
        if (!dp->tdir_ignore)
4404
0
        {
4405
0
            const TIFFField *fld;
4406
0
            TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
4407
0
            if (fii == FAILED_FII)
4408
0
            {
4409
0
                TIFFWarningExtR(tif, module,
4410
0
                                "Unknown field with tag %" PRIu16 " (0x%" PRIx16
4411
0
                                ") encountered",
4412
0
                                dp->tdir_tag, dp->tdir_tag);
4413
                /* the following knowingly leaks the
4414
                   anonymous field structure */
4415
0
                fld = _TIFFCreateAnonField(
4416
0
                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
4417
0
                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
4418
0
                {
4419
0
                    TIFFWarningExtR(
4420
0
                        tif, module,
4421
0
                        "Registering anonymous field with tag %" PRIu16
4422
0
                        " (0x%" PRIx16 ") failed",
4423
0
                        dp->tdir_tag, dp->tdir_tag);
4424
0
                    dp->tdir_ignore = TRUE;
4425
0
                }
4426
0
                else
4427
0
                {
4428
0
                    TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
4429
0
                    assert(fii != FAILED_FII);
4430
0
                }
4431
0
            }
4432
0
        }
4433
0
        if (!dp->tdir_ignore)
4434
0
        {
4435
0
            fip = tif->tif_fields[fii];
4436
0
            if (fip->field_bit == FIELD_IGNORE)
4437
0
                dp->tdir_ignore = TRUE;
4438
0
            else
4439
0
            {
4440
0
                switch (dp->tdir_tag)
4441
0
                {
4442
0
                    case TIFFTAG_STRIPOFFSETS:
4443
0
                    case TIFFTAG_STRIPBYTECOUNTS:
4444
0
                    case TIFFTAG_TILEOFFSETS:
4445
0
                    case TIFFTAG_TILEBYTECOUNTS:
4446
0
                        TIFFSetFieldBit(tif, fip->field_bit);
4447
0
                        break;
4448
0
                    case TIFFTAG_IMAGEWIDTH:
4449
0
                    case TIFFTAG_IMAGELENGTH:
4450
0
                    case TIFFTAG_IMAGEDEPTH:
4451
0
                    case TIFFTAG_TILELENGTH:
4452
0
                    case TIFFTAG_TILEWIDTH:
4453
0
                    case TIFFTAG_TILEDEPTH:
4454
0
                    case TIFFTAG_PLANARCONFIG:
4455
0
                    case TIFFTAG_ROWSPERSTRIP:
4456
0
                    case TIFFTAG_EXTRASAMPLES:
4457
0
                        if (!TIFFFetchNormalTag(tif, dp, 0))
4458
0
                            goto bad;
4459
0
                        dp->tdir_ignore = TRUE;
4460
0
                        break;
4461
0
                    default:
4462
0
                        if (!_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag))
4463
0
                            dp->tdir_ignore = TRUE;
4464
0
                        break;
4465
0
                }
4466
0
            }
4467
0
        }
4468
0
    }
4469
    /*
4470
     * XXX: OJPEG hack.
4471
     * If a) compression is OJPEG, b) planarconfig tag says it's separate,
4472
     * c) strip offsets/bytecounts tag are both present and
4473
     * d) both contain exactly one value, then we consistently find
4474
     * that the buggy implementation of the buggy compression scheme
4475
     * matches contig planarconfig best. So we 'fix-up' the tag here
4476
     */
4477
0
    if ((tif->tif_dir.td_compression == COMPRESSION_OJPEG) &&
4478
0
        (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE))
4479
0
    {
4480
0
        if (!_TIFFFillStriles(tif))
4481
0
            goto bad;
4482
0
        dp = TIFFReadDirectoryFindEntry(tif, dir, dircount,
4483
0
                                        TIFFTAG_STRIPOFFSETS);
4484
0
        if ((dp != 0) && (dp->tdir_count == 1))
4485
0
        {
4486
0
            dp = TIFFReadDirectoryFindEntry(tif, dir, dircount,
4487
0
                                            TIFFTAG_STRIPBYTECOUNTS);
4488
0
            if ((dp != 0) && (dp->tdir_count == 1))
4489
0
            {
4490
0
                tif->tif_dir.td_planarconfig = PLANARCONFIG_CONTIG;
4491
0
                TIFFWarningExtR(tif, module,
4492
0
                                "Planarconfig tag value assumed incorrect, "
4493
0
                                "assuming data is contig instead of chunky");
4494
0
            }
4495
0
        }
4496
0
    }
4497
    /*
4498
     * Allocate directory structure and setup defaults.
4499
     */
4500
0
    if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS))
4501
0
    {
4502
0
        MissingRequired(tif, "ImageLength");
4503
0
        goto bad;
4504
0
    }
4505
4506
    /*
4507
     * Second pass: extract other information.
4508
     */
4509
0
    for (di = 0, dp = dir; di < dircount; di++, dp++)
4510
0
    {
4511
0
        if (!dp->tdir_ignore)
4512
0
        {
4513
0
            switch (dp->tdir_tag)
4514
0
            {
4515
0
                case TIFFTAG_MINSAMPLEVALUE:
4516
0
                case TIFFTAG_MAXSAMPLEVALUE:
4517
0
                case TIFFTAG_BITSPERSAMPLE:
4518
0
                case TIFFTAG_DATATYPE:
4519
0
                case TIFFTAG_SAMPLEFORMAT:
4520
                    /*
4521
                     * The MinSampleValue, MaxSampleValue, BitsPerSample
4522
                     * DataType and SampleFormat tags are supposed to be
4523
                     * written as one value/sample, but some vendors
4524
                     * incorrectly write one value only -- so we accept
4525
                     * that as well (yuck). Other vendors write correct
4526
                     * value for NumberOfSamples, but incorrect one for
4527
                     * BitsPerSample and friends, and we will read this
4528
                     * too.
4529
                     */
4530
0
                    {
4531
0
                        uint16_t value;
4532
0
                        enum TIFFReadDirEntryErr err;
4533
0
                        err = TIFFReadDirEntryShort(tif, dp, &value);
4534
0
                        if (!EvaluateIFDdatasizeReading(tif, dp))
4535
0
                            goto bad;
4536
0
                        if (err == TIFFReadDirEntryErrCount)
4537
0
                            err =
4538
0
                                TIFFReadDirEntryPersampleShort(tif, dp, &value);
4539
0
                        if (err != TIFFReadDirEntryErrOk)
4540
0
                        {
4541
0
                            fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4542
0
                            TIFFReadDirEntryOutputErr(
4543
0
                                tif, err, module,
4544
0
                                fip ? fip->field_name : "unknown tagname", 0);
4545
0
                            goto bad;
4546
0
                        }
4547
0
                        if (!TIFFSetField(tif, dp->tdir_tag, value))
4548
0
                            goto bad;
4549
0
                        if (dp->tdir_tag == TIFFTAG_BITSPERSAMPLE)
4550
0
                            bitspersample_read = TRUE;
4551
0
                    }
4552
0
                    break;
4553
0
                case TIFFTAG_SMINSAMPLEVALUE:
4554
0
                case TIFFTAG_SMAXSAMPLEVALUE:
4555
0
                {
4556
4557
0
                    double *data = NULL;
4558
0
                    enum TIFFReadDirEntryErr err;
4559
0
                    uint32_t saved_flags;
4560
0
                    int m;
4561
0
                    if (dp->tdir_count !=
4562
0
                        (uint64_t)tif->tif_dir.td_samplesperpixel)
4563
0
                        err = TIFFReadDirEntryErrCount;
4564
0
                    else
4565
0
                        err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
4566
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4567
0
                        goto bad;
4568
0
                    if (err != TIFFReadDirEntryErrOk)
4569
0
                    {
4570
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4571
0
                        TIFFReadDirEntryOutputErr(
4572
0
                            tif, err, module,
4573
0
                            fip ? fip->field_name : "unknown tagname", 0);
4574
0
                        goto bad;
4575
0
                    }
4576
0
                    saved_flags = tif->tif_flags;
4577
0
                    tif->tif_flags |= TIFF_PERSAMPLE;
4578
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
4579
0
                    tif->tif_flags = saved_flags;
4580
0
                    _TIFFfreeExt(tif, data);
4581
0
                    if (!m)
4582
0
                        goto bad;
4583
0
                }
4584
0
                break;
4585
0
                case TIFFTAG_STRIPOFFSETS:
4586
0
                case TIFFTAG_TILEOFFSETS:
4587
0
                {
4588
0
                    switch (dp->tdir_type)
4589
0
                    {
4590
0
                        case TIFF_SHORT:
4591
0
                        case TIFF_LONG:
4592
0
                        case TIFF_LONG8:
4593
0
                            break;
4594
0
                        default:
4595
                            /* Warn except if directory typically created with
4596
                             * TIFFDeferStrileArrayWriting() */
4597
0
                            if (!(tif->tif_mode == O_RDWR &&
4598
0
                                  dp->tdir_count == 0 && dp->tdir_type == 0 &&
4599
0
                                  dp->tdir_offset.toff_long8 == 0))
4600
0
                            {
4601
0
                                fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4602
0
                                TIFFWarningExtR(
4603
0
                                    tif, module, "Invalid data type for tag %s",
4604
0
                                    fip ? fip->field_name : "unknown tagname");
4605
0
                            }
4606
0
                            break;
4607
0
                    }
4608
0
                    _TIFFmemcpy(&(tif->tif_dir.td_stripoffset_entry), dp,
4609
0
                                sizeof(TIFFDirEntry));
4610
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4611
0
                        goto bad;
4612
0
                }
4613
0
                break;
4614
0
                case TIFFTAG_STRIPBYTECOUNTS:
4615
0
                case TIFFTAG_TILEBYTECOUNTS:
4616
0
                {
4617
0
                    switch (dp->tdir_type)
4618
0
                    {
4619
0
                        case TIFF_SHORT:
4620
0
                        case TIFF_LONG:
4621
0
                        case TIFF_LONG8:
4622
0
                            break;
4623
0
                        default:
4624
                            /* Warn except if directory typically created with
4625
                             * TIFFDeferStrileArrayWriting() */
4626
0
                            if (!(tif->tif_mode == O_RDWR &&
4627
0
                                  dp->tdir_count == 0 && dp->tdir_type == 0 &&
4628
0
                                  dp->tdir_offset.toff_long8 == 0))
4629
0
                            {
4630
0
                                fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4631
0
                                TIFFWarningExtR(
4632
0
                                    tif, module, "Invalid data type for tag %s",
4633
0
                                    fip ? fip->field_name : "unknown tagname");
4634
0
                            }
4635
0
                            break;
4636
0
                    }
4637
0
                    _TIFFmemcpy(&(tif->tif_dir.td_stripbytecount_entry), dp,
4638
0
                                sizeof(TIFFDirEntry));
4639
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4640
0
                        goto bad;
4641
0
                }
4642
0
                break;
4643
0
                case TIFFTAG_COLORMAP:
4644
0
                case TIFFTAG_TRANSFERFUNCTION:
4645
0
                {
4646
0
                    enum TIFFReadDirEntryErr err;
4647
0
                    uint32_t countpersample;
4648
0
                    uint32_t countrequired;
4649
0
                    uint32_t incrementpersample;
4650
0
                    uint16_t *value = NULL;
4651
                    /* It would be dangerous to instantiate those tag values */
4652
                    /* since if td_bitspersample has not yet been read (due to
4653
                     */
4654
                    /* unordered tags), it could be read afterwards with a */
4655
                    /* values greater than the default one (1), which may cause
4656
                     */
4657
                    /* crashes in user code */
4658
0
                    if (!bitspersample_read)
4659
0
                    {
4660
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4661
0
                        TIFFWarningExtR(
4662
0
                            tif, module,
4663
0
                            "Ignoring %s since BitsPerSample tag not found",
4664
0
                            fip ? fip->field_name : "unknown tagname");
4665
0
                        continue;
4666
0
                    }
4667
                    /* ColorMap or TransferFunction for high bit */
4668
                    /* depths do not make much sense and could be */
4669
                    /* used as a denial of service vector */
4670
0
                    if (tif->tif_dir.td_bitspersample > 24)
4671
0
                    {
4672
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4673
0
                        TIFFWarningExtR(
4674
0
                            tif, module,
4675
0
                            "Ignoring %s because BitsPerSample=%" PRIu16 ">24",
4676
0
                            fip ? fip->field_name : "unknown tagname",
4677
0
                            tif->tif_dir.td_bitspersample);
4678
0
                        continue;
4679
0
                    }
4680
0
                    countpersample = (1U << tif->tif_dir.td_bitspersample);
4681
0
                    if ((dp->tdir_tag == TIFFTAG_TRANSFERFUNCTION) &&
4682
0
                        (dp->tdir_count == (uint64_t)countpersample))
4683
0
                    {
4684
0
                        countrequired = countpersample;
4685
0
                        incrementpersample = 0;
4686
0
                    }
4687
0
                    else
4688
0
                    {
4689
0
                        countrequired = 3 * countpersample;
4690
0
                        incrementpersample = countpersample;
4691
0
                    }
4692
0
                    if (dp->tdir_count != (uint64_t)countrequired)
4693
0
                        err = TIFFReadDirEntryErrCount;
4694
0
                    else
4695
0
                        err = TIFFReadDirEntryShortArray(tif, dp, &value);
4696
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4697
0
                        goto bad;
4698
0
                    if (err != TIFFReadDirEntryErrOk)
4699
0
                    {
4700
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4701
0
                        TIFFReadDirEntryOutputErr(
4702
0
                            tif, err, module,
4703
0
                            fip ? fip->field_name : "unknown tagname", 1);
4704
0
                    }
4705
0
                    else
4706
0
                    {
4707
0
                        TIFFSetField(tif, dp->tdir_tag, value,
4708
0
                                     value + incrementpersample,
4709
0
                                     value + 2 * incrementpersample);
4710
0
                        _TIFFfreeExt(tif, value);
4711
0
                    }
4712
0
                }
4713
0
                break;
4714
                    /* BEGIN REV 4.0 COMPATIBILITY */
4715
0
                case TIFFTAG_OSUBFILETYPE:
4716
0
                {
4717
0
                    uint16_t valueo;
4718
0
                    uint32_t value;
4719
0
                    if (TIFFReadDirEntryShort(tif, dp, &valueo) ==
4720
0
                        TIFFReadDirEntryErrOk)
4721
0
                    {
4722
0
                        switch (valueo)
4723
0
                        {
4724
0
                            case OFILETYPE_REDUCEDIMAGE:
4725
0
                                value = FILETYPE_REDUCEDIMAGE;
4726
0
                                break;
4727
0
                            case OFILETYPE_PAGE:
4728
0
                                value = FILETYPE_PAGE;
4729
0
                                break;
4730
0
                            default:
4731
0
                                value = 0;
4732
0
                                break;
4733
0
                        }
4734
0
                        if (value != 0)
4735
0
                            TIFFSetField(tif, TIFFTAG_SUBFILETYPE, value);
4736
0
                    }
4737
0
                }
4738
0
                break;
4739
                /* END REV 4.0 COMPATIBILITY */
4740
#if 0
4741
                case TIFFTAG_EP_BATTERYLEVEL:
4742
                    /* TIFFTAG_EP_BATTERYLEVEL can be RATIONAL or ASCII.
4743
                     * LibTiff defines it as ASCII and converts RATIONAL to an
4744
                     * ASCII string. */
4745
                    switch (dp->tdir_type)
4746
                    {
4747
                        case TIFF_RATIONAL:
4748
                        {
4749
                            /* Read rational and convert to ASCII*/
4750
                            enum TIFFReadDirEntryErr err;
4751
                            TIFFRational_t rValue;
4752
                            err = TIFFReadDirEntryCheckedRationalDirect(
4753
                                tif, dp, &rValue);
4754
                            if (err != TIFFReadDirEntryErrOk)
4755
                            {
4756
                                fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4757
                                TIFFReadDirEntryOutputErr(
4758
                                    tif, err, module,
4759
                                    fip ? fip->field_name : "unknown tagname",
4760
                                    1);
4761
                            }
4762
                            else
4763
                            {
4764
                                char szAux[32];
4765
                                snprintf(szAux, sizeof(szAux) - 1, "%d/%d",
4766
                                         rValue.uNum, rValue.uDenom);
4767
                                TIFFSetField(tif, dp->tdir_tag, szAux);
4768
                            }
4769
                        }
4770
                        break;
4771
                        case TIFF_ASCII:
4772
                            (void)TIFFFetchNormalTag(tif, dp, TRUE);
4773
                            break;
4774
                        default:
4775
                            fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4776
                            TIFFWarningExtR(tif, module,
4777
                                            "Invalid data type for tag %s. "
4778
                                            "ASCII or RATIONAL expected",
4779
                                            fip ? fip->field_name
4780
                                                : "unknown tagname");
4781
                            break;
4782
                    }
4783
                    break;
4784
#endif
4785
0
                default:
4786
0
                    (void)TIFFFetchNormalTag(tif, dp, TRUE);
4787
0
                    break;
4788
0
            } /* -- switch (dp->tdir_tag) -- */
4789
0
        }     /* -- if (!dp->tdir_ignore) */
4790
0
    }         /* -- for-loop -- */
4791
4792
    /* Evaluate final IFD data size. */
4793
0
    CalcFinalIFDdatasizeReading(tif, dircount);
4794
4795
    /*
4796
     * OJPEG hack:
4797
     * - If a) compression is OJPEG, and b) photometric tag is missing,
4798
     * then we consistently find that photometric should be YCbCr
4799
     * - If a) compression is OJPEG, and b) photometric tag says it's RGB,
4800
     * then we consistently find that the buggy implementation of the
4801
     * buggy compression scheme matches photometric YCbCr instead.
4802
     * - If a) compression is OJPEG, and b) bitspersample tag is missing,
4803
     * then we consistently find bitspersample should be 8.
4804
     * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4805
     * and c) photometric is RGB or YCbCr, then we consistently find
4806
     * samplesperpixel should be 3
4807
     * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4808
     * and c) photometric is MINISWHITE or MINISBLACK, then we consistently
4809
     * find samplesperpixel should be 3
4810
     */
4811
0
    if (tif->tif_dir.td_compression == COMPRESSION_OJPEG)
4812
0
    {
4813
0
        if (!TIFFFieldSet(tif, FIELD_PHOTOMETRIC))
4814
0
        {
4815
0
            TIFFWarningExtR(
4816
0
                tif, module,
4817
0
                "Photometric tag is missing, assuming data is YCbCr");
4818
0
            if (!TIFFSetField(tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR))
4819
0
                goto bad;
4820
0
        }
4821
0
        else if (tif->tif_dir.td_photometric == PHOTOMETRIC_RGB)
4822
0
        {
4823
0
            tif->tif_dir.td_photometric = PHOTOMETRIC_YCBCR;
4824
0
            TIFFWarningExtR(tif, module,
4825
0
                            "Photometric tag value assumed incorrect, "
4826
0
                            "assuming data is YCbCr instead of RGB");
4827
0
        }
4828
0
        if (!TIFFFieldSet(tif, FIELD_BITSPERSAMPLE))
4829
0
        {
4830
0
            TIFFWarningExtR(
4831
0
                tif, module,
4832
0
                "BitsPerSample tag is missing, assuming 8 bits per sample");
4833
0
            if (!TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, 8))
4834
0
                goto bad;
4835
0
        }
4836
0
        if (!TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
4837
0
        {
4838
0
            if (tif->tif_dir.td_photometric == PHOTOMETRIC_RGB)
4839
0
            {
4840
0
                TIFFWarningExtR(tif, module,
4841
0
                                "SamplesPerPixel tag is missing, "
4842
0
                                "assuming correct SamplesPerPixel value is 3");
4843
0
                if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 3))
4844
0
                    goto bad;
4845
0
            }
4846
0
            if (tif->tif_dir.td_photometric == PHOTOMETRIC_YCBCR)
4847
0
            {
4848
0
                TIFFWarningExtR(tif, module,
4849
0
                                "SamplesPerPixel tag is missing, "
4850
0
                                "applying correct SamplesPerPixel value of 3");
4851
0
                if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 3))
4852
0
                    goto bad;
4853
0
            }
4854
0
            else if ((tif->tif_dir.td_photometric == PHOTOMETRIC_MINISWHITE) ||
4855
0
                     (tif->tif_dir.td_photometric == PHOTOMETRIC_MINISBLACK))
4856
0
            {
4857
                /*
4858
                 * SamplesPerPixel tag is missing, but is not required
4859
                 * by spec.  Assume correct SamplesPerPixel value of 1.
4860
                 */
4861
0
                if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 1))
4862
0
                    goto bad;
4863
0
            }
4864
0
        }
4865
0
    }
4866
4867
    /*
4868
     * Setup appropriate structures (by strip or by tile)
4869
     * We do that only after the above OJPEG hack which alters SamplesPerPixel
4870
     * and thus influences the number of strips in the separate planarconfig.
4871
     */
4872
0
    if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS))
4873
0
    {
4874
0
        tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
4875
0
        tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
4876
0
        tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
4877
0
        tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
4878
0
        tif->tif_flags &= ~TIFF_ISTILED;
4879
0
    }
4880
0
    else
4881
0
    {
4882
0
        tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
4883
0
        tif->tif_flags |= TIFF_ISTILED;
4884
0
    }
4885
0
    if (!tif->tif_dir.td_nstrips)
4886
0
    {
4887
0
        TIFFErrorExtR(tif, module, "Cannot handle zero number of %s",
4888
0
                      isTiled(tif) ? "tiles" : "strips");
4889
0
        goto bad;
4890
0
    }
4891
0
    tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
4892
0
    if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
4893
0
        tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
4894
0
    if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS))
4895
0
    {
4896
#ifdef OJPEG_SUPPORT
4897
        if ((tif->tif_dir.td_compression == COMPRESSION_OJPEG) &&
4898
            (isTiled(tif) == 0) && (tif->tif_dir.td_nstrips == 1))
4899
        {
4900
            /*
4901
             * XXX: OJPEG hack.
4902
             * If a) compression is OJPEG, b) it's not a tiled TIFF,
4903
             * and c) the number of strips is 1,
4904
             * then we tolerate the absence of stripoffsets tag,
4905
             * because, presumably, all required data is in the
4906
             * JpegInterchangeFormat stream.
4907
             */
4908
            TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
4909
        }
4910
        else
4911
#endif
4912
0
        {
4913
0
            MissingRequired(tif, isTiled(tif) ? "TileOffsets" : "StripOffsets");
4914
0
            goto bad;
4915
0
        }
4916
0
    }
4917
4918
0
    if (tif->tif_mode == O_RDWR &&
4919
0
        tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
4920
0
        tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
4921
0
        tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
4922
0
        tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
4923
0
        tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
4924
0
        tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
4925
0
        tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
4926
0
        tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0)
4927
0
    {
4928
        /* Directory typically created with TIFFDeferStrileArrayWriting() */
4929
0
        TIFFSetupStrips(tif);
4930
0
    }
4931
0
    else if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD))
4932
0
    {
4933
0
        if (tif->tif_dir.td_stripoffset_entry.tdir_tag != 0)
4934
0
        {
4935
0
            if (!TIFFFetchStripThing(tif, &(tif->tif_dir.td_stripoffset_entry),
4936
0
                                     tif->tif_dir.td_nstrips,
4937
0
                                     &tif->tif_dir.td_stripoffset_p))
4938
0
            {
4939
0
                goto bad;
4940
0
            }
4941
0
        }
4942
0
        if (tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0)
4943
0
        {
4944
0
            if (!TIFFFetchStripThing(
4945
0
                    tif, &(tif->tif_dir.td_stripbytecount_entry),
4946
0
                    tif->tif_dir.td_nstrips, &tif->tif_dir.td_stripbytecount_p))
4947
0
            {
4948
0
                goto bad;
4949
0
            }
4950
0
        }
4951
0
    }
4952
4953
    /*
4954
     * Make sure all non-color channels are extrasamples.
4955
     * If it's not the case, define them as such.
4956
     */
4957
0
    color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
4958
0
    if (color_channels &&
4959
0
        tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples >
4960
0
            color_channels)
4961
0
    {
4962
0
        uint16_t old_extrasamples;
4963
0
        uint16_t *new_sampleinfo;
4964
4965
0
        TIFFWarningExtR(
4966
0
            tif, module,
4967
0
            "Sum of Photometric type-related "
4968
0
            "color channels and ExtraSamples doesn't match SamplesPerPixel. "
4969
0
            "Defining non-color channels as ExtraSamples.");
4970
4971
0
        old_extrasamples = tif->tif_dir.td_extrasamples;
4972
0
        tif->tif_dir.td_extrasamples =
4973
0
            (uint16_t)(tif->tif_dir.td_samplesperpixel - color_channels);
4974
4975
        // sampleinfo should contain information relative to these new extra
4976
        // samples
4977
0
        new_sampleinfo = (uint16_t *)_TIFFcallocExt(
4978
0
            tif, tif->tif_dir.td_extrasamples, sizeof(uint16_t));
4979
0
        if (!new_sampleinfo)
4980
0
        {
4981
0
            TIFFErrorExtR(tif, module,
4982
0
                          "Failed to allocate memory for "
4983
0
                          "temporary new sampleinfo array "
4984
0
                          "(%" PRIu16 " 16 bit elements)",
4985
0
                          tif->tif_dir.td_extrasamples);
4986
0
            goto bad;
4987
0
        }
4988
4989
0
        if (old_extrasamples > 0)
4990
0
            memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo,
4991
0
                   old_extrasamples * sizeof(uint16_t));
4992
0
        _TIFFsetShortArrayExt(tif, &tif->tif_dir.td_sampleinfo, new_sampleinfo,
4993
0
                              tif->tif_dir.td_extrasamples);
4994
0
        _TIFFfreeExt(tif, new_sampleinfo);
4995
0
    }
4996
4997
    /*
4998
     * Verify Palette image has a Colormap.
4999
     */
5000
0
    if (tif->tif_dir.td_photometric == PHOTOMETRIC_PALETTE &&
5001
0
        !TIFFFieldSet(tif, FIELD_COLORMAP))
5002
0
    {
5003
0
        if (tif->tif_dir.td_bitspersample >= 8 &&
5004
0
            tif->tif_dir.td_samplesperpixel == 3)
5005
0
            tif->tif_dir.td_photometric = PHOTOMETRIC_RGB;
5006
0
        else if (tif->tif_dir.td_bitspersample >= 8)
5007
0
            tif->tif_dir.td_photometric = PHOTOMETRIC_MINISBLACK;
5008
0
        else
5009
0
        {
5010
0
            MissingRequired(tif, "Colormap");
5011
0
            goto bad;
5012
0
        }
5013
0
    }
5014
    /*
5015
     * OJPEG hack:
5016
     * We do no further messing with strip/tile offsets/bytecounts in OJPEG
5017
     * TIFFs
5018
     */
5019
0
    if (tif->tif_dir.td_compression != COMPRESSION_OJPEG)
5020
0
    {
5021
        /*
5022
         * Attempt to deal with a missing StripByteCounts tag.
5023
         */
5024
0
        if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS))
5025
0
        {
5026
            /*
5027
             * Some manufacturers violate the spec by not giving
5028
             * the size of the strips.  In this case, assume there
5029
             * is one uncompressed strip of data.
5030
             */
5031
0
            if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
5032
0
                 tif->tif_dir.td_nstrips > 1) ||
5033
0
                (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE &&
5034
0
                 tif->tif_dir.td_nstrips !=
5035
0
                     (uint32_t)tif->tif_dir.td_samplesperpixel))
5036
0
            {
5037
0
                MissingRequired(tif, "StripByteCounts");
5038
0
                goto bad;
5039
0
            }
5040
0
            TIFFWarningExtR(
5041
0
                tif, module,
5042
0
                "TIFF directory is missing required "
5043
0
                "\"StripByteCounts\" field, calculating from imagelength");
5044
0
            if (EstimateStripByteCounts(tif, dir, dircount) < 0)
5045
0
                goto bad;
5046
0
        }
5047
0
        else if (tif->tif_dir.td_nstrips == 1 &&
5048
0
                 !(tif->tif_flags & TIFF_ISTILED) && ByteCountLooksBad(tif))
5049
0
        {
5050
            /*
5051
             * XXX: Plexus (and others) sometimes give a value of
5052
             * zero for a tag when they don't know what the
5053
             * correct value is!  Try and handle the simple case
5054
             * of estimating the size of a one strip image.
5055
             */
5056
0
            TIFFWarningExtR(tif, module,
5057
0
                            "Bogus \"StripByteCounts\" field, ignoring and "
5058
0
                            "calculating from imagelength");
5059
0
            if (EstimateStripByteCounts(tif, dir, dircount) < 0)
5060
0
                goto bad;
5061
0
        }
5062
0
        else if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
5063
0
                 tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
5064
0
                 tif->tif_dir.td_nstrips > 2 &&
5065
0
                 tif->tif_dir.td_compression == COMPRESSION_NONE &&
5066
0
                 TIFFGetStrileByteCount(tif, 0) !=
5067
0
                     TIFFGetStrileByteCount(tif, 1) &&
5068
0
                 TIFFGetStrileByteCount(tif, 0) != 0 &&
5069
0
                 TIFFGetStrileByteCount(tif, 1) != 0)
5070
0
        {
5071
            /*
5072
             * XXX: Some vendors fill StripByteCount array with
5073
             * absolutely wrong values (it can be equal to
5074
             * StripOffset array, for example). Catch this case
5075
             * here.
5076
             *
5077
             * We avoid this check if deferring strile loading
5078
             * as it would always force us to load the strip/tile
5079
             * information.
5080
             */
5081
0
            TIFFWarningExtR(tif, module,
5082
0
                            "Wrong \"StripByteCounts\" field, ignoring and "
5083
0
                            "calculating from imagelength");
5084
0
            if (EstimateStripByteCounts(tif, dir, dircount) < 0)
5085
0
                goto bad;
5086
0
        }
5087
0
    }
5088
0
    if (dir)
5089
0
    {
5090
0
        _TIFFfreeExt(tif, dir);
5091
0
        dir = NULL;
5092
0
    }
5093
0
    if (!TIFFFieldSet(tif, FIELD_MAXSAMPLEVALUE))
5094
0
    {
5095
0
        if (tif->tif_dir.td_bitspersample >= 16)
5096
0
            tif->tif_dir.td_maxsamplevalue = 0xFFFF;
5097
0
        else
5098
0
            tif->tif_dir.td_maxsamplevalue =
5099
0
                (uint16_t)((1L << tif->tif_dir.td_bitspersample) - 1);
5100
0
    }
5101
5102
#ifdef STRIPBYTECOUNTSORTED_UNUSED
5103
    /*
5104
     * XXX: We can optimize checking for the strip bounds using the sorted
5105
     * bytecounts array. See also comments for TIFFAppendToStrip()
5106
     * function in tif_write.c.
5107
     */
5108
    if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) && tif->tif_dir.td_nstrips > 1)
5109
    {
5110
        uint32_t strip;
5111
5112
        tif->tif_dir.td_stripbytecountsorted = 1;
5113
        for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++)
5114
        {
5115
            if (TIFFGetStrileOffset(tif, strip - 1) >
5116
                TIFFGetStrileOffset(tif, strip))
5117
            {
5118
                tif->tif_dir.td_stripbytecountsorted = 0;
5119
                break;
5120
            }
5121
        }
5122
    }
5123
#endif
5124
5125
    /*
5126
     * An opportunity for compression mode dependent tag fixup
5127
     */
5128
0
    (*tif->tif_fixuptags)(tif);
5129
5130
    /*
5131
     * Some manufacturers make life difficult by writing
5132
     * large amounts of uncompressed data as a single strip.
5133
     * This is contrary to the recommendations of the spec.
5134
     * The following makes an attempt at breaking such images
5135
     * into strips closer to the recommended 8k bytes.  A
5136
     * side effect, however, is that the RowsPerStrip tag
5137
     * value may be changed.
5138
     */
5139
0
    if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG) &&
5140
0
        (tif->tif_dir.td_nstrips == 1) &&
5141
0
        (tif->tif_dir.td_compression == COMPRESSION_NONE) &&
5142
0
        ((tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) == TIFF_STRIPCHOP))
5143
0
    {
5144
0
        ChopUpSingleUncompressedStrip(tif);
5145
0
    }
5146
5147
    /* There are also uncompressed striped files with strips larger than */
5148
    /* 2 GB, which make them unfriendly with a lot of code. If possible, */
5149
    /* try to expose smaller "virtual" strips. */
5150
0
    if (tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
5151
0
        tif->tif_dir.td_compression == COMPRESSION_NONE &&
5152
0
        (tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) == TIFF_STRIPCHOP &&
5153
0
        TIFFStripSize64(tif) > 0x7FFFFFFFUL)
5154
0
    {
5155
0
        TryChopUpUncompressedBigTiff(tif);
5156
0
    }
5157
5158
    /*
5159
     * Clear the dirty directory flag.
5160
     */
5161
0
    tif->tif_flags &= ~TIFF_DIRTYDIRECT;
5162
0
    tif->tif_flags &= ~TIFF_DIRTYSTRIP;
5163
5164
    /*
5165
     * Reinitialize i/o since we are starting on a new directory.
5166
     */
5167
0
    tif->tif_row = (uint32_t)-1;
5168
0
    tif->tif_curstrip = (uint32_t)-1;
5169
0
    tif->tif_col = (uint32_t)-1;
5170
0
    tif->tif_curtile = (uint32_t)-1;
5171
0
    tif->tif_tilesize = (tmsize_t)-1;
5172
5173
0
    tif->tif_scanlinesize = TIFFScanlineSize(tif);
5174
0
    if (!tif->tif_scanlinesize)
5175
0
    {
5176
0
        TIFFErrorExtR(tif, module, "Cannot handle zero scanline size");
5177
0
        return (0);
5178
0
    }
5179
5180
0
    if (isTiled(tif))
5181
0
    {
5182
0
        tif->tif_tilesize = TIFFTileSize(tif);
5183
0
        if (!tif->tif_tilesize)
5184
0
        {
5185
0
            TIFFErrorExtR(tif, module, "Cannot handle zero tile size");
5186
0
            return (0);
5187
0
        }
5188
0
    }
5189
0
    else
5190
0
    {
5191
0
        if (!TIFFStripSize(tif))
5192
0
        {
5193
0
            TIFFErrorExtR(tif, module, "Cannot handle zero strip size");
5194
0
            return (0);
5195
0
        }
5196
0
    }
5197
0
    return (1);
5198
0
bad:
5199
0
    if (dir)
5200
0
        _TIFFfreeExt(tif, dir);
5201
0
    return (0);
5202
0
} /*-- TIFFReadDirectory() --*/
5203
5204
static void TIFFReadDirectoryCheckOrder(TIFF *tif, TIFFDirEntry *dir,
5205
                                        uint16_t dircount)
5206
0
{
5207
0
    static const char module[] = "TIFFReadDirectoryCheckOrder";
5208
0
    uint32_t m;
5209
0
    uint16_t n;
5210
0
    TIFFDirEntry *o;
5211
0
    m = 0;
5212
0
    for (n = 0, o = dir; n < dircount; n++, o++)
5213
0
    {
5214
0
        if (o->tdir_tag < m)
5215
0
        {
5216
0
            TIFFWarningExtR(tif, module,
5217
0
                            "Invalid TIFF directory; tags are not sorted in "
5218
0
                            "ascending order");
5219
0
            break;
5220
0
        }
5221
0
        m = o->tdir_tag + 1;
5222
0
    }
5223
0
}
5224
5225
static TIFFDirEntry *TIFFReadDirectoryFindEntry(TIFF *tif, TIFFDirEntry *dir,
5226
                                                uint16_t dircount,
5227
                                                uint16_t tagid)
5228
0
{
5229
0
    TIFFDirEntry *m;
5230
0
    uint16_t n;
5231
0
    (void)tif;
5232
0
    for (m = dir, n = 0; n < dircount; m++, n++)
5233
0
    {
5234
0
        if (m->tdir_tag == tagid)
5235
0
            return (m);
5236
0
    }
5237
0
    return (0);
5238
0
}
5239
5240
static void TIFFReadDirectoryFindFieldInfo(TIFF *tif, uint16_t tagid,
5241
                                           uint32_t *fii)
5242
0
{
5243
0
    int32_t ma, mb, mc;
5244
0
    ma = -1;
5245
0
    mc = (int32_t)tif->tif_nfields;
5246
0
    while (1)
5247
0
    {
5248
0
        if (ma + 1 == mc)
5249
0
        {
5250
0
            *fii = FAILED_FII;
5251
0
            return;
5252
0
        }
5253
0
        mb = (ma + mc) / 2;
5254
0
        if (tif->tif_fields[mb]->field_tag == (uint32_t)tagid)
5255
0
            break;
5256
0
        if (tif->tif_fields[mb]->field_tag < (uint32_t)tagid)
5257
0
            ma = mb;
5258
0
        else
5259
0
            mc = mb;
5260
0
    }
5261
0
    while (1)
5262
0
    {
5263
0
        if (mb == 0)
5264
0
            break;
5265
0
        if (tif->tif_fields[mb - 1]->field_tag != (uint32_t)tagid)
5266
0
            break;
5267
0
        mb--;
5268
0
    }
5269
0
    *fii = mb;
5270
0
}
5271
5272
/*
5273
 * Read custom directory from the arbitrary offset.
5274
 * The code is very similar to TIFFReadDirectory().
5275
 */
5276
int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
5277
                            const TIFFFieldArray *infoarray)
5278
0
{
5279
0
    static const char module[] = "TIFFReadCustomDirectory";
5280
0
    TIFFDirEntry *dir;
5281
0
    uint16_t dircount;
5282
0
    TIFFDirEntry *dp;
5283
0
    uint16_t di;
5284
0
    const TIFFField *fip;
5285
0
    uint32_t fii;
5286
5287
0
    dircount = TIFFFetchDirectory(tif, diroff, &dir, NULL);
5288
0
    if (!dircount)
5289
0
    {
5290
0
        TIFFErrorExtR(tif, module,
5291
0
                      "Failed to read custom directory at offset %" PRIu64,
5292
0
                      diroff);
5293
0
        return 0;
5294
0
    }
5295
0
    TIFFReadDirectoryCheckOrder(tif, dir, dircount);
5296
5297
    /*
5298
     * Mark duplicates of any tag to be ignored (bugzilla 1994)
5299
     * to avoid certain pathological problems.
5300
     */
5301
0
    {
5302
0
        TIFFDirEntry *ma;
5303
0
        uint16_t mb;
5304
0
        for (ma = dir, mb = 0; mb < dircount; ma++, mb++)
5305
0
        {
5306
0
            TIFFDirEntry *na;
5307
0
            uint16_t nb;
5308
0
            for (na = ma + 1, nb = mb + 1; nb < dircount; na++, nb++)
5309
0
            {
5310
0
                if (ma->tdir_tag == na->tdir_tag)
5311
0
                {
5312
0
                    na->tdir_ignore = TRUE;
5313
0
                }
5314
0
            }
5315
0
        }
5316
0
    }
5317
5318
    /* Free any old stuff and reinit. */
5319
0
    (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
5320
0
    TIFFFreeDirectory(tif);
5321
    /* Even if custom directories do not need the default settings of a standard
5322
     * IFD, the pointer to the TIFFSetField() and TIFFGetField() (i.e.
5323
     * tif->tif_tagmethods.vsetfield and tif->tif_tagmethods.vgetfield) need to
5324
     * be initialized, which is done in TIFFDefaultDirectory().
5325
     * After that, the field array for the custom tags needs to be setup again.
5326
     */
5327
0
    TIFFDefaultDirectory(tif);
5328
0
    _TIFFSetupFields(tif, infoarray);
5329
5330
    /* Allocate arrays for offset values outside IFD entry for IFD data size
5331
     * checking. Note: Counter are reset within TIFFFreeDirectory(). */
5332
0
    tif->tif_dir.td_dirdatasize_offsets =
5333
0
        (TIFFEntryOffsetAndLength *)_TIFFmallocExt(
5334
0
            tif, dircount * sizeof(TIFFEntryOffsetAndLength));
5335
0
    if (tif->tif_dir.td_dirdatasize_offsets == NULL)
5336
0
    {
5337
0
        TIFFErrorExtR(
5338
0
            tif, module,
5339
0
            "Failed to allocate memory for counting IFD data size at reading");
5340
0
        if (dir)
5341
0
            _TIFFfreeExt(tif, dir);
5342
0
        return 0;
5343
0
    }
5344
5345
0
    for (di = 0, dp = dir; di < dircount; di++, dp++)
5346
0
    {
5347
0
        TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
5348
0
        if (fii == FAILED_FII)
5349
0
        {
5350
0
            const TIFFField *fld;
5351
0
            TIFFWarningExtR(tif, module,
5352
0
                            "Unknown field with tag %" PRIu16 " (0x%" PRIx16
5353
0
                            ") encountered",
5354
0
                            dp->tdir_tag, dp->tdir_tag);
5355
0
            fld = _TIFFCreateAnonField(
5356
0
                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
5357
0
            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
5358
0
            {
5359
0
                TIFFWarningExtR(tif, module,
5360
0
                                "Registering anonymous field with tag %" PRIu16
5361
0
                                " (0x%" PRIx16 ") failed",
5362
0
                                dp->tdir_tag, dp->tdir_tag);
5363
0
                dp->tdir_ignore = TRUE;
5364
0
            }
5365
0
            else
5366
0
            {
5367
0
                TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
5368
0
                assert(fii != FAILED_FII);
5369
0
            }
5370
0
        }
5371
0
        if (!dp->tdir_ignore)
5372
0
        {
5373
0
            fip = tif->tif_fields[fii];
5374
0
            if (fip->field_bit == FIELD_IGNORE)
5375
0
                dp->tdir_ignore = TRUE;
5376
0
            else
5377
0
            {
5378
                /* check data type */
5379
0
                while ((fip->field_type != TIFF_ANY) &&
5380
0
                       (fip->field_type != dp->tdir_type))
5381
0
                {
5382
0
                    fii++;
5383
0
                    if ((fii == tif->tif_nfields) ||
5384
0
                        (tif->tif_fields[fii]->field_tag !=
5385
0
                         (uint32_t)dp->tdir_tag))
5386
0
                    {
5387
0
                        fii = 0xFFFF;
5388
0
                        break;
5389
0
                    }
5390
0
                    fip = tif->tif_fields[fii];
5391
0
                }
5392
0
                if (fii == 0xFFFF)
5393
0
                {
5394
0
                    TIFFWarningExtR(tif, module,
5395
0
                                    "Wrong data type %" PRIu16
5396
0
                                    " for \"%s\"; tag ignored",
5397
0
                                    dp->tdir_type, fip->field_name);
5398
0
                    dp->tdir_ignore = TRUE;
5399
0
                }
5400
0
                else
5401
0
                {
5402
                    /* check count if known in advance */
5403
0
                    if ((fip->field_readcount != TIFF_VARIABLE) &&
5404
0
                        (fip->field_readcount != TIFF_VARIABLE2))
5405
0
                    {
5406
0
                        uint32_t expected;
5407
0
                        if (fip->field_readcount == TIFF_SPP)
5408
0
                            expected =
5409
0
                                (uint32_t)tif->tif_dir.td_samplesperpixel;
5410
0
                        else
5411
0
                            expected = (uint32_t)fip->field_readcount;
5412
0
                        if (!CheckDirCount(tif, dp, expected))
5413
0
                            dp->tdir_ignore = TRUE;
5414
0
                    }
5415
0
                }
5416
0
            }
5417
0
            if (!dp->tdir_ignore)
5418
0
            {
5419
0
                switch (dp->tdir_tag)
5420
0
                {
5421
0
                    case EXIFTAG_SUBJECTDISTANCE:
5422
0
                        if (!TIFFFieldIsAnonymous(fip))
5423
0
                        {
5424
                            /* should only be called on a Exif directory */
5425
                            /* when exifFields[] is active */
5426
0
                            (void)TIFFFetchSubjectDistance(tif, dp);
5427
0
                        }
5428
0
                        else
5429
0
                        {
5430
0
                            (void)TIFFFetchNormalTag(tif, dp, TRUE);
5431
0
                        }
5432
0
                        break;
5433
0
                    default:
5434
0
                        (void)TIFFFetchNormalTag(tif, dp, TRUE);
5435
0
                        break;
5436
0
                }
5437
0
            } /*-- if (!dp->tdir_ignore) */
5438
0
        }
5439
0
    }
5440
    /* Evaluate final IFD data size. */
5441
0
    CalcFinalIFDdatasizeReading(tif, dircount);
5442
5443
    /* To be able to return from SubIFD or custom-IFD to main-IFD */
5444
0
    tif->tif_setdirectory_force_absolute = TRUE;
5445
0
    if (dir)
5446
0
        _TIFFfreeExt(tif, dir);
5447
0
    return 1;
5448
0
}
5449
5450
/*
5451
 * EXIF is important special case of custom IFD, so we have a special
5452
 * function to read it.
5453
 */
5454
int TIFFReadEXIFDirectory(TIFF *tif, toff_t diroff)
5455
0
{
5456
0
    return TIFFReadCustomDirectory(tif, diroff, _TIFFGetExifFields());
5457
0
}
5458
5459
/*
5460
 *--: EXIF-GPS custom directory reading as another special case of custom IFD.
5461
 */
5462
int TIFFReadGPSDirectory(TIFF *tif, toff_t diroff)
5463
0
{
5464
0
    return TIFFReadCustomDirectory(tif, diroff, _TIFFGetGpsFields());
5465
0
}
5466
5467
static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
5468
                                   uint16_t dircount)
5469
0
{
5470
0
    static const char module[] = "EstimateStripByteCounts";
5471
0
    uint64_t allocsize;
5472
0
    uint64_t filesize;
5473
5474
0
    TIFFDirEntry *dp;
5475
0
    TIFFDirectory *td = &tif->tif_dir;
5476
0
    uint32_t strip;
5477
5478
    /* Do not try to load stripbytecount as we will compute it */
5479
0
    if (!_TIFFFillStrilesInternal(tif, 0))
5480
0
        return -1;
5481
5482
0
    allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
5483
0
    filesize = 0;
5484
0
    if (allocsize > 100 * 1024 * 1024)
5485
0
    {
5486
        /* Before allocating a huge amount of memory for corrupted files, check
5487
         * if size of requested memory is not greater than file size. */
5488
0
        filesize = TIFFGetFileSize(tif);
5489
0
        if (allocsize > filesize)
5490
0
        {
5491
0
            TIFFWarningExtR(
5492
0
                tif, module,
5493
0
                "Requested memory size for StripByteCounts of %" PRIu64
5494
0
                " is greater than filesize %" PRIu64 ". Memory not allocated",
5495
0
                allocsize, filesize);
5496
0
            return -1;
5497
0
        }
5498
0
    }
5499
5500
0
    if (td->td_stripbytecount_p)
5501
0
        _TIFFfreeExt(tif, td->td_stripbytecount_p);
5502
0
    td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
5503
0
        tif, td->td_nstrips, sizeof(uint64_t), "for \"StripByteCounts\" array");
5504
0
    if (td->td_stripbytecount_p == NULL)
5505
0
        return -1;
5506
5507
0
    if (td->td_compression != COMPRESSION_NONE)
5508
0
    {
5509
0
        uint64_t space;
5510
0
        uint16_t n;
5511
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
5512
0
            space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
5513
0
        else
5514
0
            space = sizeof(TIFFHeaderBig) + 8 + dircount * 20 + 8;
5515
        /* calculate amount of space used by indirect values */
5516
0
        for (dp = dir, n = dircount; n > 0; n--, dp++)
5517
0
        {
5518
0
            uint32_t typewidth;
5519
0
            uint64_t datasize;
5520
0
            typewidth = TIFFDataWidth((TIFFDataType)dp->tdir_type);
5521
0
            if (typewidth == 0)
5522
0
            {
5523
0
                TIFFErrorExtR(
5524
0
                    tif, module,
5525
0
                    "Cannot determine size of unknown tag type %" PRIu16,
5526
0
                    dp->tdir_type);
5527
0
                return -1;
5528
0
            }
5529
0
            if (dp->tdir_count > UINT64_MAX / typewidth)
5530
0
                return -1;
5531
0
            datasize = (uint64_t)typewidth * dp->tdir_count;
5532
0
            if (!(tif->tif_flags & TIFF_BIGTIFF))
5533
0
            {
5534
0
                if (datasize <= 4)
5535
0
                    datasize = 0;
5536
0
            }
5537
0
            else
5538
0
            {
5539
0
                if (datasize <= 8)
5540
0
                    datasize = 0;
5541
0
            }
5542
0
            if (space > UINT64_MAX - datasize)
5543
0
                return -1;
5544
0
            space += datasize;
5545
0
        }
5546
0
        if (filesize == 0)
5547
0
            filesize = TIFFGetFileSize(tif);
5548
0
        if (filesize < space)
5549
            /* we should perhaps return in error ? */
5550
0
            space = filesize;
5551
0
        else
5552
0
            space = filesize - space;
5553
0
        if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
5554
0
            space /= td->td_samplesperpixel;
5555
0
        for (strip = 0; strip < td->td_nstrips; strip++)
5556
0
            td->td_stripbytecount_p[strip] = space;
5557
        /*
5558
         * This gross hack handles the case were the offset to
5559
         * the last strip is past the place where we think the strip
5560
         * should begin.  Since a strip of data must be contiguous,
5561
         * it's safe to assume that we've overestimated the amount
5562
         * of data in the strip and trim this number back accordingly.
5563
         */
5564
0
        strip--;
5565
0
        if (td->td_stripoffset_p[strip] >
5566
0
            UINT64_MAX - td->td_stripbytecount_p[strip])
5567
0
            return -1;
5568
0
        if (td->td_stripoffset_p[strip] + td->td_stripbytecount_p[strip] >
5569
0
            filesize)
5570
0
        {
5571
0
            if (td->td_stripoffset_p[strip] >= filesize)
5572
0
            {
5573
                /* Not sure what we should in that case... */
5574
0
                td->td_stripbytecount_p[strip] = 0;
5575
0
            }
5576
0
            else
5577
0
            {
5578
0
                td->td_stripbytecount_p[strip] =
5579
0
                    filesize - td->td_stripoffset_p[strip];
5580
0
            }
5581
0
        }
5582
0
    }
5583
0
    else if (isTiled(tif))
5584
0
    {
5585
0
        uint64_t bytespertile = TIFFTileSize64(tif);
5586
5587
0
        for (strip = 0; strip < td->td_nstrips; strip++)
5588
0
            td->td_stripbytecount_p[strip] = bytespertile;
5589
0
    }
5590
0
    else
5591
0
    {
5592
0
        uint64_t rowbytes = TIFFScanlineSize64(tif);
5593
0
        uint32_t rowsperstrip = td->td_imagelength / td->td_stripsperimage;
5594
0
        for (strip = 0; strip < td->td_nstrips; strip++)
5595
0
        {
5596
0
            if (rowbytes > 0 && rowsperstrip > UINT64_MAX / rowbytes)
5597
0
                return -1;
5598
0
            td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
5599
0
        }
5600
0
    }
5601
0
    TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
5602
0
    if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
5603
0
        td->td_rowsperstrip = td->td_imagelength;
5604
0
    return 1;
5605
0
}
5606
5607
static void MissingRequired(TIFF *tif, const char *tagname)
5608
0
{
5609
0
    static const char module[] = "MissingRequired";
5610
5611
0
    TIFFErrorExtR(tif, module,
5612
0
                  "TIFF directory is missing required \"%s\" field", tagname);
5613
0
}
5614
5615
static unsigned long hashFuncOffsetToNumber(const void *elt)
5616
75.0k
{
5617
75.0k
    const TIFFOffsetAndDirNumber *offsetAndDirNumber =
5618
75.0k
        (const TIFFOffsetAndDirNumber *)elt;
5619
75.0k
    const uint32_t hash = (uint32_t)(offsetAndDirNumber->offset >> 32) ^
5620
75.0k
                          ((uint32_t)offsetAndDirNumber->offset & 0xFFFFFFFFU);
5621
75.0k
    return hash;
5622
75.0k
}
5623
5624
static bool equalFuncOffsetToNumber(const void *elt1, const void *elt2)
5625
18.7k
{
5626
18.7k
    const TIFFOffsetAndDirNumber *offsetAndDirNumber1 =
5627
18.7k
        (const TIFFOffsetAndDirNumber *)elt1;
5628
18.7k
    const TIFFOffsetAndDirNumber *offsetAndDirNumber2 =
5629
18.7k
        (const TIFFOffsetAndDirNumber *)elt2;
5630
18.7k
    return offsetAndDirNumber1->offset == offsetAndDirNumber2->offset;
5631
18.7k
}
5632
5633
static unsigned long hashFuncNumberToOffset(const void *elt)
5634
56.3k
{
5635
56.3k
    const TIFFOffsetAndDirNumber *offsetAndDirNumber =
5636
56.3k
        (const TIFFOffsetAndDirNumber *)elt;
5637
56.3k
    return offsetAndDirNumber->dirNumber;
5638
56.3k
}
5639
5640
static bool equalFuncNumberToOffset(const void *elt1, const void *elt2)
5641
4
{
5642
4
    const TIFFOffsetAndDirNumber *offsetAndDirNumber1 =
5643
4
        (const TIFFOffsetAndDirNumber *)elt1;
5644
4
    const TIFFOffsetAndDirNumber *offsetAndDirNumber2 =
5645
4
        (const TIFFOffsetAndDirNumber *)elt2;
5646
4
    return offsetAndDirNumber1->dirNumber == offsetAndDirNumber2->dirNumber;
5647
4
}
5648
5649
/*
5650
 * Check the directory number and offset against the list of already seen
5651
 * directory numbers and offsets. This is a trick to prevent IFD looping.
5652
 * The one can create TIFF file with looped directory pointers. We will
5653
 * maintain a list of already seen directories and check every IFD offset
5654
 * and its IFD number against that list. However, the offset of an IFD number
5655
 * can change - e.g. when writing updates to file.
5656
 * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
5657
 * or an error has occurred.
5658
 */
5659
int _TIFFCheckDirNumberAndOffset(TIFF *tif, tdir_t dirn, uint64_t diroff)
5660
37.5k
{
5661
37.5k
    TIFFOffsetAndDirNumber entry;
5662
37.5k
    TIFFOffsetAndDirNumber *entryPtr;
5663
37.5k
    TIFFOffsetAndDirNumber *foundEntry;
5664
37.5k
    if (diroff == 0) /* no more directories */
5665
0
        return 0;
5666
5667
37.5k
    if (tif->tif_map_dir_offset_to_number == NULL)
5668
18.7k
    {
5669
18.7k
        tif->tif_map_dir_offset_to_number = TIFFHashSetNew(
5670
18.7k
            hashFuncOffsetToNumber, equalFuncOffsetToNumber, free);
5671
18.7k
        if (tif->tif_map_dir_offset_to_number == NULL)
5672
0
        {
5673
0
            TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5674
0
                          "Not enough memory");
5675
0
            return 1;
5676
0
        }
5677
18.7k
    }
5678
5679
37.5k
    if (tif->tif_map_dir_number_to_offset == NULL)
5680
18.7k
    {
5681
        /* No free callback for this map, as it shares the same items as
5682
         * tif->tif_map_dir_offset_to_number. */
5683
18.7k
        tif->tif_map_dir_number_to_offset = TIFFHashSetNew(
5684
18.7k
            hashFuncNumberToOffset, equalFuncNumberToOffset, NULL);
5685
18.7k
        if (tif->tif_map_dir_number_to_offset == NULL)
5686
0
        {
5687
0
            TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5688
0
                          "Not enough memory");
5689
0
            return 1;
5690
0
        }
5691
18.7k
    }
5692
5693
    /* Check if offset is already in the list:
5694
     * - yes: check, if offset is at the same IFD number - if not, it is an IFD
5695
     * loop
5696
     * -  no: add to list or update offset at that IFD number
5697
     */
5698
37.5k
    entry.offset = diroff;
5699
37.5k
    entry.dirNumber = dirn;
5700
5701
37.5k
    foundEntry =
5702
37.5k
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5703
37.5k
            tif->tif_map_dir_offset_to_number, &entry);
5704
37.5k
    if (foundEntry)
5705
18.7k
    {
5706
18.7k
        if (foundEntry->dirNumber == dirn)
5707
18.7k
        {
5708
18.7k
            return 1;
5709
18.7k
        }
5710
0
        else
5711
0
        {
5712
0
            TIFFWarningExtR(tif, "_TIFFCheckDirNumberAndOffset",
5713
0
                            "TIFF directory %d has IFD looping to directory %u "
5714
0
                            "at offset 0x%" PRIx64 " (%" PRIu64 ")",
5715
0
                            (int)dirn - 1, foundEntry->dirNumber, diroff,
5716
0
                            diroff);
5717
0
            return 0;
5718
0
        }
5719
18.7k
    }
5720
5721
    /* Check if offset of an IFD has been changed and update offset of that IFD
5722
     * number. */
5723
18.7k
    foundEntry = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5724
18.7k
        tif->tif_map_dir_number_to_offset, &entry);
5725
18.7k
    if (foundEntry)
5726
0
    {
5727
0
        if (foundEntry->offset != diroff)
5728
0
        {
5729
0
            TIFFOffsetAndDirNumber entryOld;
5730
0
            TIFFOffsetAndDirNumber *foundEntryOld;
5731
0
            entryOld.offset = foundEntry->offset;
5732
0
            entryOld.dirNumber = dirn;
5733
            /* We must remove first from tif_map_dir_number_to_offset as the */
5734
            /* entry is owned (and thus freed) by */
5735
            /* tif_map_dir_offset_to_number */
5736
0
            foundEntryOld =
5737
0
                (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5738
0
                    tif->tif_map_dir_number_to_offset, &entryOld);
5739
0
            if (foundEntryOld)
5740
0
            {
5741
0
                TIFFHashSetRemove(tif->tif_map_dir_number_to_offset,
5742
0
                                  foundEntryOld);
5743
0
            }
5744
0
            foundEntryOld = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5745
0
                tif->tif_map_dir_offset_to_number, &entryOld);
5746
0
            if (foundEntryOld)
5747
0
            {
5748
0
                TIFFHashSetRemove(tif->tif_map_dir_offset_to_number,
5749
0
                                  foundEntryOld);
5750
0
            }
5751
5752
0
            entryPtr = (TIFFOffsetAndDirNumber *)malloc(
5753
0
                sizeof(TIFFOffsetAndDirNumber));
5754
0
            if (entryPtr == NULL)
5755
0
            {
5756
0
                return 0;
5757
0
            }
5758
5759
            /* Add IFD offset and dirn to IFD directory list */
5760
0
            *entryPtr = entry;
5761
5762
0
            if (!TIFFHashSetInsert(tif->tif_map_dir_offset_to_number, entryPtr))
5763
0
            {
5764
0
                TIFFErrorExtR(
5765
0
                    tif, "_TIFFCheckDirNumberAndOffset",
5766
0
                    "Insertion in tif_map_dir_offset_to_number failed");
5767
0
                return 0;
5768
0
            }
5769
0
            if (!TIFFHashSetInsert(tif->tif_map_dir_number_to_offset, entryPtr))
5770
0
            {
5771
0
                TIFFErrorExtR(
5772
0
                    tif, "_TIFFCheckDirNumberAndOffset",
5773
0
                    "Insertion in tif_map_dir_number_to_offset failed");
5774
0
                return 0;
5775
0
            }
5776
0
        }
5777
0
        return 1;
5778
0
    }
5779
5780
    /* Arbitrary (hopefully big enough) limit */
5781
18.7k
    if (TIFFHashSetSize(tif->tif_map_dir_offset_to_number) >=
5782
18.7k
        TIFF_MAX_DIR_COUNT)
5783
0
    {
5784
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5785
0
                      "Cannot handle more than %u TIFF directories",
5786
0
                      TIFF_MAX_DIR_COUNT);
5787
0
        return 0;
5788
0
    }
5789
5790
18.7k
    entryPtr =
5791
18.7k
        (TIFFOffsetAndDirNumber *)malloc(sizeof(TIFFOffsetAndDirNumber));
5792
18.7k
    if (entryPtr == NULL)
5793
0
    {
5794
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5795
0
                      "malloc(sizeof(TIFFOffsetAndDirNumber)) failed");
5796
0
        return 0;
5797
0
    }
5798
5799
    /* Add IFD offset and dirn to IFD directory list */
5800
18.7k
    *entryPtr = entry;
5801
5802
18.7k
    if (!TIFFHashSetInsert(tif->tif_map_dir_offset_to_number, entryPtr))
5803
0
    {
5804
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5805
0
                      "Insertion in tif_map_dir_offset_to_number failed");
5806
0
        return 0;
5807
0
    }
5808
18.7k
    if (!TIFFHashSetInsert(tif->tif_map_dir_number_to_offset, entryPtr))
5809
0
    {
5810
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5811
0
                      "Insertion in tif_map_dir_number_to_offset failed");
5812
0
        return 0;
5813
0
    }
5814
5815
18.7k
    return 1;
5816
18.7k
} /* --- _TIFFCheckDirNumberAndOffset() ---*/
5817
5818
/*
5819
 * Retrieve the matching IFD directory number of a given IFD offset
5820
 * from the list of directories already seen.
5821
 * Returns 1 if the offset was in the list and the directory number
5822
 * can be returned.
5823
 * Otherwise returns 0 or if an error occurred.
5824
 */
5825
int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, tdir_t *dirn)
5826
0
{
5827
0
    TIFFOffsetAndDirNumber entry;
5828
0
    TIFFOffsetAndDirNumber *foundEntry;
5829
0
    if (diroff == 0) /* no more directories */
5830
0
        return 0;
5831
5832
    /* Check if offset is already in the list and return matching directory
5833
     * number. Otherwise update IFD list using TIFFNumberOfDirectories() and
5834
     * search again in IFD list.
5835
     */
5836
0
    if (tif->tif_map_dir_offset_to_number == NULL)
5837
0
        return 0;
5838
0
    entry.offset = diroff;
5839
0
    entry.dirNumber = 0; /* not used */
5840
5841
0
    foundEntry =
5842
0
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5843
0
            tif->tif_map_dir_offset_to_number, &entry);
5844
0
    if (foundEntry)
5845
0
    {
5846
0
        *dirn = foundEntry->dirNumber;
5847
0
        return 1;
5848
0
    }
5849
5850
    /* This updates the directory list for all main-IFDs in the file. */
5851
0
    TIFFNumberOfDirectories(tif);
5852
5853
0
    foundEntry = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5854
0
        tif->tif_map_dir_offset_to_number, &entry);
5855
0
    if (foundEntry)
5856
0
    {
5857
0
        *dirn = foundEntry->dirNumber;
5858
0
        return 1;
5859
0
    }
5860
5861
0
    return 0;
5862
0
} /*--- _TIFFGetDirNumberFromOffset() ---*/
5863
5864
/*
5865
 * Retrieve the matching IFD directory offset of a given IFD number
5866
 * from the list of directories already seen.
5867
 * Returns 1 if the offset was in the list of already seen IFDs and the
5868
 * directory offset can be returned. The directory list is not updated.
5869
 * Otherwise returns 0 or if an error occurred.
5870
 */
5871
int _TIFFGetOffsetFromDirNumber(TIFF *tif, tdir_t dirn, uint64_t *diroff)
5872
0
{
5873
0
    TIFFOffsetAndDirNumber entry;
5874
0
    TIFFOffsetAndDirNumber *foundEntry;
5875
5876
0
    if (tif->tif_map_dir_number_to_offset == NULL)
5877
0
        return 0;
5878
0
    entry.offset = 0; /* not used */
5879
0
    entry.dirNumber = dirn;
5880
5881
0
    foundEntry =
5882
0
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5883
0
            tif->tif_map_dir_number_to_offset, &entry);
5884
0
    if (foundEntry)
5885
0
    {
5886
0
        *diroff = foundEntry->offset;
5887
0
        return 1;
5888
0
    }
5889
5890
0
    return 0;
5891
0
} /*--- _TIFFGetOffsetFromDirNumber() ---*/
5892
5893
/*
5894
 * Remove an entry from the directory list of already seen directories
5895
 * by directory offset.
5896
 * If an entry is to be removed from the list, it is also okay if the entry
5897
 * is not in the list or the list does not exist.
5898
 */
5899
int _TIFFRemoveEntryFromDirectoryListByOffset(TIFF *tif, uint64_t diroff)
5900
2
{
5901
2
    TIFFOffsetAndDirNumber entryOld;
5902
2
    TIFFOffsetAndDirNumber *foundEntryOldOff;
5903
2
    if (tif->tif_map_dir_offset_to_number == NULL)
5904
0
        return 1;
5905
5906
2
    entryOld.offset = diroff;
5907
2
    entryOld.dirNumber = 0;
5908
    /* We must remove first from tif_map_dir_number_to_offset as the
5909
     * entry is owned (and thus freed) by tif_map_dir_offset_to_number.
5910
     * However, we need firstly to find the directory number from offset. */
5911
5912
2
    foundEntryOldOff =
5913
2
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5914
2
            tif->tif_map_dir_offset_to_number, &entryOld);
5915
2
    if (foundEntryOldOff)
5916
2
    {
5917
2
        entryOld.dirNumber = foundEntryOldOff->dirNumber;
5918
2
        if (tif->tif_map_dir_number_to_offset != NULL)
5919
2
        {
5920
2
            TIFFOffsetAndDirNumber *foundEntryOldDir =
5921
2
                (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5922
2
                    tif->tif_map_dir_number_to_offset, &entryOld);
5923
2
            if (foundEntryOldDir)
5924
2
            {
5925
2
                TIFFHashSetRemove(tif->tif_map_dir_number_to_offset,
5926
2
                                  foundEntryOldDir);
5927
2
                TIFFHashSetRemove(tif->tif_map_dir_offset_to_number,
5928
2
                                  foundEntryOldOff);
5929
2
                return 1;
5930
2
            }
5931
2
        }
5932
0
        else
5933
0
        {
5934
0
            TIFFErrorExtR(tif, "_TIFFRemoveEntryFromDirectoryListByOffset",
5935
0
                          "Unexpectedly tif_map_dir_number_to_offset is "
5936
0
                          "missing but tif_map_dir_offset_to_number exists.");
5937
0
            return 0;
5938
0
        }
5939
2
    }
5940
0
    return 1;
5941
2
} /*--- _TIFFRemoveEntryFromDirectoryListByOffset() ---*/
5942
5943
/*
5944
 * Check the count field of a directory entry against a known value.  The
5945
 * caller is expected to skip/ignore the tag if there is a mismatch.
5946
 */
5947
static int CheckDirCount(TIFF *tif, TIFFDirEntry *dir, uint32_t count)
5948
0
{
5949
0
    if ((uint64_t)count > dir->tdir_count)
5950
0
    {
5951
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
5952
0
        TIFFWarningExtR(tif, tif->tif_name,
5953
0
                        "incorrect count for field \"%s\" (%" PRIu64
5954
0
                        ", expecting %" PRIu32 "); tag ignored",
5955
0
                        fip ? fip->field_name : "unknown tagname",
5956
0
                        dir->tdir_count, count);
5957
0
        return (0);
5958
0
    }
5959
0
    else if ((uint64_t)count < dir->tdir_count)
5960
0
    {
5961
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
5962
0
        TIFFWarningExtR(tif, tif->tif_name,
5963
0
                        "incorrect count for field \"%s\" (%" PRIu64
5964
0
                        ", expecting %" PRIu32 "); tag trimmed",
5965
0
                        fip ? fip->field_name : "unknown tagname",
5966
0
                        dir->tdir_count, count);
5967
0
        dir->tdir_count = count;
5968
0
        return (1);
5969
0
    }
5970
0
    return (1);
5971
0
}
5972
5973
/*
5974
 * Read IFD structure from the specified offset. If the pointer to
5975
 * nextdiroff variable has been specified, read it too. Function returns a
5976
 * number of fields in the directory or 0 if failed.
5977
 */
5978
static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
5979
                                   TIFFDirEntry **pdir, uint64_t *nextdiroff)
5980
0
{
5981
0
    static const char module[] = "TIFFFetchDirectory";
5982
5983
0
    void *origdir;
5984
0
    uint16_t dircount16;
5985
0
    uint32_t dirsize;
5986
0
    TIFFDirEntry *dir;
5987
0
    uint8_t *ma;
5988
0
    TIFFDirEntry *mb;
5989
0
    uint16_t n;
5990
0
    uint64_t filesize;
5991
0
    uint64_t allocsize;
5992
0
    assert(pdir);
5993
5994
0
    tif->tif_diroff = diroff;
5995
0
    if (nextdiroff)
5996
0
        *nextdiroff = 0;
5997
0
    if (!isMapped(tif))
5998
0
    {
5999
0
        if (!SeekOK(tif, tif->tif_diroff))
6000
0
        {
6001
0
            TIFFErrorExtR(tif, module,
6002
0
                          "%s: Seek error accessing TIFF directory",
6003
0
                          tif->tif_name);
6004
0
            return 0;
6005
0
        }
6006
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
6007
0
        {
6008
0
            if (!ReadOK(tif, &dircount16, sizeof(uint16_t)))
6009
0
            {
6010
0
                TIFFErrorExtR(tif, module,
6011
0
                              "%s: Can not read TIFF directory count",
6012
0
                              tif->tif_name);
6013
0
                return 0;
6014
0
            }
6015
0
            if (tif->tif_flags & TIFF_SWAB)
6016
0
                TIFFSwabShort(&dircount16);
6017
0
            if (dircount16 > 4096)
6018
0
            {
6019
0
                TIFFErrorExtR(tif, module,
6020
0
                              "Sanity check on directory count failed, this is "
6021
0
                              "probably not a valid IFD offset");
6022
0
                return 0;
6023
0
            }
6024
0
            dirsize = 12;
6025
0
        }
6026
0
        else
6027
0
        {
6028
0
            uint64_t dircount64;
6029
0
            if (!ReadOK(tif, &dircount64, sizeof(uint64_t)))
6030
0
            {
6031
0
                TIFFErrorExtR(tif, module,
6032
0
                              "%s: Can not read TIFF directory count",
6033
0
                              tif->tif_name);
6034
0
                return 0;
6035
0
            }
6036
0
            if (tif->tif_flags & TIFF_SWAB)
6037
0
                TIFFSwabLong8(&dircount64);
6038
0
            if (dircount64 > 4096)
6039
0
            {
6040
0
                TIFFErrorExtR(tif, module,
6041
0
                              "Sanity check on directory count failed, this is "
6042
0
                              "probably not a valid IFD offset");
6043
0
                return 0;
6044
0
            }
6045
0
            dircount16 = (uint16_t)dircount64;
6046
0
            dirsize = 20;
6047
0
        }
6048
0
        origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
6049
0
                                   "to read TIFF directory");
6050
0
        if (origdir == NULL)
6051
0
            return 0;
6052
0
        if (!ReadOK(tif, origdir, (tmsize_t)(dircount16 * dirsize)))
6053
0
        {
6054
0
            TIFFErrorExtR(tif, module, "%.100s: Can not read TIFF directory",
6055
0
                          tif->tif_name);
6056
0
            _TIFFfreeExt(tif, origdir);
6057
0
            return 0;
6058
0
        }
6059
        /*
6060
         * Read offset to next directory for sequential scans if
6061
         * needed.
6062
         */
6063
0
        if (nextdiroff)
6064
0
        {
6065
0
            if (!(tif->tif_flags & TIFF_BIGTIFF))
6066
0
            {
6067
0
                uint32_t nextdiroff32;
6068
0
                if (!ReadOK(tif, &nextdiroff32, sizeof(uint32_t)))
6069
0
                    nextdiroff32 = 0;
6070
0
                if (tif->tif_flags & TIFF_SWAB)
6071
0
                    TIFFSwabLong(&nextdiroff32);
6072
0
                *nextdiroff = nextdiroff32;
6073
0
            }
6074
0
            else
6075
0
            {
6076
0
                if (!ReadOK(tif, nextdiroff, sizeof(uint64_t)))
6077
0
                    *nextdiroff = 0;
6078
0
                if (tif->tif_flags & TIFF_SWAB)
6079
0
                    TIFFSwabLong8(nextdiroff);
6080
0
            }
6081
0
        }
6082
0
    }
6083
0
    else
6084
0
    {
6085
0
        tmsize_t m;
6086
0
        tmsize_t off;
6087
0
        if (tif->tif_diroff > (uint64_t)INT64_MAX)
6088
0
        {
6089
0
            TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
6090
0
            return (0);
6091
0
        }
6092
0
        off = (tmsize_t)tif->tif_diroff;
6093
6094
        /*
6095
         * Check for integer overflow when validating the dir_off,
6096
         * otherwise a very high offset may cause an OOB read and
6097
         * crash the client. Make two comparisons instead of
6098
         *
6099
         *  off + sizeof(uint16_t) > tif->tif_size
6100
         *
6101
         * to avoid overflow.
6102
         */
6103
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
6104
0
        {
6105
0
            m = off + sizeof(uint16_t);
6106
0
            if ((m < off) || (m < (tmsize_t)sizeof(uint16_t)) ||
6107
0
                (m > tif->tif_size))
6108
0
            {
6109
0
                TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
6110
0
                return 0;
6111
0
            }
6112
0
            else
6113
0
            {
6114
0
                _TIFFmemcpy(&dircount16, tif->tif_base + off, sizeof(uint16_t));
6115
0
            }
6116
0
            off += sizeof(uint16_t);
6117
0
            if (tif->tif_flags & TIFF_SWAB)
6118
0
                TIFFSwabShort(&dircount16);
6119
0
            if (dircount16 > 4096)
6120
0
            {
6121
0
                TIFFErrorExtR(tif, module,
6122
0
                              "Sanity check on directory count failed, this is "
6123
0
                              "probably not a valid IFD offset");
6124
0
                return 0;
6125
0
            }
6126
0
            dirsize = 12;
6127
0
        }
6128
0
        else
6129
0
        {
6130
0
            uint64_t dircount64;
6131
0
            m = off + sizeof(uint64_t);
6132
0
            if ((m < off) || (m < (tmsize_t)sizeof(uint64_t)) ||
6133
0
                (m > tif->tif_size))
6134
0
            {
6135
0
                TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
6136
0
                return 0;
6137
0
            }
6138
0
            else
6139
0
            {
6140
0
                _TIFFmemcpy(&dircount64, tif->tif_base + off, sizeof(uint64_t));
6141
0
            }
6142
0
            off += sizeof(uint64_t);
6143
0
            if (tif->tif_flags & TIFF_SWAB)
6144
0
                TIFFSwabLong8(&dircount64);
6145
0
            if (dircount64 > 4096)
6146
0
            {
6147
0
                TIFFErrorExtR(tif, module,
6148
0
                              "Sanity check on directory count failed, this is "
6149
0
                              "probably not a valid IFD offset");
6150
0
                return 0;
6151
0
            }
6152
0
            dircount16 = (uint16_t)dircount64;
6153
0
            dirsize = 20;
6154
0
        }
6155
0
        if (dircount16 == 0)
6156
0
        {
6157
0
            TIFFErrorExtR(tif, module,
6158
0
                          "Sanity check on directory count failed, zero tag "
6159
0
                          "directories not supported");
6160
0
            return 0;
6161
0
        }
6162
        /* Before allocating a huge amount of memory for corrupted files, check
6163
         * if size of requested memory is not greater than file size. */
6164
0
        filesize = TIFFGetFileSize(tif);
6165
0
        allocsize = (uint64_t)dircount16 * dirsize;
6166
0
        if (allocsize > filesize)
6167
0
        {
6168
0
            TIFFWarningExtR(
6169
0
                tif, module,
6170
0
                "Requested memory size for TIFF directory of %" PRIu64
6171
0
                " is greater than filesize %" PRIu64
6172
0
                ". Memory not allocated, TIFF directory not read",
6173
0
                allocsize, filesize);
6174
0
            return 0;
6175
0
        }
6176
0
        origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
6177
0
                                   "to read TIFF directory");
6178
0
        if (origdir == NULL)
6179
0
            return 0;
6180
0
        m = off + dircount16 * dirsize;
6181
0
        if ((m < off) || (m < (tmsize_t)(dircount16 * dirsize)) ||
6182
0
            (m > tif->tif_size))
6183
0
        {
6184
0
            TIFFErrorExtR(tif, module, "Can not read TIFF directory");
6185
0
            _TIFFfreeExt(tif, origdir);
6186
0
            return 0;
6187
0
        }
6188
0
        else
6189
0
        {
6190
0
            _TIFFmemcpy(origdir, tif->tif_base + off, dircount16 * dirsize);
6191
0
        }
6192
0
        if (nextdiroff)
6193
0
        {
6194
0
            off += dircount16 * dirsize;
6195
0
            if (!(tif->tif_flags & TIFF_BIGTIFF))
6196
0
            {
6197
0
                uint32_t nextdiroff32;
6198
0
                m = off + sizeof(uint32_t);
6199
0
                if ((m < off) || (m < (tmsize_t)sizeof(uint32_t)) ||
6200
0
                    (m > tif->tif_size))
6201
0
                    nextdiroff32 = 0;
6202
0
                else
6203
0
                    _TIFFmemcpy(&nextdiroff32, tif->tif_base + off,
6204
0
                                sizeof(uint32_t));
6205
0
                if (tif->tif_flags & TIFF_SWAB)
6206
0
                    TIFFSwabLong(&nextdiroff32);
6207
0
                *nextdiroff = nextdiroff32;
6208
0
            }
6209
0
            else
6210
0
            {
6211
0
                m = off + sizeof(uint64_t);
6212
0
                if ((m < off) || (m < (tmsize_t)sizeof(uint64_t)) ||
6213
0
                    (m > tif->tif_size))
6214
0
                    *nextdiroff = 0;
6215
0
                else
6216
0
                    _TIFFmemcpy(nextdiroff, tif->tif_base + off,
6217
0
                                sizeof(uint64_t));
6218
0
                if (tif->tif_flags & TIFF_SWAB)
6219
0
                    TIFFSwabLong8(nextdiroff);
6220
0
            }
6221
0
        }
6222
0
    }
6223
    /* No check against filesize needed here because "dir" should have same size
6224
     * than "origdir" checked above. */
6225
0
    dir = (TIFFDirEntry *)_TIFFCheckMalloc(
6226
0
        tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
6227
0
    if (dir == 0)
6228
0
    {
6229
0
        _TIFFfreeExt(tif, origdir);
6230
0
        return 0;
6231
0
    }
6232
0
    ma = (uint8_t *)origdir;
6233
0
    mb = dir;
6234
0
    for (n = 0; n < dircount16; n++)
6235
0
    {
6236
0
        mb->tdir_ignore = FALSE;
6237
0
        if (tif->tif_flags & TIFF_SWAB)
6238
0
            TIFFSwabShort((uint16_t *)ma);
6239
0
        mb->tdir_tag = *(uint16_t *)ma;
6240
0
        ma += sizeof(uint16_t);
6241
0
        if (tif->tif_flags & TIFF_SWAB)
6242
0
            TIFFSwabShort((uint16_t *)ma);
6243
0
        mb->tdir_type = *(uint16_t *)ma;
6244
0
        ma += sizeof(uint16_t);
6245
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
6246
0
        {
6247
0
            if (tif->tif_flags & TIFF_SWAB)
6248
0
                TIFFSwabLong((uint32_t *)ma);
6249
0
            mb->tdir_count = (uint64_t)(*(uint32_t *)ma);
6250
0
            ma += sizeof(uint32_t);
6251
0
            mb->tdir_offset.toff_long8 = 0;
6252
0
            *(uint32_t *)(&mb->tdir_offset) = *(uint32_t *)ma;
6253
0
            ma += sizeof(uint32_t);
6254
0
        }
6255
0
        else
6256
0
        {
6257
0
            if (tif->tif_flags & TIFF_SWAB)
6258
0
                TIFFSwabLong8((uint64_t *)ma);
6259
0
            mb->tdir_count = TIFFReadUInt64(ma);
6260
0
            ma += sizeof(uint64_t);
6261
0
            mb->tdir_offset.toff_long8 = TIFFReadUInt64(ma);
6262
0
            ma += sizeof(uint64_t);
6263
0
        }
6264
0
        mb++;
6265
0
    }
6266
0
    _TIFFfreeExt(tif, origdir);
6267
0
    *pdir = dir;
6268
0
    return dircount16;
6269
0
}
6270
6271
/*
6272
 * Fetch a tag that is not handled by special case code.
6273
 */
6274
static int TIFFFetchNormalTag(TIFF *tif, TIFFDirEntry *dp, int recover)
6275
0
{
6276
0
    static const char module[] = "TIFFFetchNormalTag";
6277
0
    enum TIFFReadDirEntryErr err;
6278
0
    uint32_t fii;
6279
0
    const TIFFField *fip = NULL;
6280
0
    TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
6281
0
    if (fii == FAILED_FII)
6282
0
    {
6283
0
        TIFFErrorExtR(tif, "TIFFFetchNormalTag",
6284
0
                      "No definition found for tag %" PRIu16, dp->tdir_tag);
6285
0
        return 0;
6286
0
    }
6287
0
    fip = tif->tif_fields[fii];
6288
0
    assert(fip != NULL); /* should not happen */
6289
0
    assert(fip->set_field_type !=
6290
0
           TIFF_SETGET_OTHER); /* if so, we shouldn't arrive here but deal with
6291
                                  this in specialized code */
6292
0
    assert(fip->set_field_type !=
6293
0
           TIFF_SETGET_INT); /* if so, we shouldn't arrive here as this is only
6294
                                the case for pseudo-tags */
6295
0
    err = TIFFReadDirEntryErrOk;
6296
0
    switch (fip->set_field_type)
6297
0
    {
6298
0
        case TIFF_SETGET_UNDEFINED:
6299
0
            TIFFErrorExtR(
6300
0
                tif, "TIFFFetchNormalTag",
6301
0
                "Defined set_field_type of custom tag %u (%s) is "
6302
0
                "TIFF_SETGET_UNDEFINED and thus tag is not read from file",
6303
0
                fip->field_tag, fip->field_name);
6304
0
            break;
6305
0
        case TIFF_SETGET_ASCII:
6306
0
        {
6307
0
            uint8_t *data;
6308
0
            assert(fip->field_passcount == 0);
6309
0
            err = TIFFReadDirEntryByteArray(tif, dp, &data);
6310
0
            if (err == TIFFReadDirEntryErrOk)
6311
0
            {
6312
0
                size_t mb = 0;
6313
0
                int n;
6314
0
                if (data != NULL)
6315
0
                {
6316
0
                    if (dp->tdir_count > 0 && data[dp->tdir_count - 1] == 0)
6317
0
                    {
6318
                        /* optimization: if data is known to be 0 terminated, we
6319
                         * can use strlen() */
6320
0
                        mb = strlen((const char *)data);
6321
0
                    }
6322
0
                    else
6323
0
                    {
6324
                        /* general case. equivalent to non-portable */
6325
                        /* mb = strnlen((const char*)data,
6326
                         * (uint32_t)dp->tdir_count); */
6327
0
                        uint8_t *ma = data;
6328
0
                        while (mb < (uint32_t)dp->tdir_count)
6329
0
                        {
6330
0
                            if (*ma == 0)
6331
0
                                break;
6332
0
                            ma++;
6333
0
                            mb++;
6334
0
                        }
6335
0
                    }
6336
0
                }
6337
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6338
0
                {
6339
0
                    if (data != NULL)
6340
0
                        _TIFFfreeExt(tif, data);
6341
0
                    return (0);
6342
0
                }
6343
0
                if (mb + 1 < (uint32_t)dp->tdir_count)
6344
0
                    TIFFWarningExtR(
6345
0
                        tif, module,
6346
0
                        "ASCII value for tag \"%s\" contains null byte in "
6347
0
                        "value; value incorrectly truncated during reading due "
6348
0
                        "to implementation limitations",
6349
0
                        fip->field_name);
6350
0
                else if (mb + 1 > (uint32_t)dp->tdir_count)
6351
0
                {
6352
0
                    uint8_t *o;
6353
0
                    TIFFWarningExtR(tif, module,
6354
0
                                    "ASCII value for tag \"%s\" does not end "
6355
0
                                    "in null byte. Forcing it to be null",
6356
0
                                    fip->field_name);
6357
                    /* TIFFReadDirEntryArrayWithLimit() ensures this can't be
6358
                     * larger than MAX_SIZE_TAG_DATA */
6359
0
                    assert((uint32_t)dp->tdir_count + 1 == dp->tdir_count + 1);
6360
0
                    o =
6361
0
                        _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
6362
0
                    if (o == NULL)
6363
0
                    {
6364
0
                        if (data != NULL)
6365
0
                            _TIFFfreeExt(tif, data);
6366
0
                        return (0);
6367
0
                    }
6368
0
                    if (dp->tdir_count > 0)
6369
0
                    {
6370
0
                        _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
6371
0
                    }
6372
0
                    o[(uint32_t)dp->tdir_count] = 0;
6373
0
                    if (data != 0)
6374
0
                        _TIFFfreeExt(tif, data);
6375
0
                    data = o;
6376
0
                }
6377
0
                n = TIFFSetField(tif, dp->tdir_tag, data);
6378
0
                if (data != 0)
6379
0
                    _TIFFfreeExt(tif, data);
6380
0
                if (!n)
6381
0
                    return (0);
6382
0
            }
6383
0
        }
6384
0
        break;
6385
0
        case TIFF_SETGET_UINT8:
6386
0
        {
6387
0
            uint8_t data = 0;
6388
0
            assert(fip->field_readcount == 1);
6389
0
            assert(fip->field_passcount == 0);
6390
0
            err = TIFFReadDirEntryByte(tif, dp, &data);
6391
0
            if (err == TIFFReadDirEntryErrOk)
6392
0
            {
6393
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6394
0
                    return (0);
6395
0
            }
6396
0
        }
6397
0
        break;
6398
0
        case TIFF_SETGET_SINT8:
6399
0
        {
6400
0
            int8_t data = 0;
6401
0
            assert(fip->field_readcount == 1);
6402
0
            assert(fip->field_passcount == 0);
6403
0
            err = TIFFReadDirEntrySbyte(tif, dp, &data);
6404
0
            if (err == TIFFReadDirEntryErrOk)
6405
0
            {
6406
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6407
0
                    return (0);
6408
0
            }
6409
0
        }
6410
0
        break;
6411
0
        case TIFF_SETGET_UINT16:
6412
0
        {
6413
0
            uint16_t data;
6414
0
            assert(fip->field_readcount == 1);
6415
0
            assert(fip->field_passcount == 0);
6416
0
            err = TIFFReadDirEntryShort(tif, dp, &data);
6417
0
            if (err == TIFFReadDirEntryErrOk)
6418
0
            {
6419
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6420
0
                    return (0);
6421
0
            }
6422
0
        }
6423
0
        break;
6424
0
        case TIFF_SETGET_SINT16:
6425
0
        {
6426
0
            int16_t data;
6427
0
            assert(fip->field_readcount == 1);
6428
0
            assert(fip->field_passcount == 0);
6429
0
            err = TIFFReadDirEntrySshort(tif, dp, &data);
6430
0
            if (err == TIFFReadDirEntryErrOk)
6431
0
            {
6432
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6433
0
                    return (0);
6434
0
            }
6435
0
        }
6436
0
        break;
6437
0
        case TIFF_SETGET_UINT32:
6438
0
        {
6439
0
            uint32_t data;
6440
0
            assert(fip->field_readcount == 1);
6441
0
            assert(fip->field_passcount == 0);
6442
0
            err = TIFFReadDirEntryLong(tif, dp, &data);
6443
0
            if (err == TIFFReadDirEntryErrOk)
6444
0
            {
6445
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6446
0
                    return (0);
6447
0
            }
6448
0
        }
6449
0
        break;
6450
0
        case TIFF_SETGET_SINT32:
6451
0
        {
6452
0
            int32_t data;
6453
0
            assert(fip->field_readcount == 1);
6454
0
            assert(fip->field_passcount == 0);
6455
0
            err = TIFFReadDirEntrySlong(tif, dp, &data);
6456
0
            if (err == TIFFReadDirEntryErrOk)
6457
0
            {
6458
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6459
0
                    return (0);
6460
0
            }
6461
0
        }
6462
0
        break;
6463
0
        case TIFF_SETGET_UINT64:
6464
0
        {
6465
0
            uint64_t data;
6466
0
            assert(fip->field_readcount == 1);
6467
0
            assert(fip->field_passcount == 0);
6468
0
            err = TIFFReadDirEntryLong8(tif, dp, &data);
6469
0
            if (err == TIFFReadDirEntryErrOk)
6470
0
            {
6471
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6472
0
                    return 0;
6473
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6474
0
                    return (0);
6475
0
            }
6476
0
        }
6477
0
        break;
6478
0
        case TIFF_SETGET_SINT64:
6479
0
        {
6480
0
            int64_t data;
6481
0
            assert(fip->field_readcount == 1);
6482
0
            assert(fip->field_passcount == 0);
6483
0
            err = TIFFReadDirEntrySlong8(tif, dp, &data);
6484
0
            if (err == TIFFReadDirEntryErrOk)
6485
0
            {
6486
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6487
0
                    return 0;
6488
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6489
0
                    return (0);
6490
0
            }
6491
0
        }
6492
0
        break;
6493
0
        case TIFF_SETGET_FLOAT:
6494
0
        {
6495
0
            float data;
6496
0
            assert(fip->field_readcount == 1);
6497
0
            assert(fip->field_passcount == 0);
6498
0
            err = TIFFReadDirEntryFloat(tif, dp, &data);
6499
0
            if (err == TIFFReadDirEntryErrOk)
6500
0
            {
6501
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6502
0
                    return 0;
6503
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6504
0
                    return (0);
6505
0
            }
6506
0
        }
6507
0
        break;
6508
0
        case TIFF_SETGET_DOUBLE:
6509
0
        {
6510
0
            double data;
6511
0
            assert(fip->field_readcount == 1);
6512
0
            assert(fip->field_passcount == 0);
6513
0
            err = TIFFReadDirEntryDouble(tif, dp, &data);
6514
0
            if (err == TIFFReadDirEntryErrOk)
6515
0
            {
6516
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6517
0
                    return 0;
6518
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6519
0
                    return (0);
6520
0
            }
6521
0
        }
6522
0
        break;
6523
0
        case TIFF_SETGET_IFD8:
6524
0
        {
6525
0
            uint64_t data;
6526
0
            assert(fip->field_readcount == 1);
6527
0
            assert(fip->field_passcount == 0);
6528
0
            err = TIFFReadDirEntryIfd8(tif, dp, &data);
6529
0
            if (err == TIFFReadDirEntryErrOk)
6530
0
            {
6531
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6532
0
                    return 0;
6533
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6534
0
                    return (0);
6535
0
            }
6536
0
        }
6537
0
        break;
6538
0
        case TIFF_SETGET_UINT16_PAIR:
6539
0
        {
6540
0
            uint16_t *data;
6541
0
            assert(fip->field_readcount == 2);
6542
0
            assert(fip->field_passcount == 0);
6543
0
            if (dp->tdir_count != 2)
6544
0
            {
6545
0
                TIFFWarningExtR(tif, module,
6546
0
                                "incorrect count for field \"%s\", expected 2, "
6547
0
                                "got %" PRIu64,
6548
0
                                fip->field_name, dp->tdir_count);
6549
0
                return (0);
6550
0
            }
6551
0
            err = TIFFReadDirEntryShortArray(tif, dp, &data);
6552
0
            if (err == TIFFReadDirEntryErrOk)
6553
0
            {
6554
0
                int m;
6555
0
                assert(data); /* avoid CLang static Analyzer false positive */
6556
0
                m = TIFFSetField(tif, dp->tdir_tag, data[0], data[1]);
6557
0
                _TIFFfreeExt(tif, data);
6558
0
                if (!m)
6559
0
                    return (0);
6560
0
            }
6561
0
        }
6562
0
        break;
6563
0
        case TIFF_SETGET_C0_UINT8:
6564
0
        {
6565
0
            uint8_t *data;
6566
0
            assert(fip->field_readcount >= 1);
6567
0
            assert(fip->field_passcount == 0);
6568
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6569
0
            {
6570
0
                TIFFWarningExtR(tif, module,
6571
0
                                "incorrect count for field \"%s\", expected "
6572
0
                                "%d, got %" PRIu64,
6573
0
                                fip->field_name, (int)fip->field_readcount,
6574
0
                                dp->tdir_count);
6575
0
                return (0);
6576
0
            }
6577
0
            else
6578
0
            {
6579
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
6580
0
                if (err == TIFFReadDirEntryErrOk)
6581
0
                {
6582
0
                    int m;
6583
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6584
0
                    {
6585
0
                        if (data != 0)
6586
0
                            _TIFFfreeExt(tif, data);
6587
0
                        return 0;
6588
0
                    }
6589
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6590
0
                    if (data != 0)
6591
0
                        _TIFFfreeExt(tif, data);
6592
0
                    if (!m)
6593
0
                        return (0);
6594
0
                }
6595
0
            }
6596
0
        }
6597
0
        break;
6598
0
        case TIFF_SETGET_C0_SINT8:
6599
0
        {
6600
0
            int8_t *data;
6601
0
            assert(fip->field_readcount >= 1);
6602
0
            assert(fip->field_passcount == 0);
6603
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6604
0
            {
6605
0
                TIFFWarningExtR(tif, module,
6606
0
                                "incorrect count for field \"%s\", expected "
6607
0
                                "%d, got %" PRIu64,
6608
0
                                fip->field_name, (int)fip->field_readcount,
6609
0
                                dp->tdir_count);
6610
0
                return (0);
6611
0
            }
6612
0
            else
6613
0
            {
6614
0
                err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
6615
0
                if (err == TIFFReadDirEntryErrOk)
6616
0
                {
6617
0
                    int m;
6618
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6619
0
                    {
6620
0
                        if (data != 0)
6621
0
                            _TIFFfreeExt(tif, data);
6622
0
                        return 0;
6623
0
                    }
6624
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6625
0
                    if (data != 0)
6626
0
                        _TIFFfreeExt(tif, data);
6627
0
                    if (!m)
6628
0
                        return (0);
6629
0
                }
6630
0
            }
6631
0
        }
6632
0
        break;
6633
0
        case TIFF_SETGET_C0_UINT16:
6634
0
        {
6635
0
            uint16_t *data;
6636
0
            assert(fip->field_readcount >= 1);
6637
0
            assert(fip->field_passcount == 0);
6638
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6639
0
            {
6640
0
                TIFFWarningExtR(tif, module,
6641
0
                                "incorrect count for field \"%s\", expected "
6642
0
                                "%d, got %" PRIu64,
6643
0
                                fip->field_name, (int)fip->field_readcount,
6644
0
                                dp->tdir_count);
6645
0
                return (0);
6646
0
            }
6647
0
            else
6648
0
            {
6649
0
                err = TIFFReadDirEntryShortArray(tif, dp, &data);
6650
0
                if (err == TIFFReadDirEntryErrOk)
6651
0
                {
6652
0
                    int m;
6653
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6654
0
                    {
6655
0
                        if (data != 0)
6656
0
                            _TIFFfreeExt(tif, data);
6657
0
                        return 0;
6658
0
                    }
6659
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6660
0
                    if (data != 0)
6661
0
                        _TIFFfreeExt(tif, data);
6662
0
                    if (!m)
6663
0
                        return (0);
6664
0
                }
6665
0
            }
6666
0
        }
6667
0
        break;
6668
0
        case TIFF_SETGET_C0_SINT16:
6669
0
        {
6670
0
            int16_t *data;
6671
0
            assert(fip->field_readcount >= 1);
6672
0
            assert(fip->field_passcount == 0);
6673
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6674
0
            {
6675
0
                TIFFWarningExtR(tif, module,
6676
0
                                "incorrect count for field \"%s\", expected "
6677
0
                                "%d, got %" PRIu64,
6678
0
                                fip->field_name, (int)fip->field_readcount,
6679
0
                                dp->tdir_count);
6680
0
                return (0);
6681
0
            }
6682
0
            else
6683
0
            {
6684
0
                err = TIFFReadDirEntrySshortArray(tif, dp, &data);
6685
0
                if (err == TIFFReadDirEntryErrOk)
6686
0
                {
6687
0
                    int m;
6688
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6689
0
                    {
6690
0
                        if (data != 0)
6691
0
                            _TIFFfreeExt(tif, data);
6692
0
                        return 0;
6693
0
                    }
6694
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6695
0
                    if (data != 0)
6696
0
                        _TIFFfreeExt(tif, data);
6697
0
                    if (!m)
6698
0
                        return (0);
6699
0
                }
6700
0
            }
6701
0
        }
6702
0
        break;
6703
0
        case TIFF_SETGET_C0_UINT32:
6704
0
        {
6705
0
            uint32_t *data;
6706
0
            assert(fip->field_readcount >= 1);
6707
0
            assert(fip->field_passcount == 0);
6708
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6709
0
            {
6710
0
                TIFFWarningExtR(tif, module,
6711
0
                                "incorrect count for field \"%s\", expected "
6712
0
                                "%d, got %" PRIu64,
6713
0
                                fip->field_name, (int)fip->field_readcount,
6714
0
                                dp->tdir_count);
6715
0
                return (0);
6716
0
            }
6717
0
            else
6718
0
            {
6719
0
                err = TIFFReadDirEntryLongArray(tif, dp, &data);
6720
0
                if (err == TIFFReadDirEntryErrOk)
6721
0
                {
6722
0
                    int m;
6723
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6724
0
                    {
6725
0
                        if (data != 0)
6726
0
                            _TIFFfreeExt(tif, data);
6727
0
                        return 0;
6728
0
                    }
6729
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6730
0
                    if (data != 0)
6731
0
                        _TIFFfreeExt(tif, data);
6732
0
                    if (!m)
6733
0
                        return (0);
6734
0
                }
6735
0
            }
6736
0
        }
6737
0
        break;
6738
0
        case TIFF_SETGET_C0_SINT32:
6739
0
        {
6740
0
            int32_t *data;
6741
0
            assert(fip->field_readcount >= 1);
6742
0
            assert(fip->field_passcount == 0);
6743
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6744
0
            {
6745
0
                TIFFWarningExtR(tif, module,
6746
0
                                "incorrect count for field \"%s\", expected "
6747
0
                                "%d, got %" PRIu64,
6748
0
                                fip->field_name, (int)fip->field_readcount,
6749
0
                                dp->tdir_count);
6750
0
                return (0);
6751
0
            }
6752
0
            else
6753
0
            {
6754
0
                err = TIFFReadDirEntrySlongArray(tif, dp, &data);
6755
0
                if (err == TIFFReadDirEntryErrOk)
6756
0
                {
6757
0
                    int m;
6758
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6759
0
                    {
6760
0
                        if (data != 0)
6761
0
                            _TIFFfreeExt(tif, data);
6762
0
                        return 0;
6763
0
                    }
6764
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6765
0
                    if (data != 0)
6766
0
                        _TIFFfreeExt(tif, data);
6767
0
                    if (!m)
6768
0
                        return (0);
6769
0
                }
6770
0
            }
6771
0
        }
6772
0
        break;
6773
0
        case TIFF_SETGET_C0_UINT64:
6774
0
        {
6775
0
            uint64_t *data;
6776
0
            assert(fip->field_readcount >= 1);
6777
0
            assert(fip->field_passcount == 0);
6778
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6779
0
            {
6780
0
                TIFFWarningExtR(tif, module,
6781
0
                                "incorrect count for field \"%s\", expected "
6782
0
                                "%d, got %" PRIu64,
6783
0
                                fip->field_name, (int)fip->field_readcount,
6784
0
                                dp->tdir_count);
6785
0
                return (0);
6786
0
            }
6787
0
            else
6788
0
            {
6789
0
                err = TIFFReadDirEntryLong8Array(tif, dp, &data);
6790
0
                if (err == TIFFReadDirEntryErrOk)
6791
0
                {
6792
0
                    int m;
6793
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6794
0
                    {
6795
0
                        if (data != 0)
6796
0
                            _TIFFfreeExt(tif, data);
6797
0
                        return 0;
6798
0
                    }
6799
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6800
0
                    if (data != 0)
6801
0
                        _TIFFfreeExt(tif, data);
6802
0
                    if (!m)
6803
0
                        return (0);
6804
0
                }
6805
0
            }
6806
0
        }
6807
0
        break;
6808
0
        case TIFF_SETGET_C0_SINT64:
6809
0
        {
6810
0
            int64_t *data;
6811
0
            assert(fip->field_readcount >= 1);
6812
0
            assert(fip->field_passcount == 0);
6813
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6814
0
            {
6815
0
                TIFFWarningExtR(tif, module,
6816
0
                                "incorrect count for field \"%s\", expected "
6817
0
                                "%d, got %" PRIu64,
6818
0
                                fip->field_name, (int)fip->field_readcount,
6819
0
                                dp->tdir_count);
6820
0
                return (0);
6821
0
            }
6822
0
            else
6823
0
            {
6824
0
                err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
6825
0
                if (err == TIFFReadDirEntryErrOk)
6826
0
                {
6827
0
                    int m;
6828
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6829
0
                    {
6830
0
                        if (data != 0)
6831
0
                            _TIFFfreeExt(tif, data);
6832
0
                        return 0;
6833
0
                    }
6834
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6835
0
                    if (data != 0)
6836
0
                        _TIFFfreeExt(tif, data);
6837
0
                    if (!m)
6838
0
                        return (0);
6839
0
                }
6840
0
            }
6841
0
        }
6842
0
        break;
6843
0
        case TIFF_SETGET_C0_FLOAT:
6844
0
        {
6845
0
            float *data;
6846
0
            assert(fip->field_readcount >= 1);
6847
0
            assert(fip->field_passcount == 0);
6848
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6849
0
            {
6850
0
                TIFFWarningExtR(tif, module,
6851
0
                                "incorrect count for field \"%s\", expected "
6852
0
                                "%d, got %" PRIu64,
6853
0
                                fip->field_name, (int)fip->field_readcount,
6854
0
                                dp->tdir_count);
6855
0
                return (0);
6856
0
            }
6857
0
            else
6858
0
            {
6859
0
                err = TIFFReadDirEntryFloatArray(tif, dp, &data);
6860
0
                if (err == TIFFReadDirEntryErrOk)
6861
0
                {
6862
0
                    int m;
6863
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6864
0
                    {
6865
0
                        if (data != 0)
6866
0
                            _TIFFfreeExt(tif, data);
6867
0
                        return 0;
6868
0
                    }
6869
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6870
0
                    if (data != 0)
6871
0
                        _TIFFfreeExt(tif, data);
6872
0
                    if (!m)
6873
0
                        return (0);
6874
0
                }
6875
0
            }
6876
0
        }
6877
0
        break;
6878
        /*--: Rational2Double: Extend for Double Arrays and Rational-Arrays read
6879
         * into Double-Arrays. */
6880
0
        case TIFF_SETGET_C0_DOUBLE:
6881
0
        {
6882
0
            double *data;
6883
0
            assert(fip->field_readcount >= 1);
6884
0
            assert(fip->field_passcount == 0);
6885
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6886
0
            {
6887
0
                TIFFWarningExtR(tif, module,
6888
0
                                "incorrect count for field \"%s\", expected "
6889
0
                                "%d, got %" PRIu64,
6890
0
                                fip->field_name, (int)fip->field_readcount,
6891
0
                                dp->tdir_count);
6892
0
                return (0);
6893
0
            }
6894
0
            else
6895
0
            {
6896
0
                err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
6897
0
                if (err == TIFFReadDirEntryErrOk)
6898
0
                {
6899
0
                    int m;
6900
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6901
0
                    {
6902
0
                        if (data != 0)
6903
0
                            _TIFFfreeExt(tif, data);
6904
0
                        return 0;
6905
0
                    }
6906
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6907
0
                    if (data != 0)
6908
0
                        _TIFFfreeExt(tif, data);
6909
0
                    if (!m)
6910
0
                        return (0);
6911
0
                }
6912
0
            }
6913
0
        }
6914
0
        break;
6915
0
        case TIFF_SETGET_C16_ASCII:
6916
0
        {
6917
0
            uint8_t *data;
6918
0
            assert(fip->field_readcount == TIFF_VARIABLE);
6919
0
            assert(fip->field_passcount == 1);
6920
0
            if (dp->tdir_count > 0xFFFF)
6921
0
                err = TIFFReadDirEntryErrCount;
6922
0
            else
6923
0
            {
6924
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
6925
0
                if (err == TIFFReadDirEntryErrOk)
6926
0
                {
6927
0
                    int m;
6928
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6929
0
                    {
6930
0
                        if (data != 0)
6931
0
                            _TIFFfreeExt(tif, data);
6932
0
                        return 0;
6933
0
                    }
6934
0
                    if (data != 0 && dp->tdir_count > 0 &&
6935
0
                        data[dp->tdir_count - 1] != '\0')
6936
0
                    {
6937
0
                        uint8_t *o;
6938
0
                        TIFFWarningExtR(tif, module,
6939
0
                                        "ASCII value for ASCII array tag "
6940
0
                                        "\"%s\" does not end in null "
6941
0
                                        "byte. Forcing it to be null",
6942
0
                                        fip->field_name);
6943
                        /* Enlarge buffer and add terminating null. */
6944
0
                        o =
6945
0
                            _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
6946
0
                        if (o == NULL)
6947
0
                        {
6948
0
                            if (data != NULL)
6949
0
                                _TIFFfreeExt(tif, data);
6950
0
                            return (0);
6951
0
                        }
6952
0
                        if (dp->tdir_count > 0)
6953
0
                        {
6954
0
                            _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
6955
0
                        }
6956
0
                        o[(uint32_t)dp->tdir_count] = 0;
6957
0
                        dp->tdir_count++; /* Increment for added null. */
6958
0
                        if (data != 0)
6959
0
                            _TIFFfreeExt(tif, data);
6960
0
                        data = o;
6961
0
                    }
6962
0
                    m = TIFFSetField(tif, dp->tdir_tag,
6963
0
                                     (uint16_t)(dp->tdir_count), data);
6964
0
                    if (data != 0)
6965
0
                        _TIFFfreeExt(tif, data);
6966
0
                    if (!m)
6967
0
                        return (0);
6968
0
                }
6969
0
            }
6970
0
        }
6971
0
        break;
6972
0
        case TIFF_SETGET_C16_UINT8:
6973
0
        {
6974
0
            uint8_t *data;
6975
0
            assert(fip->field_readcount == TIFF_VARIABLE);
6976
0
            assert(fip->field_passcount == 1);
6977
0
            if (dp->tdir_count > 0xFFFF)
6978
0
                err = TIFFReadDirEntryErrCount;
6979
0
            else
6980
0
            {
6981
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
6982
0
                if (err == TIFFReadDirEntryErrOk)
6983
0
                {
6984
0
                    int m;
6985
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6986
0
                    {
6987
0
                        if (data != 0)
6988
0
                            _TIFFfreeExt(tif, data);
6989
0
                        return 0;
6990
0
                    }
6991
0
                    m = TIFFSetField(tif, dp->tdir_tag,
6992
0
                                     (uint16_t)(dp->tdir_count), data);
6993
0
                    if (data != 0)
6994
0
                        _TIFFfreeExt(tif, data);
6995
0
                    if (!m)
6996
0
                        return (0);
6997
0
                }
6998
0
            }
6999
0
        }
7000
0
        break;
7001
0
        case TIFF_SETGET_C16_SINT8:
7002
0
        {
7003
0
            int8_t *data;
7004
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7005
0
            assert(fip->field_passcount == 1);
7006
0
            if (dp->tdir_count > 0xFFFF)
7007
0
                err = TIFFReadDirEntryErrCount;
7008
0
            else
7009
0
            {
7010
0
                err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
7011
0
                if (err == TIFFReadDirEntryErrOk)
7012
0
                {
7013
0
                    int m;
7014
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7015
0
                    {
7016
0
                        if (data != 0)
7017
0
                            _TIFFfreeExt(tif, data);
7018
0
                        return 0;
7019
0
                    }
7020
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7021
0
                                     (uint16_t)(dp->tdir_count), data);
7022
0
                    if (data != 0)
7023
0
                        _TIFFfreeExt(tif, data);
7024
0
                    if (!m)
7025
0
                        return (0);
7026
0
                }
7027
0
            }
7028
0
        }
7029
0
        break;
7030
0
        case TIFF_SETGET_C16_UINT16:
7031
0
        {
7032
0
            uint16_t *data;
7033
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7034
0
            assert(fip->field_passcount == 1);
7035
0
            if (dp->tdir_count > 0xFFFF)
7036
0
                err = TIFFReadDirEntryErrCount;
7037
0
            else
7038
0
            {
7039
0
                err = TIFFReadDirEntryShortArray(tif, dp, &data);
7040
0
                if (err == TIFFReadDirEntryErrOk)
7041
0
                {
7042
0
                    int m;
7043
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7044
0
                    {
7045
0
                        if (data != 0)
7046
0
                            _TIFFfreeExt(tif, data);
7047
0
                        return 0;
7048
0
                    }
7049
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7050
0
                                     (uint16_t)(dp->tdir_count), data);
7051
0
                    if (data != 0)
7052
0
                        _TIFFfreeExt(tif, data);
7053
0
                    if (!m)
7054
0
                        return (0);
7055
0
                }
7056
0
            }
7057
0
        }
7058
0
        break;
7059
0
        case TIFF_SETGET_C16_SINT16:
7060
0
        {
7061
0
            int16_t *data;
7062
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7063
0
            assert(fip->field_passcount == 1);
7064
0
            if (dp->tdir_count > 0xFFFF)
7065
0
                err = TIFFReadDirEntryErrCount;
7066
0
            else
7067
0
            {
7068
0
                err = TIFFReadDirEntrySshortArray(tif, dp, &data);
7069
0
                if (err == TIFFReadDirEntryErrOk)
7070
0
                {
7071
0
                    int m;
7072
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7073
0
                    {
7074
0
                        if (data != 0)
7075
0
                            _TIFFfreeExt(tif, data);
7076
0
                        return 0;
7077
0
                    }
7078
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7079
0
                                     (uint16_t)(dp->tdir_count), data);
7080
0
                    if (data != 0)
7081
0
                        _TIFFfreeExt(tif, data);
7082
0
                    if (!m)
7083
0
                        return (0);
7084
0
                }
7085
0
            }
7086
0
        }
7087
0
        break;
7088
0
        case TIFF_SETGET_C16_UINT32:
7089
0
        {
7090
0
            uint32_t *data;
7091
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7092
0
            assert(fip->field_passcount == 1);
7093
0
            if (dp->tdir_count > 0xFFFF)
7094
0
                err = TIFFReadDirEntryErrCount;
7095
0
            else
7096
0
            {
7097
0
                err = TIFFReadDirEntryLongArray(tif, dp, &data);
7098
0
                if (err == TIFFReadDirEntryErrOk)
7099
0
                {
7100
0
                    int m;
7101
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7102
0
                    {
7103
0
                        if (data != 0)
7104
0
                            _TIFFfreeExt(tif, data);
7105
0
                        return 0;
7106
0
                    }
7107
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7108
0
                                     (uint16_t)(dp->tdir_count), data);
7109
0
                    if (data != 0)
7110
0
                        _TIFFfreeExt(tif, data);
7111
0
                    if (!m)
7112
0
                        return (0);
7113
0
                }
7114
0
            }
7115
0
        }
7116
0
        break;
7117
0
        case TIFF_SETGET_C16_SINT32:
7118
0
        {
7119
0
            int32_t *data;
7120
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7121
0
            assert(fip->field_passcount == 1);
7122
0
            if (dp->tdir_count > 0xFFFF)
7123
0
                err = TIFFReadDirEntryErrCount;
7124
0
            else
7125
0
            {
7126
0
                err = TIFFReadDirEntrySlongArray(tif, dp, &data);
7127
0
                if (err == TIFFReadDirEntryErrOk)
7128
0
                {
7129
0
                    int m;
7130
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7131
0
                    {
7132
0
                        if (data != 0)
7133
0
                            _TIFFfreeExt(tif, data);
7134
0
                        return 0;
7135
0
                    }
7136
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7137
0
                                     (uint16_t)(dp->tdir_count), data);
7138
0
                    if (data != 0)
7139
0
                        _TIFFfreeExt(tif, data);
7140
0
                    if (!m)
7141
0
                        return (0);
7142
0
                }
7143
0
            }
7144
0
        }
7145
0
        break;
7146
0
        case TIFF_SETGET_C16_UINT64:
7147
0
        {
7148
0
            uint64_t *data;
7149
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7150
0
            assert(fip->field_passcount == 1);
7151
0
            if (dp->tdir_count > 0xFFFF)
7152
0
                err = TIFFReadDirEntryErrCount;
7153
0
            else
7154
0
            {
7155
0
                err = TIFFReadDirEntryLong8Array(tif, dp, &data);
7156
0
                if (err == TIFFReadDirEntryErrOk)
7157
0
                {
7158
0
                    int m;
7159
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7160
0
                    {
7161
0
                        if (data != 0)
7162
0
                            _TIFFfreeExt(tif, data);
7163
0
                        return 0;
7164
0
                    }
7165
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7166
0
                                     (uint16_t)(dp->tdir_count), data);
7167
0
                    if (data != 0)
7168
0
                        _TIFFfreeExt(tif, data);
7169
0
                    if (!m)
7170
0
                        return (0);
7171
0
                }
7172
0
            }
7173
0
        }
7174
0
        break;
7175
0
        case TIFF_SETGET_C16_SINT64:
7176
0
        {
7177
0
            int64_t *data;
7178
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7179
0
            assert(fip->field_passcount == 1);
7180
0
            if (dp->tdir_count > 0xFFFF)
7181
0
                err = TIFFReadDirEntryErrCount;
7182
0
            else
7183
0
            {
7184
0
                err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
7185
0
                if (err == TIFFReadDirEntryErrOk)
7186
0
                {
7187
0
                    int m;
7188
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7189
0
                    {
7190
0
                        if (data != 0)
7191
0
                            _TIFFfreeExt(tif, data);
7192
0
                        return 0;
7193
0
                    }
7194
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7195
0
                                     (uint16_t)(dp->tdir_count), data);
7196
0
                    if (data != 0)
7197
0
                        _TIFFfreeExt(tif, data);
7198
0
                    if (!m)
7199
0
                        return (0);
7200
0
                }
7201
0
            }
7202
0
        }
7203
0
        break;
7204
0
        case TIFF_SETGET_C16_FLOAT:
7205
0
        {
7206
0
            float *data;
7207
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7208
0
            assert(fip->field_passcount == 1);
7209
0
            if (dp->tdir_count > 0xFFFF)
7210
0
                err = TIFFReadDirEntryErrCount;
7211
0
            else
7212
0
            {
7213
0
                err = TIFFReadDirEntryFloatArray(tif, dp, &data);
7214
0
                if (err == TIFFReadDirEntryErrOk)
7215
0
                {
7216
0
                    int m;
7217
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7218
0
                    {
7219
0
                        if (data != 0)
7220
0
                            _TIFFfreeExt(tif, data);
7221
0
                        return 0;
7222
0
                    }
7223
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7224
0
                                     (uint16_t)(dp->tdir_count), data);
7225
0
                    if (data != 0)
7226
0
                        _TIFFfreeExt(tif, data);
7227
0
                    if (!m)
7228
0
                        return (0);
7229
0
                }
7230
0
            }
7231
0
        }
7232
0
        break;
7233
0
        case TIFF_SETGET_C16_DOUBLE:
7234
0
        {
7235
0
            double *data;
7236
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7237
0
            assert(fip->field_passcount == 1);
7238
0
            if (dp->tdir_count > 0xFFFF)
7239
0
                err = TIFFReadDirEntryErrCount;
7240
0
            else
7241
0
            {
7242
0
                err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
7243
0
                if (err == TIFFReadDirEntryErrOk)
7244
0
                {
7245
0
                    int m;
7246
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7247
0
                    {
7248
0
                        if (data != 0)
7249
0
                            _TIFFfreeExt(tif, data);
7250
0
                        return 0;
7251
0
                    }
7252
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7253
0
                                     (uint16_t)(dp->tdir_count), data);
7254
0
                    if (data != 0)
7255
0
                        _TIFFfreeExt(tif, data);
7256
0
                    if (!m)
7257
0
                        return (0);
7258
0
                }
7259
0
            }
7260
0
        }
7261
0
        break;
7262
0
        case TIFF_SETGET_C16_IFD8:
7263
0
        {
7264
0
            uint64_t *data;
7265
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7266
0
            assert(fip->field_passcount == 1);
7267
0
            if (dp->tdir_count > 0xFFFF)
7268
0
                err = TIFFReadDirEntryErrCount;
7269
0
            else
7270
0
            {
7271
0
                err = TIFFReadDirEntryIfd8Array(tif, dp, &data);
7272
0
                if (err == TIFFReadDirEntryErrOk)
7273
0
                {
7274
0
                    int m;
7275
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7276
0
                    {
7277
0
                        if (data != 0)
7278
0
                            _TIFFfreeExt(tif, data);
7279
0
                        return 0;
7280
0
                    }
7281
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7282
0
                                     (uint16_t)(dp->tdir_count), data);
7283
0
                    if (data != 0)
7284
0
                        _TIFFfreeExt(tif, data);
7285
0
                    if (!m)
7286
0
                        return (0);
7287
0
                }
7288
0
            }
7289
0
        }
7290
0
        break;
7291
0
        case TIFF_SETGET_C32_ASCII:
7292
0
        {
7293
0
            uint8_t *data;
7294
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7295
0
            assert(fip->field_passcount == 1);
7296
0
            err = TIFFReadDirEntryByteArray(tif, dp, &data);
7297
0
            if (err == TIFFReadDirEntryErrOk)
7298
0
            {
7299
0
                int m;
7300
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7301
0
                {
7302
0
                    if (data != 0)
7303
0
                        _TIFFfreeExt(tif, data);
7304
0
                    return 0;
7305
0
                }
7306
0
                if (data != 0 && dp->tdir_count > 0 &&
7307
0
                    data[dp->tdir_count - 1] != '\0')
7308
0
                {
7309
0
                    uint8_t *o;
7310
0
                    TIFFWarningExtR(
7311
0
                        tif, module,
7312
0
                        "ASCII value for ASCII array tag \"%s\" does not end "
7313
0
                        "in null byte. Forcing it to be null",
7314
0
                        fip->field_name);
7315
                    /* Enlarge buffer and add terminating null. */
7316
0
                    o =
7317
0
                        _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
7318
0
                    if (o == NULL)
7319
0
                    {
7320
0
                        if (data != NULL)
7321
0
                            _TIFFfreeExt(tif, data);
7322
0
                        return (0);
7323
0
                    }
7324
0
                    if (dp->tdir_count > 0)
7325
0
                    {
7326
0
                        _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
7327
0
                    }
7328
0
                    o[(uint32_t)dp->tdir_count] = 0;
7329
0
                    dp->tdir_count++; /* Increment for added null. */
7330
0
                    if (data != 0)
7331
0
                        _TIFFfreeExt(tif, data);
7332
0
                    data = o;
7333
0
                }
7334
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7335
0
                                 data);
7336
0
                if (data != 0)
7337
0
                    _TIFFfreeExt(tif, data);
7338
0
                if (!m)
7339
0
                    return (0);
7340
0
            }
7341
0
        }
7342
0
        break;
7343
0
        case TIFF_SETGET_C32_UINT8:
7344
0
        {
7345
0
            uint8_t *data;
7346
0
            uint32_t count = 0;
7347
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7348
0
            assert(fip->field_passcount == 1);
7349
0
            if (fip->field_tag == TIFFTAG_RICHTIFFIPTC &&
7350
0
                dp->tdir_type == TIFF_LONG)
7351
0
            {
7352
                /* Adobe's software (wrongly) writes RichTIFFIPTC tag with
7353
                 * data type LONG instead of UNDEFINED. Work around this
7354
                 * frequently found issue */
7355
0
                void *origdata;
7356
0
                err = TIFFReadDirEntryArray(tif, dp, &count, 4, &origdata);
7357
0
                if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
7358
0
                {
7359
0
                    data = NULL;
7360
0
                }
7361
0
                else
7362
0
                {
7363
0
                    if (tif->tif_flags & TIFF_SWAB)
7364
0
                        TIFFSwabArrayOfLong((uint32_t *)origdata, count);
7365
0
                    data = (uint8_t *)origdata;
7366
0
                    count = (uint32_t)(count * 4);
7367
0
                }
7368
0
            }
7369
0
            else
7370
0
            {
7371
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
7372
0
                count = (uint32_t)(dp->tdir_count);
7373
0
            }
7374
0
            if (err == TIFFReadDirEntryErrOk)
7375
0
            {
7376
0
                int m;
7377
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7378
0
                {
7379
0
                    if (data != 0)
7380
0
                        _TIFFfreeExt(tif, data);
7381
0
                    return 0;
7382
0
                }
7383
0
                m = TIFFSetField(tif, dp->tdir_tag, count, data);
7384
0
                if (data != 0)
7385
0
                    _TIFFfreeExt(tif, data);
7386
0
                if (!m)
7387
0
                    return (0);
7388
0
            }
7389
0
        }
7390
0
        break;
7391
0
        case TIFF_SETGET_C32_SINT8:
7392
0
        {
7393
0
            int8_t *data = NULL;
7394
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7395
0
            assert(fip->field_passcount == 1);
7396
0
            err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
7397
0
            if (err == TIFFReadDirEntryErrOk)
7398
0
            {
7399
0
                int m;
7400
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7401
0
                {
7402
0
                    if (data != 0)
7403
0
                        _TIFFfreeExt(tif, data);
7404
0
                    return 0;
7405
0
                }
7406
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7407
0
                                 data);
7408
0
                if (data != 0)
7409
0
                    _TIFFfreeExt(tif, data);
7410
0
                if (!m)
7411
0
                    return (0);
7412
0
            }
7413
0
        }
7414
0
        break;
7415
0
        case TIFF_SETGET_C32_UINT16:
7416
0
        {
7417
0
            uint16_t *data;
7418
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7419
0
            assert(fip->field_passcount == 1);
7420
0
            err = TIFFReadDirEntryShortArray(tif, dp, &data);
7421
0
            if (err == TIFFReadDirEntryErrOk)
7422
0
            {
7423
0
                int m;
7424
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7425
0
                {
7426
0
                    if (data != 0)
7427
0
                        _TIFFfreeExt(tif, data);
7428
0
                    return 0;
7429
0
                }
7430
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7431
0
                                 data);
7432
0
                if (data != 0)
7433
0
                    _TIFFfreeExt(tif, data);
7434
0
                if (!m)
7435
0
                    return (0);
7436
0
            }
7437
0
        }
7438
0
        break;
7439
0
        case TIFF_SETGET_C32_SINT16:
7440
0
        {
7441
0
            int16_t *data = NULL;
7442
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7443
0
            assert(fip->field_passcount == 1);
7444
0
            err = TIFFReadDirEntrySshortArray(tif, dp, &data);
7445
0
            if (err == TIFFReadDirEntryErrOk)
7446
0
            {
7447
0
                int m;
7448
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7449
0
                {
7450
0
                    if (data != 0)
7451
0
                        _TIFFfreeExt(tif, data);
7452
0
                    return 0;
7453
0
                }
7454
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7455
0
                                 data);
7456
0
                if (data != 0)
7457
0
                    _TIFFfreeExt(tif, data);
7458
0
                if (!m)
7459
0
                    return (0);
7460
0
            }
7461
0
        }
7462
0
        break;
7463
0
        case TIFF_SETGET_C32_UINT32:
7464
0
        {
7465
0
            uint32_t *data;
7466
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7467
0
            assert(fip->field_passcount == 1);
7468
0
            err = TIFFReadDirEntryLongArray(tif, dp, &data);
7469
0
            if (err == TIFFReadDirEntryErrOk)
7470
0
            {
7471
0
                int m;
7472
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7473
0
                {
7474
0
                    if (data != 0)
7475
0
                        _TIFFfreeExt(tif, data);
7476
0
                    return 0;
7477
0
                }
7478
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7479
0
                                 data);
7480
0
                if (data != 0)
7481
0
                    _TIFFfreeExt(tif, data);
7482
0
                if (!m)
7483
0
                    return (0);
7484
0
            }
7485
0
        }
7486
0
        break;
7487
0
        case TIFF_SETGET_C32_SINT32:
7488
0
        {
7489
0
            int32_t *data = NULL;
7490
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7491
0
            assert(fip->field_passcount == 1);
7492
0
            err = TIFFReadDirEntrySlongArray(tif, dp, &data);
7493
0
            if (err == TIFFReadDirEntryErrOk)
7494
0
            {
7495
0
                int m;
7496
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7497
0
                {
7498
0
                    if (data != 0)
7499
0
                        _TIFFfreeExt(tif, data);
7500
0
                    return 0;
7501
0
                }
7502
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7503
0
                                 data);
7504
0
                if (data != 0)
7505
0
                    _TIFFfreeExt(tif, data);
7506
0
                if (!m)
7507
0
                    return (0);
7508
0
            }
7509
0
        }
7510
0
        break;
7511
0
        case TIFF_SETGET_C32_UINT64:
7512
0
        {
7513
0
            uint64_t *data;
7514
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7515
0
            assert(fip->field_passcount == 1);
7516
0
            err = TIFFReadDirEntryLong8Array(tif, dp, &data);
7517
0
            if (err == TIFFReadDirEntryErrOk)
7518
0
            {
7519
0
                int m;
7520
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7521
0
                {
7522
0
                    if (data != 0)
7523
0
                        _TIFFfreeExt(tif, data);
7524
0
                    return 0;
7525
0
                }
7526
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7527
0
                                 data);
7528
0
                if (data != 0)
7529
0
                    _TIFFfreeExt(tif, data);
7530
0
                if (!m)
7531
0
                    return (0);
7532
0
            }
7533
0
        }
7534
0
        break;
7535
0
        case TIFF_SETGET_C32_SINT64:
7536
0
        {
7537
0
            int64_t *data = NULL;
7538
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7539
0
            assert(fip->field_passcount == 1);
7540
0
            err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
7541
0
            if (err == TIFFReadDirEntryErrOk)
7542
0
            {
7543
0
                int m;
7544
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7545
0
                {
7546
0
                    if (data != 0)
7547
0
                        _TIFFfreeExt(tif, data);
7548
0
                    return 0;
7549
0
                }
7550
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7551
0
                                 data);
7552
0
                if (data != 0)
7553
0
                    _TIFFfreeExt(tif, data);
7554
0
                if (!m)
7555
0
                    return (0);
7556
0
            }
7557
0
        }
7558
0
        break;
7559
0
        case TIFF_SETGET_C32_FLOAT:
7560
0
        {
7561
0
            float *data;
7562
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7563
0
            assert(fip->field_passcount == 1);
7564
0
            err = TIFFReadDirEntryFloatArray(tif, dp, &data);
7565
0
            if (err == TIFFReadDirEntryErrOk)
7566
0
            {
7567
0
                int m;
7568
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7569
0
                {
7570
0
                    if (data != 0)
7571
0
                        _TIFFfreeExt(tif, data);
7572
0
                    return 0;
7573
0
                }
7574
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7575
0
                                 data);
7576
0
                if (data != 0)
7577
0
                    _TIFFfreeExt(tif, data);
7578
0
                if (!m)
7579
0
                    return (0);
7580
0
            }
7581
0
        }
7582
0
        break;
7583
0
        case TIFF_SETGET_C32_DOUBLE:
7584
0
        {
7585
0
            double *data;
7586
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7587
0
            assert(fip->field_passcount == 1);
7588
0
            err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
7589
0
            if (err == TIFFReadDirEntryErrOk)
7590
0
            {
7591
0
                int m;
7592
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7593
0
                {
7594
0
                    if (data != 0)
7595
0
                        _TIFFfreeExt(tif, data);
7596
0
                    return 0;
7597
0
                }
7598
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7599
0
                                 data);
7600
0
                if (data != 0)
7601
0
                    _TIFFfreeExt(tif, data);
7602
0
                if (!m)
7603
0
                    return (0);
7604
0
            }
7605
0
        }
7606
0
        break;
7607
0
        case TIFF_SETGET_C32_IFD8:
7608
0
        {
7609
0
            uint64_t *data;
7610
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7611
0
            assert(fip->field_passcount == 1);
7612
0
            err = TIFFReadDirEntryIfd8Array(tif, dp, &data);
7613
0
            if (err == TIFFReadDirEntryErrOk)
7614
0
            {
7615
0
                int m;
7616
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7617
0
                {
7618
0
                    if (data != 0)
7619
0
                        _TIFFfreeExt(tif, data);
7620
0
                    return 0;
7621
0
                }
7622
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7623
0
                                 data);
7624
0
                if (data != 0)
7625
0
                    _TIFFfreeExt(tif, data);
7626
0
                if (!m)
7627
0
                    return (0);
7628
0
            }
7629
0
        }
7630
0
        break;
7631
0
        default:
7632
0
            assert(0); /* we should never get here */
7633
0
            break;
7634
0
    }
7635
0
    if (err != TIFFReadDirEntryErrOk)
7636
0
    {
7637
0
        TIFFReadDirEntryOutputErr(tif, err, module, fip->field_name, recover);
7638
0
        return (0);
7639
0
    }
7640
0
    return (1);
7641
0
}
7642
7643
/*
7644
 * Fetch a set of offsets or lengths.
7645
 * While this routine says "strips", in fact it's also used for tiles.
7646
 */
7647
static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
7648
                               uint64_t **lpp)
7649
0
{
7650
0
    static const char module[] = "TIFFFetchStripThing";
7651
0
    enum TIFFReadDirEntryErr err;
7652
0
    uint64_t *data;
7653
0
    err = TIFFReadDirEntryLong8ArrayWithLimit(tif, dir, &data, nstrips);
7654
0
    if (err != TIFFReadDirEntryErrOk)
7655
0
    {
7656
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
7657
0
        TIFFReadDirEntryOutputErr(tif, err, module,
7658
0
                                  fip ? fip->field_name : "unknown tagname", 0);
7659
0
        return (0);
7660
0
    }
7661
0
    if (dir->tdir_count < (uint64_t)nstrips)
7662
0
    {
7663
0
        uint64_t *resizeddata;
7664
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
7665
0
        const char *pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
7666
0
        uint32_t max_nstrips = 1000000;
7667
0
        uint64_t allocsize;
7668
0
        if (pszMax)
7669
0
            max_nstrips = (uint32_t)atoi(pszMax);
7670
0
        TIFFReadDirEntryOutputErr(tif, TIFFReadDirEntryErrCount, module,
7671
0
                                  fip ? fip->field_name : "unknown tagname",
7672
0
                                  (nstrips <= max_nstrips));
7673
7674
0
        if (nstrips > max_nstrips)
7675
0
        {
7676
0
            _TIFFfreeExt(tif, data);
7677
0
            return (0);
7678
0
        }
7679
7680
0
        allocsize = (uint64_t)nstrips * sizeof(uint64_t);
7681
0
        if (allocsize > 100 * 1024 * 1024)
7682
0
        {
7683
            /* Before allocating a huge amount of memory for corrupted files,
7684
             * check if size of requested memory is not greater than file size.
7685
             */
7686
0
            const uint64_t filesize = TIFFGetFileSize(tif);
7687
0
            if (allocsize > filesize)
7688
0
            {
7689
0
                TIFFWarningExtR(
7690
0
                    tif, module,
7691
0
                    "Requested memory size for StripArray of %" PRIu64
7692
0
                    " is greater than filesize %" PRIu64
7693
0
                    ". Memory not allocated",
7694
0
                    allocsize, filesize);
7695
0
                _TIFFfreeExt(tif, data);
7696
0
                return (0);
7697
0
            }
7698
0
        }
7699
0
        resizeddata = (uint64_t *)_TIFFCheckMalloc(
7700
0
            tif, nstrips, sizeof(uint64_t), "for strip array");
7701
0
        if (resizeddata == 0)
7702
0
        {
7703
0
            _TIFFfreeExt(tif, data);
7704
0
            return (0);
7705
0
        }
7706
0
        if (dir->tdir_count)
7707
0
            _TIFFmemcpy(resizeddata, data,
7708
0
                        (uint32_t)dir->tdir_count * sizeof(uint64_t));
7709
0
        _TIFFmemset(resizeddata + (uint32_t)dir->tdir_count, 0,
7710
0
                    (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
7711
0
        _TIFFfreeExt(tif, data);
7712
0
        data = resizeddata;
7713
0
    }
7714
0
    *lpp = data;
7715
0
    return (1);
7716
0
}
7717
7718
/*
7719
 * Fetch and set the SubjectDistance EXIF tag.
7720
 */
7721
static int TIFFFetchSubjectDistance(TIFF *tif, TIFFDirEntry *dir)
7722
0
{
7723
0
    static const char module[] = "TIFFFetchSubjectDistance";
7724
0
    enum TIFFReadDirEntryErr err;
7725
0
    UInt64Aligned_t m;
7726
0
    m.l = 0;
7727
0
    assert(sizeof(double) == 8);
7728
0
    assert(sizeof(uint64_t) == 8);
7729
0
    assert(sizeof(uint32_t) == 4);
7730
0
    if (dir->tdir_count != 1)
7731
0
        err = TIFFReadDirEntryErrCount;
7732
0
    else if (dir->tdir_type != TIFF_RATIONAL)
7733
0
        err = TIFFReadDirEntryErrType;
7734
0
    else
7735
0
    {
7736
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
7737
0
        {
7738
0
            uint32_t offset;
7739
0
            offset = *(uint32_t *)(&dir->tdir_offset);
7740
0
            if (tif->tif_flags & TIFF_SWAB)
7741
0
                TIFFSwabLong(&offset);
7742
0
            err = TIFFReadDirEntryData(tif, offset, 8, m.i);
7743
0
        }
7744
0
        else
7745
0
        {
7746
0
            m.l = dir->tdir_offset.toff_long8;
7747
0
            err = TIFFReadDirEntryErrOk;
7748
0
        }
7749
0
    }
7750
0
    if (err == TIFFReadDirEntryErrOk)
7751
0
    {
7752
0
        double n;
7753
0
        if (tif->tif_flags & TIFF_SWAB)
7754
0
            TIFFSwabArrayOfLong(m.i, 2);
7755
0
        if (m.i[0] == 0)
7756
0
            n = 0.0;
7757
0
        else if (m.i[0] == 0xFFFFFFFF || m.i[1] == 0)
7758
            /*
7759
             * XXX: Numerator 0xFFFFFFFF means that we have infinite
7760
             * distance. Indicate that with a negative floating point
7761
             * SubjectDistance value.
7762
             */
7763
0
            n = -1.0;
7764
0
        else
7765
0
            n = (double)m.i[0] / (double)m.i[1];
7766
0
        return (TIFFSetField(tif, dir->tdir_tag, n));
7767
0
    }
7768
0
    else
7769
0
    {
7770
0
        TIFFReadDirEntryOutputErr(tif, err, module, "SubjectDistance", TRUE);
7771
0
        return (0);
7772
0
    }
7773
0
}
7774
7775
static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
7776
                                      uint64_t stripbytes,
7777
                                      uint32_t rowsperstrip)
7778
0
{
7779
0
    TIFFDirectory *td = &tif->tif_dir;
7780
0
    uint64_t bytecount;
7781
0
    uint64_t offset;
7782
0
    uint64_t last_offset;
7783
0
    uint64_t last_bytecount;
7784
0
    uint32_t i;
7785
0
    uint64_t *newcounts;
7786
0
    uint64_t *newoffsets;
7787
0
    uint64_t allocsize;
7788
7789
0
    offset = TIFFGetStrileOffset(tif, 0);
7790
0
    last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
7791
0
    last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
7792
0
    if (last_offset > UINT64_MAX - last_bytecount ||
7793
0
        last_offset + last_bytecount < offset)
7794
0
    {
7795
0
        return;
7796
0
    }
7797
0
    bytecount = last_offset + last_bytecount - offset;
7798
7799
    /* Before allocating a huge amount of memory for corrupted files, check if
7800
     * size of StripByteCount and StripOffset tags is not greater than
7801
     * file size.
7802
     */
7803
0
    allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
7804
0
    if (allocsize > 100 * 1024 * 1024)
7805
0
    {
7806
0
        const uint64_t filesize = TIFFGetFileSize(tif);
7807
0
        if (allocsize > filesize)
7808
0
        {
7809
0
            TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
7810
0
                            "Requested memory size for StripByteCount and "
7811
0
                            "StripOffsets %" PRIu64
7812
0
                            " is greater than filesize %" PRIu64
7813
0
                            ". Memory not allocated",
7814
0
                            allocsize, filesize);
7815
0
            return;
7816
0
        }
7817
0
    }
7818
7819
0
    newcounts =
7820
0
        (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
7821
0
                                     "for chopped \"StripByteCounts\" array");
7822
0
    newoffsets = (uint64_t *)_TIFFCheckMalloc(
7823
0
        tif, nstrips, sizeof(uint64_t), "for chopped \"StripOffsets\" array");
7824
0
    if (newcounts == NULL || newoffsets == NULL)
7825
0
    {
7826
        /*
7827
         * Unable to allocate new strip information, give up and use
7828
         * the original one strip information.
7829
         */
7830
0
        if (newcounts != NULL)
7831
0
            _TIFFfreeExt(tif, newcounts);
7832
0
        if (newoffsets != NULL)
7833
0
            _TIFFfreeExt(tif, newoffsets);
7834
0
        return;
7835
0
    }
7836
7837
    /*
7838
     * Fill the strip information arrays with new bytecounts and offsets
7839
     * that reflect the broken-up format.
7840
     */
7841
0
    for (i = 0; i < nstrips; i++)
7842
0
    {
7843
0
        if (stripbytes > bytecount)
7844
0
            stripbytes = bytecount;
7845
0
        newcounts[i] = stripbytes;
7846
0
        newoffsets[i] = stripbytes ? offset : 0;
7847
0
        offset += stripbytes;
7848
0
        bytecount -= stripbytes;
7849
0
    }
7850
7851
    /*
7852
     * Replace old single strip info with multi-strip info.
7853
     */
7854
0
    td->td_stripsperimage = td->td_nstrips = nstrips;
7855
0
    TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
7856
7857
0
    _TIFFfreeExt(tif, td->td_stripbytecount_p);
7858
0
    _TIFFfreeExt(tif, td->td_stripoffset_p);
7859
0
    td->td_stripbytecount_p = newcounts;
7860
0
    td->td_stripoffset_p = newoffsets;
7861
#ifdef STRIPBYTECOUNTSORTED_UNUSED
7862
    td->td_stripbytecountsorted = 1;
7863
#endif
7864
0
    tif->tif_flags |= TIFF_CHOPPEDUPARRAYS;
7865
0
}
7866
7867
/*
7868
 * Replace a single strip (tile) of uncompressed data by multiple strips
7869
 * (tiles), each approximately STRIP_SIZE_DEFAULT bytes. This is useful for
7870
 * dealing with large images or for dealing with machines with a limited
7871
 * amount memory.
7872
 */
7873
static void ChopUpSingleUncompressedStrip(TIFF *tif)
7874
0
{
7875
0
    register TIFFDirectory *td = &tif->tif_dir;
7876
0
    uint64_t bytecount;
7877
0
    uint64_t offset;
7878
0
    uint32_t rowblock;
7879
0
    uint64_t rowblockbytes;
7880
0
    uint64_t stripbytes;
7881
0
    uint32_t nstrips;
7882
0
    uint32_t rowsperstrip;
7883
7884
0
    bytecount = TIFFGetStrileByteCount(tif, 0);
7885
    /* On a newly created file, just re-opened to be filled, we */
7886
    /* don't want strip chop to trigger as it is going to cause issues */
7887
    /* later ( StripOffsets and StripByteCounts improperly filled) . */
7888
0
    if (bytecount == 0 && tif->tif_mode != O_RDONLY)
7889
0
        return;
7890
0
    offset = TIFFGetStrileByteCount(tif, 0);
7891
0
    assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
7892
0
    if ((td->td_photometric == PHOTOMETRIC_YCBCR) && (!isUpSampled(tif)))
7893
0
        rowblock = td->td_ycbcrsubsampling[1];
7894
0
    else
7895
0
        rowblock = 1;
7896
0
    rowblockbytes = TIFFVTileSize64(tif, rowblock);
7897
    /*
7898
     * Make the rows hold at least one scanline, but fill specified amount
7899
     * of data if possible.
7900
     */
7901
0
    if (rowblockbytes > STRIP_SIZE_DEFAULT)
7902
0
    {
7903
0
        stripbytes = rowblockbytes;
7904
0
        rowsperstrip = rowblock;
7905
0
    }
7906
0
    else if (rowblockbytes > 0)
7907
0
    {
7908
0
        uint32_t rowblocksperstrip;
7909
0
        rowblocksperstrip = (uint32_t)(STRIP_SIZE_DEFAULT / rowblockbytes);
7910
0
        rowsperstrip = rowblocksperstrip * rowblock;
7911
0
        stripbytes = rowblocksperstrip * rowblockbytes;
7912
0
    }
7913
0
    else
7914
0
        return;
7915
7916
    /*
7917
     * never increase the number of rows per strip
7918
     */
7919
0
    if (rowsperstrip >= td->td_rowsperstrip || rowsperstrip == 0)
7920
0
        return;
7921
0
    nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
7922
0
    if (nstrips == 0)
7923
0
        return;
7924
7925
    /* If we are going to allocate a lot of memory, make sure that the */
7926
    /* file is as big as needed */
7927
0
    if (tif->tif_mode == O_RDONLY && nstrips > 1000000 &&
7928
0
        (offset >= TIFFGetFileSize(tif) ||
7929
0
         stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)))
7930
0
    {
7931
0
        return;
7932
0
    }
7933
7934
0
    allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
7935
0
}
7936
7937
/*
7938
 * Replace a file with contiguous strips > 2 GB of uncompressed data by
7939
 * multiple smaller strips. This is useful for
7940
 * dealing with large images or for dealing with machines with a limited
7941
 * amount memory.
7942
 */
7943
static void TryChopUpUncompressedBigTiff(TIFF *tif)
7944
0
{
7945
0
    TIFFDirectory *td = &tif->tif_dir;
7946
0
    uint32_t rowblock;
7947
0
    uint64_t rowblockbytes;
7948
0
    uint32_t i;
7949
0
    uint64_t stripsize;
7950
0
    uint32_t rowblocksperstrip;
7951
0
    uint32_t rowsperstrip;
7952
0
    uint64_t stripbytes;
7953
0
    uint32_t nstrips;
7954
7955
0
    stripsize = TIFFStripSize64(tif);
7956
7957
0
    assert(tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG);
7958
0
    assert(tif->tif_dir.td_compression == COMPRESSION_NONE);
7959
0
    assert((tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) ==
7960
0
           TIFF_STRIPCHOP);
7961
0
    assert(stripsize > 0x7FFFFFFFUL);
7962
7963
    /* On a newly created file, just re-opened to be filled, we */
7964
    /* don't want strip chop to trigger as it is going to cause issues */
7965
    /* later ( StripOffsets and StripByteCounts improperly filled) . */
7966
0
    if (TIFFGetStrileByteCount(tif, 0) == 0 && tif->tif_mode != O_RDONLY)
7967
0
        return;
7968
7969
0
    if ((td->td_photometric == PHOTOMETRIC_YCBCR) && (!isUpSampled(tif)))
7970
0
        rowblock = td->td_ycbcrsubsampling[1];
7971
0
    else
7972
0
        rowblock = 1;
7973
0
    rowblockbytes = TIFFVStripSize64(tif, rowblock);
7974
0
    if (rowblockbytes == 0 || rowblockbytes > 0x7FFFFFFFUL)
7975
0
    {
7976
        /* In case of file with gigantic width */
7977
0
        return;
7978
0
    }
7979
7980
    /* Check that the strips are contiguous and of the expected size */
7981
0
    for (i = 0; i < td->td_nstrips; i++)
7982
0
    {
7983
0
        if (i == td->td_nstrips - 1)
7984
0
        {
7985
0
            if (TIFFGetStrileByteCount(tif, i) <
7986
0
                TIFFVStripSize64(tif,
7987
0
                                 td->td_imagelength - i * td->td_rowsperstrip))
7988
0
            {
7989
0
                return;
7990
0
            }
7991
0
        }
7992
0
        else
7993
0
        {
7994
0
            if (TIFFGetStrileByteCount(tif, i) != stripsize)
7995
0
            {
7996
0
                return;
7997
0
            }
7998
0
            if (i > 0 && TIFFGetStrileOffset(tif, i) !=
7999
0
                             TIFFGetStrileOffset(tif, i - 1) +
8000
0
                                 TIFFGetStrileByteCount(tif, i - 1))
8001
0
            {
8002
0
                return;
8003
0
            }
8004
0
        }
8005
0
    }
8006
8007
    /* Aim for 512 MB strips (that will still be manageable by 32 bit builds */
8008
0
    rowblocksperstrip = (uint32_t)(512 * 1024 * 1024 / rowblockbytes);
8009
0
    if (rowblocksperstrip == 0)
8010
0
        rowblocksperstrip = 1;
8011
0
    rowsperstrip = rowblocksperstrip * rowblock;
8012
0
    stripbytes = rowblocksperstrip * rowblockbytes;
8013
0
    assert(stripbytes <= 0x7FFFFFFFUL);
8014
8015
0
    if (rowsperstrip == 0)
8016
0
        return;
8017
0
    nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
8018
0
    if (nstrips == 0)
8019
0
        return;
8020
8021
    /* If we are going to allocate a lot of memory, make sure that the */
8022
    /* file is as big as needed */
8023
0
    if (tif->tif_mode == O_RDONLY && nstrips > 1000000)
8024
0
    {
8025
0
        uint64_t last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
8026
0
        uint64_t filesize = TIFFGetFileSize(tif);
8027
0
        uint64_t last_bytecount =
8028
0
            TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
8029
0
        if (last_offset > filesize || last_bytecount > filesize - last_offset)
8030
0
        {
8031
0
            return;
8032
0
        }
8033
0
    }
8034
8035
0
    allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
8036
0
}
8037
8038
TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
8039
static uint64_t _TIFFUnsanitizedAddUInt64AndInt(uint64_t a, int b)
8040
0
{
8041
0
    return a + b;
8042
0
}
8043
8044
/* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
8045
 * strip/tile of number strile. Also fetch the neighbouring values using a
8046
 * 4096 byte page size.
8047
 */
8048
static int _TIFFPartialReadStripArray(TIFF *tif, TIFFDirEntry *dirent,
8049
                                      int strile, uint64_t *panVals)
8050
0
{
8051
0
    static const char module[] = "_TIFFPartialReadStripArray";
8052
0
#define IO_CACHE_PAGE_SIZE 4096
8053
8054
0
    size_t sizeofval;
8055
0
    const int bSwab = (tif->tif_flags & TIFF_SWAB) != 0;
8056
0
    int sizeofvalint;
8057
0
    uint64_t nBaseOffset;
8058
0
    uint64_t nOffset;
8059
0
    uint64_t nOffsetStartPage;
8060
0
    uint64_t nOffsetEndPage;
8061
0
    tmsize_t nToRead;
8062
0
    tmsize_t nRead;
8063
0
    uint64_t nLastStripOffset;
8064
0
    int iStartBefore;
8065
0
    int i;
8066
0
    const uint32_t arraySize = tif->tif_dir.td_stripoffsetbyteallocsize;
8067
0
    unsigned char buffer[2 * IO_CACHE_PAGE_SIZE];
8068
8069
0
    assert(dirent->tdir_count > 4);
8070
8071
0
    if (dirent->tdir_type == TIFF_SHORT)
8072
0
    {
8073
0
        sizeofval = sizeof(uint16_t);
8074
0
    }
8075
0
    else if (dirent->tdir_type == TIFF_LONG)
8076
0
    {
8077
0
        sizeofval = sizeof(uint32_t);
8078
0
    }
8079
0
    else if (dirent->tdir_type == TIFF_LONG8)
8080
0
    {
8081
0
        sizeofval = sizeof(uint64_t);
8082
0
    }
8083
0
    else if (dirent->tdir_type == TIFF_SLONG8)
8084
0
    {
8085
        /* Non conformant but used by some images as in */
8086
        /* https://github.com/OSGeo/gdal/issues/2165 */
8087
0
        sizeofval = sizeof(int64_t);
8088
0
    }
8089
0
    else
8090
0
    {
8091
0
        TIFFErrorExtR(tif, module,
8092
0
                      "Invalid type for [Strip|Tile][Offset/ByteCount] tag");
8093
0
        panVals[strile] = 0;
8094
0
        return 0;
8095
0
    }
8096
0
    sizeofvalint = (int)(sizeofval);
8097
8098
0
    if (tif->tif_flags & TIFF_BIGTIFF)
8099
0
    {
8100
0
        uint64_t offset = dirent->tdir_offset.toff_long8;
8101
0
        if (bSwab)
8102
0
            TIFFSwabLong8(&offset);
8103
0
        nBaseOffset = offset;
8104
0
    }
8105
0
    else
8106
0
    {
8107
0
        uint32_t offset = dirent->tdir_offset.toff_long;
8108
0
        if (bSwab)
8109
0
            TIFFSwabLong(&offset);
8110
0
        nBaseOffset = offset;
8111
0
    }
8112
    /* To avoid later unsigned integer overflows */
8113
0
    if (nBaseOffset > (uint64_t)INT64_MAX)
8114
0
    {
8115
0
        TIFFErrorExtR(tif, module, "Cannot read offset/size for strile %d",
8116
0
                      strile);
8117
0
        panVals[strile] = 0;
8118
0
        return 0;
8119
0
    }
8120
0
    nOffset = nBaseOffset + sizeofval * strile;
8121
0
    nOffsetStartPage = (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;
8122
0
    nOffsetEndPage = nOffsetStartPage + IO_CACHE_PAGE_SIZE;
8123
8124
0
    if (nOffset + sizeofval > nOffsetEndPage)
8125
0
        nOffsetEndPage += IO_CACHE_PAGE_SIZE;
8126
0
#undef IO_CACHE_PAGE_SIZE
8127
8128
0
    nLastStripOffset = nBaseOffset + arraySize * sizeofval;
8129
0
    if (nLastStripOffset < nOffsetEndPage)
8130
0
        nOffsetEndPage = nLastStripOffset;
8131
0
    if (nOffsetStartPage >= nOffsetEndPage)
8132
0
    {
8133
0
        TIFFErrorExtR(tif, module, "Cannot read offset/size for strile %d",
8134
0
                      strile);
8135
0
        panVals[strile] = 0;
8136
0
        return 0;
8137
0
    }
8138
0
    if (!SeekOK(tif, nOffsetStartPage))
8139
0
    {
8140
0
        panVals[strile] = 0;
8141
0
        return 0;
8142
0
    }
8143
8144
0
    nToRead = (tmsize_t)(nOffsetEndPage - nOffsetStartPage);
8145
0
    nRead = TIFFReadFile(tif, buffer, nToRead);
8146
0
    if (nRead < nToRead)
8147
0
    {
8148
0
        TIFFErrorExtR(tif, module,
8149
0
                      "Cannot read offset/size for strile around ~%d", strile);
8150
0
        return 0;
8151
0
    }
8152
0
    iStartBefore = -(int)((nOffset - nOffsetStartPage) / sizeofval);
8153
0
    if (strile + iStartBefore < 0)
8154
0
        iStartBefore = -strile;
8155
0
    for (i = iStartBefore;
8156
0
         (uint32_t)(strile + i) < arraySize &&
8157
0
         _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <=
8158
0
             nOffsetEndPage;
8159
0
         ++i)
8160
0
    {
8161
0
        if (dirent->tdir_type == TIFF_SHORT)
8162
0
        {
8163
0
            uint16_t val;
8164
0
            memcpy(&val,
8165
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8166
0
                   sizeof(val));
8167
0
            if (bSwab)
8168
0
                TIFFSwabShort(&val);
8169
0
            panVals[strile + i] = val;
8170
0
        }
8171
0
        else if (dirent->tdir_type == TIFF_LONG)
8172
0
        {
8173
0
            uint32_t val;
8174
0
            memcpy(&val,
8175
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8176
0
                   sizeof(val));
8177
0
            if (bSwab)
8178
0
                TIFFSwabLong(&val);
8179
0
            panVals[strile + i] = val;
8180
0
        }
8181
0
        else if (dirent->tdir_type == TIFF_LONG8)
8182
0
        {
8183
0
            uint64_t val;
8184
0
            memcpy(&val,
8185
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8186
0
                   sizeof(val));
8187
0
            if (bSwab)
8188
0
                TIFFSwabLong8(&val);
8189
0
            panVals[strile + i] = val;
8190
0
        }
8191
0
        else /* if( dirent->tdir_type == TIFF_SLONG8 ) */
8192
0
        {
8193
            /* Non conformant data type */
8194
0
            int64_t val;
8195
0
            memcpy(&val,
8196
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8197
0
                   sizeof(val));
8198
0
            if (bSwab)
8199
0
                TIFFSwabLong8((uint64_t *)&val);
8200
0
            panVals[strile + i] = (uint64_t)val;
8201
0
        }
8202
0
    }
8203
0
    return 1;
8204
0
}
8205
8206
static int _TIFFFetchStrileValue(TIFF *tif, uint32_t strile,
8207
                                 TIFFDirEntry *dirent, uint64_t **parray)
8208
0
{
8209
0
    static const char module[] = "_TIFFFetchStrileValue";
8210
0
    TIFFDirectory *td = &tif->tif_dir;
8211
0
    if (strile >= dirent->tdir_count)
8212
0
    {
8213
0
        return 0;
8214
0
    }
8215
0
    if (strile >= td->td_stripoffsetbyteallocsize)
8216
0
    {
8217
0
        uint32_t nStripArrayAllocBefore = td->td_stripoffsetbyteallocsize;
8218
0
        uint32_t nStripArrayAllocNew;
8219
0
        uint64_t nArraySize64;
8220
0
        size_t nArraySize;
8221
0
        uint64_t *offsetArray;
8222
0
        uint64_t *bytecountArray;
8223
8224
0
        if (strile > 1000000)
8225
0
        {
8226
0
            uint64_t filesize = TIFFGetFileSize(tif);
8227
            /* Avoid excessive memory allocation attempt */
8228
            /* For such a big blockid we need at least a TIFF_LONG per strile */
8229
            /* for the offset array. */
8230
0
            if (strile > filesize / sizeof(uint32_t))
8231
0
            {
8232
0
                TIFFErrorExtR(tif, module, "File too short");
8233
0
                return 0;
8234
0
            }
8235
0
        }
8236
8237
0
        if (td->td_stripoffsetbyteallocsize == 0 &&
8238
0
            td->td_nstrips < 1024 * 1024)
8239
0
        {
8240
0
            nStripArrayAllocNew = td->td_nstrips;
8241
0
        }
8242
0
        else
8243
0
        {
8244
0
#define TIFF_MAX(a, b) (((a) > (b)) ? (a) : (b))
8245
0
#define TIFF_MIN(a, b) (((a) < (b)) ? (a) : (b))
8246
0
            nStripArrayAllocNew = TIFF_MAX(strile + 1, 1024U * 512U);
8247
0
            if (nStripArrayAllocNew < 0xFFFFFFFFU / 2)
8248
0
                nStripArrayAllocNew *= 2;
8249
0
            nStripArrayAllocNew = TIFF_MIN(nStripArrayAllocNew, td->td_nstrips);
8250
0
        }
8251
0
        assert(strile < nStripArrayAllocNew);
8252
0
        nArraySize64 = (uint64_t)sizeof(uint64_t) * nStripArrayAllocNew;
8253
0
        nArraySize = (size_t)(nArraySize64);
8254
#if SIZEOF_SIZE_T == 4
8255
        if (nArraySize != nArraySize64)
8256
        {
8257
            TIFFErrorExtR(tif, module,
8258
                          "Cannot allocate strip offset and bytecount arrays");
8259
            return 0;
8260
        }
8261
#endif
8262
0
        offsetArray = (uint64_t *)(_TIFFreallocExt(tif, td->td_stripoffset_p,
8263
0
                                                   nArraySize));
8264
0
        bytecountArray = (uint64_t *)(_TIFFreallocExt(
8265
0
            tif, td->td_stripbytecount_p, nArraySize));
8266
0
        if (offsetArray)
8267
0
            td->td_stripoffset_p = offsetArray;
8268
0
        if (bytecountArray)
8269
0
            td->td_stripbytecount_p = bytecountArray;
8270
0
        if (offsetArray && bytecountArray)
8271
0
        {
8272
0
            td->td_stripoffsetbyteallocsize = nStripArrayAllocNew;
8273
            /* Initialize new entries to ~0 / -1 */
8274
            /* coverity[overrun-buffer-arg] */
8275
0
            memset(td->td_stripoffset_p + nStripArrayAllocBefore, 0xFF,
8276
0
                   (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) *
8277
0
                       sizeof(uint64_t));
8278
            /* coverity[overrun-buffer-arg] */
8279
0
            memset(td->td_stripbytecount_p + nStripArrayAllocBefore, 0xFF,
8280
0
                   (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) *
8281
0
                       sizeof(uint64_t));
8282
0
        }
8283
0
        else
8284
0
        {
8285
0
            TIFFErrorExtR(tif, module,
8286
0
                          "Cannot allocate strip offset and bytecount arrays");
8287
0
            _TIFFfreeExt(tif, td->td_stripoffset_p);
8288
0
            td->td_stripoffset_p = NULL;
8289
0
            _TIFFfreeExt(tif, td->td_stripbytecount_p);
8290
0
            td->td_stripbytecount_p = NULL;
8291
0
            td->td_stripoffsetbyteallocsize = 0;
8292
0
        }
8293
0
    }
8294
0
    if (*parray == NULL || strile >= td->td_stripoffsetbyteallocsize)
8295
0
        return 0;
8296
8297
0
    if (~((*parray)[strile]) == 0)
8298
0
    {
8299
0
        if (!_TIFFPartialReadStripArray(tif, dirent, strile, *parray))
8300
0
        {
8301
0
            (*parray)[strile] = 0;
8302
0
            return 0;
8303
0
        }
8304
0
    }
8305
8306
0
    return 1;
8307
0
}
8308
8309
static uint64_t _TIFFGetStrileOffsetOrByteCountValue(TIFF *tif, uint32_t strile,
8310
                                                     TIFFDirEntry *dirent,
8311
                                                     uint64_t **parray,
8312
                                                     int *pbErr)
8313
0
{
8314
0
    TIFFDirectory *td = &tif->tif_dir;
8315
0
    if (pbErr)
8316
0
        *pbErr = 0;
8317
0
    if ((tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
8318
0
        !(tif->tif_flags & TIFF_CHOPPEDUPARRAYS))
8319
0
    {
8320
0
        if (!(tif->tif_flags & TIFF_LAZYSTRILELOAD) ||
8321
            /* If the values may fit in the toff_long/toff_long8 member */
8322
            /* then use _TIFFFillStriles to simplify _TIFFFetchStrileValue */
8323
0
            dirent->tdir_count <= 4)
8324
0
        {
8325
0
            if (!_TIFFFillStriles(tif))
8326
0
            {
8327
0
                if (pbErr)
8328
0
                    *pbErr = 1;
8329
                /* Do not return, as we want this function to always */
8330
                /* return the same value if called several times with */
8331
                /* the same arguments */
8332
0
            }
8333
0
        }
8334
0
        else
8335
0
        {
8336
0
            if (!_TIFFFetchStrileValue(tif, strile, dirent, parray))
8337
0
            {
8338
0
                if (pbErr)
8339
0
                    *pbErr = 1;
8340
0
                return 0;
8341
0
            }
8342
0
        }
8343
0
    }
8344
0
    if (*parray == NULL || strile >= td->td_nstrips)
8345
0
    {
8346
0
        if (pbErr)
8347
0
            *pbErr = 1;
8348
0
        return 0;
8349
0
    }
8350
0
    return (*parray)[strile];
8351
0
}
8352
8353
/* Return the value of the TileOffsets/StripOffsets array for the specified
8354
 * tile/strile */
8355
uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile)
8356
0
{
8357
0
    return TIFFGetStrileOffsetWithErr(tif, strile, NULL);
8358
0
}
8359
8360
/* Return the value of the TileOffsets/StripOffsets array for the specified
8361
 * tile/strile */
8362
uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr)
8363
0
{
8364
0
    TIFFDirectory *td = &tif->tif_dir;
8365
0
    return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
8366
0
                                                &(td->td_stripoffset_entry),
8367
0
                                                &(td->td_stripoffset_p), pbErr);
8368
0
}
8369
8370
/* Return the value of the TileByteCounts/StripByteCounts array for the
8371
 * specified tile/strile */
8372
uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
8373
0
{
8374
0
    return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
8375
0
}
8376
8377
/* Return the value of the TileByteCounts/StripByteCounts array for the
8378
 * specified tile/strile */
8379
uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr)
8380
0
{
8381
0
    TIFFDirectory *td = &tif->tif_dir;
8382
0
    return _TIFFGetStrileOffsetOrByteCountValue(
8383
0
        tif, strile, &(td->td_stripbytecount_entry), &(td->td_stripbytecount_p),
8384
0
        pbErr);
8385
0
}
8386
8387
76.8k
int _TIFFFillStriles(TIFF *tif) { return _TIFFFillStrilesInternal(tif, 1); }
8388
8389
static int _TIFFFillStrilesInternal(TIFF *tif, int loadStripByteCount)
8390
76.8k
{
8391
76.8k
    register TIFFDirectory *td = &tif->tif_dir;
8392
76.8k
    int return_value = 1;
8393
8394
    /* Do not do anything if TIFF_DEFERSTRILELOAD is not set */
8395
76.8k
    if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) ||
8396
76.8k
        (tif->tif_flags & TIFF_CHOPPEDUPARRAYS) != 0)
8397
76.8k
        return 1;
8398
8399
0
    if (tif->tif_flags & TIFF_LAZYSTRILELOAD)
8400
0
    {
8401
        /* In case of lazy loading, reload completely the arrays */
8402
0
        _TIFFfreeExt(tif, td->td_stripoffset_p);
8403
0
        _TIFFfreeExt(tif, td->td_stripbytecount_p);
8404
0
        td->td_stripoffset_p = NULL;
8405
0
        td->td_stripbytecount_p = NULL;
8406
0
        td->td_stripoffsetbyteallocsize = 0;
8407
0
        tif->tif_flags &= ~TIFF_LAZYSTRILELOAD;
8408
0
    }
8409
8410
    /* If stripoffset array is already loaded, exit with success */
8411
0
    if (td->td_stripoffset_p != NULL)
8412
0
        return 1;
8413
8414
    /* If tdir_count was canceled, then we already got there, but in error */
8415
0
    if (td->td_stripoffset_entry.tdir_count == 0)
8416
0
        return 0;
8417
8418
0
    if (!TIFFFetchStripThing(tif, &(td->td_stripoffset_entry), td->td_nstrips,
8419
0
                             &td->td_stripoffset_p))
8420
0
    {
8421
0
        return_value = 0;
8422
0
    }
8423
8424
0
    if (loadStripByteCount &&
8425
0
        !TIFFFetchStripThing(tif, &(td->td_stripbytecount_entry),
8426
0
                             td->td_nstrips, &td->td_stripbytecount_p))
8427
0
    {
8428
0
        return_value = 0;
8429
0
    }
8430
8431
0
    _TIFFmemset(&(td->td_stripoffset_entry), 0, sizeof(TIFFDirEntry));
8432
0
    _TIFFmemset(&(td->td_stripbytecount_entry), 0, sizeof(TIFFDirEntry));
8433
8434
#ifdef STRIPBYTECOUNTSORTED_UNUSED
8435
    if (tif->tif_dir.td_nstrips > 1 && return_value == 1)
8436
    {
8437
        uint32_t strip;
8438
8439
        tif->tif_dir.td_stripbytecountsorted = 1;
8440
        for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++)
8441
        {
8442
            if (tif->tif_dir.td_stripoffset_p[strip - 1] >
8443
                tif->tif_dir.td_stripoffset_p[strip])
8444
            {
8445
                tif->tif_dir.td_stripbytecountsorted = 0;
8446
                break;
8447
            }
8448
        }
8449
    }
8450
#endif
8451
8452
0
    return return_value;
8453
0
}