Coverage Report

Created: 2024-07-27 06:28

/src/libtiff/libtiff/tif_dirread.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 1988-1997 Sam Leffler
3
 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
4
 *
5
 * Permission to use, copy, modify, distribute, and sell this software and
6
 * its documentation for any purpose is hereby granted without fee, provided
7
 * that (i) the above copyright notices and this permission notice appear in
8
 * all copies of the software and related documentation, and (ii) the names of
9
 * Sam Leffler and Silicon Graphics may not be used in any advertising or
10
 * publicity relating to the software without the specific, prior written
11
 * permission of Sam Leffler and Silicon Graphics.
12
 *
13
 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
14
 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
15
 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
16
 *
17
 * IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
18
 * ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
19
 * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
20
 * WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
21
 * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22
 * OF THIS SOFTWARE.
23
 */
24
25
/*
26
 * TIFF Library.
27
 *
28
 * Directory Read Support Routines.
29
 */
30
31
/* Suggested pending improvements:
32
 * - add a field 'field_info' to the TIFFDirEntry structure, and set that with
33
 *   the pointer to the appropriate TIFFField structure early on in
34
 *   TIFFReadDirectory, so as to eliminate current possibly repetitive lookup.
35
 */
36
37
#include "tiffconf.h"
38
#include "tiffiop.h"
39
#include <float.h>
40
#include <limits.h>
41
#include <stdlib.h>
42
#include <string.h>
43
44
227k
#define FAILED_FII ((uint32_t)-1)
45
46
#ifdef HAVE_IEEEFP
47
#define TIFFCvtIEEEFloatToNative(tif, n, fp)
48
#define TIFFCvtIEEEDoubleToNative(tif, n, dp)
49
#else
50
extern void TIFFCvtIEEEFloatToNative(TIFF *, uint32_t, float *);
51
extern void TIFFCvtIEEEDoubleToNative(TIFF *, uint32_t, double *);
52
#endif
53
54
enum TIFFReadDirEntryErr
55
{
56
    TIFFReadDirEntryErrOk = 0,
57
    TIFFReadDirEntryErrCount = 1,
58
    TIFFReadDirEntryErrType = 2,
59
    TIFFReadDirEntryErrIo = 3,
60
    TIFFReadDirEntryErrRange = 4,
61
    TIFFReadDirEntryErrPsdif = 5,
62
    TIFFReadDirEntryErrSizesan = 6,
63
    TIFFReadDirEntryErrAlloc = 7,
64
};
65
66
static enum TIFFReadDirEntryErr
67
TIFFReadDirEntryByte(TIFF *tif, TIFFDirEntry *direntry, uint8_t *value);
68
static enum TIFFReadDirEntryErr
69
TIFFReadDirEntrySbyte(TIFF *tif, TIFFDirEntry *direntry, int8_t *value);
70
static enum TIFFReadDirEntryErr
71
TIFFReadDirEntryShort(TIFF *tif, TIFFDirEntry *direntry, uint16_t *value);
72
static enum TIFFReadDirEntryErr
73
TIFFReadDirEntrySshort(TIFF *tif, TIFFDirEntry *direntry, int16_t *value);
74
static enum TIFFReadDirEntryErr
75
TIFFReadDirEntryLong(TIFF *tif, TIFFDirEntry *direntry, uint32_t *value);
76
static enum TIFFReadDirEntryErr
77
TIFFReadDirEntrySlong(TIFF *tif, TIFFDirEntry *direntry, int32_t *value);
78
static enum TIFFReadDirEntryErr
79
TIFFReadDirEntryLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value);
80
static enum TIFFReadDirEntryErr
81
TIFFReadDirEntrySlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value);
82
static enum TIFFReadDirEntryErr
83
TIFFReadDirEntryFloat(TIFF *tif, TIFFDirEntry *direntry, float *value);
84
static enum TIFFReadDirEntryErr
85
TIFFReadDirEntryDouble(TIFF *tif, TIFFDirEntry *direntry, double *value);
86
static enum TIFFReadDirEntryErr
87
TIFFReadDirEntryIfd8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value);
88
89
static enum TIFFReadDirEntryErr
90
TIFFReadDirEntryArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t *count,
91
                      uint32_t desttypesize, void **value);
92
static enum TIFFReadDirEntryErr
93
TIFFReadDirEntryByteArray(TIFF *tif, TIFFDirEntry *direntry, uint8_t **value);
94
static enum TIFFReadDirEntryErr
95
TIFFReadDirEntrySbyteArray(TIFF *tif, TIFFDirEntry *direntry, int8_t **value);
96
static enum TIFFReadDirEntryErr
97
TIFFReadDirEntryShortArray(TIFF *tif, TIFFDirEntry *direntry, uint16_t **value);
98
static enum TIFFReadDirEntryErr
99
TIFFReadDirEntrySshortArray(TIFF *tif, TIFFDirEntry *direntry, int16_t **value);
100
static enum TIFFReadDirEntryErr
101
TIFFReadDirEntryLongArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t **value);
102
static enum TIFFReadDirEntryErr
103
TIFFReadDirEntrySlongArray(TIFF *tif, TIFFDirEntry *direntry, int32_t **value);
104
static enum TIFFReadDirEntryErr
105
TIFFReadDirEntryLong8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value);
106
static enum TIFFReadDirEntryErr
107
TIFFReadDirEntrySlong8Array(TIFF *tif, TIFFDirEntry *direntry, int64_t **value);
108
static enum TIFFReadDirEntryErr
109
TIFFReadDirEntryFloatArray(TIFF *tif, TIFFDirEntry *direntry, float **value);
110
static enum TIFFReadDirEntryErr
111
TIFFReadDirEntryDoubleArray(TIFF *tif, TIFFDirEntry *direntry, double **value);
112
static enum TIFFReadDirEntryErr
113
TIFFReadDirEntryIfd8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value);
114
115
static enum TIFFReadDirEntryErr
116
TIFFReadDirEntryPersampleShort(TIFF *tif, TIFFDirEntry *direntry,
117
                               uint16_t *value);
118
119
static void TIFFReadDirEntryCheckedByte(TIFF *tif, TIFFDirEntry *direntry,
120
                                        uint8_t *value);
121
static void TIFFReadDirEntryCheckedSbyte(TIFF *tif, TIFFDirEntry *direntry,
122
                                         int8_t *value);
123
static void TIFFReadDirEntryCheckedShort(TIFF *tif, TIFFDirEntry *direntry,
124
                                         uint16_t *value);
125
static void TIFFReadDirEntryCheckedSshort(TIFF *tif, TIFFDirEntry *direntry,
126
                                          int16_t *value);
127
static void TIFFReadDirEntryCheckedLong(TIFF *tif, TIFFDirEntry *direntry,
128
                                        uint32_t *value);
129
static void TIFFReadDirEntryCheckedSlong(TIFF *tif, TIFFDirEntry *direntry,
130
                                         int32_t *value);
131
static enum TIFFReadDirEntryErr
132
TIFFReadDirEntryCheckedLong8(TIFF *tif, TIFFDirEntry *direntry,
133
                             uint64_t *value);
134
static enum TIFFReadDirEntryErr
135
TIFFReadDirEntryCheckedSlong8(TIFF *tif, TIFFDirEntry *direntry,
136
                              int64_t *value);
137
static enum TIFFReadDirEntryErr
138
TIFFReadDirEntryCheckedRational(TIFF *tif, TIFFDirEntry *direntry,
139
                                double *value);
140
static enum TIFFReadDirEntryErr
141
TIFFReadDirEntryCheckedSrational(TIFF *tif, TIFFDirEntry *direntry,
142
                                 double *value);
143
static void TIFFReadDirEntryCheckedFloat(TIFF *tif, TIFFDirEntry *direntry,
144
                                         float *value);
145
static enum TIFFReadDirEntryErr
146
TIFFReadDirEntryCheckedDouble(TIFF *tif, TIFFDirEntry *direntry, double *value);
147
#if 0
148
static enum TIFFReadDirEntryErr
149
TIFFReadDirEntryCheckedRationalDirect(TIFF *tif, TIFFDirEntry *direntry,
150
                                      TIFFRational_t *value);
151
#endif
152
static enum TIFFReadDirEntryErr
153
TIFFReadDirEntryCheckRangeByteSbyte(int8_t value);
154
static enum TIFFReadDirEntryErr
155
TIFFReadDirEntryCheckRangeByteShort(uint16_t value);
156
static enum TIFFReadDirEntryErr
157
TIFFReadDirEntryCheckRangeByteSshort(int16_t value);
158
static enum TIFFReadDirEntryErr
159
TIFFReadDirEntryCheckRangeByteLong(uint32_t value);
160
static enum TIFFReadDirEntryErr
161
TIFFReadDirEntryCheckRangeByteSlong(int32_t value);
162
static enum TIFFReadDirEntryErr
163
TIFFReadDirEntryCheckRangeByteLong8(uint64_t value);
164
static enum TIFFReadDirEntryErr
165
TIFFReadDirEntryCheckRangeByteSlong8(int64_t value);
166
167
static enum TIFFReadDirEntryErr
168
TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value);
169
static enum TIFFReadDirEntryErr
170
TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value);
171
static enum TIFFReadDirEntryErr
172
TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value);
173
static enum TIFFReadDirEntryErr
174
TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value);
175
static enum TIFFReadDirEntryErr
176
TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value);
177
static enum TIFFReadDirEntryErr
178
TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value);
179
static enum TIFFReadDirEntryErr
180
TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value);
181
182
static enum TIFFReadDirEntryErr
183
TIFFReadDirEntryCheckRangeShortSbyte(int8_t value);
184
static enum TIFFReadDirEntryErr
185
TIFFReadDirEntryCheckRangeShortSshort(int16_t value);
186
static enum TIFFReadDirEntryErr
187
TIFFReadDirEntryCheckRangeShortLong(uint32_t value);
188
static enum TIFFReadDirEntryErr
189
TIFFReadDirEntryCheckRangeShortSlong(int32_t value);
190
static enum TIFFReadDirEntryErr
191
TIFFReadDirEntryCheckRangeShortLong8(uint64_t value);
192
static enum TIFFReadDirEntryErr
193
TIFFReadDirEntryCheckRangeShortSlong8(int64_t value);
194
195
static enum TIFFReadDirEntryErr
196
TIFFReadDirEntryCheckRangeSshortShort(uint16_t value);
197
static enum TIFFReadDirEntryErr
198
TIFFReadDirEntryCheckRangeSshortLong(uint32_t value);
199
static enum TIFFReadDirEntryErr
200
TIFFReadDirEntryCheckRangeSshortSlong(int32_t value);
201
static enum TIFFReadDirEntryErr
202
TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value);
203
static enum TIFFReadDirEntryErr
204
TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value);
205
206
static enum TIFFReadDirEntryErr
207
TIFFReadDirEntryCheckRangeLongSbyte(int8_t value);
208
static enum TIFFReadDirEntryErr
209
TIFFReadDirEntryCheckRangeLongSshort(int16_t value);
210
static enum TIFFReadDirEntryErr
211
TIFFReadDirEntryCheckRangeLongSlong(int32_t value);
212
static enum TIFFReadDirEntryErr
213
TIFFReadDirEntryCheckRangeLongLong8(uint64_t value);
214
static enum TIFFReadDirEntryErr
215
TIFFReadDirEntryCheckRangeLongSlong8(int64_t value);
216
217
static enum TIFFReadDirEntryErr
218
TIFFReadDirEntryCheckRangeSlongLong(uint32_t value);
219
static enum TIFFReadDirEntryErr
220
TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value);
221
static enum TIFFReadDirEntryErr
222
TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value);
223
224
static enum TIFFReadDirEntryErr
225
TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value);
226
static enum TIFFReadDirEntryErr
227
TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value);
228
static enum TIFFReadDirEntryErr
229
TIFFReadDirEntryCheckRangeLong8Slong(int32_t value);
230
static enum TIFFReadDirEntryErr
231
TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value);
232
233
static enum TIFFReadDirEntryErr
234
TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value);
235
236
static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF *tif, uint64_t offset,
237
                                                     tmsize_t size, void *dest);
238
static void TIFFReadDirEntryOutputErr(TIFF *tif, enum TIFFReadDirEntryErr err,
239
                                      const char *module, const char *tagname,
240
                                      int recover);
241
242
static void TIFFReadDirectoryCheckOrder(TIFF *tif, TIFFDirEntry *dir,
243
                                        uint16_t dircount);
244
static TIFFDirEntry *TIFFReadDirectoryFindEntry(TIFF *tif, TIFFDirEntry *dir,
245
                                                uint16_t dircount,
246
                                                uint16_t tagid);
247
static void TIFFReadDirectoryFindFieldInfo(TIFF *tif, uint16_t tagid,
248
                                           uint32_t *fii);
249
250
static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
251
                                   uint16_t dircount);
252
static void MissingRequired(TIFF *, const char *);
253
static int CheckDirCount(TIFF *, TIFFDirEntry *, uint32_t);
254
static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
255
                                   TIFFDirEntry **pdir, uint64_t *nextdiroff);
256
static int TIFFFetchNormalTag(TIFF *, TIFFDirEntry *, int recover);
257
static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
258
                               uint64_t **lpp);
259
static int TIFFFetchSubjectDistance(TIFF *, TIFFDirEntry *);
260
static void ChopUpSingleUncompressedStrip(TIFF *);
261
static void TryChopUpUncompressedBigTiff(TIFF *);
262
static uint64_t TIFFReadUInt64(const uint8_t *value);
263
static int _TIFFGetMaxColorChannels(uint16_t photometric);
264
265
static int _TIFFFillStrilesInternal(TIFF *tif, int loadStripByteCount);
266
267
typedef union _UInt64Aligned_t
268
{
269
    double d;
270
    uint64_t l;
271
    uint32_t i[2];
272
    uint16_t s[4];
273
    uint8_t c[8];
274
} UInt64Aligned_t;
275
276
/*
277
  Unaligned safe copy of a uint64_t value from an octet array.
278
*/
279
static uint64_t TIFFReadUInt64(const uint8_t *value)
280
0
{
281
0
    UInt64Aligned_t result;
282
283
0
    result.c[0] = value[0];
284
0
    result.c[1] = value[1];
285
0
    result.c[2] = value[2];
286
0
    result.c[3] = value[3];
287
0
    result.c[4] = value[4];
288
0
    result.c[5] = value[5];
289
0
    result.c[6] = value[6];
290
0
    result.c[7] = value[7];
291
292
0
    return result.l;
293
0
}
294
295
static enum TIFFReadDirEntryErr
296
TIFFReadDirEntryByte(TIFF *tif, TIFFDirEntry *direntry, uint8_t *value)
297
0
{
298
0
    enum TIFFReadDirEntryErr err;
299
0
    if (direntry->tdir_count != 1)
300
0
        return (TIFFReadDirEntryErrCount);
301
0
    switch (direntry->tdir_type)
302
0
    {
303
0
        case TIFF_BYTE:
304
0
        case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with
305
                                field_readcount==1 */
306
0
            TIFFReadDirEntryCheckedByte(tif, direntry, value);
307
0
            return (TIFFReadDirEntryErrOk);
308
0
        case TIFF_SBYTE:
309
0
        {
310
0
            int8_t m;
311
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
312
0
            err = TIFFReadDirEntryCheckRangeByteSbyte(m);
313
0
            if (err != TIFFReadDirEntryErrOk)
314
0
                return (err);
315
0
            *value = (uint8_t)m;
316
0
            return (TIFFReadDirEntryErrOk);
317
0
        }
318
0
        case TIFF_SHORT:
319
0
        {
320
0
            uint16_t m;
321
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
322
0
            err = TIFFReadDirEntryCheckRangeByteShort(m);
323
0
            if (err != TIFFReadDirEntryErrOk)
324
0
                return (err);
325
0
            *value = (uint8_t)m;
326
0
            return (TIFFReadDirEntryErrOk);
327
0
        }
328
0
        case TIFF_SSHORT:
329
0
        {
330
0
            int16_t m;
331
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
332
0
            err = TIFFReadDirEntryCheckRangeByteSshort(m);
333
0
            if (err != TIFFReadDirEntryErrOk)
334
0
                return (err);
335
0
            *value = (uint8_t)m;
336
0
            return (TIFFReadDirEntryErrOk);
337
0
        }
338
0
        case TIFF_LONG:
339
0
        {
340
0
            uint32_t m;
341
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
342
0
            err = TIFFReadDirEntryCheckRangeByteLong(m);
343
0
            if (err != TIFFReadDirEntryErrOk)
344
0
                return (err);
345
0
            *value = (uint8_t)m;
346
0
            return (TIFFReadDirEntryErrOk);
347
0
        }
348
0
        case TIFF_SLONG:
349
0
        {
350
0
            int32_t m;
351
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
352
0
            err = TIFFReadDirEntryCheckRangeByteSlong(m);
353
0
            if (err != TIFFReadDirEntryErrOk)
354
0
                return (err);
355
0
            *value = (uint8_t)m;
356
0
            return (TIFFReadDirEntryErrOk);
357
0
        }
358
0
        case TIFF_LONG8:
359
0
        {
360
0
            uint64_t m;
361
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
362
0
            if (err != TIFFReadDirEntryErrOk)
363
0
                return (err);
364
0
            err = TIFFReadDirEntryCheckRangeByteLong8(m);
365
0
            if (err != TIFFReadDirEntryErrOk)
366
0
                return (err);
367
0
            *value = (uint8_t)m;
368
0
            return (TIFFReadDirEntryErrOk);
369
0
        }
370
0
        case TIFF_SLONG8:
371
0
        {
372
0
            int64_t m;
373
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
374
0
            if (err != TIFFReadDirEntryErrOk)
375
0
                return (err);
376
0
            err = TIFFReadDirEntryCheckRangeByteSlong8(m);
377
0
            if (err != TIFFReadDirEntryErrOk)
378
0
                return (err);
379
0
            *value = (uint8_t)m;
380
0
            return (TIFFReadDirEntryErrOk);
381
0
        }
382
0
        default:
383
0
            return (TIFFReadDirEntryErrType);
384
0
    }
385
0
}
386
387
static enum TIFFReadDirEntryErr
388
TIFFReadDirEntrySbyte(TIFF *tif, TIFFDirEntry *direntry, int8_t *value)
389
0
{
390
0
    enum TIFFReadDirEntryErr err;
391
0
    if (direntry->tdir_count != 1)
392
0
        return (TIFFReadDirEntryErrCount);
393
0
    switch (direntry->tdir_type)
394
0
    {
395
0
        case TIFF_BYTE:
396
0
        case TIFF_UNDEFINED: /* Support to read TIFF_UNDEFINED with
397
                                field_readcount==1 */
398
0
        {
399
0
            uint8_t m;
400
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
401
0
            err = TIFFReadDirEntryCheckRangeSbyteByte(m);
402
0
            if (err != TIFFReadDirEntryErrOk)
403
0
                return (err);
404
0
            *value = (int8_t)m;
405
0
            return (TIFFReadDirEntryErrOk);
406
0
        }
407
0
        case TIFF_SBYTE:
408
0
        {
409
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, value);
410
0
            return (TIFFReadDirEntryErrOk);
411
0
        }
412
0
        case TIFF_SHORT:
413
0
        {
414
0
            uint16_t m;
415
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
416
0
            err = TIFFReadDirEntryCheckRangeSbyteShort(m);
417
0
            if (err != TIFFReadDirEntryErrOk)
418
0
                return (err);
419
0
            *value = (int8_t)m;
420
0
            return (TIFFReadDirEntryErrOk);
421
0
        }
422
0
        case TIFF_SSHORT:
423
0
        {
424
0
            int16_t m;
425
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
426
0
            err = TIFFReadDirEntryCheckRangeSbyteSshort(m);
427
0
            if (err != TIFFReadDirEntryErrOk)
428
0
                return (err);
429
0
            *value = (int8_t)m;
430
0
            return (TIFFReadDirEntryErrOk);
431
0
        }
432
0
        case TIFF_LONG:
433
0
        {
434
0
            uint32_t m;
435
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
436
0
            err = TIFFReadDirEntryCheckRangeSbyteLong(m);
437
0
            if (err != TIFFReadDirEntryErrOk)
438
0
                return (err);
439
0
            *value = (int8_t)m;
440
0
            return (TIFFReadDirEntryErrOk);
441
0
        }
442
0
        case TIFF_SLONG:
443
0
        {
444
0
            int32_t m;
445
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
446
0
            err = TIFFReadDirEntryCheckRangeSbyteSlong(m);
447
0
            if (err != TIFFReadDirEntryErrOk)
448
0
                return (err);
449
0
            *value = (int8_t)m;
450
0
            return (TIFFReadDirEntryErrOk);
451
0
        }
452
0
        case TIFF_LONG8:
453
0
        {
454
0
            uint64_t m;
455
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
456
0
            if (err != TIFFReadDirEntryErrOk)
457
0
                return (err);
458
0
            err = TIFFReadDirEntryCheckRangeSbyteLong8(m);
459
0
            if (err != TIFFReadDirEntryErrOk)
460
0
                return (err);
461
0
            *value = (int8_t)m;
462
0
            return (TIFFReadDirEntryErrOk);
463
0
        }
464
0
        case TIFF_SLONG8:
465
0
        {
466
0
            int64_t m;
467
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
468
0
            if (err != TIFFReadDirEntryErrOk)
469
0
                return (err);
470
0
            err = TIFFReadDirEntryCheckRangeSbyteSlong8(m);
471
0
            if (err != TIFFReadDirEntryErrOk)
472
0
                return (err);
473
0
            *value = (int8_t)m;
474
0
            return (TIFFReadDirEntryErrOk);
475
0
        }
476
0
        default:
477
0
            return (TIFFReadDirEntryErrType);
478
0
    }
479
0
} /*-- TIFFReadDirEntrySbyte() --*/
480
481
static enum TIFFReadDirEntryErr
482
TIFFReadDirEntryShort(TIFF *tif, TIFFDirEntry *direntry, uint16_t *value)
483
69.2k
{
484
69.2k
    enum TIFFReadDirEntryErr err;
485
69.2k
    if (direntry->tdir_count != 1)
486
0
        return (TIFFReadDirEntryErrCount);
487
69.2k
    switch (direntry->tdir_type)
488
69.2k
    {
489
0
        case TIFF_BYTE:
490
0
        {
491
0
            uint8_t m;
492
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
493
0
            *value = (uint16_t)m;
494
0
            return (TIFFReadDirEntryErrOk);
495
0
        }
496
0
        case TIFF_SBYTE:
497
0
        {
498
0
            int8_t m;
499
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
500
0
            err = TIFFReadDirEntryCheckRangeShortSbyte(m);
501
0
            if (err != TIFFReadDirEntryErrOk)
502
0
                return (err);
503
0
            *value = (uint16_t)m;
504
0
            return (TIFFReadDirEntryErrOk);
505
0
        }
506
69.2k
        case TIFF_SHORT:
507
69.2k
            TIFFReadDirEntryCheckedShort(tif, direntry, value);
508
69.2k
            return (TIFFReadDirEntryErrOk);
509
0
        case TIFF_SSHORT:
510
0
        {
511
0
            int16_t m;
512
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
513
0
            err = TIFFReadDirEntryCheckRangeShortSshort(m);
514
0
            if (err != TIFFReadDirEntryErrOk)
515
0
                return (err);
516
0
            *value = (uint16_t)m;
517
0
            return (TIFFReadDirEntryErrOk);
518
0
        }
519
0
        case TIFF_LONG:
520
0
        {
521
0
            uint32_t m;
522
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
523
0
            err = TIFFReadDirEntryCheckRangeShortLong(m);
524
0
            if (err != TIFFReadDirEntryErrOk)
525
0
                return (err);
526
0
            *value = (uint16_t)m;
527
0
            return (TIFFReadDirEntryErrOk);
528
0
        }
529
0
        case TIFF_SLONG:
530
0
        {
531
0
            int32_t m;
532
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
533
0
            err = TIFFReadDirEntryCheckRangeShortSlong(m);
534
0
            if (err != TIFFReadDirEntryErrOk)
535
0
                return (err);
536
0
            *value = (uint16_t)m;
537
0
            return (TIFFReadDirEntryErrOk);
538
0
        }
539
0
        case TIFF_LONG8:
540
0
        {
541
0
            uint64_t m;
542
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
543
0
            if (err != TIFFReadDirEntryErrOk)
544
0
                return (err);
545
0
            err = TIFFReadDirEntryCheckRangeShortLong8(m);
546
0
            if (err != TIFFReadDirEntryErrOk)
547
0
                return (err);
548
0
            *value = (uint16_t)m;
549
0
            return (TIFFReadDirEntryErrOk);
550
0
        }
551
0
        case TIFF_SLONG8:
552
0
        {
553
0
            int64_t m;
554
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
555
0
            if (err != TIFFReadDirEntryErrOk)
556
0
                return (err);
557
0
            err = TIFFReadDirEntryCheckRangeShortSlong8(m);
558
0
            if (err != TIFFReadDirEntryErrOk)
559
0
                return (err);
560
0
            *value = (uint16_t)m;
561
0
            return (TIFFReadDirEntryErrOk);
562
0
        }
563
0
        default:
564
0
            return (TIFFReadDirEntryErrType);
565
69.2k
    }
566
69.2k
} /*-- TIFFReadDirEntryShort() --*/
567
568
static enum TIFFReadDirEntryErr
569
TIFFReadDirEntrySshort(TIFF *tif, TIFFDirEntry *direntry, int16_t *value)
570
0
{
571
0
    enum TIFFReadDirEntryErr err;
572
0
    if (direntry->tdir_count != 1)
573
0
        return (TIFFReadDirEntryErrCount);
574
0
    switch (direntry->tdir_type)
575
0
    {
576
0
        case TIFF_BYTE:
577
0
        {
578
0
            uint8_t m;
579
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
580
0
            *value = (int16_t)m;
581
0
            return (TIFFReadDirEntryErrOk);
582
0
        }
583
0
        case TIFF_SBYTE:
584
0
        {
585
0
            int8_t m;
586
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
587
0
            *value = (int16_t)m;
588
0
            return (TIFFReadDirEntryErrOk);
589
0
        }
590
0
        case TIFF_SHORT:
591
0
        {
592
0
            uint16_t m;
593
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
594
0
            err = TIFFReadDirEntryCheckRangeSshortShort(m);
595
0
            if (err != TIFFReadDirEntryErrOk)
596
0
                return (err);
597
0
            *value = (uint16_t)m;
598
0
            return (TIFFReadDirEntryErrOk);
599
0
        }
600
0
        case TIFF_SSHORT:
601
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, value);
602
0
            return (TIFFReadDirEntryErrOk);
603
0
        case TIFF_LONG:
604
0
        {
605
0
            uint32_t m;
606
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
607
0
            err = TIFFReadDirEntryCheckRangeSshortLong(m);
608
0
            if (err != TIFFReadDirEntryErrOk)
609
0
                return (err);
610
0
            *value = (int16_t)m;
611
0
            return (TIFFReadDirEntryErrOk);
612
0
        }
613
0
        case TIFF_SLONG:
614
0
        {
615
0
            int32_t m;
616
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
617
0
            err = TIFFReadDirEntryCheckRangeSshortSlong(m);
618
0
            if (err != TIFFReadDirEntryErrOk)
619
0
                return (err);
620
0
            *value = (int16_t)m;
621
0
            return (TIFFReadDirEntryErrOk);
622
0
        }
623
0
        case TIFF_LONG8:
624
0
        {
625
0
            uint64_t m;
626
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
627
0
            if (err != TIFFReadDirEntryErrOk)
628
0
                return (err);
629
0
            err = TIFFReadDirEntryCheckRangeSshortLong8(m);
630
0
            if (err != TIFFReadDirEntryErrOk)
631
0
                return (err);
632
0
            *value = (int16_t)m;
633
0
            return (TIFFReadDirEntryErrOk);
634
0
        }
635
0
        case TIFF_SLONG8:
636
0
        {
637
0
            int64_t m;
638
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
639
0
            if (err != TIFFReadDirEntryErrOk)
640
0
                return (err);
641
0
            err = TIFFReadDirEntryCheckRangeSshortSlong8(m);
642
0
            if (err != TIFFReadDirEntryErrOk)
643
0
                return (err);
644
0
            *value = (int16_t)m;
645
0
            return (TIFFReadDirEntryErrOk);
646
0
        }
647
0
        default:
648
0
            return (TIFFReadDirEntryErrType);
649
0
    }
650
0
} /*-- TIFFReadDirEntrySshort() --*/
651
652
static enum TIFFReadDirEntryErr
653
TIFFReadDirEntryLong(TIFF *tif, TIFFDirEntry *direntry, uint32_t *value)
654
29.6k
{
655
29.6k
    enum TIFFReadDirEntryErr err;
656
29.6k
    if (direntry->tdir_count != 1)
657
0
        return (TIFFReadDirEntryErrCount);
658
29.6k
    switch (direntry->tdir_type)
659
29.6k
    {
660
0
        case TIFF_BYTE:
661
0
        {
662
0
            uint8_t m;
663
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
664
0
            *value = (uint32_t)m;
665
0
            return (TIFFReadDirEntryErrOk);
666
0
        }
667
0
        case TIFF_SBYTE:
668
0
        {
669
0
            int8_t m;
670
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
671
0
            err = TIFFReadDirEntryCheckRangeLongSbyte(m);
672
0
            if (err != TIFFReadDirEntryErrOk)
673
0
                return (err);
674
0
            *value = (uint32_t)m;
675
0
            return (TIFFReadDirEntryErrOk);
676
0
        }
677
29.6k
        case TIFF_SHORT:
678
29.6k
        {
679
29.6k
            uint16_t m;
680
29.6k
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
681
29.6k
            *value = (uint32_t)m;
682
29.6k
            return (TIFFReadDirEntryErrOk);
683
0
        }
684
0
        case TIFF_SSHORT:
685
0
        {
686
0
            int16_t m;
687
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
688
0
            err = TIFFReadDirEntryCheckRangeLongSshort(m);
689
0
            if (err != TIFFReadDirEntryErrOk)
690
0
                return (err);
691
0
            *value = (uint32_t)m;
692
0
            return (TIFFReadDirEntryErrOk);
693
0
        }
694
0
        case TIFF_LONG:
695
0
            TIFFReadDirEntryCheckedLong(tif, direntry, value);
696
0
            return (TIFFReadDirEntryErrOk);
697
0
        case TIFF_SLONG:
698
0
        {
699
0
            int32_t m;
700
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
701
0
            err = TIFFReadDirEntryCheckRangeLongSlong(m);
702
0
            if (err != TIFFReadDirEntryErrOk)
703
0
                return (err);
704
0
            *value = (uint32_t)m;
705
0
            return (TIFFReadDirEntryErrOk);
706
0
        }
707
0
        case TIFF_LONG8:
708
0
        {
709
0
            uint64_t m;
710
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
711
0
            if (err != TIFFReadDirEntryErrOk)
712
0
                return (err);
713
0
            err = TIFFReadDirEntryCheckRangeLongLong8(m);
714
0
            if (err != TIFFReadDirEntryErrOk)
715
0
                return (err);
716
0
            *value = (uint32_t)m;
717
0
            return (TIFFReadDirEntryErrOk);
718
0
        }
719
0
        case TIFF_SLONG8:
720
0
        {
721
0
            int64_t m;
722
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
723
0
            if (err != TIFFReadDirEntryErrOk)
724
0
                return (err);
725
0
            err = TIFFReadDirEntryCheckRangeLongSlong8(m);
726
0
            if (err != TIFFReadDirEntryErrOk)
727
0
                return (err);
728
0
            *value = (uint32_t)m;
729
0
            return (TIFFReadDirEntryErrOk);
730
0
        }
731
0
        default:
732
0
            return (TIFFReadDirEntryErrType);
733
29.6k
    }
734
29.6k
} /*-- TIFFReadDirEntryLong() --*/
735
736
static enum TIFFReadDirEntryErr
737
TIFFReadDirEntrySlong(TIFF *tif, TIFFDirEntry *direntry, int32_t *value)
738
0
{
739
0
    enum TIFFReadDirEntryErr err;
740
0
    if (direntry->tdir_count != 1)
741
0
        return (TIFFReadDirEntryErrCount);
742
0
    switch (direntry->tdir_type)
743
0
    {
744
0
        case TIFF_BYTE:
745
0
        {
746
0
            uint8_t m;
747
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
748
0
            *value = (int32_t)m;
749
0
            return (TIFFReadDirEntryErrOk);
750
0
        }
751
0
        case TIFF_SBYTE:
752
0
        {
753
0
            int8_t m;
754
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
755
0
            *value = (int32_t)m;
756
0
            return (TIFFReadDirEntryErrOk);
757
0
        }
758
0
        case TIFF_SHORT:
759
0
        {
760
0
            uint16_t m;
761
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
762
0
            *value = (int32_t)m;
763
0
            return (TIFFReadDirEntryErrOk);
764
0
        }
765
0
        case TIFF_SSHORT:
766
0
        {
767
0
            int16_t m;
768
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
769
0
            *value = (int32_t)m;
770
0
            return (TIFFReadDirEntryErrOk);
771
0
        }
772
0
        case TIFF_LONG:
773
0
        {
774
0
            uint32_t m;
775
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
776
0
            err = TIFFReadDirEntryCheckRangeSlongLong(m);
777
0
            if (err != TIFFReadDirEntryErrOk)
778
0
                return (err);
779
0
            *value = (int32_t)m;
780
0
            return (TIFFReadDirEntryErrOk);
781
0
        }
782
0
        case TIFF_SLONG:
783
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, value);
784
0
            return (TIFFReadDirEntryErrOk);
785
0
        case TIFF_LONG8:
786
0
        {
787
0
            uint64_t m;
788
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
789
0
            if (err != TIFFReadDirEntryErrOk)
790
0
                return (err);
791
0
            err = TIFFReadDirEntryCheckRangeSlongLong8(m);
792
0
            if (err != TIFFReadDirEntryErrOk)
793
0
                return (err);
794
0
            *value = (int32_t)m;
795
0
            return (TIFFReadDirEntryErrOk);
796
0
        }
797
0
        case TIFF_SLONG8:
798
0
        {
799
0
            int64_t m;
800
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
801
0
            if (err != TIFFReadDirEntryErrOk)
802
0
                return (err);
803
0
            err = TIFFReadDirEntryCheckRangeSlongSlong8(m);
804
0
            if (err != TIFFReadDirEntryErrOk)
805
0
                return (err);
806
0
            *value = (int32_t)m;
807
0
            return (TIFFReadDirEntryErrOk);
808
0
        }
809
0
        default:
810
0
            return (TIFFReadDirEntryErrType);
811
0
    }
812
0
} /*-- TIFFReadDirEntrySlong() --*/
813
814
static enum TIFFReadDirEntryErr
815
TIFFReadDirEntryLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
816
0
{
817
0
    enum TIFFReadDirEntryErr err;
818
0
    if (direntry->tdir_count != 1)
819
0
        return (TIFFReadDirEntryErrCount);
820
0
    switch (direntry->tdir_type)
821
0
    {
822
0
        case TIFF_BYTE:
823
0
        {
824
0
            uint8_t m;
825
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
826
0
            *value = (uint64_t)m;
827
0
            return (TIFFReadDirEntryErrOk);
828
0
        }
829
0
        case TIFF_SBYTE:
830
0
        {
831
0
            int8_t m;
832
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
833
0
            err = TIFFReadDirEntryCheckRangeLong8Sbyte(m);
834
0
            if (err != TIFFReadDirEntryErrOk)
835
0
                return (err);
836
0
            *value = (uint64_t)m;
837
0
            return (TIFFReadDirEntryErrOk);
838
0
        }
839
0
        case TIFF_SHORT:
840
0
        {
841
0
            uint16_t m;
842
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
843
0
            *value = (uint64_t)m;
844
0
            return (TIFFReadDirEntryErrOk);
845
0
        }
846
0
        case TIFF_SSHORT:
847
0
        {
848
0
            int16_t m;
849
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
850
0
            err = TIFFReadDirEntryCheckRangeLong8Sshort(m);
851
0
            if (err != TIFFReadDirEntryErrOk)
852
0
                return (err);
853
0
            *value = (uint64_t)m;
854
0
            return (TIFFReadDirEntryErrOk);
855
0
        }
856
0
        case TIFF_LONG:
857
0
        {
858
0
            uint32_t m;
859
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
860
0
            *value = (uint64_t)m;
861
0
            return (TIFFReadDirEntryErrOk);
862
0
        }
863
0
        case TIFF_SLONG:
864
0
        {
865
0
            int32_t m;
866
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
867
0
            err = TIFFReadDirEntryCheckRangeLong8Slong(m);
868
0
            if (err != TIFFReadDirEntryErrOk)
869
0
                return (err);
870
0
            *value = (uint64_t)m;
871
0
            return (TIFFReadDirEntryErrOk);
872
0
        }
873
0
        case TIFF_LONG8:
874
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, value);
875
0
            return (err);
876
0
        case TIFF_SLONG8:
877
0
        {
878
0
            int64_t m;
879
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
880
0
            if (err != TIFFReadDirEntryErrOk)
881
0
                return (err);
882
0
            err = TIFFReadDirEntryCheckRangeLong8Slong8(m);
883
0
            if (err != TIFFReadDirEntryErrOk)
884
0
                return (err);
885
0
            *value = (uint64_t)m;
886
0
            return (TIFFReadDirEntryErrOk);
887
0
        }
888
0
        default:
889
0
            return (TIFFReadDirEntryErrType);
890
0
    }
891
0
} /*-- TIFFReadDirEntryLong8() --*/
892
893
static enum TIFFReadDirEntryErr
894
TIFFReadDirEntrySlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value)
895
0
{
896
0
    enum TIFFReadDirEntryErr err;
897
0
    if (direntry->tdir_count != 1)
898
0
        return (TIFFReadDirEntryErrCount);
899
0
    switch (direntry->tdir_type)
900
0
    {
901
0
        case TIFF_BYTE:
902
0
        {
903
0
            uint8_t m;
904
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
905
0
            *value = (int64_t)m;
906
0
            return (TIFFReadDirEntryErrOk);
907
0
        }
908
0
        case TIFF_SBYTE:
909
0
        {
910
0
            int8_t m;
911
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
912
0
            *value = (int64_t)m;
913
0
            return (TIFFReadDirEntryErrOk);
914
0
        }
915
0
        case TIFF_SHORT:
916
0
        {
917
0
            uint16_t m;
918
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
919
0
            *value = (int64_t)m;
920
0
            return (TIFFReadDirEntryErrOk);
921
0
        }
922
0
        case TIFF_SSHORT:
923
0
        {
924
0
            int16_t m;
925
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
926
0
            *value = (int64_t)m;
927
0
            return (TIFFReadDirEntryErrOk);
928
0
        }
929
0
        case TIFF_LONG:
930
0
        {
931
0
            uint32_t m;
932
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
933
0
            *value = (int64_t)m;
934
0
            return (TIFFReadDirEntryErrOk);
935
0
        }
936
0
        case TIFF_SLONG:
937
0
        {
938
0
            int32_t m;
939
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
940
0
            *value = (int64_t)m;
941
0
            return (TIFFReadDirEntryErrOk);
942
0
        }
943
0
        case TIFF_LONG8:
944
0
        {
945
0
            uint64_t m;
946
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
947
0
            if (err != TIFFReadDirEntryErrOk)
948
0
                return (err);
949
0
            err = TIFFReadDirEntryCheckRangeSlong8Long8(m);
950
0
            if (err != TIFFReadDirEntryErrOk)
951
0
                return (err);
952
0
            *value = (int64_t)m;
953
0
            return (TIFFReadDirEntryErrOk);
954
0
        }
955
0
        case TIFF_SLONG8:
956
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, value);
957
0
            return (err);
958
0
        default:
959
0
            return (TIFFReadDirEntryErrType);
960
0
    }
961
0
} /*-- TIFFReadDirEntrySlong8() --*/
962
963
static enum TIFFReadDirEntryErr
964
TIFFReadDirEntryFloat(TIFF *tif, TIFFDirEntry *direntry, float *value)
965
19.7k
{
966
19.7k
    enum TIFFReadDirEntryErr err;
967
19.7k
    if (direntry->tdir_count != 1)
968
0
        return (TIFFReadDirEntryErrCount);
969
19.7k
    switch (direntry->tdir_type)
970
19.7k
    {
971
0
        case TIFF_BYTE:
972
0
        {
973
0
            uint8_t m;
974
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
975
0
            *value = (float)m;
976
0
            return (TIFFReadDirEntryErrOk);
977
0
        }
978
0
        case TIFF_SBYTE:
979
0
        {
980
0
            int8_t m;
981
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
982
0
            *value = (float)m;
983
0
            return (TIFFReadDirEntryErrOk);
984
0
        }
985
0
        case TIFF_SHORT:
986
0
        {
987
0
            uint16_t m;
988
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
989
0
            *value = (float)m;
990
0
            return (TIFFReadDirEntryErrOk);
991
0
        }
992
0
        case TIFF_SSHORT:
993
0
        {
994
0
            int16_t m;
995
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
996
0
            *value = (float)m;
997
0
            return (TIFFReadDirEntryErrOk);
998
0
        }
999
0
        case TIFF_LONG:
1000
0
        {
1001
0
            uint32_t m;
1002
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1003
0
            *value = (float)m;
1004
0
            return (TIFFReadDirEntryErrOk);
1005
0
        }
1006
0
        case TIFF_SLONG:
1007
0
        {
1008
0
            int32_t m;
1009
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
1010
0
            *value = (float)m;
1011
0
            return (TIFFReadDirEntryErrOk);
1012
0
        }
1013
0
        case TIFF_LONG8:
1014
0
        {
1015
0
            uint64_t m;
1016
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
1017
0
            if (err != TIFFReadDirEntryErrOk)
1018
0
                return (err);
1019
0
            *value = (float)m;
1020
0
            return (TIFFReadDirEntryErrOk);
1021
0
        }
1022
0
        case TIFF_SLONG8:
1023
0
        {
1024
0
            int64_t m;
1025
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
1026
0
            if (err != TIFFReadDirEntryErrOk)
1027
0
                return (err);
1028
0
            *value = (float)m;
1029
0
            return (TIFFReadDirEntryErrOk);
1030
0
        }
1031
19.7k
        case TIFF_RATIONAL:
1032
19.7k
        {
1033
19.7k
            double m;
1034
19.7k
            err = TIFFReadDirEntryCheckedRational(tif, direntry, &m);
1035
19.7k
            if (err != TIFFReadDirEntryErrOk)
1036
0
                return (err);
1037
19.7k
            *value = (float)m;
1038
19.7k
            return (TIFFReadDirEntryErrOk);
1039
19.7k
        }
1040
0
        case TIFF_SRATIONAL:
1041
0
        {
1042
0
            double m;
1043
0
            err = TIFFReadDirEntryCheckedSrational(tif, direntry, &m);
1044
0
            if (err != TIFFReadDirEntryErrOk)
1045
0
                return (err);
1046
0
            *value = (float)m;
1047
0
            return (TIFFReadDirEntryErrOk);
1048
0
        }
1049
0
        case TIFF_FLOAT:
1050
0
            TIFFReadDirEntryCheckedFloat(tif, direntry, value);
1051
0
            return (TIFFReadDirEntryErrOk);
1052
0
        case TIFF_DOUBLE:
1053
0
        {
1054
0
            double m;
1055
0
            err = TIFFReadDirEntryCheckedDouble(tif, direntry, &m);
1056
0
            if (err != TIFFReadDirEntryErrOk)
1057
0
                return (err);
1058
0
            if ((m > FLT_MAX) || (m < -FLT_MAX))
1059
0
                return (TIFFReadDirEntryErrRange);
1060
0
            *value = (float)m;
1061
0
            return (TIFFReadDirEntryErrOk);
1062
0
        }
1063
0
        default:
1064
0
            return (TIFFReadDirEntryErrType);
1065
19.7k
    }
1066
19.7k
}
1067
1068
static enum TIFFReadDirEntryErr
1069
TIFFReadDirEntryDouble(TIFF *tif, TIFFDirEntry *direntry, double *value)
1070
0
{
1071
0
    enum TIFFReadDirEntryErr err;
1072
0
    if (direntry->tdir_count != 1)
1073
0
        return (TIFFReadDirEntryErrCount);
1074
0
    switch (direntry->tdir_type)
1075
0
    {
1076
0
        case TIFF_BYTE:
1077
0
        {
1078
0
            uint8_t m;
1079
0
            TIFFReadDirEntryCheckedByte(tif, direntry, &m);
1080
0
            *value = (double)m;
1081
0
            return (TIFFReadDirEntryErrOk);
1082
0
        }
1083
0
        case TIFF_SBYTE:
1084
0
        {
1085
0
            int8_t m;
1086
0
            TIFFReadDirEntryCheckedSbyte(tif, direntry, &m);
1087
0
            *value = (double)m;
1088
0
            return (TIFFReadDirEntryErrOk);
1089
0
        }
1090
0
        case TIFF_SHORT:
1091
0
        {
1092
0
            uint16_t m;
1093
0
            TIFFReadDirEntryCheckedShort(tif, direntry, &m);
1094
0
            *value = (double)m;
1095
0
            return (TIFFReadDirEntryErrOk);
1096
0
        }
1097
0
        case TIFF_SSHORT:
1098
0
        {
1099
0
            int16_t m;
1100
0
            TIFFReadDirEntryCheckedSshort(tif, direntry, &m);
1101
0
            *value = (double)m;
1102
0
            return (TIFFReadDirEntryErrOk);
1103
0
        }
1104
0
        case TIFF_LONG:
1105
0
        {
1106
0
            uint32_t m;
1107
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1108
0
            *value = (double)m;
1109
0
            return (TIFFReadDirEntryErrOk);
1110
0
        }
1111
0
        case TIFF_SLONG:
1112
0
        {
1113
0
            int32_t m;
1114
0
            TIFFReadDirEntryCheckedSlong(tif, direntry, &m);
1115
0
            *value = (double)m;
1116
0
            return (TIFFReadDirEntryErrOk);
1117
0
        }
1118
0
        case TIFF_LONG8:
1119
0
        {
1120
0
            uint64_t m;
1121
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, &m);
1122
0
            if (err != TIFFReadDirEntryErrOk)
1123
0
                return (err);
1124
0
            *value = (double)m;
1125
0
            return (TIFFReadDirEntryErrOk);
1126
0
        }
1127
0
        case TIFF_SLONG8:
1128
0
        {
1129
0
            int64_t m;
1130
0
            err = TIFFReadDirEntryCheckedSlong8(tif, direntry, &m);
1131
0
            if (err != TIFFReadDirEntryErrOk)
1132
0
                return (err);
1133
0
            *value = (double)m;
1134
0
            return (TIFFReadDirEntryErrOk);
1135
0
        }
1136
0
        case TIFF_RATIONAL:
1137
0
            err = TIFFReadDirEntryCheckedRational(tif, direntry, value);
1138
0
            return (err);
1139
0
        case TIFF_SRATIONAL:
1140
0
            err = TIFFReadDirEntryCheckedSrational(tif, direntry, value);
1141
0
            return (err);
1142
0
        case TIFF_FLOAT:
1143
0
        {
1144
0
            float m;
1145
0
            TIFFReadDirEntryCheckedFloat(tif, direntry, &m);
1146
0
            *value = (double)m;
1147
0
            return (TIFFReadDirEntryErrOk);
1148
0
        }
1149
0
        case TIFF_DOUBLE:
1150
0
            err = TIFFReadDirEntryCheckedDouble(tif, direntry, value);
1151
0
            return (err);
1152
0
        default:
1153
0
            return (TIFFReadDirEntryErrType);
1154
0
    }
1155
0
}
1156
1157
static enum TIFFReadDirEntryErr
1158
TIFFReadDirEntryIfd8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
1159
0
{
1160
0
    enum TIFFReadDirEntryErr err;
1161
0
    if (direntry->tdir_count != 1)
1162
0
        return (TIFFReadDirEntryErrCount);
1163
0
    switch (direntry->tdir_type)
1164
0
    {
1165
0
        case TIFF_LONG:
1166
0
        case TIFF_IFD:
1167
0
        {
1168
0
            uint32_t m;
1169
0
            TIFFReadDirEntryCheckedLong(tif, direntry, &m);
1170
0
            *value = (uint64_t)m;
1171
0
            return (TIFFReadDirEntryErrOk);
1172
0
        }
1173
0
        case TIFF_LONG8:
1174
0
        case TIFF_IFD8:
1175
0
            err = TIFFReadDirEntryCheckedLong8(tif, direntry, value);
1176
0
            return (err);
1177
0
        default:
1178
0
            return (TIFFReadDirEntryErrType);
1179
0
    }
1180
0
}
1181
1182
0
#define INITIAL_THRESHOLD (1024 * 1024)
1183
0
#define THRESHOLD_MULTIPLIER 10
1184
#define MAX_THRESHOLD                                                          \
1185
0
    (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER *      \
1186
0
     INITIAL_THRESHOLD)
1187
1188
static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(TIFF *tif,
1189
                                                               uint64_t offset,
1190
                                                               tmsize_t size,
1191
                                                               void **pdest)
1192
0
{
1193
0
#if SIZEOF_SIZE_T == 8
1194
0
    tmsize_t threshold = INITIAL_THRESHOLD;
1195
0
#endif
1196
0
    tmsize_t already_read = 0;
1197
1198
0
    assert(!isMapped(tif));
1199
1200
0
    if (!SeekOK(tif, offset))
1201
0
        return (TIFFReadDirEntryErrIo);
1202
1203
    /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
1204
    /* so as to avoid allocating too much memory in case the file is too */
1205
    /* short. We could ask for the file size, but this might be */
1206
    /* expensive with some I/O layers (think of reading a gzipped file) */
1207
    /* Restrict to 64 bit processes, so as to avoid reallocs() */
1208
    /* on 32 bit processes where virtual memory is scarce.  */
1209
0
    while (already_read < size)
1210
0
    {
1211
0
        void *new_dest;
1212
0
        tmsize_t bytes_read;
1213
0
        tmsize_t to_read = size - already_read;
1214
0
#if SIZEOF_SIZE_T == 8
1215
0
        if (to_read >= threshold && threshold < MAX_THRESHOLD)
1216
0
        {
1217
0
            to_read = threshold;
1218
0
            threshold *= THRESHOLD_MULTIPLIER;
1219
0
        }
1220
0
#endif
1221
1222
0
        new_dest =
1223
0
            (uint8_t *)_TIFFreallocExt(tif, *pdest, already_read + to_read);
1224
0
        if (new_dest == NULL)
1225
0
        {
1226
0
            TIFFErrorExtR(tif, tif->tif_name,
1227
0
                          "Failed to allocate memory for %s "
1228
0
                          "(%" TIFF_SSIZE_FORMAT
1229
0
                          " elements of %" TIFF_SSIZE_FORMAT " bytes each)",
1230
0
                          "TIFFReadDirEntryArray", (tmsize_t)1,
1231
0
                          already_read + to_read);
1232
0
            return TIFFReadDirEntryErrAlloc;
1233
0
        }
1234
0
        *pdest = new_dest;
1235
1236
0
        bytes_read = TIFFReadFile(tif, (char *)*pdest + already_read, to_read);
1237
0
        already_read += bytes_read;
1238
0
        if (bytes_read != to_read)
1239
0
        {
1240
0
            return TIFFReadDirEntryErrIo;
1241
0
        }
1242
0
    }
1243
0
    return TIFFReadDirEntryErrOk;
1244
0
}
1245
1246
/* Caution: if raising that value, make sure int32 / uint32 overflows can't
1247
 * occur elsewhere */
1248
39.5k
#define MAX_SIZE_TAG_DATA 2147483647U
1249
1250
static enum TIFFReadDirEntryErr
1251
TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
1252
                               uint32_t *count, uint32_t desttypesize,
1253
                               void **value, uint64_t maxcount)
1254
19.7k
{
1255
19.7k
    int typesize;
1256
19.7k
    uint32_t datasize;
1257
19.7k
    void *data;
1258
19.7k
    uint64_t target_count64;
1259
19.7k
    int original_datasize_clamped;
1260
19.7k
    typesize = TIFFDataWidth(direntry->tdir_type);
1261
1262
19.7k
    target_count64 =
1263
19.7k
        (direntry->tdir_count > maxcount) ? maxcount : direntry->tdir_count;
1264
1265
19.7k
    if ((target_count64 == 0) || (typesize == 0))
1266
0
    {
1267
0
        *value = 0;
1268
0
        return (TIFFReadDirEntryErrOk);
1269
0
    }
1270
19.7k
    (void)desttypesize;
1271
1272
    /* We just want to know if the original tag size is more than 4 bytes
1273
     * (classic TIFF) or 8 bytes (BigTIFF)
1274
     */
1275
19.7k
    original_datasize_clamped =
1276
19.7k
        ((direntry->tdir_count > 10) ? 10 : (int)direntry->tdir_count) *
1277
19.7k
        typesize;
1278
1279
    /*
1280
     * As a sanity check, make sure we have no more than a 2GB tag array
1281
     * in either the current data type or the dest data type.  This also
1282
     * avoids problems with overflow of tmsize_t on 32bit systems.
1283
     */
1284
19.7k
    if ((uint64_t)(MAX_SIZE_TAG_DATA / typesize) < target_count64)
1285
0
        return (TIFFReadDirEntryErrSizesan);
1286
19.7k
    if ((uint64_t)(MAX_SIZE_TAG_DATA / desttypesize) < target_count64)
1287
0
        return (TIFFReadDirEntryErrSizesan);
1288
1289
19.7k
    *count = (uint32_t)target_count64;
1290
19.7k
    datasize = (*count) * typesize;
1291
19.7k
    assert((tmsize_t)datasize > 0);
1292
1293
19.7k
    if (datasize > 100 * 1024 * 1024)
1294
0
    {
1295
        /* Before allocating a huge amount of memory for corrupted files, check
1296
         * if size of requested memory is not greater than file size.
1297
         */
1298
0
        const uint64_t filesize = TIFFGetFileSize(tif);
1299
0
        if (datasize > filesize)
1300
0
        {
1301
0
            TIFFWarningExtR(tif, "ReadDirEntryArray",
1302
0
                            "Requested memory size for tag %d (0x%x) %" PRIu32
1303
0
                            " is greater than filesize %" PRIu64
1304
0
                            ". Memory not allocated, tag not read",
1305
0
                            direntry->tdir_tag, direntry->tdir_tag, datasize,
1306
0
                            filesize);
1307
0
            return (TIFFReadDirEntryErrAlloc);
1308
0
        }
1309
0
    }
1310
1311
19.7k
    if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
1312
0
        return TIFFReadDirEntryErrIo;
1313
1314
19.7k
    if (!isMapped(tif) && (((tif->tif_flags & TIFF_BIGTIFF) && datasize > 8) ||
1315
19.7k
                           (!(tif->tif_flags & TIFF_BIGTIFF) && datasize > 4)))
1316
0
    {
1317
0
        data = NULL;
1318
0
    }
1319
19.7k
    else
1320
19.7k
    {
1321
19.7k
        data = _TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");
1322
19.7k
        if (data == 0)
1323
0
            return (TIFFReadDirEntryErrAlloc);
1324
19.7k
    }
1325
19.7k
    if (!(tif->tif_flags & TIFF_BIGTIFF))
1326
19.7k
    {
1327
        /* Only the condition on original_datasize_clamped. The second
1328
         * one is implied, but Coverity Scan cannot see it. */
1329
19.7k
        if (original_datasize_clamped <= 4 && datasize <= 4)
1330
19.7k
            _TIFFmemcpy(data, &direntry->tdir_offset, datasize);
1331
0
        else
1332
0
        {
1333
0
            enum TIFFReadDirEntryErr err;
1334
0
            uint32_t offset = direntry->tdir_offset.toff_long;
1335
0
            if (tif->tif_flags & TIFF_SWAB)
1336
0
                TIFFSwabLong(&offset);
1337
0
            if (isMapped(tif))
1338
0
                err = TIFFReadDirEntryData(tif, (uint64_t)offset,
1339
0
                                           (tmsize_t)datasize, data);
1340
0
            else
1341
0
                err = TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset,
1342
0
                                                     (tmsize_t)datasize, &data);
1343
0
            if (err != TIFFReadDirEntryErrOk)
1344
0
            {
1345
0
                _TIFFfreeExt(tif, data);
1346
0
                return (err);
1347
0
            }
1348
0
        }
1349
19.7k
    }
1350
0
    else
1351
0
    {
1352
        /* See above comment for the Classic TIFF case */
1353
0
        if (original_datasize_clamped <= 8 && datasize <= 8)
1354
0
            _TIFFmemcpy(data, &direntry->tdir_offset, datasize);
1355
0
        else
1356
0
        {
1357
0
            enum TIFFReadDirEntryErr err;
1358
0
            uint64_t offset = direntry->tdir_offset.toff_long8;
1359
0
            if (tif->tif_flags & TIFF_SWAB)
1360
0
                TIFFSwabLong8(&offset);
1361
0
            if (isMapped(tif))
1362
0
                err = TIFFReadDirEntryData(tif, (uint64_t)offset,
1363
0
                                           (tmsize_t)datasize, data);
1364
0
            else
1365
0
                err = TIFFReadDirEntryDataAndRealloc(tif, (uint64_t)offset,
1366
0
                                                     (tmsize_t)datasize, &data);
1367
0
            if (err != TIFFReadDirEntryErrOk)
1368
0
            {
1369
0
                _TIFFfreeExt(tif, data);
1370
0
                return (err);
1371
0
            }
1372
0
        }
1373
0
    }
1374
19.7k
    *value = data;
1375
19.7k
    return (TIFFReadDirEntryErrOk);
1376
19.7k
}
1377
1378
static enum TIFFReadDirEntryErr
1379
TIFFReadDirEntryArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t *count,
1380
                      uint32_t desttypesize, void **value)
1381
0
{
1382
0
    return TIFFReadDirEntryArrayWithLimit(tif, direntry, count, desttypesize,
1383
0
                                          value, ~((uint64_t)0));
1384
0
}
1385
1386
static enum TIFFReadDirEntryErr
1387
TIFFReadDirEntryByteArray(TIFF *tif, TIFFDirEntry *direntry, uint8_t **value)
1388
0
{
1389
0
    enum TIFFReadDirEntryErr err;
1390
0
    uint32_t count;
1391
0
    void *origdata;
1392
0
    uint8_t *data;
1393
0
    switch (direntry->tdir_type)
1394
0
    {
1395
0
        case TIFF_ASCII:
1396
0
        case TIFF_UNDEFINED:
1397
0
        case TIFF_BYTE:
1398
0
        case TIFF_SBYTE:
1399
0
        case TIFF_SHORT:
1400
0
        case TIFF_SSHORT:
1401
0
        case TIFF_LONG:
1402
0
        case TIFF_SLONG:
1403
0
        case TIFF_LONG8:
1404
0
        case TIFF_SLONG8:
1405
0
            break;
1406
0
        default:
1407
0
            return (TIFFReadDirEntryErrType);
1408
0
    }
1409
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 1, &origdata);
1410
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1411
0
    {
1412
0
        *value = 0;
1413
0
        return (err);
1414
0
    }
1415
0
    switch (direntry->tdir_type)
1416
0
    {
1417
0
        case TIFF_ASCII:
1418
0
        case TIFF_UNDEFINED:
1419
0
        case TIFF_BYTE:
1420
0
            *value = (uint8_t *)origdata;
1421
0
            return (TIFFReadDirEntryErrOk);
1422
0
        case TIFF_SBYTE:
1423
0
        {
1424
0
            int8_t *m;
1425
0
            uint32_t n;
1426
0
            m = (int8_t *)origdata;
1427
0
            for (n = 0; n < count; n++)
1428
0
            {
1429
0
                err = TIFFReadDirEntryCheckRangeByteSbyte(*m);
1430
0
                if (err != TIFFReadDirEntryErrOk)
1431
0
                {
1432
0
                    _TIFFfreeExt(tif, origdata);
1433
0
                    return (err);
1434
0
                }
1435
0
                m++;
1436
0
            }
1437
0
            *value = (uint8_t *)origdata;
1438
0
            return (TIFFReadDirEntryErrOk);
1439
0
        }
1440
0
    }
1441
0
    data = (uint8_t *)_TIFFmallocExt(tif, count);
1442
0
    if (data == 0)
1443
0
    {
1444
0
        _TIFFfreeExt(tif, origdata);
1445
0
        return (TIFFReadDirEntryErrAlloc);
1446
0
    }
1447
0
    switch (direntry->tdir_type)
1448
0
    {
1449
0
        case TIFF_SHORT:
1450
0
        {
1451
0
            uint16_t *ma;
1452
0
            uint8_t *mb;
1453
0
            uint32_t n;
1454
0
            ma = (uint16_t *)origdata;
1455
0
            mb = data;
1456
0
            for (n = 0; n < count; n++)
1457
0
            {
1458
0
                if (tif->tif_flags & TIFF_SWAB)
1459
0
                    TIFFSwabShort(ma);
1460
0
                err = TIFFReadDirEntryCheckRangeByteShort(*ma);
1461
0
                if (err != TIFFReadDirEntryErrOk)
1462
0
                    break;
1463
0
                *mb++ = (uint8_t)(*ma++);
1464
0
            }
1465
0
        }
1466
0
        break;
1467
0
        case TIFF_SSHORT:
1468
0
        {
1469
0
            int16_t *ma;
1470
0
            uint8_t *mb;
1471
0
            uint32_t n;
1472
0
            ma = (int16_t *)origdata;
1473
0
            mb = data;
1474
0
            for (n = 0; n < count; n++)
1475
0
            {
1476
0
                if (tif->tif_flags & TIFF_SWAB)
1477
0
                    TIFFSwabShort((uint16_t *)ma);
1478
0
                err = TIFFReadDirEntryCheckRangeByteSshort(*ma);
1479
0
                if (err != TIFFReadDirEntryErrOk)
1480
0
                    break;
1481
0
                *mb++ = (uint8_t)(*ma++);
1482
0
            }
1483
0
        }
1484
0
        break;
1485
0
        case TIFF_LONG:
1486
0
        {
1487
0
            uint32_t *ma;
1488
0
            uint8_t *mb;
1489
0
            uint32_t n;
1490
0
            ma = (uint32_t *)origdata;
1491
0
            mb = data;
1492
0
            for (n = 0; n < count; n++)
1493
0
            {
1494
0
                if (tif->tif_flags & TIFF_SWAB)
1495
0
                    TIFFSwabLong(ma);
1496
0
                err = TIFFReadDirEntryCheckRangeByteLong(*ma);
1497
0
                if (err != TIFFReadDirEntryErrOk)
1498
0
                    break;
1499
0
                *mb++ = (uint8_t)(*ma++);
1500
0
            }
1501
0
        }
1502
0
        break;
1503
0
        case TIFF_SLONG:
1504
0
        {
1505
0
            int32_t *ma;
1506
0
            uint8_t *mb;
1507
0
            uint32_t n;
1508
0
            ma = (int32_t *)origdata;
1509
0
            mb = data;
1510
0
            for (n = 0; n < count; n++)
1511
0
            {
1512
0
                if (tif->tif_flags & TIFF_SWAB)
1513
0
                    TIFFSwabLong((uint32_t *)ma);
1514
0
                err = TIFFReadDirEntryCheckRangeByteSlong(*ma);
1515
0
                if (err != TIFFReadDirEntryErrOk)
1516
0
                    break;
1517
0
                *mb++ = (uint8_t)(*ma++);
1518
0
            }
1519
0
        }
1520
0
        break;
1521
0
        case TIFF_LONG8:
1522
0
        {
1523
0
            uint64_t *ma;
1524
0
            uint8_t *mb;
1525
0
            uint32_t n;
1526
0
            ma = (uint64_t *)origdata;
1527
0
            mb = data;
1528
0
            for (n = 0; n < count; n++)
1529
0
            {
1530
0
                if (tif->tif_flags & TIFF_SWAB)
1531
0
                    TIFFSwabLong8(ma);
1532
0
                err = TIFFReadDirEntryCheckRangeByteLong8(*ma);
1533
0
                if (err != TIFFReadDirEntryErrOk)
1534
0
                    break;
1535
0
                *mb++ = (uint8_t)(*ma++);
1536
0
            }
1537
0
        }
1538
0
        break;
1539
0
        case TIFF_SLONG8:
1540
0
        {
1541
0
            int64_t *ma;
1542
0
            uint8_t *mb;
1543
0
            uint32_t n;
1544
0
            ma = (int64_t *)origdata;
1545
0
            mb = data;
1546
0
            for (n = 0; n < count; n++)
1547
0
            {
1548
0
                if (tif->tif_flags & TIFF_SWAB)
1549
0
                    TIFFSwabLong8((uint64_t *)ma);
1550
0
                err = TIFFReadDirEntryCheckRangeByteSlong8(*ma);
1551
0
                if (err != TIFFReadDirEntryErrOk)
1552
0
                    break;
1553
0
                *mb++ = (uint8_t)(*ma++);
1554
0
            }
1555
0
        }
1556
0
        break;
1557
0
    }
1558
0
    _TIFFfreeExt(tif, origdata);
1559
0
    if (err != TIFFReadDirEntryErrOk)
1560
0
    {
1561
0
        _TIFFfreeExt(tif, data);
1562
0
        return (err);
1563
0
    }
1564
0
    *value = data;
1565
0
    return (TIFFReadDirEntryErrOk);
1566
0
}
1567
1568
static enum TIFFReadDirEntryErr
1569
TIFFReadDirEntrySbyteArray(TIFF *tif, TIFFDirEntry *direntry, int8_t **value)
1570
0
{
1571
0
    enum TIFFReadDirEntryErr err;
1572
0
    uint32_t count;
1573
0
    void *origdata;
1574
0
    int8_t *data;
1575
0
    switch (direntry->tdir_type)
1576
0
    {
1577
0
        case TIFF_UNDEFINED:
1578
0
        case TIFF_BYTE:
1579
0
        case TIFF_SBYTE:
1580
0
        case TIFF_SHORT:
1581
0
        case TIFF_SSHORT:
1582
0
        case TIFF_LONG:
1583
0
        case TIFF_SLONG:
1584
0
        case TIFF_LONG8:
1585
0
        case TIFF_SLONG8:
1586
0
            break;
1587
0
        default:
1588
0
            return (TIFFReadDirEntryErrType);
1589
0
    }
1590
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 1, &origdata);
1591
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1592
0
    {
1593
0
        *value = 0;
1594
0
        return (err);
1595
0
    }
1596
0
    switch (direntry->tdir_type)
1597
0
    {
1598
0
        case TIFF_UNDEFINED:
1599
0
        case TIFF_BYTE:
1600
0
        {
1601
0
            uint8_t *m;
1602
0
            uint32_t n;
1603
0
            m = (uint8_t *)origdata;
1604
0
            for (n = 0; n < count; n++)
1605
0
            {
1606
0
                err = TIFFReadDirEntryCheckRangeSbyteByte(*m);
1607
0
                if (err != TIFFReadDirEntryErrOk)
1608
0
                {
1609
0
                    _TIFFfreeExt(tif, origdata);
1610
0
                    return (err);
1611
0
                }
1612
0
                m++;
1613
0
            }
1614
0
            *value = (int8_t *)origdata;
1615
0
            return (TIFFReadDirEntryErrOk);
1616
0
        }
1617
0
        case TIFF_SBYTE:
1618
0
            *value = (int8_t *)origdata;
1619
0
            return (TIFFReadDirEntryErrOk);
1620
0
    }
1621
0
    data = (int8_t *)_TIFFmallocExt(tif, count);
1622
0
    if (data == 0)
1623
0
    {
1624
0
        _TIFFfreeExt(tif, origdata);
1625
0
        return (TIFFReadDirEntryErrAlloc);
1626
0
    }
1627
0
    switch (direntry->tdir_type)
1628
0
    {
1629
0
        case TIFF_SHORT:
1630
0
        {
1631
0
            uint16_t *ma;
1632
0
            int8_t *mb;
1633
0
            uint32_t n;
1634
0
            ma = (uint16_t *)origdata;
1635
0
            mb = data;
1636
0
            for (n = 0; n < count; n++)
1637
0
            {
1638
0
                if (tif->tif_flags & TIFF_SWAB)
1639
0
                    TIFFSwabShort(ma);
1640
0
                err = TIFFReadDirEntryCheckRangeSbyteShort(*ma);
1641
0
                if (err != TIFFReadDirEntryErrOk)
1642
0
                    break;
1643
0
                *mb++ = (int8_t)(*ma++);
1644
0
            }
1645
0
        }
1646
0
        break;
1647
0
        case TIFF_SSHORT:
1648
0
        {
1649
0
            int16_t *ma;
1650
0
            int8_t *mb;
1651
0
            uint32_t n;
1652
0
            ma = (int16_t *)origdata;
1653
0
            mb = data;
1654
0
            for (n = 0; n < count; n++)
1655
0
            {
1656
0
                if (tif->tif_flags & TIFF_SWAB)
1657
0
                    TIFFSwabShort((uint16_t *)ma);
1658
0
                err = TIFFReadDirEntryCheckRangeSbyteSshort(*ma);
1659
0
                if (err != TIFFReadDirEntryErrOk)
1660
0
                    break;
1661
0
                *mb++ = (int8_t)(*ma++);
1662
0
            }
1663
0
        }
1664
0
        break;
1665
0
        case TIFF_LONG:
1666
0
        {
1667
0
            uint32_t *ma;
1668
0
            int8_t *mb;
1669
0
            uint32_t n;
1670
0
            ma = (uint32_t *)origdata;
1671
0
            mb = data;
1672
0
            for (n = 0; n < count; n++)
1673
0
            {
1674
0
                if (tif->tif_flags & TIFF_SWAB)
1675
0
                    TIFFSwabLong(ma);
1676
0
                err = TIFFReadDirEntryCheckRangeSbyteLong(*ma);
1677
0
                if (err != TIFFReadDirEntryErrOk)
1678
0
                    break;
1679
0
                *mb++ = (int8_t)(*ma++);
1680
0
            }
1681
0
        }
1682
0
        break;
1683
0
        case TIFF_SLONG:
1684
0
        {
1685
0
            int32_t *ma;
1686
0
            int8_t *mb;
1687
0
            uint32_t n;
1688
0
            ma = (int32_t *)origdata;
1689
0
            mb = data;
1690
0
            for (n = 0; n < count; n++)
1691
0
            {
1692
0
                if (tif->tif_flags & TIFF_SWAB)
1693
0
                    TIFFSwabLong((uint32_t *)ma);
1694
0
                err = TIFFReadDirEntryCheckRangeSbyteSlong(*ma);
1695
0
                if (err != TIFFReadDirEntryErrOk)
1696
0
                    break;
1697
0
                *mb++ = (int8_t)(*ma++);
1698
0
            }
1699
0
        }
1700
0
        break;
1701
0
        case TIFF_LONG8:
1702
0
        {
1703
0
            uint64_t *ma;
1704
0
            int8_t *mb;
1705
0
            uint32_t n;
1706
0
            ma = (uint64_t *)origdata;
1707
0
            mb = data;
1708
0
            for (n = 0; n < count; n++)
1709
0
            {
1710
0
                if (tif->tif_flags & TIFF_SWAB)
1711
0
                    TIFFSwabLong8(ma);
1712
0
                err = TIFFReadDirEntryCheckRangeSbyteLong8(*ma);
1713
0
                if (err != TIFFReadDirEntryErrOk)
1714
0
                    break;
1715
0
                *mb++ = (int8_t)(*ma++);
1716
0
            }
1717
0
        }
1718
0
        break;
1719
0
        case TIFF_SLONG8:
1720
0
        {
1721
0
            int64_t *ma;
1722
0
            int8_t *mb;
1723
0
            uint32_t n;
1724
0
            ma = (int64_t *)origdata;
1725
0
            mb = data;
1726
0
            for (n = 0; n < count; n++)
1727
0
            {
1728
0
                if (tif->tif_flags & TIFF_SWAB)
1729
0
                    TIFFSwabLong8((uint64_t *)ma);
1730
0
                err = TIFFReadDirEntryCheckRangeSbyteSlong8(*ma);
1731
0
                if (err != TIFFReadDirEntryErrOk)
1732
0
                    break;
1733
0
                *mb++ = (int8_t)(*ma++);
1734
0
            }
1735
0
        }
1736
0
        break;
1737
0
    }
1738
0
    _TIFFfreeExt(tif, origdata);
1739
0
    if (err != TIFFReadDirEntryErrOk)
1740
0
    {
1741
0
        _TIFFfreeExt(tif, data);
1742
0
        return (err);
1743
0
    }
1744
0
    *value = data;
1745
0
    return (TIFFReadDirEntryErrOk);
1746
0
}
1747
1748
static enum TIFFReadDirEntryErr
1749
TIFFReadDirEntryShortArray(TIFF *tif, TIFFDirEntry *direntry, uint16_t **value)
1750
0
{
1751
0
    enum TIFFReadDirEntryErr err;
1752
0
    uint32_t count;
1753
0
    void *origdata;
1754
0
    uint16_t *data;
1755
0
    switch (direntry->tdir_type)
1756
0
    {
1757
0
        case TIFF_BYTE:
1758
0
        case TIFF_SBYTE:
1759
0
        case TIFF_SHORT:
1760
0
        case TIFF_SSHORT:
1761
0
        case TIFF_LONG:
1762
0
        case TIFF_SLONG:
1763
0
        case TIFF_LONG8:
1764
0
        case TIFF_SLONG8:
1765
0
            break;
1766
0
        default:
1767
0
            return (TIFFReadDirEntryErrType);
1768
0
    }
1769
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 2, &origdata);
1770
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1771
0
    {
1772
0
        *value = 0;
1773
0
        return (err);
1774
0
    }
1775
0
    switch (direntry->tdir_type)
1776
0
    {
1777
0
        case TIFF_SHORT:
1778
0
            *value = (uint16_t *)origdata;
1779
0
            if (tif->tif_flags & TIFF_SWAB)
1780
0
                TIFFSwabArrayOfShort(*value, count);
1781
0
            return (TIFFReadDirEntryErrOk);
1782
0
        case TIFF_SSHORT:
1783
0
        {
1784
0
            int16_t *m;
1785
0
            uint32_t n;
1786
0
            m = (int16_t *)origdata;
1787
0
            for (n = 0; n < count; n++)
1788
0
            {
1789
0
                if (tif->tif_flags & TIFF_SWAB)
1790
0
                    TIFFSwabShort((uint16_t *)m);
1791
0
                err = TIFFReadDirEntryCheckRangeShortSshort(*m);
1792
0
                if (err != TIFFReadDirEntryErrOk)
1793
0
                {
1794
0
                    _TIFFfreeExt(tif, origdata);
1795
0
                    return (err);
1796
0
                }
1797
0
                m++;
1798
0
            }
1799
0
            *value = (uint16_t *)origdata;
1800
0
            return (TIFFReadDirEntryErrOk);
1801
0
        }
1802
0
    }
1803
0
    data = (uint16_t *)_TIFFmallocExt(tif, count * 2);
1804
0
    if (data == 0)
1805
0
    {
1806
0
        _TIFFfreeExt(tif, origdata);
1807
0
        return (TIFFReadDirEntryErrAlloc);
1808
0
    }
1809
0
    switch (direntry->tdir_type)
1810
0
    {
1811
0
        case TIFF_BYTE:
1812
0
        {
1813
0
            uint8_t *ma;
1814
0
            uint16_t *mb;
1815
0
            uint32_t n;
1816
0
            ma = (uint8_t *)origdata;
1817
0
            mb = data;
1818
0
            for (n = 0; n < count; n++)
1819
0
                *mb++ = (uint16_t)(*ma++);
1820
0
        }
1821
0
        break;
1822
0
        case TIFF_SBYTE:
1823
0
        {
1824
0
            int8_t *ma;
1825
0
            uint16_t *mb;
1826
0
            uint32_t n;
1827
0
            ma = (int8_t *)origdata;
1828
0
            mb = data;
1829
0
            for (n = 0; n < count; n++)
1830
0
            {
1831
0
                err = TIFFReadDirEntryCheckRangeShortSbyte(*ma);
1832
0
                if (err != TIFFReadDirEntryErrOk)
1833
0
                    break;
1834
0
                *mb++ = (uint16_t)(*ma++);
1835
0
            }
1836
0
        }
1837
0
        break;
1838
0
        case TIFF_LONG:
1839
0
        {
1840
0
            uint32_t *ma;
1841
0
            uint16_t *mb;
1842
0
            uint32_t n;
1843
0
            ma = (uint32_t *)origdata;
1844
0
            mb = data;
1845
0
            for (n = 0; n < count; n++)
1846
0
            {
1847
0
                if (tif->tif_flags & TIFF_SWAB)
1848
0
                    TIFFSwabLong(ma);
1849
0
                err = TIFFReadDirEntryCheckRangeShortLong(*ma);
1850
0
                if (err != TIFFReadDirEntryErrOk)
1851
0
                    break;
1852
0
                *mb++ = (uint16_t)(*ma++);
1853
0
            }
1854
0
        }
1855
0
        break;
1856
0
        case TIFF_SLONG:
1857
0
        {
1858
0
            int32_t *ma;
1859
0
            uint16_t *mb;
1860
0
            uint32_t n;
1861
0
            ma = (int32_t *)origdata;
1862
0
            mb = data;
1863
0
            for (n = 0; n < count; n++)
1864
0
            {
1865
0
                if (tif->tif_flags & TIFF_SWAB)
1866
0
                    TIFFSwabLong((uint32_t *)ma);
1867
0
                err = TIFFReadDirEntryCheckRangeShortSlong(*ma);
1868
0
                if (err != TIFFReadDirEntryErrOk)
1869
0
                    break;
1870
0
                *mb++ = (uint16_t)(*ma++);
1871
0
            }
1872
0
        }
1873
0
        break;
1874
0
        case TIFF_LONG8:
1875
0
        {
1876
0
            uint64_t *ma;
1877
0
            uint16_t *mb;
1878
0
            uint32_t n;
1879
0
            ma = (uint64_t *)origdata;
1880
0
            mb = data;
1881
0
            for (n = 0; n < count; n++)
1882
0
            {
1883
0
                if (tif->tif_flags & TIFF_SWAB)
1884
0
                    TIFFSwabLong8(ma);
1885
0
                err = TIFFReadDirEntryCheckRangeShortLong8(*ma);
1886
0
                if (err != TIFFReadDirEntryErrOk)
1887
0
                    break;
1888
0
                *mb++ = (uint16_t)(*ma++);
1889
0
            }
1890
0
        }
1891
0
        break;
1892
0
        case TIFF_SLONG8:
1893
0
        {
1894
0
            int64_t *ma;
1895
0
            uint16_t *mb;
1896
0
            uint32_t n;
1897
0
            ma = (int64_t *)origdata;
1898
0
            mb = data;
1899
0
            for (n = 0; n < count; n++)
1900
0
            {
1901
0
                if (tif->tif_flags & TIFF_SWAB)
1902
0
                    TIFFSwabLong8((uint64_t *)ma);
1903
0
                err = TIFFReadDirEntryCheckRangeShortSlong8(*ma);
1904
0
                if (err != TIFFReadDirEntryErrOk)
1905
0
                    break;
1906
0
                *mb++ = (uint16_t)(*ma++);
1907
0
            }
1908
0
        }
1909
0
        break;
1910
0
    }
1911
0
    _TIFFfreeExt(tif, origdata);
1912
0
    if (err != TIFFReadDirEntryErrOk)
1913
0
    {
1914
0
        _TIFFfreeExt(tif, data);
1915
0
        return (err);
1916
0
    }
1917
0
    *value = data;
1918
0
    return (TIFFReadDirEntryErrOk);
1919
0
}
1920
1921
static enum TIFFReadDirEntryErr
1922
TIFFReadDirEntrySshortArray(TIFF *tif, TIFFDirEntry *direntry, int16_t **value)
1923
0
{
1924
0
    enum TIFFReadDirEntryErr err;
1925
0
    uint32_t count;
1926
0
    void *origdata;
1927
0
    int16_t *data;
1928
0
    switch (direntry->tdir_type)
1929
0
    {
1930
0
        case TIFF_BYTE:
1931
0
        case TIFF_SBYTE:
1932
0
        case TIFF_SHORT:
1933
0
        case TIFF_SSHORT:
1934
0
        case TIFF_LONG:
1935
0
        case TIFF_SLONG:
1936
0
        case TIFF_LONG8:
1937
0
        case TIFF_SLONG8:
1938
0
            break;
1939
0
        default:
1940
0
            return (TIFFReadDirEntryErrType);
1941
0
    }
1942
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 2, &origdata);
1943
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
1944
0
    {
1945
0
        *value = 0;
1946
0
        return (err);
1947
0
    }
1948
0
    switch (direntry->tdir_type)
1949
0
    {
1950
0
        case TIFF_SHORT:
1951
0
        {
1952
0
            uint16_t *m;
1953
0
            uint32_t n;
1954
0
            m = (uint16_t *)origdata;
1955
0
            for (n = 0; n < count; n++)
1956
0
            {
1957
0
                if (tif->tif_flags & TIFF_SWAB)
1958
0
                    TIFFSwabShort(m);
1959
0
                err = TIFFReadDirEntryCheckRangeSshortShort(*m);
1960
0
                if (err != TIFFReadDirEntryErrOk)
1961
0
                {
1962
0
                    _TIFFfreeExt(tif, origdata);
1963
0
                    return (err);
1964
0
                }
1965
0
                m++;
1966
0
            }
1967
0
            *value = (int16_t *)origdata;
1968
0
            return (TIFFReadDirEntryErrOk);
1969
0
        }
1970
0
        case TIFF_SSHORT:
1971
0
            *value = (int16_t *)origdata;
1972
0
            if (tif->tif_flags & TIFF_SWAB)
1973
0
                TIFFSwabArrayOfShort((uint16_t *)(*value), count);
1974
0
            return (TIFFReadDirEntryErrOk);
1975
0
    }
1976
0
    data = (int16_t *)_TIFFmallocExt(tif, count * 2);
1977
0
    if (data == 0)
1978
0
    {
1979
0
        _TIFFfreeExt(tif, origdata);
1980
0
        return (TIFFReadDirEntryErrAlloc);
1981
0
    }
1982
0
    switch (direntry->tdir_type)
1983
0
    {
1984
0
        case TIFF_BYTE:
1985
0
        {
1986
0
            uint8_t *ma;
1987
0
            int16_t *mb;
1988
0
            uint32_t n;
1989
0
            ma = (uint8_t *)origdata;
1990
0
            mb = data;
1991
0
            for (n = 0; n < count; n++)
1992
0
                *mb++ = (int16_t)(*ma++);
1993
0
        }
1994
0
        break;
1995
0
        case TIFF_SBYTE:
1996
0
        {
1997
0
            int8_t *ma;
1998
0
            int16_t *mb;
1999
0
            uint32_t n;
2000
0
            ma = (int8_t *)origdata;
2001
0
            mb = data;
2002
0
            for (n = 0; n < count; n++)
2003
0
                *mb++ = (int16_t)(*ma++);
2004
0
        }
2005
0
        break;
2006
0
        case TIFF_LONG:
2007
0
        {
2008
0
            uint32_t *ma;
2009
0
            int16_t *mb;
2010
0
            uint32_t n;
2011
0
            ma = (uint32_t *)origdata;
2012
0
            mb = data;
2013
0
            for (n = 0; n < count; n++)
2014
0
            {
2015
0
                if (tif->tif_flags & TIFF_SWAB)
2016
0
                    TIFFSwabLong(ma);
2017
0
                err = TIFFReadDirEntryCheckRangeSshortLong(*ma);
2018
0
                if (err != TIFFReadDirEntryErrOk)
2019
0
                    break;
2020
0
                *mb++ = (int16_t)(*ma++);
2021
0
            }
2022
0
        }
2023
0
        break;
2024
0
        case TIFF_SLONG:
2025
0
        {
2026
0
            int32_t *ma;
2027
0
            int16_t *mb;
2028
0
            uint32_t n;
2029
0
            ma = (int32_t *)origdata;
2030
0
            mb = data;
2031
0
            for (n = 0; n < count; n++)
2032
0
            {
2033
0
                if (tif->tif_flags & TIFF_SWAB)
2034
0
                    TIFFSwabLong((uint32_t *)ma);
2035
0
                err = TIFFReadDirEntryCheckRangeSshortSlong(*ma);
2036
0
                if (err != TIFFReadDirEntryErrOk)
2037
0
                    break;
2038
0
                *mb++ = (int16_t)(*ma++);
2039
0
            }
2040
0
        }
2041
0
        break;
2042
0
        case TIFF_LONG8:
2043
0
        {
2044
0
            uint64_t *ma;
2045
0
            int16_t *mb;
2046
0
            uint32_t n;
2047
0
            ma = (uint64_t *)origdata;
2048
0
            mb = data;
2049
0
            for (n = 0; n < count; n++)
2050
0
            {
2051
0
                if (tif->tif_flags & TIFF_SWAB)
2052
0
                    TIFFSwabLong8(ma);
2053
0
                err = TIFFReadDirEntryCheckRangeSshortLong8(*ma);
2054
0
                if (err != TIFFReadDirEntryErrOk)
2055
0
                    break;
2056
0
                *mb++ = (int16_t)(*ma++);
2057
0
            }
2058
0
        }
2059
0
        break;
2060
0
        case TIFF_SLONG8:
2061
0
        {
2062
0
            int64_t *ma;
2063
0
            int16_t *mb;
2064
0
            uint32_t n;
2065
0
            ma = (int64_t *)origdata;
2066
0
            mb = data;
2067
0
            for (n = 0; n < count; n++)
2068
0
            {
2069
0
                if (tif->tif_flags & TIFF_SWAB)
2070
0
                    TIFFSwabLong8((uint64_t *)ma);
2071
0
                err = TIFFReadDirEntryCheckRangeSshortSlong8(*ma);
2072
0
                if (err != TIFFReadDirEntryErrOk)
2073
0
                    break;
2074
0
                *mb++ = (int16_t)(*ma++);
2075
0
            }
2076
0
        }
2077
0
        break;
2078
0
    }
2079
0
    _TIFFfreeExt(tif, origdata);
2080
0
    if (err != TIFFReadDirEntryErrOk)
2081
0
    {
2082
0
        _TIFFfreeExt(tif, data);
2083
0
        return (err);
2084
0
    }
2085
0
    *value = data;
2086
0
    return (TIFFReadDirEntryErrOk);
2087
0
}
2088
2089
static enum TIFFReadDirEntryErr
2090
TIFFReadDirEntryLongArray(TIFF *tif, TIFFDirEntry *direntry, uint32_t **value)
2091
0
{
2092
0
    enum TIFFReadDirEntryErr err;
2093
0
    uint32_t count;
2094
0
    void *origdata;
2095
0
    uint32_t *data;
2096
0
    switch (direntry->tdir_type)
2097
0
    {
2098
0
        case TIFF_BYTE:
2099
0
        case TIFF_SBYTE:
2100
0
        case TIFF_SHORT:
2101
0
        case TIFF_SSHORT:
2102
0
        case TIFF_LONG:
2103
0
        case TIFF_SLONG:
2104
0
        case TIFF_LONG8:
2105
0
        case TIFF_SLONG8:
2106
0
            break;
2107
0
        default:
2108
0
            return (TIFFReadDirEntryErrType);
2109
0
    }
2110
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2111
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2112
0
    {
2113
0
        *value = 0;
2114
0
        return (err);
2115
0
    }
2116
0
    switch (direntry->tdir_type)
2117
0
    {
2118
0
        case TIFF_LONG:
2119
0
            *value = (uint32_t *)origdata;
2120
0
            if (tif->tif_flags & TIFF_SWAB)
2121
0
                TIFFSwabArrayOfLong(*value, count);
2122
0
            return (TIFFReadDirEntryErrOk);
2123
0
        case TIFF_SLONG:
2124
0
        {
2125
0
            int32_t *m;
2126
0
            uint32_t n;
2127
0
            m = (int32_t *)origdata;
2128
0
            for (n = 0; n < count; n++)
2129
0
            {
2130
0
                if (tif->tif_flags & TIFF_SWAB)
2131
0
                    TIFFSwabLong((uint32_t *)m);
2132
0
                err = TIFFReadDirEntryCheckRangeLongSlong(*m);
2133
0
                if (err != TIFFReadDirEntryErrOk)
2134
0
                {
2135
0
                    _TIFFfreeExt(tif, origdata);
2136
0
                    return (err);
2137
0
                }
2138
0
                m++;
2139
0
            }
2140
0
            *value = (uint32_t *)origdata;
2141
0
            return (TIFFReadDirEntryErrOk);
2142
0
        }
2143
0
    }
2144
0
    data = (uint32_t *)_TIFFmallocExt(tif, count * 4);
2145
0
    if (data == 0)
2146
0
    {
2147
0
        _TIFFfreeExt(tif, origdata);
2148
0
        return (TIFFReadDirEntryErrAlloc);
2149
0
    }
2150
0
    switch (direntry->tdir_type)
2151
0
    {
2152
0
        case TIFF_BYTE:
2153
0
        {
2154
0
            uint8_t *ma;
2155
0
            uint32_t *mb;
2156
0
            uint32_t n;
2157
0
            ma = (uint8_t *)origdata;
2158
0
            mb = data;
2159
0
            for (n = 0; n < count; n++)
2160
0
                *mb++ = (uint32_t)(*ma++);
2161
0
        }
2162
0
        break;
2163
0
        case TIFF_SBYTE:
2164
0
        {
2165
0
            int8_t *ma;
2166
0
            uint32_t *mb;
2167
0
            uint32_t n;
2168
0
            ma = (int8_t *)origdata;
2169
0
            mb = data;
2170
0
            for (n = 0; n < count; n++)
2171
0
            {
2172
0
                err = TIFFReadDirEntryCheckRangeLongSbyte(*ma);
2173
0
                if (err != TIFFReadDirEntryErrOk)
2174
0
                    break;
2175
0
                *mb++ = (uint32_t)(*ma++);
2176
0
            }
2177
0
        }
2178
0
        break;
2179
0
        case TIFF_SHORT:
2180
0
        {
2181
0
            uint16_t *ma;
2182
0
            uint32_t *mb;
2183
0
            uint32_t n;
2184
0
            ma = (uint16_t *)origdata;
2185
0
            mb = data;
2186
0
            for (n = 0; n < count; n++)
2187
0
            {
2188
0
                if (tif->tif_flags & TIFF_SWAB)
2189
0
                    TIFFSwabShort(ma);
2190
0
                *mb++ = (uint32_t)(*ma++);
2191
0
            }
2192
0
        }
2193
0
        break;
2194
0
        case TIFF_SSHORT:
2195
0
        {
2196
0
            int16_t *ma;
2197
0
            uint32_t *mb;
2198
0
            uint32_t n;
2199
0
            ma = (int16_t *)origdata;
2200
0
            mb = data;
2201
0
            for (n = 0; n < count; n++)
2202
0
            {
2203
0
                if (tif->tif_flags & TIFF_SWAB)
2204
0
                    TIFFSwabShort((uint16_t *)ma);
2205
0
                err = TIFFReadDirEntryCheckRangeLongSshort(*ma);
2206
0
                if (err != TIFFReadDirEntryErrOk)
2207
0
                    break;
2208
0
                *mb++ = (uint32_t)(*ma++);
2209
0
            }
2210
0
        }
2211
0
        break;
2212
0
        case TIFF_LONG8:
2213
0
        {
2214
0
            uint64_t *ma;
2215
0
            uint32_t *mb;
2216
0
            uint32_t n;
2217
0
            ma = (uint64_t *)origdata;
2218
0
            mb = data;
2219
0
            for (n = 0; n < count; n++)
2220
0
            {
2221
0
                if (tif->tif_flags & TIFF_SWAB)
2222
0
                    TIFFSwabLong8(ma);
2223
0
                err = TIFFReadDirEntryCheckRangeLongLong8(*ma);
2224
0
                if (err != TIFFReadDirEntryErrOk)
2225
0
                    break;
2226
0
                *mb++ = (uint32_t)(*ma++);
2227
0
            }
2228
0
        }
2229
0
        break;
2230
0
        case TIFF_SLONG8:
2231
0
        {
2232
0
            int64_t *ma;
2233
0
            uint32_t *mb;
2234
0
            uint32_t n;
2235
0
            ma = (int64_t *)origdata;
2236
0
            mb = data;
2237
0
            for (n = 0; n < count; n++)
2238
0
            {
2239
0
                if (tif->tif_flags & TIFF_SWAB)
2240
0
                    TIFFSwabLong8((uint64_t *)ma);
2241
0
                err = TIFFReadDirEntryCheckRangeLongSlong8(*ma);
2242
0
                if (err != TIFFReadDirEntryErrOk)
2243
0
                    break;
2244
0
                *mb++ = (uint32_t)(*ma++);
2245
0
            }
2246
0
        }
2247
0
        break;
2248
0
    }
2249
0
    _TIFFfreeExt(tif, origdata);
2250
0
    if (err != TIFFReadDirEntryErrOk)
2251
0
    {
2252
0
        _TIFFfreeExt(tif, data);
2253
0
        return (err);
2254
0
    }
2255
0
    *value = data;
2256
0
    return (TIFFReadDirEntryErrOk);
2257
0
}
2258
2259
static enum TIFFReadDirEntryErr
2260
TIFFReadDirEntrySlongArray(TIFF *tif, TIFFDirEntry *direntry, int32_t **value)
2261
0
{
2262
0
    enum TIFFReadDirEntryErr err;
2263
0
    uint32_t count;
2264
0
    void *origdata;
2265
0
    int32_t *data;
2266
0
    switch (direntry->tdir_type)
2267
0
    {
2268
0
        case TIFF_BYTE:
2269
0
        case TIFF_SBYTE:
2270
0
        case TIFF_SHORT:
2271
0
        case TIFF_SSHORT:
2272
0
        case TIFF_LONG:
2273
0
        case TIFF_SLONG:
2274
0
        case TIFF_LONG8:
2275
0
        case TIFF_SLONG8:
2276
0
            break;
2277
0
        default:
2278
0
            return (TIFFReadDirEntryErrType);
2279
0
    }
2280
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2281
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2282
0
    {
2283
0
        *value = 0;
2284
0
        return (err);
2285
0
    }
2286
0
    switch (direntry->tdir_type)
2287
0
    {
2288
0
        case TIFF_LONG:
2289
0
        {
2290
0
            uint32_t *m;
2291
0
            uint32_t n;
2292
0
            m = (uint32_t *)origdata;
2293
0
            for (n = 0; n < count; n++)
2294
0
            {
2295
0
                if (tif->tif_flags & TIFF_SWAB)
2296
0
                    TIFFSwabLong((uint32_t *)m);
2297
0
                err = TIFFReadDirEntryCheckRangeSlongLong(*m);
2298
0
                if (err != TIFFReadDirEntryErrOk)
2299
0
                {
2300
0
                    _TIFFfreeExt(tif, origdata);
2301
0
                    return (err);
2302
0
                }
2303
0
                m++;
2304
0
            }
2305
0
            *value = (int32_t *)origdata;
2306
0
            return (TIFFReadDirEntryErrOk);
2307
0
        }
2308
0
        case TIFF_SLONG:
2309
0
            *value = (int32_t *)origdata;
2310
0
            if (tif->tif_flags & TIFF_SWAB)
2311
0
                TIFFSwabArrayOfLong((uint32_t *)(*value), count);
2312
0
            return (TIFFReadDirEntryErrOk);
2313
0
    }
2314
0
    data = (int32_t *)_TIFFmallocExt(tif, count * 4);
2315
0
    if (data == 0)
2316
0
    {
2317
0
        _TIFFfreeExt(tif, origdata);
2318
0
        return (TIFFReadDirEntryErrAlloc);
2319
0
    }
2320
0
    switch (direntry->tdir_type)
2321
0
    {
2322
0
        case TIFF_BYTE:
2323
0
        {
2324
0
            uint8_t *ma;
2325
0
            int32_t *mb;
2326
0
            uint32_t n;
2327
0
            ma = (uint8_t *)origdata;
2328
0
            mb = data;
2329
0
            for (n = 0; n < count; n++)
2330
0
                *mb++ = (int32_t)(*ma++);
2331
0
        }
2332
0
        break;
2333
0
        case TIFF_SBYTE:
2334
0
        {
2335
0
            int8_t *ma;
2336
0
            int32_t *mb;
2337
0
            uint32_t n;
2338
0
            ma = (int8_t *)origdata;
2339
0
            mb = data;
2340
0
            for (n = 0; n < count; n++)
2341
0
                *mb++ = (int32_t)(*ma++);
2342
0
        }
2343
0
        break;
2344
0
        case TIFF_SHORT:
2345
0
        {
2346
0
            uint16_t *ma;
2347
0
            int32_t *mb;
2348
0
            uint32_t n;
2349
0
            ma = (uint16_t *)origdata;
2350
0
            mb = data;
2351
0
            for (n = 0; n < count; n++)
2352
0
            {
2353
0
                if (tif->tif_flags & TIFF_SWAB)
2354
0
                    TIFFSwabShort(ma);
2355
0
                *mb++ = (int32_t)(*ma++);
2356
0
            }
2357
0
        }
2358
0
        break;
2359
0
        case TIFF_SSHORT:
2360
0
        {
2361
0
            int16_t *ma;
2362
0
            int32_t *mb;
2363
0
            uint32_t n;
2364
0
            ma = (int16_t *)origdata;
2365
0
            mb = data;
2366
0
            for (n = 0; n < count; n++)
2367
0
            {
2368
0
                if (tif->tif_flags & TIFF_SWAB)
2369
0
                    TIFFSwabShort((uint16_t *)ma);
2370
0
                *mb++ = (int32_t)(*ma++);
2371
0
            }
2372
0
        }
2373
0
        break;
2374
0
        case TIFF_LONG8:
2375
0
        {
2376
0
            uint64_t *ma;
2377
0
            int32_t *mb;
2378
0
            uint32_t n;
2379
0
            ma = (uint64_t *)origdata;
2380
0
            mb = data;
2381
0
            for (n = 0; n < count; n++)
2382
0
            {
2383
0
                if (tif->tif_flags & TIFF_SWAB)
2384
0
                    TIFFSwabLong8(ma);
2385
0
                err = TIFFReadDirEntryCheckRangeSlongLong8(*ma);
2386
0
                if (err != TIFFReadDirEntryErrOk)
2387
0
                    break;
2388
0
                *mb++ = (int32_t)(*ma++);
2389
0
            }
2390
0
        }
2391
0
        break;
2392
0
        case TIFF_SLONG8:
2393
0
        {
2394
0
            int64_t *ma;
2395
0
            int32_t *mb;
2396
0
            uint32_t n;
2397
0
            ma = (int64_t *)origdata;
2398
0
            mb = data;
2399
0
            for (n = 0; n < count; n++)
2400
0
            {
2401
0
                if (tif->tif_flags & TIFF_SWAB)
2402
0
                    TIFFSwabLong8((uint64_t *)ma);
2403
0
                err = TIFFReadDirEntryCheckRangeSlongSlong8(*ma);
2404
0
                if (err != TIFFReadDirEntryErrOk)
2405
0
                    break;
2406
0
                *mb++ = (int32_t)(*ma++);
2407
0
            }
2408
0
        }
2409
0
        break;
2410
0
    }
2411
0
    _TIFFfreeExt(tif, origdata);
2412
0
    if (err != TIFFReadDirEntryErrOk)
2413
0
    {
2414
0
        _TIFFfreeExt(tif, data);
2415
0
        return (err);
2416
0
    }
2417
0
    *value = data;
2418
0
    return (TIFFReadDirEntryErrOk);
2419
0
}
2420
2421
static enum TIFFReadDirEntryErr
2422
TIFFReadDirEntryLong8ArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
2423
                                    uint64_t **value, uint64_t maxcount)
2424
19.7k
{
2425
19.7k
    enum TIFFReadDirEntryErr err;
2426
19.7k
    uint32_t count;
2427
19.7k
    void *origdata;
2428
19.7k
    uint64_t *data;
2429
19.7k
    switch (direntry->tdir_type)
2430
19.7k
    {
2431
0
        case TIFF_BYTE:
2432
0
        case TIFF_SBYTE:
2433
0
        case TIFF_SHORT:
2434
0
        case TIFF_SSHORT:
2435
19.7k
        case TIFF_LONG:
2436
19.7k
        case TIFF_SLONG:
2437
19.7k
        case TIFF_LONG8:
2438
19.7k
        case TIFF_SLONG8:
2439
19.7k
            break;
2440
0
        default:
2441
0
            return (TIFFReadDirEntryErrType);
2442
19.7k
    }
2443
19.7k
    err = TIFFReadDirEntryArrayWithLimit(tif, direntry, &count, 8, &origdata,
2444
19.7k
                                         maxcount);
2445
19.7k
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2446
0
    {
2447
0
        *value = 0;
2448
0
        return (err);
2449
0
    }
2450
19.7k
    switch (direntry->tdir_type)
2451
19.7k
    {
2452
0
        case TIFF_LONG8:
2453
0
            *value = (uint64_t *)origdata;
2454
0
            if (tif->tif_flags & TIFF_SWAB)
2455
0
                TIFFSwabArrayOfLong8(*value, count);
2456
0
            return (TIFFReadDirEntryErrOk);
2457
0
        case TIFF_SLONG8:
2458
0
        {
2459
0
            int64_t *m;
2460
0
            uint32_t n;
2461
0
            m = (int64_t *)origdata;
2462
0
            for (n = 0; n < count; n++)
2463
0
            {
2464
0
                if (tif->tif_flags & TIFF_SWAB)
2465
0
                    TIFFSwabLong8((uint64_t *)m);
2466
0
                err = TIFFReadDirEntryCheckRangeLong8Slong8(*m);
2467
0
                if (err != TIFFReadDirEntryErrOk)
2468
0
                {
2469
0
                    _TIFFfreeExt(tif, origdata);
2470
0
                    return (err);
2471
0
                }
2472
0
                m++;
2473
0
            }
2474
0
            *value = (uint64_t *)origdata;
2475
0
            return (TIFFReadDirEntryErrOk);
2476
0
        }
2477
19.7k
    }
2478
19.7k
    data = (uint64_t *)_TIFFmallocExt(tif, count * 8);
2479
19.7k
    if (data == 0)
2480
0
    {
2481
0
        _TIFFfreeExt(tif, origdata);
2482
0
        return (TIFFReadDirEntryErrAlloc);
2483
0
    }
2484
19.7k
    switch (direntry->tdir_type)
2485
19.7k
    {
2486
0
        case TIFF_BYTE:
2487
0
        {
2488
0
            uint8_t *ma;
2489
0
            uint64_t *mb;
2490
0
            uint32_t n;
2491
0
            ma = (uint8_t *)origdata;
2492
0
            mb = data;
2493
0
            for (n = 0; n < count; n++)
2494
0
                *mb++ = (uint64_t)(*ma++);
2495
0
        }
2496
0
        break;
2497
0
        case TIFF_SBYTE:
2498
0
        {
2499
0
            int8_t *ma;
2500
0
            uint64_t *mb;
2501
0
            uint32_t n;
2502
0
            ma = (int8_t *)origdata;
2503
0
            mb = data;
2504
0
            for (n = 0; n < count; n++)
2505
0
            {
2506
0
                err = TIFFReadDirEntryCheckRangeLong8Sbyte(*ma);
2507
0
                if (err != TIFFReadDirEntryErrOk)
2508
0
                    break;
2509
0
                *mb++ = (uint64_t)(*ma++);
2510
0
            }
2511
0
        }
2512
0
        break;
2513
0
        case TIFF_SHORT:
2514
0
        {
2515
0
            uint16_t *ma;
2516
0
            uint64_t *mb;
2517
0
            uint32_t n;
2518
0
            ma = (uint16_t *)origdata;
2519
0
            mb = data;
2520
0
            for (n = 0; n < count; n++)
2521
0
            {
2522
0
                if (tif->tif_flags & TIFF_SWAB)
2523
0
                    TIFFSwabShort(ma);
2524
0
                *mb++ = (uint64_t)(*ma++);
2525
0
            }
2526
0
        }
2527
0
        break;
2528
0
        case TIFF_SSHORT:
2529
0
        {
2530
0
            int16_t *ma;
2531
0
            uint64_t *mb;
2532
0
            uint32_t n;
2533
0
            ma = (int16_t *)origdata;
2534
0
            mb = data;
2535
0
            for (n = 0; n < count; n++)
2536
0
            {
2537
0
                if (tif->tif_flags & TIFF_SWAB)
2538
0
                    TIFFSwabShort((uint16_t *)ma);
2539
0
                err = TIFFReadDirEntryCheckRangeLong8Sshort(*ma);
2540
0
                if (err != TIFFReadDirEntryErrOk)
2541
0
                    break;
2542
0
                *mb++ = (uint64_t)(*ma++);
2543
0
            }
2544
0
        }
2545
0
        break;
2546
19.7k
        case TIFF_LONG:
2547
19.7k
        {
2548
19.7k
            uint32_t *ma;
2549
19.7k
            uint64_t *mb;
2550
19.7k
            uint32_t n;
2551
19.7k
            ma = (uint32_t *)origdata;
2552
19.7k
            mb = data;
2553
39.5k
            for (n = 0; n < count; n++)
2554
19.7k
            {
2555
19.7k
                if (tif->tif_flags & TIFF_SWAB)
2556
0
                    TIFFSwabLong(ma);
2557
19.7k
                *mb++ = (uint64_t)(*ma++);
2558
19.7k
            }
2559
19.7k
        }
2560
19.7k
        break;
2561
0
        case TIFF_SLONG:
2562
0
        {
2563
0
            int32_t *ma;
2564
0
            uint64_t *mb;
2565
0
            uint32_t n;
2566
0
            ma = (int32_t *)origdata;
2567
0
            mb = data;
2568
0
            for (n = 0; n < count; n++)
2569
0
            {
2570
0
                if (tif->tif_flags & TIFF_SWAB)
2571
0
                    TIFFSwabLong((uint32_t *)ma);
2572
0
                err = TIFFReadDirEntryCheckRangeLong8Slong(*ma);
2573
0
                if (err != TIFFReadDirEntryErrOk)
2574
0
                    break;
2575
0
                *mb++ = (uint64_t)(*ma++);
2576
0
            }
2577
0
        }
2578
0
        break;
2579
19.7k
    }
2580
19.7k
    _TIFFfreeExt(tif, origdata);
2581
19.7k
    if (err != TIFFReadDirEntryErrOk)
2582
0
    {
2583
0
        _TIFFfreeExt(tif, data);
2584
0
        return (err);
2585
0
    }
2586
19.7k
    *value = data;
2587
19.7k
    return (TIFFReadDirEntryErrOk);
2588
19.7k
}
2589
2590
static enum TIFFReadDirEntryErr
2591
TIFFReadDirEntryLong8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value)
2592
0
{
2593
0
    return TIFFReadDirEntryLong8ArrayWithLimit(tif, direntry, value,
2594
0
                                               ~((uint64_t)0));
2595
0
}
2596
2597
static enum TIFFReadDirEntryErr
2598
TIFFReadDirEntrySlong8Array(TIFF *tif, TIFFDirEntry *direntry, int64_t **value)
2599
0
{
2600
0
    enum TIFFReadDirEntryErr err;
2601
0
    uint32_t count;
2602
0
    void *origdata;
2603
0
    int64_t *data;
2604
0
    switch (direntry->tdir_type)
2605
0
    {
2606
0
        case TIFF_BYTE:
2607
0
        case TIFF_SBYTE:
2608
0
        case TIFF_SHORT:
2609
0
        case TIFF_SSHORT:
2610
0
        case TIFF_LONG:
2611
0
        case TIFF_SLONG:
2612
0
        case TIFF_LONG8:
2613
0
        case TIFF_SLONG8:
2614
0
            break;
2615
0
        default:
2616
0
            return (TIFFReadDirEntryErrType);
2617
0
    }
2618
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
2619
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2620
0
    {
2621
0
        *value = 0;
2622
0
        return (err);
2623
0
    }
2624
0
    switch (direntry->tdir_type)
2625
0
    {
2626
0
        case TIFF_LONG8:
2627
0
        {
2628
0
            uint64_t *m;
2629
0
            uint32_t n;
2630
0
            m = (uint64_t *)origdata;
2631
0
            for (n = 0; n < count; n++)
2632
0
            {
2633
0
                if (tif->tif_flags & TIFF_SWAB)
2634
0
                    TIFFSwabLong8(m);
2635
0
                err = TIFFReadDirEntryCheckRangeSlong8Long8(*m);
2636
0
                if (err != TIFFReadDirEntryErrOk)
2637
0
                {
2638
0
                    _TIFFfreeExt(tif, origdata);
2639
0
                    return (err);
2640
0
                }
2641
0
                m++;
2642
0
            }
2643
0
            *value = (int64_t *)origdata;
2644
0
            return (TIFFReadDirEntryErrOk);
2645
0
        }
2646
0
        case TIFF_SLONG8:
2647
0
            *value = (int64_t *)origdata;
2648
0
            if (tif->tif_flags & TIFF_SWAB)
2649
0
                TIFFSwabArrayOfLong8((uint64_t *)(*value), count);
2650
0
            return (TIFFReadDirEntryErrOk);
2651
0
    }
2652
0
    data = (int64_t *)_TIFFmallocExt(tif, count * 8);
2653
0
    if (data == 0)
2654
0
    {
2655
0
        _TIFFfreeExt(tif, origdata);
2656
0
        return (TIFFReadDirEntryErrAlloc);
2657
0
    }
2658
0
    switch (direntry->tdir_type)
2659
0
    {
2660
0
        case TIFF_BYTE:
2661
0
        {
2662
0
            uint8_t *ma;
2663
0
            int64_t *mb;
2664
0
            uint32_t n;
2665
0
            ma = (uint8_t *)origdata;
2666
0
            mb = data;
2667
0
            for (n = 0; n < count; n++)
2668
0
                *mb++ = (int64_t)(*ma++);
2669
0
        }
2670
0
        break;
2671
0
        case TIFF_SBYTE:
2672
0
        {
2673
0
            int8_t *ma;
2674
0
            int64_t *mb;
2675
0
            uint32_t n;
2676
0
            ma = (int8_t *)origdata;
2677
0
            mb = data;
2678
0
            for (n = 0; n < count; n++)
2679
0
                *mb++ = (int64_t)(*ma++);
2680
0
        }
2681
0
        break;
2682
0
        case TIFF_SHORT:
2683
0
        {
2684
0
            uint16_t *ma;
2685
0
            int64_t *mb;
2686
0
            uint32_t n;
2687
0
            ma = (uint16_t *)origdata;
2688
0
            mb = data;
2689
0
            for (n = 0; n < count; n++)
2690
0
            {
2691
0
                if (tif->tif_flags & TIFF_SWAB)
2692
0
                    TIFFSwabShort(ma);
2693
0
                *mb++ = (int64_t)(*ma++);
2694
0
            }
2695
0
        }
2696
0
        break;
2697
0
        case TIFF_SSHORT:
2698
0
        {
2699
0
            int16_t *ma;
2700
0
            int64_t *mb;
2701
0
            uint32_t n;
2702
0
            ma = (int16_t *)origdata;
2703
0
            mb = data;
2704
0
            for (n = 0; n < count; n++)
2705
0
            {
2706
0
                if (tif->tif_flags & TIFF_SWAB)
2707
0
                    TIFFSwabShort((uint16_t *)ma);
2708
0
                *mb++ = (int64_t)(*ma++);
2709
0
            }
2710
0
        }
2711
0
        break;
2712
0
        case TIFF_LONG:
2713
0
        {
2714
0
            uint32_t *ma;
2715
0
            int64_t *mb;
2716
0
            uint32_t n;
2717
0
            ma = (uint32_t *)origdata;
2718
0
            mb = data;
2719
0
            for (n = 0; n < count; n++)
2720
0
            {
2721
0
                if (tif->tif_flags & TIFF_SWAB)
2722
0
                    TIFFSwabLong(ma);
2723
0
                *mb++ = (int64_t)(*ma++);
2724
0
            }
2725
0
        }
2726
0
        break;
2727
0
        case TIFF_SLONG:
2728
0
        {
2729
0
            int32_t *ma;
2730
0
            int64_t *mb;
2731
0
            uint32_t n;
2732
0
            ma = (int32_t *)origdata;
2733
0
            mb = data;
2734
0
            for (n = 0; n < count; n++)
2735
0
            {
2736
0
                if (tif->tif_flags & TIFF_SWAB)
2737
0
                    TIFFSwabLong((uint32_t *)ma);
2738
0
                *mb++ = (int64_t)(*ma++);
2739
0
            }
2740
0
        }
2741
0
        break;
2742
0
    }
2743
0
    _TIFFfreeExt(tif, origdata);
2744
0
    *value = data;
2745
0
    return (TIFFReadDirEntryErrOk);
2746
0
}
2747
2748
static enum TIFFReadDirEntryErr
2749
TIFFReadDirEntryFloatArray(TIFF *tif, TIFFDirEntry *direntry, float **value)
2750
0
{
2751
0
    enum TIFFReadDirEntryErr err;
2752
0
    uint32_t count;
2753
0
    void *origdata;
2754
0
    float *data;
2755
0
    switch (direntry->tdir_type)
2756
0
    {
2757
0
        case TIFF_BYTE:
2758
0
        case TIFF_SBYTE:
2759
0
        case TIFF_SHORT:
2760
0
        case TIFF_SSHORT:
2761
0
        case TIFF_LONG:
2762
0
        case TIFF_SLONG:
2763
0
        case TIFF_LONG8:
2764
0
        case TIFF_SLONG8:
2765
0
        case TIFF_RATIONAL:
2766
0
        case TIFF_SRATIONAL:
2767
0
        case TIFF_FLOAT:
2768
0
        case TIFF_DOUBLE:
2769
0
            break;
2770
0
        default:
2771
0
            return (TIFFReadDirEntryErrType);
2772
0
    }
2773
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 4, &origdata);
2774
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
2775
0
    {
2776
0
        *value = 0;
2777
0
        return (err);
2778
0
    }
2779
0
    switch (direntry->tdir_type)
2780
0
    {
2781
0
        case TIFF_FLOAT:
2782
0
            if (tif->tif_flags & TIFF_SWAB)
2783
0
                TIFFSwabArrayOfLong((uint32_t *)origdata, count);
2784
0
            TIFFCvtIEEEDoubleToNative(tif, count, (float *)origdata);
2785
0
            *value = (float *)origdata;
2786
0
            return (TIFFReadDirEntryErrOk);
2787
0
    }
2788
0
    data = (float *)_TIFFmallocExt(tif, count * sizeof(float));
2789
0
    if (data == 0)
2790
0
    {
2791
0
        _TIFFfreeExt(tif, origdata);
2792
0
        return (TIFFReadDirEntryErrAlloc);
2793
0
    }
2794
0
    switch (direntry->tdir_type)
2795
0
    {
2796
0
        case TIFF_BYTE:
2797
0
        {
2798
0
            uint8_t *ma;
2799
0
            float *mb;
2800
0
            uint32_t n;
2801
0
            ma = (uint8_t *)origdata;
2802
0
            mb = data;
2803
0
            for (n = 0; n < count; n++)
2804
0
                *mb++ = (float)(*ma++);
2805
0
        }
2806
0
        break;
2807
0
        case TIFF_SBYTE:
2808
0
        {
2809
0
            int8_t *ma;
2810
0
            float *mb;
2811
0
            uint32_t n;
2812
0
            ma = (int8_t *)origdata;
2813
0
            mb = data;
2814
0
            for (n = 0; n < count; n++)
2815
0
                *mb++ = (float)(*ma++);
2816
0
        }
2817
0
        break;
2818
0
        case TIFF_SHORT:
2819
0
        {
2820
0
            uint16_t *ma;
2821
0
            float *mb;
2822
0
            uint32_t n;
2823
0
            ma = (uint16_t *)origdata;
2824
0
            mb = data;
2825
0
            for (n = 0; n < count; n++)
2826
0
            {
2827
0
                if (tif->tif_flags & TIFF_SWAB)
2828
0
                    TIFFSwabShort(ma);
2829
0
                *mb++ = (float)(*ma++);
2830
0
            }
2831
0
        }
2832
0
        break;
2833
0
        case TIFF_SSHORT:
2834
0
        {
2835
0
            int16_t *ma;
2836
0
            float *mb;
2837
0
            uint32_t n;
2838
0
            ma = (int16_t *)origdata;
2839
0
            mb = data;
2840
0
            for (n = 0; n < count; n++)
2841
0
            {
2842
0
                if (tif->tif_flags & TIFF_SWAB)
2843
0
                    TIFFSwabShort((uint16_t *)ma);
2844
0
                *mb++ = (float)(*ma++);
2845
0
            }
2846
0
        }
2847
0
        break;
2848
0
        case TIFF_LONG:
2849
0
        {
2850
0
            uint32_t *ma;
2851
0
            float *mb;
2852
0
            uint32_t n;
2853
0
            ma = (uint32_t *)origdata;
2854
0
            mb = data;
2855
0
            for (n = 0; n < count; n++)
2856
0
            {
2857
0
                if (tif->tif_flags & TIFF_SWAB)
2858
0
                    TIFFSwabLong(ma);
2859
0
                *mb++ = (float)(*ma++);
2860
0
            }
2861
0
        }
2862
0
        break;
2863
0
        case TIFF_SLONG:
2864
0
        {
2865
0
            int32_t *ma;
2866
0
            float *mb;
2867
0
            uint32_t n;
2868
0
            ma = (int32_t *)origdata;
2869
0
            mb = data;
2870
0
            for (n = 0; n < count; n++)
2871
0
            {
2872
0
                if (tif->tif_flags & TIFF_SWAB)
2873
0
                    TIFFSwabLong((uint32_t *)ma);
2874
0
                *mb++ = (float)(*ma++);
2875
0
            }
2876
0
        }
2877
0
        break;
2878
0
        case TIFF_LONG8:
2879
0
        {
2880
0
            uint64_t *ma;
2881
0
            float *mb;
2882
0
            uint32_t n;
2883
0
            ma = (uint64_t *)origdata;
2884
0
            mb = data;
2885
0
            for (n = 0; n < count; n++)
2886
0
            {
2887
0
                if (tif->tif_flags & TIFF_SWAB)
2888
0
                    TIFFSwabLong8(ma);
2889
0
                *mb++ = (float)(*ma++);
2890
0
            }
2891
0
        }
2892
0
        break;
2893
0
        case TIFF_SLONG8:
2894
0
        {
2895
0
            int64_t *ma;
2896
0
            float *mb;
2897
0
            uint32_t n;
2898
0
            ma = (int64_t *)origdata;
2899
0
            mb = data;
2900
0
            for (n = 0; n < count; n++)
2901
0
            {
2902
0
                if (tif->tif_flags & TIFF_SWAB)
2903
0
                    TIFFSwabLong8((uint64_t *)ma);
2904
0
                *mb++ = (float)(*ma++);
2905
0
            }
2906
0
        }
2907
0
        break;
2908
0
        case TIFF_RATIONAL:
2909
0
        {
2910
0
            uint32_t *ma;
2911
0
            uint32_t maa;
2912
0
            uint32_t mab;
2913
0
            float *mb;
2914
0
            uint32_t n;
2915
0
            ma = (uint32_t *)origdata;
2916
0
            mb = data;
2917
0
            for (n = 0; n < count; n++)
2918
0
            {
2919
0
                if (tif->tif_flags & TIFF_SWAB)
2920
0
                    TIFFSwabLong(ma);
2921
0
                maa = *ma++;
2922
0
                if (tif->tif_flags & TIFF_SWAB)
2923
0
                    TIFFSwabLong(ma);
2924
0
                mab = *ma++;
2925
0
                if (mab == 0)
2926
0
                    *mb++ = 0.0;
2927
0
                else
2928
0
                    *mb++ = (float)maa / (float)mab;
2929
0
            }
2930
0
        }
2931
0
        break;
2932
0
        case TIFF_SRATIONAL:
2933
0
        {
2934
0
            uint32_t *ma;
2935
0
            int32_t maa;
2936
0
            uint32_t mab;
2937
0
            float *mb;
2938
0
            uint32_t n;
2939
0
            ma = (uint32_t *)origdata;
2940
0
            mb = data;
2941
0
            for (n = 0; n < count; n++)
2942
0
            {
2943
0
                if (tif->tif_flags & TIFF_SWAB)
2944
0
                    TIFFSwabLong(ma);
2945
0
                maa = *(int32_t *)ma;
2946
0
                ma++;
2947
0
                if (tif->tif_flags & TIFF_SWAB)
2948
0
                    TIFFSwabLong(ma);
2949
0
                mab = *ma++;
2950
0
                if (mab == 0)
2951
0
                    *mb++ = 0.0;
2952
0
                else
2953
0
                    *mb++ = (float)maa / (float)mab;
2954
0
            }
2955
0
        }
2956
0
        break;
2957
0
        case TIFF_DOUBLE:
2958
0
        {
2959
0
            double *ma;
2960
0
            float *mb;
2961
0
            uint32_t n;
2962
0
            if (tif->tif_flags & TIFF_SWAB)
2963
0
                TIFFSwabArrayOfLong8((uint64_t *)origdata, count);
2964
0
            TIFFCvtIEEEDoubleToNative(tif, count, (double *)origdata);
2965
0
            ma = (double *)origdata;
2966
0
            mb = data;
2967
0
            for (n = 0; n < count; n++)
2968
0
            {
2969
0
                double val = *ma++;
2970
0
                if (val > FLT_MAX)
2971
0
                    val = FLT_MAX;
2972
0
                else if (val < -FLT_MAX)
2973
0
                    val = -FLT_MAX;
2974
0
                *mb++ = (float)val;
2975
0
            }
2976
0
        }
2977
0
        break;
2978
0
    }
2979
0
    _TIFFfreeExt(tif, origdata);
2980
0
    *value = data;
2981
0
    return (TIFFReadDirEntryErrOk);
2982
0
}
2983
2984
static enum TIFFReadDirEntryErr
2985
TIFFReadDirEntryDoubleArray(TIFF *tif, TIFFDirEntry *direntry, double **value)
2986
0
{
2987
0
    enum TIFFReadDirEntryErr err;
2988
0
    uint32_t count;
2989
0
    void *origdata;
2990
0
    double *data;
2991
0
    switch (direntry->tdir_type)
2992
0
    {
2993
0
        case TIFF_BYTE:
2994
0
        case TIFF_SBYTE:
2995
0
        case TIFF_SHORT:
2996
0
        case TIFF_SSHORT:
2997
0
        case TIFF_LONG:
2998
0
        case TIFF_SLONG:
2999
0
        case TIFF_LONG8:
3000
0
        case TIFF_SLONG8:
3001
0
        case TIFF_RATIONAL:
3002
0
        case TIFF_SRATIONAL:
3003
0
        case TIFF_FLOAT:
3004
0
        case TIFF_DOUBLE:
3005
0
            break;
3006
0
        default:
3007
0
            return (TIFFReadDirEntryErrType);
3008
0
    }
3009
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
3010
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
3011
0
    {
3012
0
        *value = 0;
3013
0
        return (err);
3014
0
    }
3015
0
    switch (direntry->tdir_type)
3016
0
    {
3017
0
        case TIFF_DOUBLE:
3018
0
            if (tif->tif_flags & TIFF_SWAB)
3019
0
                TIFFSwabArrayOfLong8((uint64_t *)origdata, count);
3020
0
            TIFFCvtIEEEDoubleToNative(tif, count, (double *)origdata);
3021
0
            *value = (double *)origdata;
3022
0
            return (TIFFReadDirEntryErrOk);
3023
0
    }
3024
0
    data = (double *)_TIFFmallocExt(tif, count * sizeof(double));
3025
0
    if (data == 0)
3026
0
    {
3027
0
        _TIFFfreeExt(tif, origdata);
3028
0
        return (TIFFReadDirEntryErrAlloc);
3029
0
    }
3030
0
    switch (direntry->tdir_type)
3031
0
    {
3032
0
        case TIFF_BYTE:
3033
0
        {
3034
0
            uint8_t *ma;
3035
0
            double *mb;
3036
0
            uint32_t n;
3037
0
            ma = (uint8_t *)origdata;
3038
0
            mb = data;
3039
0
            for (n = 0; n < count; n++)
3040
0
                *mb++ = (double)(*ma++);
3041
0
        }
3042
0
        break;
3043
0
        case TIFF_SBYTE:
3044
0
        {
3045
0
            int8_t *ma;
3046
0
            double *mb;
3047
0
            uint32_t n;
3048
0
            ma = (int8_t *)origdata;
3049
0
            mb = data;
3050
0
            for (n = 0; n < count; n++)
3051
0
                *mb++ = (double)(*ma++);
3052
0
        }
3053
0
        break;
3054
0
        case TIFF_SHORT:
3055
0
        {
3056
0
            uint16_t *ma;
3057
0
            double *mb;
3058
0
            uint32_t n;
3059
0
            ma = (uint16_t *)origdata;
3060
0
            mb = data;
3061
0
            for (n = 0; n < count; n++)
3062
0
            {
3063
0
                if (tif->tif_flags & TIFF_SWAB)
3064
0
                    TIFFSwabShort(ma);
3065
0
                *mb++ = (double)(*ma++);
3066
0
            }
3067
0
        }
3068
0
        break;
3069
0
        case TIFF_SSHORT:
3070
0
        {
3071
0
            int16_t *ma;
3072
0
            double *mb;
3073
0
            uint32_t n;
3074
0
            ma = (int16_t *)origdata;
3075
0
            mb = data;
3076
0
            for (n = 0; n < count; n++)
3077
0
            {
3078
0
                if (tif->tif_flags & TIFF_SWAB)
3079
0
                    TIFFSwabShort((uint16_t *)ma);
3080
0
                *mb++ = (double)(*ma++);
3081
0
            }
3082
0
        }
3083
0
        break;
3084
0
        case TIFF_LONG:
3085
0
        {
3086
0
            uint32_t *ma;
3087
0
            double *mb;
3088
0
            uint32_t n;
3089
0
            ma = (uint32_t *)origdata;
3090
0
            mb = data;
3091
0
            for (n = 0; n < count; n++)
3092
0
            {
3093
0
                if (tif->tif_flags & TIFF_SWAB)
3094
0
                    TIFFSwabLong(ma);
3095
0
                *mb++ = (double)(*ma++);
3096
0
            }
3097
0
        }
3098
0
        break;
3099
0
        case TIFF_SLONG:
3100
0
        {
3101
0
            int32_t *ma;
3102
0
            double *mb;
3103
0
            uint32_t n;
3104
0
            ma = (int32_t *)origdata;
3105
0
            mb = data;
3106
0
            for (n = 0; n < count; n++)
3107
0
            {
3108
0
                if (tif->tif_flags & TIFF_SWAB)
3109
0
                    TIFFSwabLong((uint32_t *)ma);
3110
0
                *mb++ = (double)(*ma++);
3111
0
            }
3112
0
        }
3113
0
        break;
3114
0
        case TIFF_LONG8:
3115
0
        {
3116
0
            uint64_t *ma;
3117
0
            double *mb;
3118
0
            uint32_t n;
3119
0
            ma = (uint64_t *)origdata;
3120
0
            mb = data;
3121
0
            for (n = 0; n < count; n++)
3122
0
            {
3123
0
                if (tif->tif_flags & TIFF_SWAB)
3124
0
                    TIFFSwabLong8(ma);
3125
0
                *mb++ = (double)(*ma++);
3126
0
            }
3127
0
        }
3128
0
        break;
3129
0
        case TIFF_SLONG8:
3130
0
        {
3131
0
            int64_t *ma;
3132
0
            double *mb;
3133
0
            uint32_t n;
3134
0
            ma = (int64_t *)origdata;
3135
0
            mb = data;
3136
0
            for (n = 0; n < count; n++)
3137
0
            {
3138
0
                if (tif->tif_flags & TIFF_SWAB)
3139
0
                    TIFFSwabLong8((uint64_t *)ma);
3140
0
                *mb++ = (double)(*ma++);
3141
0
            }
3142
0
        }
3143
0
        break;
3144
0
        case TIFF_RATIONAL:
3145
0
        {
3146
0
            uint32_t *ma;
3147
0
            uint32_t maa;
3148
0
            uint32_t mab;
3149
0
            double *mb;
3150
0
            uint32_t n;
3151
0
            ma = (uint32_t *)origdata;
3152
0
            mb = data;
3153
0
            for (n = 0; n < count; n++)
3154
0
            {
3155
0
                if (tif->tif_flags & TIFF_SWAB)
3156
0
                    TIFFSwabLong(ma);
3157
0
                maa = *ma++;
3158
0
                if (tif->tif_flags & TIFF_SWAB)
3159
0
                    TIFFSwabLong(ma);
3160
0
                mab = *ma++;
3161
0
                if (mab == 0)
3162
0
                    *mb++ = 0.0;
3163
0
                else
3164
0
                    *mb++ = (double)maa / (double)mab;
3165
0
            }
3166
0
        }
3167
0
        break;
3168
0
        case TIFF_SRATIONAL:
3169
0
        {
3170
0
            uint32_t *ma;
3171
0
            int32_t maa;
3172
0
            uint32_t mab;
3173
0
            double *mb;
3174
0
            uint32_t n;
3175
0
            ma = (uint32_t *)origdata;
3176
0
            mb = data;
3177
0
            for (n = 0; n < count; n++)
3178
0
            {
3179
0
                if (tif->tif_flags & TIFF_SWAB)
3180
0
                    TIFFSwabLong(ma);
3181
0
                maa = *(int32_t *)ma;
3182
0
                ma++;
3183
0
                if (tif->tif_flags & TIFF_SWAB)
3184
0
                    TIFFSwabLong(ma);
3185
0
                mab = *ma++;
3186
0
                if (mab == 0)
3187
0
                    *mb++ = 0.0;
3188
0
                else
3189
0
                    *mb++ = (double)maa / (double)mab;
3190
0
            }
3191
0
        }
3192
0
        break;
3193
0
        case TIFF_FLOAT:
3194
0
        {
3195
0
            float *ma;
3196
0
            double *mb;
3197
0
            uint32_t n;
3198
0
            if (tif->tif_flags & TIFF_SWAB)
3199
0
                TIFFSwabArrayOfLong((uint32_t *)origdata, count);
3200
0
            TIFFCvtIEEEFloatToNative(tif, count, (float *)origdata);
3201
0
            ma = (float *)origdata;
3202
0
            mb = data;
3203
0
            for (n = 0; n < count; n++)
3204
0
                *mb++ = (double)(*ma++);
3205
0
        }
3206
0
        break;
3207
0
    }
3208
0
    _TIFFfreeExt(tif, origdata);
3209
0
    *value = data;
3210
0
    return (TIFFReadDirEntryErrOk);
3211
0
}
3212
3213
static enum TIFFReadDirEntryErr
3214
TIFFReadDirEntryIfd8Array(TIFF *tif, TIFFDirEntry *direntry, uint64_t **value)
3215
0
{
3216
0
    enum TIFFReadDirEntryErr err;
3217
0
    uint32_t count;
3218
0
    void *origdata;
3219
0
    uint64_t *data;
3220
0
    switch (direntry->tdir_type)
3221
0
    {
3222
0
        case TIFF_LONG:
3223
0
        case TIFF_LONG8:
3224
0
        case TIFF_IFD:
3225
0
        case TIFF_IFD8:
3226
0
            break;
3227
0
        default:
3228
0
            return (TIFFReadDirEntryErrType);
3229
0
    }
3230
0
    err = TIFFReadDirEntryArray(tif, direntry, &count, 8, &origdata);
3231
0
    if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
3232
0
    {
3233
0
        *value = 0;
3234
0
        return (err);
3235
0
    }
3236
0
    switch (direntry->tdir_type)
3237
0
    {
3238
0
        case TIFF_LONG8:
3239
0
        case TIFF_IFD8:
3240
0
            *value = (uint64_t *)origdata;
3241
0
            if (tif->tif_flags & TIFF_SWAB)
3242
0
                TIFFSwabArrayOfLong8(*value, count);
3243
0
            return (TIFFReadDirEntryErrOk);
3244
0
    }
3245
0
    data = (uint64_t *)_TIFFmallocExt(tif, count * 8);
3246
0
    if (data == 0)
3247
0
    {
3248
0
        _TIFFfreeExt(tif, origdata);
3249
0
        return (TIFFReadDirEntryErrAlloc);
3250
0
    }
3251
0
    switch (direntry->tdir_type)
3252
0
    {
3253
0
        case TIFF_LONG:
3254
0
        case TIFF_IFD:
3255
0
        {
3256
0
            uint32_t *ma;
3257
0
            uint64_t *mb;
3258
0
            uint32_t n;
3259
0
            ma = (uint32_t *)origdata;
3260
0
            mb = data;
3261
0
            for (n = 0; n < count; n++)
3262
0
            {
3263
0
                if (tif->tif_flags & TIFF_SWAB)
3264
0
                    TIFFSwabLong(ma);
3265
0
                *mb++ = (uint64_t)(*ma++);
3266
0
            }
3267
0
        }
3268
0
        break;
3269
0
    }
3270
0
    _TIFFfreeExt(tif, origdata);
3271
0
    *value = data;
3272
0
    return (TIFFReadDirEntryErrOk);
3273
0
}
3274
3275
static enum TIFFReadDirEntryErr
3276
TIFFReadDirEntryPersampleShort(TIFF *tif, TIFFDirEntry *direntry,
3277
                               uint16_t *value)
3278
0
{
3279
0
    enum TIFFReadDirEntryErr err;
3280
0
    uint16_t *m;
3281
0
    uint16_t *na;
3282
0
    uint16_t nb;
3283
0
    if (direntry->tdir_count < (uint64_t)tif->tif_dir.td_samplesperpixel)
3284
0
        return (TIFFReadDirEntryErrCount);
3285
0
    err = TIFFReadDirEntryShortArray(tif, direntry, &m);
3286
0
    if (err != TIFFReadDirEntryErrOk || m == NULL)
3287
0
        return (err);
3288
0
    na = m;
3289
0
    nb = tif->tif_dir.td_samplesperpixel;
3290
0
    *value = *na++;
3291
0
    nb--;
3292
0
    while (nb > 0)
3293
0
    {
3294
0
        if (*na++ != *value)
3295
0
        {
3296
0
            err = TIFFReadDirEntryErrPsdif;
3297
0
            break;
3298
0
        }
3299
0
        nb--;
3300
0
    }
3301
0
    _TIFFfreeExt(tif, m);
3302
0
    return (err);
3303
0
}
3304
3305
static void TIFFReadDirEntryCheckedByte(TIFF *tif, TIFFDirEntry *direntry,
3306
                                        uint8_t *value)
3307
0
{
3308
0
    (void)tif;
3309
0
    *value = *(uint8_t *)(&direntry->tdir_offset);
3310
0
}
3311
3312
static void TIFFReadDirEntryCheckedSbyte(TIFF *tif, TIFFDirEntry *direntry,
3313
                                         int8_t *value)
3314
0
{
3315
0
    (void)tif;
3316
0
    *value = *(int8_t *)(&direntry->tdir_offset);
3317
0
}
3318
3319
static void TIFFReadDirEntryCheckedShort(TIFF *tif, TIFFDirEntry *direntry,
3320
                                         uint16_t *value)
3321
98.9k
{
3322
98.9k
    *value = direntry->tdir_offset.toff_short;
3323
    /* *value=*(uint16_t*)(&direntry->tdir_offset); */
3324
98.9k
    if (tif->tif_flags & TIFF_SWAB)
3325
0
        TIFFSwabShort(value);
3326
98.9k
}
3327
3328
static void TIFFReadDirEntryCheckedSshort(TIFF *tif, TIFFDirEntry *direntry,
3329
                                          int16_t *value)
3330
0
{
3331
0
    *value = *(int16_t *)(&direntry->tdir_offset);
3332
0
    if (tif->tif_flags & TIFF_SWAB)
3333
0
        TIFFSwabShort((uint16_t *)value);
3334
0
}
3335
3336
static void TIFFReadDirEntryCheckedLong(TIFF *tif, TIFFDirEntry *direntry,
3337
                                        uint32_t *value)
3338
0
{
3339
0
    *value = *(uint32_t *)(&direntry->tdir_offset);
3340
0
    if (tif->tif_flags & TIFF_SWAB)
3341
0
        TIFFSwabLong(value);
3342
0
}
3343
3344
static void TIFFReadDirEntryCheckedSlong(TIFF *tif, TIFFDirEntry *direntry,
3345
                                         int32_t *value)
3346
0
{
3347
0
    *value = *(int32_t *)(&direntry->tdir_offset);
3348
0
    if (tif->tif_flags & TIFF_SWAB)
3349
0
        TIFFSwabLong((uint32_t *)value);
3350
0
}
3351
3352
static enum TIFFReadDirEntryErr
3353
TIFFReadDirEntryCheckedLong8(TIFF *tif, TIFFDirEntry *direntry, uint64_t *value)
3354
0
{
3355
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3356
0
    {
3357
0
        enum TIFFReadDirEntryErr err;
3358
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3359
0
        if (tif->tif_flags & TIFF_SWAB)
3360
0
            TIFFSwabLong(&offset);
3361
0
        err = TIFFReadDirEntryData(tif, offset, 8, value);
3362
0
        if (err != TIFFReadDirEntryErrOk)
3363
0
            return (err);
3364
0
    }
3365
0
    else
3366
0
        *value = direntry->tdir_offset.toff_long8;
3367
0
    if (tif->tif_flags & TIFF_SWAB)
3368
0
        TIFFSwabLong8(value);
3369
0
    return (TIFFReadDirEntryErrOk);
3370
0
}
3371
3372
static enum TIFFReadDirEntryErr
3373
TIFFReadDirEntryCheckedSlong8(TIFF *tif, TIFFDirEntry *direntry, int64_t *value)
3374
0
{
3375
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3376
0
    {
3377
0
        enum TIFFReadDirEntryErr err;
3378
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3379
0
        if (tif->tif_flags & TIFF_SWAB)
3380
0
            TIFFSwabLong(&offset);
3381
0
        err = TIFFReadDirEntryData(tif, offset, 8, value);
3382
0
        if (err != TIFFReadDirEntryErrOk)
3383
0
            return (err);
3384
0
    }
3385
0
    else
3386
0
        *value = *(int64_t *)(&direntry->tdir_offset);
3387
0
    if (tif->tif_flags & TIFF_SWAB)
3388
0
        TIFFSwabLong8((uint64_t *)value);
3389
0
    return (TIFFReadDirEntryErrOk);
3390
0
}
3391
3392
static enum TIFFReadDirEntryErr
3393
TIFFReadDirEntryCheckedRational(TIFF *tif, TIFFDirEntry *direntry,
3394
                                double *value)
3395
19.7k
{
3396
19.7k
    UInt64Aligned_t m;
3397
3398
19.7k
    assert(sizeof(double) == 8);
3399
19.7k
    assert(sizeof(uint64_t) == 8);
3400
19.7k
    assert(sizeof(uint32_t) == 4);
3401
19.7k
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3402
19.7k
    {
3403
19.7k
        enum TIFFReadDirEntryErr err;
3404
19.7k
        uint32_t offset = direntry->tdir_offset.toff_long;
3405
19.7k
        if (tif->tif_flags & TIFF_SWAB)
3406
0
            TIFFSwabLong(&offset);
3407
19.7k
        err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3408
19.7k
        if (err != TIFFReadDirEntryErrOk)
3409
0
            return (err);
3410
19.7k
    }
3411
0
    else
3412
0
        m.l = direntry->tdir_offset.toff_long8;
3413
19.7k
    if (tif->tif_flags & TIFF_SWAB)
3414
0
        TIFFSwabArrayOfLong(m.i, 2);
3415
    /* Not completely sure what we should do when m.i[1]==0, but some */
3416
    /* sanitizers do not like division by 0.0: */
3417
    /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3418
19.7k
    if (m.i[0] == 0 || m.i[1] == 0)
3419
0
        *value = 0.0;
3420
19.7k
    else
3421
19.7k
        *value = (double)m.i[0] / (double)m.i[1];
3422
19.7k
    return (TIFFReadDirEntryErrOk);
3423
19.7k
}
3424
3425
static enum TIFFReadDirEntryErr
3426
TIFFReadDirEntryCheckedSrational(TIFF *tif, TIFFDirEntry *direntry,
3427
                                 double *value)
3428
0
{
3429
0
    UInt64Aligned_t m;
3430
0
    assert(sizeof(double) == 8);
3431
0
    assert(sizeof(uint64_t) == 8);
3432
0
    assert(sizeof(int32_t) == 4);
3433
0
    assert(sizeof(uint32_t) == 4);
3434
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3435
0
    {
3436
0
        enum TIFFReadDirEntryErr err;
3437
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3438
0
        if (tif->tif_flags & TIFF_SWAB)
3439
0
            TIFFSwabLong(&offset);
3440
0
        err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3441
0
        if (err != TIFFReadDirEntryErrOk)
3442
0
            return (err);
3443
0
    }
3444
0
    else
3445
0
        m.l = direntry->tdir_offset.toff_long8;
3446
0
    if (tif->tif_flags & TIFF_SWAB)
3447
0
        TIFFSwabArrayOfLong(m.i, 2);
3448
    /* Not completely sure what we should do when m.i[1]==0, but some */
3449
    /* sanitizers do not like division by 0.0: */
3450
    /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
3451
0
    if ((int32_t)m.i[0] == 0 || m.i[1] == 0)
3452
0
        *value = 0.0;
3453
0
    else
3454
0
        *value = (double)((int32_t)m.i[0]) / (double)m.i[1];
3455
0
    return (TIFFReadDirEntryErrOk);
3456
0
}
3457
3458
#if 0
3459
static enum TIFFReadDirEntryErr
3460
TIFFReadDirEntryCheckedRationalDirect(TIFF *tif, TIFFDirEntry *direntry,
3461
                                      TIFFRational_t *value)
3462
{ /*--: SetGetRATIONAL_directly:_CustomTag: Read rational (and signed rationals)
3463
     directly --*/
3464
    UInt64Aligned_t m;
3465
3466
    assert(sizeof(double) == 8);
3467
    assert(sizeof(uint64_t) == 8);
3468
    assert(sizeof(uint32_t) == 4);
3469
3470
    if (direntry->tdir_count != 1)
3471
        return (TIFFReadDirEntryErrCount);
3472
3473
    if (direntry->tdir_type != TIFF_RATIONAL &&
3474
        direntry->tdir_type != TIFF_SRATIONAL)
3475
        return (TIFFReadDirEntryErrType);
3476
3477
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3478
    {
3479
        enum TIFFReadDirEntryErr err;
3480
        uint32_t offset = direntry->tdir_offset.toff_long;
3481
        if (tif->tif_flags & TIFF_SWAB)
3482
            TIFFSwabLong(&offset);
3483
        err = TIFFReadDirEntryData(tif, offset, 8, m.i);
3484
        if (err != TIFFReadDirEntryErrOk)
3485
            return (err);
3486
    }
3487
    else
3488
    {
3489
        m.l = direntry->tdir_offset.toff_long8;
3490
    }
3491
3492
    if (tif->tif_flags & TIFF_SWAB)
3493
        TIFFSwabArrayOfLong(m.i, 2);
3494
3495
    value->uNum = m.i[0];
3496
    value->uDenom = m.i[1];
3497
    return (TIFFReadDirEntryErrOk);
3498
} /*-- TIFFReadDirEntryCheckedRationalDirect() --*/
3499
#endif
3500
3501
static void TIFFReadDirEntryCheckedFloat(TIFF *tif, TIFFDirEntry *direntry,
3502
                                         float *value)
3503
0
{
3504
0
    union
3505
0
    {
3506
0
        float f;
3507
0
        uint32_t i;
3508
0
    } float_union;
3509
0
    assert(sizeof(float) == 4);
3510
0
    assert(sizeof(uint32_t) == 4);
3511
0
    assert(sizeof(float_union) == 4);
3512
0
    float_union.i = *(uint32_t *)(&direntry->tdir_offset);
3513
0
    *value = float_union.f;
3514
0
    if (tif->tif_flags & TIFF_SWAB)
3515
0
        TIFFSwabLong((uint32_t *)value);
3516
0
}
3517
3518
static enum TIFFReadDirEntryErr
3519
TIFFReadDirEntryCheckedDouble(TIFF *tif, TIFFDirEntry *direntry, double *value)
3520
0
{
3521
0
    assert(sizeof(double) == 8);
3522
0
    assert(sizeof(uint64_t) == 8);
3523
0
    assert(sizeof(UInt64Aligned_t) == 8);
3524
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
3525
0
    {
3526
0
        enum TIFFReadDirEntryErr err;
3527
0
        uint32_t offset = direntry->tdir_offset.toff_long;
3528
0
        if (tif->tif_flags & TIFF_SWAB)
3529
0
            TIFFSwabLong(&offset);
3530
0
        err = TIFFReadDirEntryData(tif, offset, 8, value);
3531
0
        if (err != TIFFReadDirEntryErrOk)
3532
0
            return (err);
3533
0
    }
3534
0
    else
3535
0
    {
3536
0
        UInt64Aligned_t uint64_union;
3537
0
        uint64_union.l = direntry->tdir_offset.toff_long8;
3538
0
        *value = uint64_union.d;
3539
0
    }
3540
0
    if (tif->tif_flags & TIFF_SWAB)
3541
0
        TIFFSwabLong8((uint64_t *)value);
3542
0
    return (TIFFReadDirEntryErrOk);
3543
0
}
3544
3545
static enum TIFFReadDirEntryErr
3546
TIFFReadDirEntryCheckRangeByteSbyte(int8_t value)
3547
0
{
3548
0
    if (value < 0)
3549
0
        return (TIFFReadDirEntryErrRange);
3550
0
    else
3551
0
        return (TIFFReadDirEntryErrOk);
3552
0
}
3553
3554
static enum TIFFReadDirEntryErr
3555
TIFFReadDirEntryCheckRangeByteShort(uint16_t value)
3556
0
{
3557
0
    if (value > 0xFF)
3558
0
        return (TIFFReadDirEntryErrRange);
3559
0
    else
3560
0
        return (TIFFReadDirEntryErrOk);
3561
0
}
3562
3563
static enum TIFFReadDirEntryErr
3564
TIFFReadDirEntryCheckRangeByteSshort(int16_t value)
3565
0
{
3566
0
    if ((value < 0) || (value > 0xFF))
3567
0
        return (TIFFReadDirEntryErrRange);
3568
0
    else
3569
0
        return (TIFFReadDirEntryErrOk);
3570
0
}
3571
3572
static enum TIFFReadDirEntryErr
3573
TIFFReadDirEntryCheckRangeByteLong(uint32_t value)
3574
0
{
3575
0
    if (value > 0xFF)
3576
0
        return (TIFFReadDirEntryErrRange);
3577
0
    else
3578
0
        return (TIFFReadDirEntryErrOk);
3579
0
}
3580
3581
static enum TIFFReadDirEntryErr
3582
TIFFReadDirEntryCheckRangeByteSlong(int32_t value)
3583
0
{
3584
0
    if ((value < 0) || (value > 0xFF))
3585
0
        return (TIFFReadDirEntryErrRange);
3586
0
    else
3587
0
        return (TIFFReadDirEntryErrOk);
3588
0
}
3589
3590
static enum TIFFReadDirEntryErr
3591
TIFFReadDirEntryCheckRangeByteLong8(uint64_t value)
3592
0
{
3593
0
    if (value > 0xFF)
3594
0
        return (TIFFReadDirEntryErrRange);
3595
0
    else
3596
0
        return (TIFFReadDirEntryErrOk);
3597
0
}
3598
3599
static enum TIFFReadDirEntryErr
3600
TIFFReadDirEntryCheckRangeByteSlong8(int64_t value)
3601
0
{
3602
0
    if ((value < 0) || (value > 0xFF))
3603
0
        return (TIFFReadDirEntryErrRange);
3604
0
    else
3605
0
        return (TIFFReadDirEntryErrOk);
3606
0
}
3607
3608
static enum TIFFReadDirEntryErr
3609
TIFFReadDirEntryCheckRangeSbyteByte(uint8_t value)
3610
0
{
3611
0
    if (value > 0x7F)
3612
0
        return (TIFFReadDirEntryErrRange);
3613
0
    else
3614
0
        return (TIFFReadDirEntryErrOk);
3615
0
}
3616
3617
static enum TIFFReadDirEntryErr
3618
TIFFReadDirEntryCheckRangeSbyteShort(uint16_t value)
3619
0
{
3620
0
    if (value > 0x7F)
3621
0
        return (TIFFReadDirEntryErrRange);
3622
0
    else
3623
0
        return (TIFFReadDirEntryErrOk);
3624
0
}
3625
3626
static enum TIFFReadDirEntryErr
3627
TIFFReadDirEntryCheckRangeSbyteSshort(int16_t value)
3628
0
{
3629
0
    if ((value < -0x80) || (value > 0x7F))
3630
0
        return (TIFFReadDirEntryErrRange);
3631
0
    else
3632
0
        return (TIFFReadDirEntryErrOk);
3633
0
}
3634
3635
static enum TIFFReadDirEntryErr
3636
TIFFReadDirEntryCheckRangeSbyteLong(uint32_t value)
3637
0
{
3638
0
    if (value > 0x7F)
3639
0
        return (TIFFReadDirEntryErrRange);
3640
0
    else
3641
0
        return (TIFFReadDirEntryErrOk);
3642
0
}
3643
3644
static enum TIFFReadDirEntryErr
3645
TIFFReadDirEntryCheckRangeSbyteSlong(int32_t value)
3646
0
{
3647
0
    if ((value < -0x80) || (value > 0x7F))
3648
0
        return (TIFFReadDirEntryErrRange);
3649
0
    else
3650
0
        return (TIFFReadDirEntryErrOk);
3651
0
}
3652
3653
static enum TIFFReadDirEntryErr
3654
TIFFReadDirEntryCheckRangeSbyteLong8(uint64_t value)
3655
0
{
3656
0
    if (value > 0x7F)
3657
0
        return (TIFFReadDirEntryErrRange);
3658
0
    else
3659
0
        return (TIFFReadDirEntryErrOk);
3660
0
}
3661
3662
static enum TIFFReadDirEntryErr
3663
TIFFReadDirEntryCheckRangeSbyteSlong8(int64_t value)
3664
0
{
3665
0
    if ((value < -0x80) || (value > 0x7F))
3666
0
        return (TIFFReadDirEntryErrRange);
3667
0
    else
3668
0
        return (TIFFReadDirEntryErrOk);
3669
0
}
3670
3671
static enum TIFFReadDirEntryErr
3672
TIFFReadDirEntryCheckRangeShortSbyte(int8_t value)
3673
0
{
3674
0
    if (value < 0)
3675
0
        return (TIFFReadDirEntryErrRange);
3676
0
    else
3677
0
        return (TIFFReadDirEntryErrOk);
3678
0
}
3679
3680
static enum TIFFReadDirEntryErr
3681
TIFFReadDirEntryCheckRangeShortSshort(int16_t value)
3682
0
{
3683
0
    if (value < 0)
3684
0
        return (TIFFReadDirEntryErrRange);
3685
0
    else
3686
0
        return (TIFFReadDirEntryErrOk);
3687
0
}
3688
3689
static enum TIFFReadDirEntryErr
3690
TIFFReadDirEntryCheckRangeShortLong(uint32_t value)
3691
0
{
3692
0
    if (value > 0xFFFF)
3693
0
        return (TIFFReadDirEntryErrRange);
3694
0
    else
3695
0
        return (TIFFReadDirEntryErrOk);
3696
0
}
3697
3698
static enum TIFFReadDirEntryErr
3699
TIFFReadDirEntryCheckRangeShortSlong(int32_t value)
3700
0
{
3701
0
    if ((value < 0) || (value > 0xFFFF))
3702
0
        return (TIFFReadDirEntryErrRange);
3703
0
    else
3704
0
        return (TIFFReadDirEntryErrOk);
3705
0
}
3706
3707
static enum TIFFReadDirEntryErr
3708
TIFFReadDirEntryCheckRangeShortLong8(uint64_t value)
3709
0
{
3710
0
    if (value > 0xFFFF)
3711
0
        return (TIFFReadDirEntryErrRange);
3712
0
    else
3713
0
        return (TIFFReadDirEntryErrOk);
3714
0
}
3715
3716
static enum TIFFReadDirEntryErr
3717
TIFFReadDirEntryCheckRangeShortSlong8(int64_t value)
3718
0
{
3719
0
    if ((value < 0) || (value > 0xFFFF))
3720
0
        return (TIFFReadDirEntryErrRange);
3721
0
    else
3722
0
        return (TIFFReadDirEntryErrOk);
3723
0
}
3724
3725
static enum TIFFReadDirEntryErr
3726
TIFFReadDirEntryCheckRangeSshortShort(uint16_t value)
3727
0
{
3728
0
    if (value > 0x7FFF)
3729
0
        return (TIFFReadDirEntryErrRange);
3730
0
    else
3731
0
        return (TIFFReadDirEntryErrOk);
3732
0
}
3733
3734
static enum TIFFReadDirEntryErr
3735
TIFFReadDirEntryCheckRangeSshortLong(uint32_t value)
3736
0
{
3737
0
    if (value > 0x7FFF)
3738
0
        return (TIFFReadDirEntryErrRange);
3739
0
    else
3740
0
        return (TIFFReadDirEntryErrOk);
3741
0
}
3742
3743
static enum TIFFReadDirEntryErr
3744
TIFFReadDirEntryCheckRangeSshortSlong(int32_t value)
3745
0
{
3746
0
    if ((value < -0x8000) || (value > 0x7FFF))
3747
0
        return (TIFFReadDirEntryErrRange);
3748
0
    else
3749
0
        return (TIFFReadDirEntryErrOk);
3750
0
}
3751
3752
static enum TIFFReadDirEntryErr
3753
TIFFReadDirEntryCheckRangeSshortLong8(uint64_t value)
3754
0
{
3755
0
    if (value > 0x7FFF)
3756
0
        return (TIFFReadDirEntryErrRange);
3757
0
    else
3758
0
        return (TIFFReadDirEntryErrOk);
3759
0
}
3760
3761
static enum TIFFReadDirEntryErr
3762
TIFFReadDirEntryCheckRangeSshortSlong8(int64_t value)
3763
0
{
3764
0
    if ((value < -0x8000) || (value > 0x7FFF))
3765
0
        return (TIFFReadDirEntryErrRange);
3766
0
    else
3767
0
        return (TIFFReadDirEntryErrOk);
3768
0
}
3769
3770
static enum TIFFReadDirEntryErr
3771
TIFFReadDirEntryCheckRangeLongSbyte(int8_t value)
3772
0
{
3773
0
    if (value < 0)
3774
0
        return (TIFFReadDirEntryErrRange);
3775
0
    else
3776
0
        return (TIFFReadDirEntryErrOk);
3777
0
}
3778
3779
static enum TIFFReadDirEntryErr
3780
TIFFReadDirEntryCheckRangeLongSshort(int16_t value)
3781
0
{
3782
0
    if (value < 0)
3783
0
        return (TIFFReadDirEntryErrRange);
3784
0
    else
3785
0
        return (TIFFReadDirEntryErrOk);
3786
0
}
3787
3788
static enum TIFFReadDirEntryErr
3789
TIFFReadDirEntryCheckRangeLongSlong(int32_t value)
3790
0
{
3791
0
    if (value < 0)
3792
0
        return (TIFFReadDirEntryErrRange);
3793
0
    else
3794
0
        return (TIFFReadDirEntryErrOk);
3795
0
}
3796
3797
static enum TIFFReadDirEntryErr
3798
TIFFReadDirEntryCheckRangeLongLong8(uint64_t value)
3799
0
{
3800
0
    if (value > UINT32_MAX)
3801
0
        return (TIFFReadDirEntryErrRange);
3802
0
    else
3803
0
        return (TIFFReadDirEntryErrOk);
3804
0
}
3805
3806
static enum TIFFReadDirEntryErr
3807
TIFFReadDirEntryCheckRangeLongSlong8(int64_t value)
3808
0
{
3809
0
    if ((value < 0) || (value > (int64_t)UINT32_MAX))
3810
0
        return (TIFFReadDirEntryErrRange);
3811
0
    else
3812
0
        return (TIFFReadDirEntryErrOk);
3813
0
}
3814
3815
static enum TIFFReadDirEntryErr
3816
TIFFReadDirEntryCheckRangeSlongLong(uint32_t value)
3817
0
{
3818
0
    if (value > 0x7FFFFFFFUL)
3819
0
        return (TIFFReadDirEntryErrRange);
3820
0
    else
3821
0
        return (TIFFReadDirEntryErrOk);
3822
0
}
3823
3824
/* Check that the 8-byte unsigned value can fit in a 4-byte unsigned range */
3825
static enum TIFFReadDirEntryErr
3826
TIFFReadDirEntryCheckRangeSlongLong8(uint64_t value)
3827
0
{
3828
0
    if (value > 0x7FFFFFFF)
3829
0
        return (TIFFReadDirEntryErrRange);
3830
0
    else
3831
0
        return (TIFFReadDirEntryErrOk);
3832
0
}
3833
3834
/* Check that the 8-byte signed value can fit in a 4-byte signed range */
3835
static enum TIFFReadDirEntryErr
3836
TIFFReadDirEntryCheckRangeSlongSlong8(int64_t value)
3837
0
{
3838
0
    if ((value < 0 - ((int64_t)0x7FFFFFFF + 1)) || (value > 0x7FFFFFFF))
3839
0
        return (TIFFReadDirEntryErrRange);
3840
0
    else
3841
0
        return (TIFFReadDirEntryErrOk);
3842
0
}
3843
3844
static enum TIFFReadDirEntryErr
3845
TIFFReadDirEntryCheckRangeLong8Sbyte(int8_t value)
3846
0
{
3847
0
    if (value < 0)
3848
0
        return (TIFFReadDirEntryErrRange);
3849
0
    else
3850
0
        return (TIFFReadDirEntryErrOk);
3851
0
}
3852
3853
static enum TIFFReadDirEntryErr
3854
TIFFReadDirEntryCheckRangeLong8Sshort(int16_t value)
3855
0
{
3856
0
    if (value < 0)
3857
0
        return (TIFFReadDirEntryErrRange);
3858
0
    else
3859
0
        return (TIFFReadDirEntryErrOk);
3860
0
}
3861
3862
static enum TIFFReadDirEntryErr
3863
TIFFReadDirEntryCheckRangeLong8Slong(int32_t value)
3864
0
{
3865
0
    if (value < 0)
3866
0
        return (TIFFReadDirEntryErrRange);
3867
0
    else
3868
0
        return (TIFFReadDirEntryErrOk);
3869
0
}
3870
3871
static enum TIFFReadDirEntryErr
3872
TIFFReadDirEntryCheckRangeLong8Slong8(int64_t value)
3873
0
{
3874
0
    if (value < 0)
3875
0
        return (TIFFReadDirEntryErrRange);
3876
0
    else
3877
0
        return (TIFFReadDirEntryErrOk);
3878
0
}
3879
3880
static enum TIFFReadDirEntryErr
3881
TIFFReadDirEntryCheckRangeSlong8Long8(uint64_t value)
3882
0
{
3883
0
    if (value > INT64_MAX)
3884
0
        return (TIFFReadDirEntryErrRange);
3885
0
    else
3886
0
        return (TIFFReadDirEntryErrOk);
3887
0
}
3888
3889
static enum TIFFReadDirEntryErr TIFFReadDirEntryData(TIFF *tif, uint64_t offset,
3890
                                                     tmsize_t size, void *dest)
3891
19.7k
{
3892
19.7k
    assert(size > 0);
3893
19.7k
    if (!isMapped(tif))
3894
19.7k
    {
3895
19.7k
        if (!SeekOK(tif, offset))
3896
0
            return (TIFFReadDirEntryErrIo);
3897
19.7k
        if (!ReadOK(tif, dest, size))
3898
0
            return (TIFFReadDirEntryErrIo);
3899
19.7k
    }
3900
0
    else
3901
0
    {
3902
0
        size_t ma, mb;
3903
0
        ma = (size_t)offset;
3904
0
        if ((uint64_t)ma != offset || ma > (~(size_t)0) - (size_t)size)
3905
0
        {
3906
0
            return TIFFReadDirEntryErrIo;
3907
0
        }
3908
0
        mb = ma + size;
3909
0
        if (mb > (uint64_t)tif->tif_size)
3910
0
            return (TIFFReadDirEntryErrIo);
3911
0
        _TIFFmemcpy(dest, tif->tif_base + ma, size);
3912
0
    }
3913
19.7k
    return (TIFFReadDirEntryErrOk);
3914
19.7k
}
3915
3916
static void TIFFReadDirEntryOutputErr(TIFF *tif, enum TIFFReadDirEntryErr err,
3917
                                      const char *module, const char *tagname,
3918
                                      int recover)
3919
0
{
3920
0
    if (!recover)
3921
0
    {
3922
0
        switch (err)
3923
0
        {
3924
0
            case TIFFReadDirEntryErrCount:
3925
0
                TIFFErrorExtR(tif, module, "Incorrect count for \"%s\"",
3926
0
                              tagname);
3927
0
                break;
3928
0
            case TIFFReadDirEntryErrType:
3929
0
                TIFFErrorExtR(tif, module, "Incompatible type for \"%s\"",
3930
0
                              tagname);
3931
0
                break;
3932
0
            case TIFFReadDirEntryErrIo:
3933
0
                TIFFErrorExtR(tif, module, "IO error during reading of \"%s\"",
3934
0
                              tagname);
3935
0
                break;
3936
0
            case TIFFReadDirEntryErrRange:
3937
0
                TIFFErrorExtR(tif, module, "Incorrect value for \"%s\"",
3938
0
                              tagname);
3939
0
                break;
3940
0
            case TIFFReadDirEntryErrPsdif:
3941
0
                TIFFErrorExtR(
3942
0
                    tif, module,
3943
0
                    "Cannot handle different values per sample for \"%s\"",
3944
0
                    tagname);
3945
0
                break;
3946
0
            case TIFFReadDirEntryErrSizesan:
3947
0
                TIFFErrorExtR(tif, module,
3948
0
                              "Sanity check on size of \"%s\" value failed",
3949
0
                              tagname);
3950
0
                break;
3951
0
            case TIFFReadDirEntryErrAlloc:
3952
0
                TIFFErrorExtR(tif, module, "Out of memory reading of \"%s\"",
3953
0
                              tagname);
3954
0
                break;
3955
0
            default:
3956
0
                assert(0); /* we should never get here */
3957
0
                break;
3958
0
        }
3959
0
    }
3960
0
    else
3961
0
    {
3962
0
        switch (err)
3963
0
        {
3964
0
            case TIFFReadDirEntryErrCount:
3965
0
                TIFFWarningExtR(tif, module,
3966
0
                                "Incorrect count for \"%s\"; tag ignored",
3967
0
                                tagname);
3968
0
                break;
3969
0
            case TIFFReadDirEntryErrType:
3970
0
                TIFFWarningExtR(tif, module,
3971
0
                                "Incompatible type for \"%s\"; tag ignored",
3972
0
                                tagname);
3973
0
                break;
3974
0
            case TIFFReadDirEntryErrIo:
3975
0
                TIFFWarningExtR(
3976
0
                    tif, module,
3977
0
                    "IO error during reading of \"%s\"; tag ignored", tagname);
3978
0
                break;
3979
0
            case TIFFReadDirEntryErrRange:
3980
0
                TIFFWarningExtR(tif, module,
3981
0
                                "Incorrect value for \"%s\"; tag ignored",
3982
0
                                tagname);
3983
0
                break;
3984
0
            case TIFFReadDirEntryErrPsdif:
3985
0
                TIFFWarningExtR(tif, module,
3986
0
                                "Cannot handle different values per sample for "
3987
0
                                "\"%s\"; tag ignored",
3988
0
                                tagname);
3989
0
                break;
3990
0
            case TIFFReadDirEntryErrSizesan:
3991
0
                TIFFWarningExtR(
3992
0
                    tif, module,
3993
0
                    "Sanity check on size of \"%s\" value failed; tag ignored",
3994
0
                    tagname);
3995
0
                break;
3996
0
            case TIFFReadDirEntryErrAlloc:
3997
0
                TIFFWarningExtR(tif, module,
3998
0
                                "Out of memory reading of \"%s\"; tag ignored",
3999
0
                                tagname);
4000
0
                break;
4001
0
            default:
4002
0
                assert(0); /* we should never get here */
4003
0
                break;
4004
0
        }
4005
0
    }
4006
0
}
4007
4008
/*
4009
 * Return the maximum number of color channels specified for a given photometric
4010
 * type. 0 is returned if photometric type isn't supported or no default value
4011
 * is defined by the specification.
4012
 */
4013
static int _TIFFGetMaxColorChannels(uint16_t photometric)
4014
9.89k
{
4015
9.89k
    switch (photometric)
4016
9.89k
    {
4017
0
        case PHOTOMETRIC_PALETTE:
4018
0
        case PHOTOMETRIC_MINISWHITE:
4019
9.89k
        case PHOTOMETRIC_MINISBLACK:
4020
9.89k
            return 1;
4021
0
        case PHOTOMETRIC_YCBCR:
4022
0
        case PHOTOMETRIC_RGB:
4023
0
        case PHOTOMETRIC_CIELAB:
4024
0
        case PHOTOMETRIC_LOGLUV:
4025
0
        case PHOTOMETRIC_ITULAB:
4026
0
        case PHOTOMETRIC_ICCLAB:
4027
0
            return 3;
4028
0
        case PHOTOMETRIC_SEPARATED:
4029
0
        case PHOTOMETRIC_MASK:
4030
0
            return 4;
4031
0
        case PHOTOMETRIC_LOGL:
4032
0
        case PHOTOMETRIC_CFA:
4033
0
        default:
4034
0
            return 0;
4035
9.89k
    }
4036
9.89k
}
4037
4038
static int ByteCountLooksBad(TIFF *tif)
4039
9.89k
{
4040
    /*
4041
     * Assume we have wrong StripByteCount value (in case
4042
     * of single strip) in following cases:
4043
     *   - it is equal to zero along with StripOffset;
4044
     *   - it is larger than file itself (in case of uncompressed
4045
     *     image);
4046
     *   - it is smaller than the size of the bytes per row
4047
     *     multiplied on the number of rows.  The last case should
4048
     *     not be checked in the case of writing new image,
4049
     *     because we may do not know the exact strip size
4050
     *     until the whole image will be written and directory
4051
     *     dumped out.
4052
     */
4053
9.89k
    uint64_t bytecount = TIFFGetStrileByteCount(tif, 0);
4054
9.89k
    uint64_t offset = TIFFGetStrileOffset(tif, 0);
4055
9.89k
    uint64_t filesize;
4056
4057
9.89k
    if (offset == 0)
4058
0
        return 0;
4059
9.89k
    if (bytecount == 0)
4060
0
        return 1;
4061
9.89k
    if (tif->tif_dir.td_compression != COMPRESSION_NONE)
4062
9.89k
        return 0;
4063
0
    filesize = TIFFGetFileSize(tif);
4064
0
    if (offset <= filesize && bytecount > filesize - offset)
4065
0
        return 1;
4066
0
    if (tif->tif_mode == O_RDONLY)
4067
0
    {
4068
0
        uint64_t scanlinesize = TIFFScanlineSize64(tif);
4069
0
        if (tif->tif_dir.td_imagelength > 0 &&
4070
0
            scanlinesize > UINT64_MAX / tif->tif_dir.td_imagelength)
4071
0
        {
4072
0
            return 1;
4073
0
        }
4074
0
        if (bytecount < scanlinesize * tif->tif_dir.td_imagelength)
4075
0
            return 1;
4076
0
    }
4077
0
    return 0;
4078
0
}
4079
4080
/*
4081
 * To evaluate the IFD data size when reading, save the offset and data size of
4082
 * all data that does not fit into the IFD entries themselves.
4083
 */
4084
static bool EvaluateIFDdatasizeReading(TIFF *tif, TIFFDirEntry *dp)
4085
49.4k
{
4086
49.4k
    const uint64_t data_width = TIFFDataWidth(dp->tdir_type);
4087
49.4k
    if (data_width != 0 && dp->tdir_count > UINT64_MAX / data_width)
4088
0
    {
4089
0
        TIFFErrorExtR(tif, "EvaluateIFDdatasizeReading",
4090
0
                      "Too large IFD data size");
4091
0
        return false;
4092
0
    }
4093
49.4k
    const uint64_t datalength = dp->tdir_count * data_width;
4094
49.4k
    if (datalength > ((tif->tif_flags & TIFF_BIGTIFF) ? 0x8U : 0x4U))
4095
19.7k
    {
4096
19.7k
        if (tif->tif_dir.td_dirdatasize_read > UINT64_MAX - datalength)
4097
0
        {
4098
0
            TIFFErrorExtR(tif, "EvaluateIFDdatasizeReading",
4099
0
                          "Too large IFD data size");
4100
0
            return false;
4101
0
        }
4102
19.7k
        tif->tif_dir.td_dirdatasize_read += datalength;
4103
19.7k
        if (!(tif->tif_flags & TIFF_BIGTIFF))
4104
19.7k
        {
4105
            /* The offset of TIFFDirEntry are not swapped when read in. That has
4106
             * to be done when used. */
4107
19.7k
            uint32_t offset = dp->tdir_offset.toff_long;
4108
19.7k
            if (tif->tif_flags & TIFF_SWAB)
4109
0
                TIFFSwabLong(&offset);
4110
19.7k
            tif->tif_dir
4111
19.7k
                .td_dirdatasize_offsets[tif->tif_dir.td_dirdatasize_Noffsets]
4112
19.7k
                .offset = (uint64_t)offset;
4113
19.7k
        }
4114
0
        else
4115
0
        {
4116
0
            tif->tif_dir
4117
0
                .td_dirdatasize_offsets[tif->tif_dir.td_dirdatasize_Noffsets]
4118
0
                .offset = dp->tdir_offset.toff_long8;
4119
0
            if (tif->tif_flags & TIFF_SWAB)
4120
0
                TIFFSwabLong8(
4121
0
                    &tif->tif_dir
4122
0
                         .td_dirdatasize_offsets[tif->tif_dir
4123
0
                                                     .td_dirdatasize_Noffsets]
4124
0
                         .offset);
4125
0
        }
4126
19.7k
        tif->tif_dir
4127
19.7k
            .td_dirdatasize_offsets[tif->tif_dir.td_dirdatasize_Noffsets]
4128
19.7k
            .length = datalength;
4129
19.7k
        tif->tif_dir.td_dirdatasize_Noffsets++;
4130
19.7k
    }
4131
49.4k
    return true;
4132
49.4k
}
4133
4134
/*
4135
 * Compare function for qsort() sorting TIFFEntryOffsetAndLength array entries.
4136
 */
4137
static int cmpTIFFEntryOffsetAndLength(const void *a, const void *b)
4138
0
{
4139
0
    const TIFFEntryOffsetAndLength *ta = (const TIFFEntryOffsetAndLength *)a;
4140
0
    const TIFFEntryOffsetAndLength *tb = (const TIFFEntryOffsetAndLength *)b;
4141
    /* Compare offsets */
4142
0
    if (ta->offset > tb->offset)
4143
0
        return 1;
4144
0
    else if (ta->offset < tb->offset)
4145
0
        return -1;
4146
0
    else
4147
0
        return 0;
4148
0
}
4149
4150
/*
4151
 * Determine the IFD data size after reading an IFD from the file that can be
4152
 * overwritten and saving it in tif_dir.td_dirdatasize_read. This data size
4153
 * includes the IFD entries themselves as well as the data that does not fit
4154
 * directly into the IFD entries but is located directly after the IFD entries
4155
 * in the file.
4156
 */
4157
static void CalcFinalIFDdatasizeReading(TIFF *tif, uint16_t dircount)
4158
9.89k
{
4159
    /* IFD data size is only needed if file-writing is enabled.
4160
     * This also avoids the seek() to EOF to determine the file size, which
4161
     * causes the stdin-streaming-friendly mode of libtiff for GDAL to fail. */
4162
9.89k
    if (tif->tif_mode == O_RDONLY)
4163
9.89k
        return;
4164
4165
    /* Sort TIFFEntryOffsetAndLength array in ascending order. */
4166
0
    qsort(tif->tif_dir.td_dirdatasize_offsets,
4167
0
          tif->tif_dir.td_dirdatasize_Noffsets,
4168
0
          sizeof(TIFFEntryOffsetAndLength), cmpTIFFEntryOffsetAndLength);
4169
4170
    /* Get offset of end of IFD entry space. */
4171
0
    uint64_t IFDendoffset;
4172
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
4173
0
        IFDendoffset = tif->tif_diroff + 2 + dircount * 12 + 4;
4174
0
    else
4175
0
        IFDendoffset = tif->tif_diroff + 8 + dircount * 20 + 8;
4176
4177
    /* Check which offsets are right behind IFD entries. However, LibTIFF
4178
     * increments the writing address for every external data to an even offset.
4179
     * Thus gaps of 1 byte can occur. */
4180
0
    uint64_t size = 0;
4181
0
    uint64_t offset;
4182
0
    uint32_t i;
4183
0
    for (i = 0; i < tif->tif_dir.td_dirdatasize_Noffsets; i++)
4184
0
    {
4185
0
        offset = tif->tif_dir.td_dirdatasize_offsets[i].offset;
4186
0
        if (offset == IFDendoffset)
4187
0
        {
4188
0
            size += tif->tif_dir.td_dirdatasize_offsets[i].length;
4189
0
            IFDendoffset += tif->tif_dir.td_dirdatasize_offsets[i].length;
4190
0
        }
4191
0
        else if (offset == IFDendoffset + 1)
4192
0
        {
4193
            /* Add gap byte after previous IFD data set. */
4194
0
            size += tif->tif_dir.td_dirdatasize_offsets[i].length + 1;
4195
0
            IFDendoffset += tif->tif_dir.td_dirdatasize_offsets[i].length;
4196
0
        }
4197
0
        else
4198
0
        {
4199
            /* Further data is no more continuously after IFD */
4200
0
            break;
4201
0
        }
4202
0
    }
4203
    /* Check for gap byte of some easy cases. This should cover 90% of cases.
4204
     * Otherwise, IFD will be re-written even it might be safely overwritten. */
4205
0
    if (tif->tif_nextdiroff != 0)
4206
0
    {
4207
0
        if (tif->tif_nextdiroff == IFDendoffset + 1)
4208
0
            size++;
4209
0
    }
4210
0
    else
4211
0
    {
4212
        /* Check for IFD data ends at EOF. Then IFD can always be safely
4213
         * overwritten. */
4214
0
        offset = TIFFSeekFile(tif, 0, SEEK_END);
4215
0
        if (offset == IFDendoffset)
4216
0
        {
4217
0
            tif->tif_dir.td_dirdatasize_read = UINT64_MAX;
4218
0
            return;
4219
0
        }
4220
0
    }
4221
4222
    /* Finally, add the size of the IFD tag entries themselves. */
4223
0
    if (!(tif->tif_flags & TIFF_BIGTIFF))
4224
0
        tif->tif_dir.td_dirdatasize_read = 2 + dircount * 12 + 4 + size;
4225
0
    else
4226
0
        tif->tif_dir.td_dirdatasize_read = 8 + dircount * 20 + 8 + size;
4227
0
} /*-- CalcFinalIFDdatasizeReading() --*/
4228
4229
/*
4230
 * Read the next TIFF directory from a file and convert it to the internal
4231
 * format. We read directories sequentially.
4232
 */
4233
int TIFFReadDirectory(TIFF *tif)
4234
9.89k
{
4235
9.89k
    static const char module[] = "TIFFReadDirectory";
4236
9.89k
    TIFFDirEntry *dir;
4237
9.89k
    uint16_t dircount;
4238
9.89k
    TIFFDirEntry *dp;
4239
9.89k
    uint16_t di;
4240
9.89k
    const TIFFField *fip;
4241
9.89k
    uint32_t fii = FAILED_FII;
4242
9.89k
    toff_t nextdiroff;
4243
9.89k
    int bitspersample_read = FALSE;
4244
9.89k
    int color_channels;
4245
4246
9.89k
    if (tif->tif_nextdiroff == 0)
4247
0
    {
4248
        /* In this special case, tif_diroff needs also to be set to 0.
4249
         * This is behind the last IFD, thus no checking or reading necessary.
4250
         */
4251
0
        tif->tif_diroff = tif->tif_nextdiroff;
4252
0
        return 0;
4253
0
    }
4254
4255
9.89k
    nextdiroff = tif->tif_nextdiroff;
4256
    /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL
4257
     * reading of the directory. Otherwise, invalid IFD offsets could corrupt
4258
     * the IFD list. */
4259
9.89k
    if (!_TIFFCheckDirNumberAndOffset(tif,
4260
9.89k
                                      tif->tif_curdir ==
4261
9.89k
                                              TIFF_NON_EXISTENT_DIR_NUMBER
4262
9.89k
                                          ? 0
4263
9.89k
                                          : tif->tif_curdir + 1,
4264
9.89k
                                      nextdiroff))
4265
0
    {
4266
0
        return 0; /* bad offset (IFD looping or more than TIFF_MAX_DIR_COUNT
4267
                     IFDs) */
4268
0
    }
4269
9.89k
    dircount = TIFFFetchDirectory(tif, nextdiroff, &dir, &tif->tif_nextdiroff);
4270
9.89k
    if (!dircount)
4271
0
    {
4272
0
        TIFFErrorExtR(tif, module,
4273
0
                      "Failed to read directory at offset %" PRIu64,
4274
0
                      nextdiroff);
4275
0
        return 0;
4276
0
    }
4277
    /* Set global values after a valid directory has been fetched.
4278
     * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the
4279
     * beginning. */
4280
9.89k
    if (tif->tif_curdir == TIFF_NON_EXISTENT_DIR_NUMBER)
4281
9.89k
        tif->tif_curdir = 0;
4282
0
    else
4283
0
        tif->tif_curdir++;
4284
9.89k
    (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
4285
4286
9.89k
    TIFFReadDirectoryCheckOrder(tif, dir, dircount);
4287
4288
    /*
4289
     * Mark duplicates of any tag to be ignored (bugzilla 1994)
4290
     * to avoid certain pathological problems.
4291
     */
4292
9.89k
    {
4293
9.89k
        TIFFDirEntry *ma;
4294
9.89k
        uint16_t mb;
4295
148k
        for (ma = dir, mb = 0; mb < dircount; ma++, mb++)
4296
138k
        {
4297
138k
            TIFFDirEntry *na;
4298
138k
            uint16_t nb;
4299
1.03M
            for (na = ma + 1, nb = mb + 1; nb < dircount; na++, nb++)
4300
900k
            {
4301
900k
                if (ma->tdir_tag == na->tdir_tag)
4302
0
                {
4303
0
                    na->tdir_ignore = TRUE;
4304
0
                }
4305
900k
            }
4306
138k
        }
4307
9.89k
    }
4308
4309
9.89k
    tif->tif_flags &= ~TIFF_BEENWRITING; /* reset before new dir */
4310
9.89k
    tif->tif_flags &= ~TIFF_BUF4WRITE;   /* reset before new dir */
4311
9.89k
    tif->tif_flags &= ~TIFF_CHOPPEDUPARRAYS;
4312
4313
    /* free any old stuff and reinit */
4314
9.89k
    TIFFFreeDirectory(tif);
4315
9.89k
    TIFFDefaultDirectory(tif);
4316
4317
    /* Allocate arrays for offset values outside IFD entry for IFD data size
4318
     * checking. Note: Counter are reset within TIFFFreeDirectory(). */
4319
9.89k
    tif->tif_dir.td_dirdatasize_offsets =
4320
9.89k
        (TIFFEntryOffsetAndLength *)_TIFFmallocExt(
4321
9.89k
            tif, dircount * sizeof(TIFFEntryOffsetAndLength));
4322
9.89k
    if (tif->tif_dir.td_dirdatasize_offsets == NULL)
4323
0
    {
4324
0
        TIFFErrorExtR(
4325
0
            tif, module,
4326
0
            "Failed to allocate memory for counting IFD data size at reading");
4327
0
        goto bad;
4328
0
    }
4329
    /*
4330
     * Electronic Arts writes gray-scale TIFF files
4331
     * without a PlanarConfiguration directory entry.
4332
     * Thus we setup a default value here, even though
4333
     * the TIFF spec says there is no default value.
4334
     * After PlanarConfiguration is preset in TIFFDefaultDirectory()
4335
     * the following setting is not needed, but does not harm either.
4336
     */
4337
9.89k
    TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
4338
    /*
4339
     * Setup default value and then make a pass over
4340
     * the fields to check type and tag information,
4341
     * and to extract info required to size data
4342
     * structures.  A second pass is made afterwards
4343
     * to read in everything not taken in the first pass.
4344
     * But we must process the Compression tag first
4345
     * in order to merge in codec-private tag definitions (otherwise
4346
     * we may get complaints about unknown tags).  However, the
4347
     * Compression tag may be dependent on the SamplesPerPixel
4348
     * tag value because older TIFF specs permitted Compression
4349
     * to be written as a SamplesPerPixel-count tag entry.
4350
     * Thus if we don't first figure out the correct SamplesPerPixel
4351
     * tag value then we may end up ignoring the Compression tag
4352
     * value because it has an incorrect count value (if the
4353
     * true value of SamplesPerPixel is not 1).
4354
     */
4355
9.89k
    dp =
4356
9.89k
        TIFFReadDirectoryFindEntry(tif, dir, dircount, TIFFTAG_SAMPLESPERPIXEL);
4357
9.89k
    if (dp)
4358
9.89k
    {
4359
9.89k
        if (!TIFFFetchNormalTag(tif, dp, 0))
4360
0
            goto bad;
4361
9.89k
        dp->tdir_ignore = TRUE;
4362
9.89k
    }
4363
9.89k
    dp = TIFFReadDirectoryFindEntry(tif, dir, dircount, TIFFTAG_COMPRESSION);
4364
9.89k
    if (dp)
4365
9.89k
    {
4366
        /*
4367
         * The 5.0 spec says the Compression tag has one value, while
4368
         * earlier specs say it has one value per sample.  Because of
4369
         * this, we accept the tag if one value is supplied with either
4370
         * count.
4371
         */
4372
9.89k
        uint16_t value;
4373
9.89k
        enum TIFFReadDirEntryErr err;
4374
9.89k
        err = TIFFReadDirEntryShort(tif, dp, &value);
4375
9.89k
        if (err == TIFFReadDirEntryErrCount)
4376
0
            err = TIFFReadDirEntryPersampleShort(tif, dp, &value);
4377
9.89k
        if (err != TIFFReadDirEntryErrOk)
4378
0
        {
4379
0
            TIFFReadDirEntryOutputErr(tif, err, module, "Compression", 0);
4380
0
            goto bad;
4381
0
        }
4382
9.89k
        if (!TIFFSetField(tif, TIFFTAG_COMPRESSION, value))
4383
0
            goto bad;
4384
9.89k
        dp->tdir_ignore = TRUE;
4385
9.89k
    }
4386
0
    else
4387
0
    {
4388
0
        if (!TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE))
4389
0
            goto bad;
4390
0
    }
4391
    /*
4392
     * First real pass over the directory.
4393
     */
4394
148k
    for (di = 0, dp = dir; di < dircount; di++, dp++)
4395
138k
    {
4396
138k
        if (!dp->tdir_ignore)
4397
118k
        {
4398
118k
            TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
4399
118k
            if (fii == FAILED_FII)
4400
0
            {
4401
0
                TIFFWarningExtR(tif, module,
4402
0
                                "Unknown field with tag %" PRIu16 " (0x%" PRIx16
4403
0
                                ") encountered",
4404
0
                                dp->tdir_tag, dp->tdir_tag);
4405
                /* the following knowingly leaks the
4406
                   anonymous field structure */
4407
0
                const TIFFField *fld = _TIFFCreateAnonField(
4408
0
                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
4409
0
                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
4410
0
                {
4411
0
                    TIFFWarningExtR(
4412
0
                        tif, module,
4413
0
                        "Registering anonymous field with tag %" PRIu16
4414
0
                        " (0x%" PRIx16 ") failed",
4415
0
                        dp->tdir_tag, dp->tdir_tag);
4416
0
                    dp->tdir_ignore = TRUE;
4417
0
                }
4418
0
                else
4419
0
                {
4420
0
                    TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
4421
0
                    assert(fii != FAILED_FII);
4422
0
                }
4423
0
            }
4424
118k
        }
4425
138k
        if (!dp->tdir_ignore)
4426
118k
        {
4427
118k
            fip = tif->tif_fields[fii];
4428
118k
            if (fip->field_bit == FIELD_IGNORE)
4429
0
                dp->tdir_ignore = TRUE;
4430
118k
            else
4431
118k
            {
4432
118k
                switch (dp->tdir_tag)
4433
118k
                {
4434
9.89k
                    case TIFFTAG_STRIPOFFSETS:
4435
19.7k
                    case TIFFTAG_STRIPBYTECOUNTS:
4436
19.7k
                    case TIFFTAG_TILEOFFSETS:
4437
19.7k
                    case TIFFTAG_TILEBYTECOUNTS:
4438
19.7k
                        TIFFSetFieldBit(tif, fip->field_bit);
4439
19.7k
                        break;
4440
9.89k
                    case TIFFTAG_IMAGEWIDTH:
4441
19.7k
                    case TIFFTAG_IMAGELENGTH:
4442
19.7k
                    case TIFFTAG_IMAGEDEPTH:
4443
19.7k
                    case TIFFTAG_TILELENGTH:
4444
19.7k
                    case TIFFTAG_TILEWIDTH:
4445
19.7k
                    case TIFFTAG_TILEDEPTH:
4446
29.6k
                    case TIFFTAG_PLANARCONFIG:
4447
39.5k
                    case TIFFTAG_ROWSPERSTRIP:
4448
39.5k
                    case TIFFTAG_EXTRASAMPLES:
4449
39.5k
                        if (!TIFFFetchNormalTag(tif, dp, 0))
4450
0
                            goto bad;
4451
39.5k
                        dp->tdir_ignore = TRUE;
4452
39.5k
                        break;
4453
59.3k
                    default:
4454
59.3k
                        if (!_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag))
4455
0
                            dp->tdir_ignore = TRUE;
4456
59.3k
                        break;
4457
118k
                }
4458
118k
            }
4459
118k
        }
4460
138k
    }
4461
    /*
4462
     * XXX: OJPEG hack.
4463
     * If a) compression is OJPEG, b) planarconfig tag says it's separate,
4464
     * c) strip offsets/bytecounts tag are both present and
4465
     * d) both contain exactly one value, then we consistently find
4466
     * that the buggy implementation of the buggy compression scheme
4467
     * matches contig planarconfig best. So we 'fix-up' the tag here
4468
     */
4469
9.89k
    if ((tif->tif_dir.td_compression == COMPRESSION_OJPEG) &&
4470
9.89k
        (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE))
4471
0
    {
4472
0
        if (!_TIFFFillStriles(tif))
4473
0
            goto bad;
4474
0
        dp = TIFFReadDirectoryFindEntry(tif, dir, dircount,
4475
0
                                        TIFFTAG_STRIPOFFSETS);
4476
0
        if ((dp != 0) && (dp->tdir_count == 1))
4477
0
        {
4478
0
            dp = TIFFReadDirectoryFindEntry(tif, dir, dircount,
4479
0
                                            TIFFTAG_STRIPBYTECOUNTS);
4480
0
            if ((dp != 0) && (dp->tdir_count == 1))
4481
0
            {
4482
0
                tif->tif_dir.td_planarconfig = PLANARCONFIG_CONTIG;
4483
0
                TIFFWarningExtR(tif, module,
4484
0
                                "Planarconfig tag value assumed incorrect, "
4485
0
                                "assuming data is contig instead of chunky");
4486
0
            }
4487
0
        }
4488
0
    }
4489
    /*
4490
     * Allocate directory structure and setup defaults.
4491
     */
4492
9.89k
    if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS))
4493
0
    {
4494
0
        MissingRequired(tif, "ImageLength");
4495
0
        goto bad;
4496
0
    }
4497
4498
    /*
4499
     * Second pass: extract other information.
4500
     */
4501
148k
    for (di = 0, dp = dir; di < dircount; di++, dp++)
4502
138k
    {
4503
138k
        if (!dp->tdir_ignore)
4504
79.1k
        {
4505
79.1k
            switch (dp->tdir_tag)
4506
79.1k
            {
4507
0
                case TIFFTAG_MINSAMPLEVALUE:
4508
0
                case TIFFTAG_MAXSAMPLEVALUE:
4509
9.89k
                case TIFFTAG_BITSPERSAMPLE:
4510
9.89k
                case TIFFTAG_DATATYPE:
4511
9.89k
                case TIFFTAG_SAMPLEFORMAT:
4512
                    /*
4513
                     * The MinSampleValue, MaxSampleValue, BitsPerSample
4514
                     * DataType and SampleFormat tags are supposed to be
4515
                     * written as one value/sample, but some vendors
4516
                     * incorrectly write one value only -- so we accept
4517
                     * that as well (yuck). Other vendors write correct
4518
                     * value for NumberOfSamples, but incorrect one for
4519
                     * BitsPerSample and friends, and we will read this
4520
                     * too.
4521
                     */
4522
9.89k
                    {
4523
9.89k
                        uint16_t value;
4524
9.89k
                        enum TIFFReadDirEntryErr err;
4525
9.89k
                        err = TIFFReadDirEntryShort(tif, dp, &value);
4526
9.89k
                        if (!EvaluateIFDdatasizeReading(tif, dp))
4527
0
                            goto bad;
4528
9.89k
                        if (err == TIFFReadDirEntryErrCount)
4529
0
                            err =
4530
0
                                TIFFReadDirEntryPersampleShort(tif, dp, &value);
4531
9.89k
                        if (err != TIFFReadDirEntryErrOk)
4532
0
                        {
4533
0
                            fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4534
0
                            TIFFReadDirEntryOutputErr(
4535
0
                                tif, err, module,
4536
0
                                fip ? fip->field_name : "unknown tagname", 0);
4537
0
                            goto bad;
4538
0
                        }
4539
9.89k
                        if (!TIFFSetField(tif, dp->tdir_tag, value))
4540
0
                            goto bad;
4541
9.89k
                        if (dp->tdir_tag == TIFFTAG_BITSPERSAMPLE)
4542
9.89k
                            bitspersample_read = TRUE;
4543
9.89k
                    }
4544
0
                    break;
4545
0
                case TIFFTAG_SMINSAMPLEVALUE:
4546
0
                case TIFFTAG_SMAXSAMPLEVALUE:
4547
0
                {
4548
4549
0
                    double *data = NULL;
4550
0
                    enum TIFFReadDirEntryErr err;
4551
0
                    uint32_t saved_flags;
4552
0
                    int m;
4553
0
                    if (dp->tdir_count !=
4554
0
                        (uint64_t)tif->tif_dir.td_samplesperpixel)
4555
0
                        err = TIFFReadDirEntryErrCount;
4556
0
                    else
4557
0
                        err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
4558
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4559
0
                        goto bad;
4560
0
                    if (err != TIFFReadDirEntryErrOk)
4561
0
                    {
4562
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4563
0
                        TIFFReadDirEntryOutputErr(
4564
0
                            tif, err, module,
4565
0
                            fip ? fip->field_name : "unknown tagname", 0);
4566
0
                        goto bad;
4567
0
                    }
4568
0
                    saved_flags = tif->tif_flags;
4569
0
                    tif->tif_flags |= TIFF_PERSAMPLE;
4570
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
4571
0
                    tif->tif_flags = saved_flags;
4572
0
                    _TIFFfreeExt(tif, data);
4573
0
                    if (!m)
4574
0
                        goto bad;
4575
0
                }
4576
0
                break;
4577
9.89k
                case TIFFTAG_STRIPOFFSETS:
4578
9.89k
                case TIFFTAG_TILEOFFSETS:
4579
9.89k
                {
4580
9.89k
                    switch (dp->tdir_type)
4581
9.89k
                    {
4582
0
                        case TIFF_SHORT:
4583
9.89k
                        case TIFF_LONG:
4584
9.89k
                        case TIFF_LONG8:
4585
9.89k
                            break;
4586
0
                        default:
4587
                            /* Warn except if directory typically created with
4588
                             * TIFFDeferStrileArrayWriting() */
4589
0
                            if (!(tif->tif_mode == O_RDWR &&
4590
0
                                  dp->tdir_count == 0 && dp->tdir_type == 0 &&
4591
0
                                  dp->tdir_offset.toff_long8 == 0))
4592
0
                            {
4593
0
                                fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4594
0
                                TIFFWarningExtR(
4595
0
                                    tif, module, "Invalid data type for tag %s",
4596
0
                                    fip ? fip->field_name : "unknown tagname");
4597
0
                            }
4598
0
                            break;
4599
9.89k
                    }
4600
9.89k
                    _TIFFmemcpy(&(tif->tif_dir.td_stripoffset_entry), dp,
4601
9.89k
                                sizeof(TIFFDirEntry));
4602
9.89k
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4603
0
                        goto bad;
4604
9.89k
                }
4605
9.89k
                break;
4606
9.89k
                case TIFFTAG_STRIPBYTECOUNTS:
4607
9.89k
                case TIFFTAG_TILEBYTECOUNTS:
4608
9.89k
                {
4609
9.89k
                    switch (dp->tdir_type)
4610
9.89k
                    {
4611
0
                        case TIFF_SHORT:
4612
9.89k
                        case TIFF_LONG:
4613
9.89k
                        case TIFF_LONG8:
4614
9.89k
                            break;
4615
0
                        default:
4616
                            /* Warn except if directory typically created with
4617
                             * TIFFDeferStrileArrayWriting() */
4618
0
                            if (!(tif->tif_mode == O_RDWR &&
4619
0
                                  dp->tdir_count == 0 && dp->tdir_type == 0 &&
4620
0
                                  dp->tdir_offset.toff_long8 == 0))
4621
0
                            {
4622
0
                                fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4623
0
                                TIFFWarningExtR(
4624
0
                                    tif, module, "Invalid data type for tag %s",
4625
0
                                    fip ? fip->field_name : "unknown tagname");
4626
0
                            }
4627
0
                            break;
4628
9.89k
                    }
4629
9.89k
                    _TIFFmemcpy(&(tif->tif_dir.td_stripbytecount_entry), dp,
4630
9.89k
                                sizeof(TIFFDirEntry));
4631
9.89k
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4632
0
                        goto bad;
4633
9.89k
                }
4634
9.89k
                break;
4635
9.89k
                case TIFFTAG_COLORMAP:
4636
0
                case TIFFTAG_TRANSFERFUNCTION:
4637
0
                {
4638
0
                    enum TIFFReadDirEntryErr err;
4639
0
                    uint32_t countpersample;
4640
0
                    uint32_t countrequired;
4641
0
                    uint32_t incrementpersample;
4642
0
                    uint16_t *value = NULL;
4643
                    /* It would be dangerous to instantiate those tag values */
4644
                    /* since if td_bitspersample has not yet been read (due to
4645
                     */
4646
                    /* unordered tags), it could be read afterwards with a */
4647
                    /* values greater than the default one (1), which may cause
4648
                     */
4649
                    /* crashes in user code */
4650
0
                    if (!bitspersample_read)
4651
0
                    {
4652
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4653
0
                        TIFFWarningExtR(
4654
0
                            tif, module,
4655
0
                            "Ignoring %s since BitsPerSample tag not found",
4656
0
                            fip ? fip->field_name : "unknown tagname");
4657
0
                        continue;
4658
0
                    }
4659
                    /* ColorMap or TransferFunction for high bit */
4660
                    /* depths do not make much sense and could be */
4661
                    /* used as a denial of service vector */
4662
0
                    if (tif->tif_dir.td_bitspersample > 24)
4663
0
                    {
4664
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4665
0
                        TIFFWarningExtR(
4666
0
                            tif, module,
4667
0
                            "Ignoring %s because BitsPerSample=%" PRIu16 ">24",
4668
0
                            fip ? fip->field_name : "unknown tagname",
4669
0
                            tif->tif_dir.td_bitspersample);
4670
0
                        continue;
4671
0
                    }
4672
0
                    countpersample = (1U << tif->tif_dir.td_bitspersample);
4673
0
                    if ((dp->tdir_tag == TIFFTAG_TRANSFERFUNCTION) &&
4674
0
                        (dp->tdir_count == (uint64_t)countpersample))
4675
0
                    {
4676
0
                        countrequired = countpersample;
4677
0
                        incrementpersample = 0;
4678
0
                    }
4679
0
                    else
4680
0
                    {
4681
0
                        countrequired = 3 * countpersample;
4682
0
                        incrementpersample = countpersample;
4683
0
                    }
4684
0
                    if (dp->tdir_count != (uint64_t)countrequired)
4685
0
                        err = TIFFReadDirEntryErrCount;
4686
0
                    else
4687
0
                        err = TIFFReadDirEntryShortArray(tif, dp, &value);
4688
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
4689
0
                        goto bad;
4690
0
                    if (err != TIFFReadDirEntryErrOk)
4691
0
                    {
4692
0
                        fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4693
0
                        TIFFReadDirEntryOutputErr(
4694
0
                            tif, err, module,
4695
0
                            fip ? fip->field_name : "unknown tagname", 1);
4696
0
                    }
4697
0
                    else
4698
0
                    {
4699
0
                        TIFFSetField(tif, dp->tdir_tag, value,
4700
0
                                     value + incrementpersample,
4701
0
                                     value + 2 * incrementpersample);
4702
0
                        _TIFFfreeExt(tif, value);
4703
0
                    }
4704
0
                }
4705
0
                break;
4706
                    /* BEGIN REV 4.0 COMPATIBILITY */
4707
0
                case TIFFTAG_OSUBFILETYPE:
4708
0
                {
4709
0
                    uint16_t valueo;
4710
0
                    uint32_t value;
4711
0
                    if (TIFFReadDirEntryShort(tif, dp, &valueo) ==
4712
0
                        TIFFReadDirEntryErrOk)
4713
0
                    {
4714
0
                        switch (valueo)
4715
0
                        {
4716
0
                            case OFILETYPE_REDUCEDIMAGE:
4717
0
                                value = FILETYPE_REDUCEDIMAGE;
4718
0
                                break;
4719
0
                            case OFILETYPE_PAGE:
4720
0
                                value = FILETYPE_PAGE;
4721
0
                                break;
4722
0
                            default:
4723
0
                                value = 0;
4724
0
                                break;
4725
0
                        }
4726
0
                        if (value != 0)
4727
0
                            TIFFSetField(tif, TIFFTAG_SUBFILETYPE, value);
4728
0
                    }
4729
0
                }
4730
0
                break;
4731
                /* END REV 4.0 COMPATIBILITY */
4732
#if 0
4733
                case TIFFTAG_EP_BATTERYLEVEL:
4734
                    /* TIFFTAG_EP_BATTERYLEVEL can be RATIONAL or ASCII.
4735
                     * LibTiff defines it as ASCII and converts RATIONAL to an
4736
                     * ASCII string. */
4737
                    switch (dp->tdir_type)
4738
                    {
4739
                        case TIFF_RATIONAL:
4740
                        {
4741
                            /* Read rational and convert to ASCII*/
4742
                            enum TIFFReadDirEntryErr err;
4743
                            TIFFRational_t rValue;
4744
                            err = TIFFReadDirEntryCheckedRationalDirect(
4745
                                tif, dp, &rValue);
4746
                            if (err != TIFFReadDirEntryErrOk)
4747
                            {
4748
                                fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4749
                                TIFFReadDirEntryOutputErr(
4750
                                    tif, err, module,
4751
                                    fip ? fip->field_name : "unknown tagname",
4752
                                    1);
4753
                            }
4754
                            else
4755
                            {
4756
                                char szAux[32];
4757
                                snprintf(szAux, sizeof(szAux) - 1, "%d/%d",
4758
                                         rValue.uNum, rValue.uDenom);
4759
                                TIFFSetField(tif, dp->tdir_tag, szAux);
4760
                            }
4761
                        }
4762
                        break;
4763
                        case TIFF_ASCII:
4764
                            (void)TIFFFetchNormalTag(tif, dp, TRUE);
4765
                            break;
4766
                        default:
4767
                            fip = TIFFFieldWithTag(tif, dp->tdir_tag);
4768
                            TIFFWarningExtR(tif, module,
4769
                                            "Invalid data type for tag %s. "
4770
                                            "ASCII or RATIONAL expected",
4771
                                            fip ? fip->field_name
4772
                                                : "unknown tagname");
4773
                            break;
4774
                    }
4775
                    break;
4776
#endif
4777
49.4k
                default:
4778
49.4k
                    (void)TIFFFetchNormalTag(tif, dp, TRUE);
4779
49.4k
                    break;
4780
79.1k
            } /* -- switch (dp->tdir_tag) -- */
4781
79.1k
        }     /* -- if (!dp->tdir_ignore) */
4782
138k
    }         /* -- for-loop -- */
4783
4784
    /* Evaluate final IFD data size. */
4785
9.89k
    CalcFinalIFDdatasizeReading(tif, dircount);
4786
4787
    /*
4788
     * OJPEG hack:
4789
     * - If a) compression is OJPEG, and b) photometric tag is missing,
4790
     * then we consistently find that photometric should be YCbCr
4791
     * - If a) compression is OJPEG, and b) photometric tag says it's RGB,
4792
     * then we consistently find that the buggy implementation of the
4793
     * buggy compression scheme matches photometric YCbCr instead.
4794
     * - If a) compression is OJPEG, and b) bitspersample tag is missing,
4795
     * then we consistently find bitspersample should be 8.
4796
     * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4797
     * and c) photometric is RGB or YCbCr, then we consistently find
4798
     * samplesperpixel should be 3
4799
     * - If a) compression is OJPEG, b) samplesperpixel tag is missing,
4800
     * and c) photometric is MINISWHITE or MINISBLACK, then we consistently
4801
     * find samplesperpixel should be 3
4802
     */
4803
9.89k
    if (tif->tif_dir.td_compression == COMPRESSION_OJPEG)
4804
0
    {
4805
0
        if (!TIFFFieldSet(tif, FIELD_PHOTOMETRIC))
4806
0
        {
4807
0
            TIFFWarningExtR(
4808
0
                tif, module,
4809
0
                "Photometric tag is missing, assuming data is YCbCr");
4810
0
            if (!TIFFSetField(tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR))
4811
0
                goto bad;
4812
0
        }
4813
0
        else if (tif->tif_dir.td_photometric == PHOTOMETRIC_RGB)
4814
0
        {
4815
0
            tif->tif_dir.td_photometric = PHOTOMETRIC_YCBCR;
4816
0
            TIFFWarningExtR(tif, module,
4817
0
                            "Photometric tag value assumed incorrect, "
4818
0
                            "assuming data is YCbCr instead of RGB");
4819
0
        }
4820
0
        if (!TIFFFieldSet(tif, FIELD_BITSPERSAMPLE))
4821
0
        {
4822
0
            TIFFWarningExtR(
4823
0
                tif, module,
4824
0
                "BitsPerSample tag is missing, assuming 8 bits per sample");
4825
0
            if (!TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, 8))
4826
0
                goto bad;
4827
0
        }
4828
0
        if (!TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
4829
0
        {
4830
0
            if (tif->tif_dir.td_photometric == PHOTOMETRIC_RGB)
4831
0
            {
4832
0
                TIFFWarningExtR(tif, module,
4833
0
                                "SamplesPerPixel tag is missing, "
4834
0
                                "assuming correct SamplesPerPixel value is 3");
4835
0
                if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 3))
4836
0
                    goto bad;
4837
0
            }
4838
0
            if (tif->tif_dir.td_photometric == PHOTOMETRIC_YCBCR)
4839
0
            {
4840
0
                TIFFWarningExtR(tif, module,
4841
0
                                "SamplesPerPixel tag is missing, "
4842
0
                                "applying correct SamplesPerPixel value of 3");
4843
0
                if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 3))
4844
0
                    goto bad;
4845
0
            }
4846
0
            else if ((tif->tif_dir.td_photometric == PHOTOMETRIC_MINISWHITE) ||
4847
0
                     (tif->tif_dir.td_photometric == PHOTOMETRIC_MINISBLACK))
4848
0
            {
4849
                /*
4850
                 * SamplesPerPixel tag is missing, but is not required
4851
                 * by spec.  Assume correct SamplesPerPixel value of 1.
4852
                 */
4853
0
                if (!TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 1))
4854
0
                    goto bad;
4855
0
            }
4856
0
        }
4857
0
    }
4858
4859
    /*
4860
     * Setup appropriate structures (by strip or by tile)
4861
     * We do that only after the above OJPEG hack which alters SamplesPerPixel
4862
     * and thus influences the number of strips in the separate planarconfig.
4863
     */
4864
9.89k
    if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS))
4865
9.89k
    {
4866
9.89k
        tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
4867
9.89k
        tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
4868
9.89k
        tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
4869
9.89k
        tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
4870
9.89k
        tif->tif_flags &= ~TIFF_ISTILED;
4871
9.89k
    }
4872
0
    else
4873
0
    {
4874
0
        tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
4875
0
        tif->tif_flags |= TIFF_ISTILED;
4876
0
    }
4877
9.89k
    if (!tif->tif_dir.td_nstrips)
4878
0
    {
4879
0
        TIFFErrorExtR(tif, module, "Cannot handle zero number of %s",
4880
0
                      isTiled(tif) ? "tiles" : "strips");
4881
0
        goto bad;
4882
0
    }
4883
9.89k
    tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
4884
9.89k
    if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
4885
0
        tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
4886
9.89k
    if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS))
4887
0
    {
4888
#ifdef OJPEG_SUPPORT
4889
        if ((tif->tif_dir.td_compression == COMPRESSION_OJPEG) &&
4890
            (isTiled(tif) == 0) && (tif->tif_dir.td_nstrips == 1))
4891
        {
4892
            /*
4893
             * XXX: OJPEG hack.
4894
             * If a) compression is OJPEG, b) it's not a tiled TIFF,
4895
             * and c) the number of strips is 1,
4896
             * then we tolerate the absence of stripoffsets tag,
4897
             * because, presumably, all required data is in the
4898
             * JpegInterchangeFormat stream.
4899
             */
4900
            TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
4901
        }
4902
        else
4903
#endif
4904
0
        {
4905
0
            MissingRequired(tif, isTiled(tif) ? "TileOffsets" : "StripOffsets");
4906
0
            goto bad;
4907
0
        }
4908
0
    }
4909
4910
9.89k
    if (tif->tif_mode == O_RDWR &&
4911
9.89k
        tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
4912
9.89k
        tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
4913
9.89k
        tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
4914
9.89k
        tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
4915
9.89k
        tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
4916
9.89k
        tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
4917
9.89k
        tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
4918
9.89k
        tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0)
4919
0
    {
4920
        /* Directory typically created with TIFFDeferStrileArrayWriting() */
4921
0
        TIFFSetupStrips(tif);
4922
0
    }
4923
9.89k
    else if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD))
4924
9.89k
    {
4925
9.89k
        if (tif->tif_dir.td_stripoffset_entry.tdir_tag != 0)
4926
9.89k
        {
4927
9.89k
            if (!TIFFFetchStripThing(tif, &(tif->tif_dir.td_stripoffset_entry),
4928
9.89k
                                     tif->tif_dir.td_nstrips,
4929
9.89k
                                     &tif->tif_dir.td_stripoffset_p))
4930
0
            {
4931
0
                goto bad;
4932
0
            }
4933
9.89k
        }
4934
9.89k
        if (tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0)
4935
9.89k
        {
4936
9.89k
            if (!TIFFFetchStripThing(
4937
9.89k
                    tif, &(tif->tif_dir.td_stripbytecount_entry),
4938
9.89k
                    tif->tif_dir.td_nstrips, &tif->tif_dir.td_stripbytecount_p))
4939
0
            {
4940
0
                goto bad;
4941
0
            }
4942
9.89k
        }
4943
9.89k
    }
4944
4945
    /*
4946
     * Make sure all non-color channels are extrasamples.
4947
     * If it's not the case, define them as such.
4948
     */
4949
9.89k
    color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
4950
9.89k
    if (color_channels &&
4951
9.89k
        tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples >
4952
9.89k
            color_channels)
4953
0
    {
4954
0
        uint16_t old_extrasamples;
4955
0
        uint16_t *new_sampleinfo;
4956
4957
0
        TIFFWarningExtR(
4958
0
            tif, module,
4959
0
            "Sum of Photometric type-related "
4960
0
            "color channels and ExtraSamples doesn't match SamplesPerPixel. "
4961
0
            "Defining non-color channels as ExtraSamples.");
4962
4963
0
        old_extrasamples = tif->tif_dir.td_extrasamples;
4964
0
        tif->tif_dir.td_extrasamples =
4965
0
            (uint16_t)(tif->tif_dir.td_samplesperpixel - color_channels);
4966
4967
        // sampleinfo should contain information relative to these new extra
4968
        // samples
4969
0
        new_sampleinfo = (uint16_t *)_TIFFcallocExt(
4970
0
            tif, tif->tif_dir.td_extrasamples, sizeof(uint16_t));
4971
0
        if (!new_sampleinfo)
4972
0
        {
4973
0
            TIFFErrorExtR(tif, module,
4974
0
                          "Failed to allocate memory for "
4975
0
                          "temporary new sampleinfo array "
4976
0
                          "(%" PRIu16 " 16 bit elements)",
4977
0
                          tif->tif_dir.td_extrasamples);
4978
0
            goto bad;
4979
0
        }
4980
4981
0
        if (old_extrasamples > 0)
4982
0
            memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo,
4983
0
                   old_extrasamples * sizeof(uint16_t));
4984
0
        _TIFFsetShortArrayExt(tif, &tif->tif_dir.td_sampleinfo, new_sampleinfo,
4985
0
                              tif->tif_dir.td_extrasamples);
4986
0
        _TIFFfreeExt(tif, new_sampleinfo);
4987
0
    }
4988
4989
    /*
4990
     * Verify Palette image has a Colormap.
4991
     */
4992
9.89k
    if (tif->tif_dir.td_photometric == PHOTOMETRIC_PALETTE &&
4993
9.89k
        !TIFFFieldSet(tif, FIELD_COLORMAP))
4994
0
    {
4995
0
        if (tif->tif_dir.td_bitspersample >= 8 &&
4996
0
            tif->tif_dir.td_samplesperpixel == 3)
4997
0
            tif->tif_dir.td_photometric = PHOTOMETRIC_RGB;
4998
0
        else if (tif->tif_dir.td_bitspersample >= 8)
4999
0
            tif->tif_dir.td_photometric = PHOTOMETRIC_MINISBLACK;
5000
0
        else
5001
0
        {
5002
0
            MissingRequired(tif, "Colormap");
5003
0
            goto bad;
5004
0
        }
5005
0
    }
5006
    /*
5007
     * OJPEG hack:
5008
     * We do no further messing with strip/tile offsets/bytecounts in OJPEG
5009
     * TIFFs
5010
     */
5011
9.89k
    if (tif->tif_dir.td_compression != COMPRESSION_OJPEG)
5012
9.89k
    {
5013
        /*
5014
         * Attempt to deal with a missing StripByteCounts tag.
5015
         */
5016
9.89k
        if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS))
5017
0
        {
5018
            /*
5019
             * Some manufacturers violate the spec by not giving
5020
             * the size of the strips.  In this case, assume there
5021
             * is one uncompressed strip of data.
5022
             */
5023
0
            if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
5024
0
                 tif->tif_dir.td_nstrips > 1) ||
5025
0
                (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE &&
5026
0
                 tif->tif_dir.td_nstrips !=
5027
0
                     (uint32_t)tif->tif_dir.td_samplesperpixel))
5028
0
            {
5029
0
                MissingRequired(tif, "StripByteCounts");
5030
0
                goto bad;
5031
0
            }
5032
0
            TIFFWarningExtR(
5033
0
                tif, module,
5034
0
                "TIFF directory is missing required "
5035
0
                "\"StripByteCounts\" field, calculating from imagelength");
5036
0
            if (EstimateStripByteCounts(tif, dir, dircount) < 0)
5037
0
                goto bad;
5038
0
        }
5039
9.89k
        else if (tif->tif_dir.td_nstrips == 1 &&
5040
9.89k
                 !(tif->tif_flags & TIFF_ISTILED) && ByteCountLooksBad(tif))
5041
0
        {
5042
            /*
5043
             * XXX: Plexus (and others) sometimes give a value of
5044
             * zero for a tag when they don't know what the
5045
             * correct value is!  Try and handle the simple case
5046
             * of estimating the size of a one strip image.
5047
             */
5048
0
            TIFFWarningExtR(tif, module,
5049
0
                            "Bogus \"StripByteCounts\" field, ignoring and "
5050
0
                            "calculating from imagelength");
5051
0
            if (EstimateStripByteCounts(tif, dir, dircount) < 0)
5052
0
                goto bad;
5053
0
        }
5054
9.89k
        else if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
5055
9.89k
                 tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
5056
9.89k
                 tif->tif_dir.td_nstrips > 2 &&
5057
9.89k
                 tif->tif_dir.td_compression == COMPRESSION_NONE &&
5058
9.89k
                 TIFFGetStrileByteCount(tif, 0) !=
5059
0
                     TIFFGetStrileByteCount(tif, 1) &&
5060
9.89k
                 TIFFGetStrileByteCount(tif, 0) != 0 &&
5061
9.89k
                 TIFFGetStrileByteCount(tif, 1) != 0)
5062
0
        {
5063
            /*
5064
             * XXX: Some vendors fill StripByteCount array with
5065
             * absolutely wrong values (it can be equal to
5066
             * StripOffset array, for example). Catch this case
5067
             * here.
5068
             *
5069
             * We avoid this check if deferring strile loading
5070
             * as it would always force us to load the strip/tile
5071
             * information.
5072
             */
5073
0
            TIFFWarningExtR(tif, module,
5074
0
                            "Wrong \"StripByteCounts\" field, ignoring and "
5075
0
                            "calculating from imagelength");
5076
0
            if (EstimateStripByteCounts(tif, dir, dircount) < 0)
5077
0
                goto bad;
5078
0
        }
5079
9.89k
    }
5080
9.89k
    if (dir)
5081
9.89k
    {
5082
9.89k
        _TIFFfreeExt(tif, dir);
5083
9.89k
        dir = NULL;
5084
9.89k
    }
5085
9.89k
    if (!TIFFFieldSet(tif, FIELD_MAXSAMPLEVALUE))
5086
9.89k
    {
5087
9.89k
        if (tif->tif_dir.td_bitspersample >= 16)
5088
0
            tif->tif_dir.td_maxsamplevalue = 0xFFFF;
5089
9.89k
        else
5090
9.89k
            tif->tif_dir.td_maxsamplevalue =
5091
9.89k
                (uint16_t)((1L << tif->tif_dir.td_bitspersample) - 1);
5092
9.89k
    }
5093
5094
#ifdef STRIPBYTECOUNTSORTED_UNUSED
5095
    /*
5096
     * XXX: We can optimize checking for the strip bounds using the sorted
5097
     * bytecounts array. See also comments for TIFFAppendToStrip()
5098
     * function in tif_write.c.
5099
     */
5100
    if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) && tif->tif_dir.td_nstrips > 1)
5101
    {
5102
        uint32_t strip;
5103
5104
        tif->tif_dir.td_stripbytecountsorted = 1;
5105
        for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++)
5106
        {
5107
            if (TIFFGetStrileOffset(tif, strip - 1) >
5108
                TIFFGetStrileOffset(tif, strip))
5109
            {
5110
                tif->tif_dir.td_stripbytecountsorted = 0;
5111
                break;
5112
            }
5113
        }
5114
    }
5115
#endif
5116
5117
    /*
5118
     * An opportunity for compression mode dependent tag fixup
5119
     */
5120
9.89k
    (*tif->tif_fixuptags)(tif);
5121
5122
    /*
5123
     * Some manufacturers make life difficult by writing
5124
     * large amounts of uncompressed data as a single strip.
5125
     * This is contrary to the recommendations of the spec.
5126
     * The following makes an attempt at breaking such images
5127
     * into strips closer to the recommended 8k bytes.  A
5128
     * side effect, however, is that the RowsPerStrip tag
5129
     * value may be changed.
5130
     */
5131
9.89k
    if ((tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG) &&
5132
9.89k
        (tif->tif_dir.td_nstrips == 1) &&
5133
9.89k
        (tif->tif_dir.td_compression == COMPRESSION_NONE) &&
5134
9.89k
        ((tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) == TIFF_STRIPCHOP))
5135
0
    {
5136
0
        ChopUpSingleUncompressedStrip(tif);
5137
0
    }
5138
5139
    /* There are also uncompressed striped files with strips larger than */
5140
    /* 2 GB, which make them unfriendly with a lot of code. If possible, */
5141
    /* try to expose smaller "virtual" strips. */
5142
9.89k
    if (tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG &&
5143
9.89k
        tif->tif_dir.td_compression == COMPRESSION_NONE &&
5144
9.89k
        (tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) == TIFF_STRIPCHOP &&
5145
9.89k
        TIFFStripSize64(tif) > 0x7FFFFFFFUL)
5146
0
    {
5147
0
        TryChopUpUncompressedBigTiff(tif);
5148
0
    }
5149
5150
    /*
5151
     * Clear the dirty directory flag.
5152
     */
5153
9.89k
    tif->tif_flags &= ~TIFF_DIRTYDIRECT;
5154
9.89k
    tif->tif_flags &= ~TIFF_DIRTYSTRIP;
5155
5156
    /*
5157
     * Reinitialize i/o since we are starting on a new directory.
5158
     */
5159
9.89k
    tif->tif_row = (uint32_t)-1;
5160
9.89k
    tif->tif_curstrip = (uint32_t)-1;
5161
9.89k
    tif->tif_col = (uint32_t)-1;
5162
9.89k
    tif->tif_curtile = (uint32_t)-1;
5163
9.89k
    tif->tif_tilesize = (tmsize_t)-1;
5164
5165
9.89k
    tif->tif_scanlinesize = TIFFScanlineSize(tif);
5166
9.89k
    if (!tif->tif_scanlinesize)
5167
0
    {
5168
0
        TIFFErrorExtR(tif, module, "Cannot handle zero scanline size");
5169
0
        return (0);
5170
0
    }
5171
5172
9.89k
    if (isTiled(tif))
5173
0
    {
5174
0
        tif->tif_tilesize = TIFFTileSize(tif);
5175
0
        if (!tif->tif_tilesize)
5176
0
        {
5177
0
            TIFFErrorExtR(tif, module, "Cannot handle zero tile size");
5178
0
            return (0);
5179
0
        }
5180
0
    }
5181
9.89k
    else
5182
9.89k
    {
5183
9.89k
        if (!TIFFStripSize(tif))
5184
0
        {
5185
0
            TIFFErrorExtR(tif, module, "Cannot handle zero strip size");
5186
0
            return (0);
5187
0
        }
5188
9.89k
    }
5189
9.89k
    return (1);
5190
0
bad:
5191
0
    if (dir)
5192
0
        _TIFFfreeExt(tif, dir);
5193
0
    return (0);
5194
9.89k
}
5195
5196
static void TIFFReadDirectoryCheckOrder(TIFF *tif, TIFFDirEntry *dir,
5197
                                        uint16_t dircount)
5198
9.89k
{
5199
9.89k
    static const char module[] = "TIFFReadDirectoryCheckOrder";
5200
9.89k
    uint32_t m;
5201
9.89k
    uint16_t n;
5202
9.89k
    TIFFDirEntry *o;
5203
9.89k
    m = 0;
5204
148k
    for (n = 0, o = dir; n < dircount; n++, o++)
5205
138k
    {
5206
138k
        if (o->tdir_tag < m)
5207
0
        {
5208
0
            TIFFWarningExtR(tif, module,
5209
0
                            "Invalid TIFF directory; tags are not sorted in "
5210
0
                            "ascending order");
5211
0
            break;
5212
0
        }
5213
138k
        m = o->tdir_tag + 1;
5214
138k
    }
5215
9.89k
}
5216
5217
static TIFFDirEntry *TIFFReadDirectoryFindEntry(TIFF *tif, TIFFDirEntry *dir,
5218
                                                uint16_t dircount,
5219
                                                uint16_t tagid)
5220
19.7k
{
5221
19.7k
    TIFFDirEntry *m;
5222
19.7k
    uint16_t n;
5223
19.7k
    (void)tif;
5224
118k
    for (m = dir, n = 0; n < dircount; m++, n++)
5225
118k
    {
5226
118k
        if (m->tdir_tag == tagid)
5227
19.7k
            return (m);
5228
118k
    }
5229
0
    return (0);
5230
19.7k
}
5231
5232
static void TIFFReadDirectoryFindFieldInfo(TIFF *tif, uint16_t tagid,
5233
                                           uint32_t *fii)
5234
217k
{
5235
217k
    int32_t ma, mb, mc;
5236
217k
    ma = -1;
5237
217k
    mc = (int32_t)tif->tif_nfields;
5238
1.47M
    while (1)
5239
1.47M
    {
5240
1.47M
        if (ma + 1 == mc)
5241
0
        {
5242
0
            *fii = FAILED_FII;
5243
0
            return;
5244
0
        }
5245
1.47M
        mb = (ma + mc) / 2;
5246
1.47M
        if (tif->tif_fields[mb]->field_tag == (uint32_t)tagid)
5247
217k
            break;
5248
1.25M
        if (tif->tif_fields[mb]->field_tag < (uint32_t)tagid)
5249
455k
            ma = mb;
5250
801k
        else
5251
801k
            mc = mb;
5252
1.25M
    }
5253
217k
    while (1)
5254
217k
    {
5255
217k
        if (mb == 0)
5256
0
            break;
5257
217k
        if (tif->tif_fields[mb - 1]->field_tag != (uint32_t)tagid)
5258
217k
            break;
5259
0
        mb--;
5260
0
    }
5261
217k
    *fii = mb;
5262
217k
}
5263
5264
/*
5265
 * Read custom directory from the arbitrary offset.
5266
 * The code is very similar to TIFFReadDirectory().
5267
 */
5268
int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
5269
                            const TIFFFieldArray *infoarray)
5270
0
{
5271
0
    static const char module[] = "TIFFReadCustomDirectory";
5272
0
    TIFFDirEntry *dir;
5273
0
    uint16_t dircount;
5274
0
    TIFFDirEntry *dp;
5275
0
    uint16_t di;
5276
0
    const TIFFField *fip;
5277
0
    uint32_t fii;
5278
0
    (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
5279
0
    _TIFFSetupFields(tif, infoarray);
5280
0
    dircount = TIFFFetchDirectory(tif, diroff, &dir, NULL);
5281
0
    if (!dircount)
5282
0
    {
5283
0
        TIFFErrorExtR(tif, module,
5284
0
                      "Failed to read custom directory at offset %" PRIu64,
5285
0
                      diroff);
5286
0
        return 0;
5287
0
    }
5288
0
    TIFFFreeDirectory(tif);
5289
0
    _TIFFmemset(&tif->tif_dir, 0, sizeof(TIFFDirectory));
5290
0
    TIFFReadDirectoryCheckOrder(tif, dir, dircount);
5291
    /* Allocate arrays for offset values outside IFD entry for IFD data size
5292
     * checking. Note: Counter are reset within TIFFFreeDirectory(). */
5293
0
    tif->tif_dir.td_dirdatasize_offsets =
5294
0
        (TIFFEntryOffsetAndLength *)_TIFFmallocExt(
5295
0
            tif, dircount * sizeof(TIFFEntryOffsetAndLength));
5296
0
    if (tif->tif_dir.td_dirdatasize_offsets == NULL)
5297
0
    {
5298
0
        TIFFErrorExtR(
5299
0
            tif, module,
5300
0
            "Failed to allocate memory for counting IFD data size at reading");
5301
0
        if (dir)
5302
0
            _TIFFfreeExt(tif, dir);
5303
0
        return 0;
5304
0
    }
5305
5306
0
    for (di = 0, dp = dir; di < dircount; di++, dp++)
5307
0
    {
5308
0
        TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
5309
0
        if (fii == FAILED_FII)
5310
0
        {
5311
0
            TIFFWarningExtR(tif, module,
5312
0
                            "Unknown field with tag %" PRIu16 " (0x%" PRIx16
5313
0
                            ") encountered",
5314
0
                            dp->tdir_tag, dp->tdir_tag);
5315
0
            const TIFFField *fld = _TIFFCreateAnonField(
5316
0
                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
5317
0
            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
5318
0
            {
5319
0
                TIFFWarningExtR(tif, module,
5320
0
                                "Registering anonymous field with tag %" PRIu16
5321
0
                                " (0x%" PRIx16 ") failed",
5322
0
                                dp->tdir_tag, dp->tdir_tag);
5323
0
                dp->tdir_ignore = TRUE;
5324
0
            }
5325
0
            else
5326
0
            {
5327
0
                TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
5328
0
                assert(fii != FAILED_FII);
5329
0
            }
5330
0
        }
5331
0
        if (!dp->tdir_ignore)
5332
0
        {
5333
0
            fip = tif->tif_fields[fii];
5334
0
            if (fip->field_bit == FIELD_IGNORE)
5335
0
                dp->tdir_ignore = TRUE;
5336
0
            else
5337
0
            {
5338
                /* check data type */
5339
0
                while ((fip->field_type != TIFF_ANY) &&
5340
0
                       (fip->field_type != dp->tdir_type))
5341
0
                {
5342
0
                    fii++;
5343
0
                    if ((fii == tif->tif_nfields) ||
5344
0
                        (tif->tif_fields[fii]->field_tag !=
5345
0
                         (uint32_t)dp->tdir_tag))
5346
0
                    {
5347
0
                        fii = 0xFFFF;
5348
0
                        break;
5349
0
                    }
5350
0
                    fip = tif->tif_fields[fii];
5351
0
                }
5352
0
                if (fii == 0xFFFF)
5353
0
                {
5354
0
                    TIFFWarningExtR(tif, module,
5355
0
                                    "Wrong data type %" PRIu16
5356
0
                                    " for \"%s\"; tag ignored",
5357
0
                                    dp->tdir_type, fip->field_name);
5358
0
                    dp->tdir_ignore = TRUE;
5359
0
                }
5360
0
                else
5361
0
                {
5362
                    /* check count if known in advance */
5363
0
                    if ((fip->field_readcount != TIFF_VARIABLE) &&
5364
0
                        (fip->field_readcount != TIFF_VARIABLE2))
5365
0
                    {
5366
0
                        uint32_t expected;
5367
0
                        if (fip->field_readcount == TIFF_SPP)
5368
0
                            expected =
5369
0
                                (uint32_t)tif->tif_dir.td_samplesperpixel;
5370
0
                        else
5371
0
                            expected = (uint32_t)fip->field_readcount;
5372
0
                        if (!CheckDirCount(tif, dp, expected))
5373
0
                            dp->tdir_ignore = TRUE;
5374
0
                    }
5375
0
                }
5376
0
            }
5377
0
            if (!dp->tdir_ignore)
5378
0
            {
5379
0
                switch (dp->tdir_tag)
5380
0
                {
5381
0
                    case EXIFTAG_SUBJECTDISTANCE:
5382
0
                        if (!TIFFFieldIsAnonymous(fip))
5383
0
                        {
5384
                            /* should only be called on a Exif directory */
5385
                            /* when exifFields[] is active */
5386
0
                            (void)TIFFFetchSubjectDistance(tif, dp);
5387
0
                        }
5388
0
                        else
5389
0
                        {
5390
0
                            (void)TIFFFetchNormalTag(tif, dp, TRUE);
5391
0
                        }
5392
0
                        break;
5393
0
                    default:
5394
0
                        (void)TIFFFetchNormalTag(tif, dp, TRUE);
5395
0
                        break;
5396
0
                }
5397
0
            } /*-- if (!dp->tdir_ignore) */
5398
0
        }
5399
0
    }
5400
    /* Evaluate final IFD data size. */
5401
0
    CalcFinalIFDdatasizeReading(tif, dircount);
5402
5403
    /* To be able to return from SubIFD or custom-IFD to main-IFD */
5404
0
    tif->tif_setdirectory_force_absolute = TRUE;
5405
0
    if (dir)
5406
0
        _TIFFfreeExt(tif, dir);
5407
0
    return 1;
5408
0
}
5409
5410
/*
5411
 * EXIF is important special case of custom IFD, so we have a special
5412
 * function to read it.
5413
 */
5414
int TIFFReadEXIFDirectory(TIFF *tif, toff_t diroff)
5415
0
{
5416
0
    return TIFFReadCustomDirectory(tif, diroff, _TIFFGetExifFields());
5417
0
}
5418
5419
/*
5420
 *--: EXIF-GPS custom directory reading as another special case of custom IFD.
5421
 */
5422
int TIFFReadGPSDirectory(TIFF *tif, toff_t diroff)
5423
0
{
5424
0
    return TIFFReadCustomDirectory(tif, diroff, _TIFFGetGpsFields());
5425
0
}
5426
5427
static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
5428
                                   uint16_t dircount)
5429
0
{
5430
0
    static const char module[] = "EstimateStripByteCounts";
5431
5432
0
    TIFFDirEntry *dp;
5433
0
    TIFFDirectory *td = &tif->tif_dir;
5434
0
    uint32_t strip;
5435
5436
    /* Do not try to load stripbytecount as we will compute it */
5437
0
    if (!_TIFFFillStrilesInternal(tif, 0))
5438
0
        return -1;
5439
5440
0
    const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
5441
0
    uint64_t filesize = 0;
5442
0
    if (allocsize > 100 * 1024 * 1024)
5443
0
    {
5444
        /* Before allocating a huge amount of memory for corrupted files, check
5445
         * if size of requested memory is not greater than file size. */
5446
0
        filesize = TIFFGetFileSize(tif);
5447
0
        if (allocsize > filesize)
5448
0
        {
5449
0
            TIFFWarningExtR(
5450
0
                tif, module,
5451
0
                "Requested memory size for StripByteCounts of %" PRIu64
5452
0
                " is greater than filesize %" PRIu64 ". Memory not allocated",
5453
0
                allocsize, filesize);
5454
0
            return -1;
5455
0
        }
5456
0
    }
5457
5458
0
    if (td->td_stripbytecount_p)
5459
0
        _TIFFfreeExt(tif, td->td_stripbytecount_p);
5460
0
    td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
5461
0
        tif, td->td_nstrips, sizeof(uint64_t), "for \"StripByteCounts\" array");
5462
0
    if (td->td_stripbytecount_p == NULL)
5463
0
        return -1;
5464
5465
0
    if (td->td_compression != COMPRESSION_NONE)
5466
0
    {
5467
0
        uint64_t space;
5468
0
        uint16_t n;
5469
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
5470
0
            space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
5471
0
        else
5472
0
            space = sizeof(TIFFHeaderBig) + 8 + dircount * 20 + 8;
5473
        /* calculate amount of space used by indirect values */
5474
0
        for (dp = dir, n = dircount; n > 0; n--, dp++)
5475
0
        {
5476
0
            uint32_t typewidth;
5477
0
            uint64_t datasize;
5478
0
            typewidth = TIFFDataWidth((TIFFDataType)dp->tdir_type);
5479
0
            if (typewidth == 0)
5480
0
            {
5481
0
                TIFFErrorExtR(
5482
0
                    tif, module,
5483
0
                    "Cannot determine size of unknown tag type %" PRIu16,
5484
0
                    dp->tdir_type);
5485
0
                return -1;
5486
0
            }
5487
0
            if (dp->tdir_count > UINT64_MAX / typewidth)
5488
0
                return -1;
5489
0
            datasize = (uint64_t)typewidth * dp->tdir_count;
5490
0
            if (!(tif->tif_flags & TIFF_BIGTIFF))
5491
0
            {
5492
0
                if (datasize <= 4)
5493
0
                    datasize = 0;
5494
0
            }
5495
0
            else
5496
0
            {
5497
0
                if (datasize <= 8)
5498
0
                    datasize = 0;
5499
0
            }
5500
0
            if (space > UINT64_MAX - datasize)
5501
0
                return -1;
5502
0
            space += datasize;
5503
0
        }
5504
0
        if (filesize == 0)
5505
0
            filesize = TIFFGetFileSize(tif);
5506
0
        if (filesize < space)
5507
            /* we should perhaps return in error ? */
5508
0
            space = filesize;
5509
0
        else
5510
0
            space = filesize - space;
5511
0
        if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
5512
0
            space /= td->td_samplesperpixel;
5513
0
        for (strip = 0; strip < td->td_nstrips; strip++)
5514
0
            td->td_stripbytecount_p[strip] = space;
5515
        /*
5516
         * This gross hack handles the case were the offset to
5517
         * the last strip is past the place where we think the strip
5518
         * should begin.  Since a strip of data must be contiguous,
5519
         * it's safe to assume that we've overestimated the amount
5520
         * of data in the strip and trim this number back accordingly.
5521
         */
5522
0
        strip--;
5523
0
        if (td->td_stripoffset_p[strip] >
5524
0
            UINT64_MAX - td->td_stripbytecount_p[strip])
5525
0
            return -1;
5526
0
        if (td->td_stripoffset_p[strip] + td->td_stripbytecount_p[strip] >
5527
0
            filesize)
5528
0
        {
5529
0
            if (td->td_stripoffset_p[strip] >= filesize)
5530
0
            {
5531
                /* Not sure what we should in that case... */
5532
0
                td->td_stripbytecount_p[strip] = 0;
5533
0
            }
5534
0
            else
5535
0
            {
5536
0
                td->td_stripbytecount_p[strip] =
5537
0
                    filesize - td->td_stripoffset_p[strip];
5538
0
            }
5539
0
        }
5540
0
    }
5541
0
    else if (isTiled(tif))
5542
0
    {
5543
0
        uint64_t bytespertile = TIFFTileSize64(tif);
5544
5545
0
        for (strip = 0; strip < td->td_nstrips; strip++)
5546
0
            td->td_stripbytecount_p[strip] = bytespertile;
5547
0
    }
5548
0
    else
5549
0
    {
5550
0
        uint64_t rowbytes = TIFFScanlineSize64(tif);
5551
0
        uint32_t rowsperstrip = td->td_imagelength / td->td_stripsperimage;
5552
0
        for (strip = 0; strip < td->td_nstrips; strip++)
5553
0
        {
5554
0
            if (rowbytes > 0 && rowsperstrip > UINT64_MAX / rowbytes)
5555
0
                return -1;
5556
0
            td->td_stripbytecount_p[strip] = rowbytes * rowsperstrip;
5557
0
        }
5558
0
    }
5559
0
    TIFFSetFieldBit(tif, FIELD_STRIPBYTECOUNTS);
5560
0
    if (!TIFFFieldSet(tif, FIELD_ROWSPERSTRIP))
5561
0
        td->td_rowsperstrip = td->td_imagelength;
5562
0
    return 1;
5563
0
}
5564
5565
static void MissingRequired(TIFF *tif, const char *tagname)
5566
0
{
5567
0
    static const char module[] = "MissingRequired";
5568
5569
0
    TIFFErrorExtR(tif, module,
5570
0
                  "TIFF directory is missing required \"%s\" field", tagname);
5571
0
}
5572
5573
static unsigned long hashFuncOffsetToNumber(const void *elt)
5574
29.6k
{
5575
29.6k
    const TIFFOffsetAndDirNumber *offsetAndDirNumber =
5576
29.6k
        (const TIFFOffsetAndDirNumber *)elt;
5577
29.6k
    const uint32_t hash = (uint32_t)(offsetAndDirNumber->offset >> 32) ^
5578
29.6k
                          ((uint32_t)offsetAndDirNumber->offset & 0xFFFFFFFFU);
5579
29.6k
    return hash;
5580
29.6k
}
5581
5582
static bool equalFuncOffsetToNumber(const void *elt1, const void *elt2)
5583
0
{
5584
0
    const TIFFOffsetAndDirNumber *offsetAndDirNumber1 =
5585
0
        (const TIFFOffsetAndDirNumber *)elt1;
5586
0
    const TIFFOffsetAndDirNumber *offsetAndDirNumber2 =
5587
0
        (const TIFFOffsetAndDirNumber *)elt2;
5588
0
    return offsetAndDirNumber1->offset == offsetAndDirNumber2->offset;
5589
0
}
5590
5591
static unsigned long hashFuncNumberToOffset(const void *elt)
5592
29.6k
{
5593
29.6k
    const TIFFOffsetAndDirNumber *offsetAndDirNumber =
5594
29.6k
        (const TIFFOffsetAndDirNumber *)elt;
5595
29.6k
    return offsetAndDirNumber->dirNumber;
5596
29.6k
}
5597
5598
static bool equalFuncNumberToOffset(const void *elt1, const void *elt2)
5599
0
{
5600
0
    const TIFFOffsetAndDirNumber *offsetAndDirNumber1 =
5601
0
        (const TIFFOffsetAndDirNumber *)elt1;
5602
0
    const TIFFOffsetAndDirNumber *offsetAndDirNumber2 =
5603
0
        (const TIFFOffsetAndDirNumber *)elt2;
5604
0
    return offsetAndDirNumber1->dirNumber == offsetAndDirNumber2->dirNumber;
5605
0
}
5606
5607
/*
5608
 * Check the directory number and offset against the list of already seen
5609
 * directory numbers and offsets. This is a trick to prevent IFD looping.
5610
 * The one can create TIFF file with looped directory pointers. We will
5611
 * maintain a list of already seen directories and check every IFD offset
5612
 * and its IFD number against that list. However, the offset of an IFD number
5613
 * can change - e.g. when writing updates to file.
5614
 * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
5615
 * or an error has occurred.
5616
 */
5617
int _TIFFCheckDirNumberAndOffset(TIFF *tif, tdir_t dirn, uint64_t diroff)
5618
9.89k
{
5619
9.89k
    if (diroff == 0) /* no more directories */
5620
0
        return 0;
5621
5622
9.89k
    if (tif->tif_map_dir_offset_to_number == NULL)
5623
9.89k
    {
5624
9.89k
        tif->tif_map_dir_offset_to_number = TIFFHashSetNew(
5625
9.89k
            hashFuncOffsetToNumber, equalFuncOffsetToNumber, free);
5626
9.89k
        if (tif->tif_map_dir_offset_to_number == NULL)
5627
0
        {
5628
0
            TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5629
0
                          "Not enough memory");
5630
0
            return 1;
5631
0
        }
5632
9.89k
    }
5633
5634
9.89k
    if (tif->tif_map_dir_number_to_offset == NULL)
5635
9.89k
    {
5636
        /* No free callback for this map, as it shares the same items as
5637
         * tif->tif_map_dir_offset_to_number. */
5638
9.89k
        tif->tif_map_dir_number_to_offset = TIFFHashSetNew(
5639
9.89k
            hashFuncNumberToOffset, equalFuncNumberToOffset, NULL);
5640
9.89k
        if (tif->tif_map_dir_number_to_offset == NULL)
5641
0
        {
5642
0
            TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5643
0
                          "Not enough memory");
5644
0
            return 1;
5645
0
        }
5646
9.89k
    }
5647
5648
    /* Check if offset is already in the list:
5649
     * - yes: check, if offset is at the same IFD number - if not, it is an IFD
5650
     * loop
5651
     * -  no: add to list or update offset at that IFD number
5652
     */
5653
9.89k
    TIFFOffsetAndDirNumber entry;
5654
9.89k
    entry.offset = diroff;
5655
9.89k
    entry.dirNumber = dirn;
5656
5657
9.89k
    TIFFOffsetAndDirNumber *foundEntry =
5658
9.89k
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5659
9.89k
            tif->tif_map_dir_offset_to_number, &entry);
5660
9.89k
    if (foundEntry)
5661
0
    {
5662
0
        if (foundEntry->dirNumber == dirn)
5663
0
        {
5664
0
            return 1;
5665
0
        }
5666
0
        else
5667
0
        {
5668
0
            TIFFWarningExtR(tif, "_TIFFCheckDirNumberAndOffset",
5669
0
                            "TIFF directory %d has IFD looping to directory %u "
5670
0
                            "at offset 0x%" PRIx64 " (%" PRIu64 ")",
5671
0
                            (int)dirn - 1, foundEntry->dirNumber, diroff,
5672
0
                            diroff);
5673
0
            return 0;
5674
0
        }
5675
0
    }
5676
5677
    /* Check if offset of an IFD has been changed and update offset of that IFD
5678
     * number. */
5679
9.89k
    foundEntry = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5680
9.89k
        tif->tif_map_dir_number_to_offset, &entry);
5681
9.89k
    if (foundEntry)
5682
0
    {
5683
0
        if (foundEntry->offset != diroff)
5684
0
        {
5685
0
            TIFFOffsetAndDirNumber entryOld;
5686
0
            entryOld.offset = foundEntry->offset;
5687
0
            entryOld.dirNumber = dirn;
5688
            /* We must remove first from tif_map_dir_number_to_offset as the */
5689
            /* entry is owned (and thus freed) by */
5690
            /* tif_map_dir_offset_to_number */
5691
0
            TIFFOffsetAndDirNumber *foundEntryOld =
5692
0
                (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5693
0
                    tif->tif_map_dir_number_to_offset, &entryOld);
5694
0
            if (foundEntryOld)
5695
0
            {
5696
0
                TIFFHashSetRemove(tif->tif_map_dir_number_to_offset,
5697
0
                                  foundEntryOld);
5698
0
            }
5699
0
            foundEntryOld = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5700
0
                tif->tif_map_dir_offset_to_number, &entryOld);
5701
0
            if (foundEntryOld)
5702
0
            {
5703
0
                TIFFHashSetRemove(tif->tif_map_dir_offset_to_number,
5704
0
                                  foundEntryOld);
5705
0
            }
5706
5707
0
            TIFFOffsetAndDirNumber *entryPtr = (TIFFOffsetAndDirNumber *)malloc(
5708
0
                sizeof(TIFFOffsetAndDirNumber));
5709
0
            if (entryPtr == NULL)
5710
0
            {
5711
0
                return 0;
5712
0
            }
5713
5714
            /* Add IFD offset and dirn to IFD directory list */
5715
0
            *entryPtr = entry;
5716
5717
0
            if (!TIFFHashSetInsert(tif->tif_map_dir_offset_to_number, entryPtr))
5718
0
            {
5719
0
                TIFFErrorExtR(
5720
0
                    tif, "_TIFFCheckDirNumberAndOffset",
5721
0
                    "Insertion in tif_map_dir_offset_to_number failed");
5722
0
                return 0;
5723
0
            }
5724
0
            if (!TIFFHashSetInsert(tif->tif_map_dir_number_to_offset, entryPtr))
5725
0
            {
5726
0
                TIFFErrorExtR(
5727
0
                    tif, "_TIFFCheckDirNumberAndOffset",
5728
0
                    "Insertion in tif_map_dir_number_to_offset failed");
5729
0
                return 0;
5730
0
            }
5731
0
        }
5732
0
        return 1;
5733
0
    }
5734
5735
    /* Arbitrary (hopefully big enough) limit */
5736
9.89k
    if (TIFFHashSetSize(tif->tif_map_dir_offset_to_number) >=
5737
9.89k
        TIFF_MAX_DIR_COUNT)
5738
0
    {
5739
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5740
0
                      "Cannot handle more than %u TIFF directories",
5741
0
                      TIFF_MAX_DIR_COUNT);
5742
0
        return 0;
5743
0
    }
5744
5745
9.89k
    TIFFOffsetAndDirNumber *entryPtr =
5746
9.89k
        (TIFFOffsetAndDirNumber *)malloc(sizeof(TIFFOffsetAndDirNumber));
5747
9.89k
    if (entryPtr == NULL)
5748
0
    {
5749
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5750
0
                      "malloc(sizeof(TIFFOffsetAndDirNumber)) failed");
5751
0
        return 0;
5752
0
    }
5753
5754
    /* Add IFD offset and dirn to IFD directory list */
5755
9.89k
    *entryPtr = entry;
5756
5757
9.89k
    if (!TIFFHashSetInsert(tif->tif_map_dir_offset_to_number, entryPtr))
5758
0
    {
5759
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5760
0
                      "Insertion in tif_map_dir_offset_to_number failed");
5761
0
        return 0;
5762
0
    }
5763
9.89k
    if (!TIFFHashSetInsert(tif->tif_map_dir_number_to_offset, entryPtr))
5764
0
    {
5765
0
        TIFFErrorExtR(tif, "_TIFFCheckDirNumberAndOffset",
5766
0
                      "Insertion in tif_map_dir_number_to_offset failed");
5767
0
        return 0;
5768
0
    }
5769
5770
9.89k
    return 1;
5771
9.89k
} /* --- _TIFFCheckDirNumberAndOffset() ---*/
5772
5773
/*
5774
 * Retrieve the matching IFD directory number of a given IFD offset
5775
 * from the list of directories already seen.
5776
 * Returns 1 if the offset was in the list and the directory number
5777
 * can be returned.
5778
 * Otherwise returns 0 or if an error occurred.
5779
 */
5780
int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, tdir_t *dirn)
5781
0
{
5782
0
    if (diroff == 0) /* no more directories */
5783
0
        return 0;
5784
5785
    /* Check if offset is already in the list and return matching directory
5786
     * number. Otherwise update IFD list using TIFFNumberOfDirectories() and
5787
     * search again in IFD list.
5788
     */
5789
0
    if (tif->tif_map_dir_offset_to_number == NULL)
5790
0
        return 0;
5791
0
    TIFFOffsetAndDirNumber entry;
5792
0
    entry.offset = diroff;
5793
0
    entry.dirNumber = 0; /* not used */
5794
5795
0
    TIFFOffsetAndDirNumber *foundEntry =
5796
0
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5797
0
            tif->tif_map_dir_offset_to_number, &entry);
5798
0
    if (foundEntry)
5799
0
    {
5800
0
        *dirn = foundEntry->dirNumber;
5801
0
        return 1;
5802
0
    }
5803
5804
    /* This updates the directory list for all main-IFDs in the file. */
5805
0
    TIFFNumberOfDirectories(tif);
5806
5807
0
    foundEntry = (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5808
0
        tif->tif_map_dir_offset_to_number, &entry);
5809
0
    if (foundEntry)
5810
0
    {
5811
0
        *dirn = foundEntry->dirNumber;
5812
0
        return 1;
5813
0
    }
5814
5815
0
    return 0;
5816
0
} /*--- _TIFFGetDirNumberFromOffset() ---*/
5817
5818
/*
5819
 * Retrieve the matching IFD directory offset of a given IFD number
5820
 * from the list of directories already seen.
5821
 * Returns 1 if the offset was in the list of already seen IFDs and the
5822
 * directory offset can be returned. The directory list is not updated.
5823
 * Otherwise returns 0 or if an error occurred.
5824
 */
5825
int _TIFFGetOffsetFromDirNumber(TIFF *tif, tdir_t dirn, uint64_t *diroff)
5826
0
{
5827
5828
0
    if (tif->tif_map_dir_number_to_offset == NULL)
5829
0
        return 0;
5830
0
    TIFFOffsetAndDirNumber entry;
5831
0
    entry.offset = 0; /* not used */
5832
0
    entry.dirNumber = dirn;
5833
5834
0
    TIFFOffsetAndDirNumber *foundEntry =
5835
0
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5836
0
            tif->tif_map_dir_number_to_offset, &entry);
5837
0
    if (foundEntry)
5838
0
    {
5839
0
        *diroff = foundEntry->offset;
5840
0
        return 1;
5841
0
    }
5842
5843
0
    return 0;
5844
0
} /*--- _TIFFGetOffsetFromDirNumber() ---*/
5845
5846
/*
5847
 * Remove an entry from the directory list of already seen directories
5848
 * by directory offset.
5849
 * If an entry is to be removed from the list, it is also okay if the entry
5850
 * is not in the list or the list does not exist.
5851
 */
5852
int _TIFFRemoveEntryFromDirectoryListByOffset(TIFF *tif, uint64_t diroff)
5853
0
{
5854
0
    if (tif->tif_map_dir_offset_to_number == NULL)
5855
0
        return 1;
5856
5857
0
    TIFFOffsetAndDirNumber entryOld;
5858
0
    entryOld.offset = diroff;
5859
0
    entryOld.dirNumber = 0;
5860
    /* We must remove first from tif_map_dir_number_to_offset as the
5861
     * entry is owned (and thus freed) by tif_map_dir_offset_to_number.
5862
     * However, we need firstly to find the directory number from offset. */
5863
5864
0
    TIFFOffsetAndDirNumber *foundEntryOldOff =
5865
0
        (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5866
0
            tif->tif_map_dir_offset_to_number, &entryOld);
5867
0
    if (foundEntryOldOff)
5868
0
    {
5869
0
        entryOld.dirNumber = foundEntryOldOff->dirNumber;
5870
0
        if (tif->tif_map_dir_number_to_offset != NULL)
5871
0
        {
5872
0
            TIFFOffsetAndDirNumber *foundEntryOldDir =
5873
0
                (TIFFOffsetAndDirNumber *)TIFFHashSetLookup(
5874
0
                    tif->tif_map_dir_number_to_offset, &entryOld);
5875
0
            if (foundEntryOldDir)
5876
0
            {
5877
0
                TIFFHashSetRemove(tif->tif_map_dir_number_to_offset,
5878
0
                                  foundEntryOldDir);
5879
0
                TIFFHashSetRemove(tif->tif_map_dir_offset_to_number,
5880
0
                                  foundEntryOldOff);
5881
0
                return 1;
5882
0
            }
5883
0
        }
5884
0
        else
5885
0
        {
5886
0
            TIFFErrorExtR(tif, "_TIFFRemoveEntryFromDirectoryListByOffset",
5887
0
                          "Unexpectedly tif_map_dir_number_to_offset is "
5888
0
                          "missing but tif_map_dir_offset_to_number exists.");
5889
0
            return 0;
5890
0
        }
5891
0
    }
5892
0
    return 1;
5893
0
} /*--- _TIFFRemoveEntryFromDirectoryListByOffset() ---*/
5894
5895
/*
5896
 * Check the count field of a directory entry against a known value.  The
5897
 * caller is expected to skip/ignore the tag if there is a mismatch.
5898
 */
5899
static int CheckDirCount(TIFF *tif, TIFFDirEntry *dir, uint32_t count)
5900
0
{
5901
0
    if ((uint64_t)count > dir->tdir_count)
5902
0
    {
5903
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
5904
0
        TIFFWarningExtR(tif, tif->tif_name,
5905
0
                        "incorrect count for field \"%s\" (%" PRIu64
5906
0
                        ", expecting %" PRIu32 "); tag ignored",
5907
0
                        fip ? fip->field_name : "unknown tagname",
5908
0
                        dir->tdir_count, count);
5909
0
        return (0);
5910
0
    }
5911
0
    else if ((uint64_t)count < dir->tdir_count)
5912
0
    {
5913
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
5914
0
        TIFFWarningExtR(tif, tif->tif_name,
5915
0
                        "incorrect count for field \"%s\" (%" PRIu64
5916
0
                        ", expecting %" PRIu32 "); tag trimmed",
5917
0
                        fip ? fip->field_name : "unknown tagname",
5918
0
                        dir->tdir_count, count);
5919
0
        dir->tdir_count = count;
5920
0
        return (1);
5921
0
    }
5922
0
    return (1);
5923
0
}
5924
5925
/*
5926
 * Read IFD structure from the specified offset. If the pointer to
5927
 * nextdiroff variable has been specified, read it too. Function returns a
5928
 * number of fields in the directory or 0 if failed.
5929
 */
5930
static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
5931
                                   TIFFDirEntry **pdir, uint64_t *nextdiroff)
5932
9.89k
{
5933
9.89k
    static const char module[] = "TIFFFetchDirectory";
5934
5935
9.89k
    void *origdir;
5936
9.89k
    uint16_t dircount16;
5937
9.89k
    uint32_t dirsize;
5938
9.89k
    TIFFDirEntry *dir;
5939
9.89k
    uint8_t *ma;
5940
9.89k
    TIFFDirEntry *mb;
5941
9.89k
    uint16_t n;
5942
5943
9.89k
    assert(pdir);
5944
5945
9.89k
    tif->tif_diroff = diroff;
5946
9.89k
    if (nextdiroff)
5947
9.89k
        *nextdiroff = 0;
5948
9.89k
    if (!isMapped(tif))
5949
9.89k
    {
5950
9.89k
        if (!SeekOK(tif, tif->tif_diroff))
5951
0
        {
5952
0
            TIFFErrorExtR(tif, module,
5953
0
                          "%s: Seek error accessing TIFF directory",
5954
0
                          tif->tif_name);
5955
0
            return 0;
5956
0
        }
5957
9.89k
        if (!(tif->tif_flags & TIFF_BIGTIFF))
5958
9.89k
        {
5959
9.89k
            if (!ReadOK(tif, &dircount16, sizeof(uint16_t)))
5960
0
            {
5961
0
                TIFFErrorExtR(tif, module,
5962
0
                              "%s: Can not read TIFF directory count",
5963
0
                              tif->tif_name);
5964
0
                return 0;
5965
0
            }
5966
9.89k
            if (tif->tif_flags & TIFF_SWAB)
5967
0
                TIFFSwabShort(&dircount16);
5968
9.89k
            if (dircount16 > 4096)
5969
0
            {
5970
0
                TIFFErrorExtR(tif, module,
5971
0
                              "Sanity check on directory count failed, this is "
5972
0
                              "probably not a valid IFD offset");
5973
0
                return 0;
5974
0
            }
5975
9.89k
            dirsize = 12;
5976
9.89k
        }
5977
0
        else
5978
0
        {
5979
0
            uint64_t dircount64;
5980
0
            if (!ReadOK(tif, &dircount64, sizeof(uint64_t)))
5981
0
            {
5982
0
                TIFFErrorExtR(tif, module,
5983
0
                              "%s: Can not read TIFF directory count",
5984
0
                              tif->tif_name);
5985
0
                return 0;
5986
0
            }
5987
0
            if (tif->tif_flags & TIFF_SWAB)
5988
0
                TIFFSwabLong8(&dircount64);
5989
0
            if (dircount64 > 4096)
5990
0
            {
5991
0
                TIFFErrorExtR(tif, module,
5992
0
                              "Sanity check on directory count failed, this is "
5993
0
                              "probably not a valid IFD offset");
5994
0
                return 0;
5995
0
            }
5996
0
            dircount16 = (uint16_t)dircount64;
5997
0
            dirsize = 20;
5998
0
        }
5999
9.89k
        origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
6000
9.89k
                                   "to read TIFF directory");
6001
9.89k
        if (origdir == NULL)
6002
0
            return 0;
6003
9.89k
        if (!ReadOK(tif, origdir, (tmsize_t)(dircount16 * dirsize)))
6004
0
        {
6005
0
            TIFFErrorExtR(tif, module, "%.100s: Can not read TIFF directory",
6006
0
                          tif->tif_name);
6007
0
            _TIFFfreeExt(tif, origdir);
6008
0
            return 0;
6009
0
        }
6010
        /*
6011
         * Read offset to next directory for sequential scans if
6012
         * needed.
6013
         */
6014
9.89k
        if (nextdiroff)
6015
9.89k
        {
6016
9.89k
            if (!(tif->tif_flags & TIFF_BIGTIFF))
6017
9.89k
            {
6018
9.89k
                uint32_t nextdiroff32;
6019
9.89k
                if (!ReadOK(tif, &nextdiroff32, sizeof(uint32_t)))
6020
0
                    nextdiroff32 = 0;
6021
9.89k
                if (tif->tif_flags & TIFF_SWAB)
6022
0
                    TIFFSwabLong(&nextdiroff32);
6023
9.89k
                *nextdiroff = nextdiroff32;
6024
9.89k
            }
6025
0
            else
6026
0
            {
6027
0
                if (!ReadOK(tif, nextdiroff, sizeof(uint64_t)))
6028
0
                    *nextdiroff = 0;
6029
0
                if (tif->tif_flags & TIFF_SWAB)
6030
0
                    TIFFSwabLong8(nextdiroff);
6031
0
            }
6032
9.89k
        }
6033
9.89k
    }
6034
0
    else
6035
0
    {
6036
0
        tmsize_t m;
6037
0
        tmsize_t off;
6038
0
        if (tif->tif_diroff > (uint64_t)INT64_MAX)
6039
0
        {
6040
0
            TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
6041
0
            return (0);
6042
0
        }
6043
0
        off = (tmsize_t)tif->tif_diroff;
6044
6045
        /*
6046
         * Check for integer overflow when validating the dir_off,
6047
         * otherwise a very high offset may cause an OOB read and
6048
         * crash the client. Make two comparisons instead of
6049
         *
6050
         *  off + sizeof(uint16_t) > tif->tif_size
6051
         *
6052
         * to avoid overflow.
6053
         */
6054
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
6055
0
        {
6056
0
            m = off + sizeof(uint16_t);
6057
0
            if ((m < off) || (m < (tmsize_t)sizeof(uint16_t)) ||
6058
0
                (m > tif->tif_size))
6059
0
            {
6060
0
                TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
6061
0
                return 0;
6062
0
            }
6063
0
            else
6064
0
            {
6065
0
                _TIFFmemcpy(&dircount16, tif->tif_base + off, sizeof(uint16_t));
6066
0
            }
6067
0
            off += sizeof(uint16_t);
6068
0
            if (tif->tif_flags & TIFF_SWAB)
6069
0
                TIFFSwabShort(&dircount16);
6070
0
            if (dircount16 > 4096)
6071
0
            {
6072
0
                TIFFErrorExtR(tif, module,
6073
0
                              "Sanity check on directory count failed, this is "
6074
0
                              "probably not a valid IFD offset");
6075
0
                return 0;
6076
0
            }
6077
0
            dirsize = 12;
6078
0
        }
6079
0
        else
6080
0
        {
6081
0
            uint64_t dircount64;
6082
0
            m = off + sizeof(uint64_t);
6083
0
            if ((m < off) || (m < (tmsize_t)sizeof(uint64_t)) ||
6084
0
                (m > tif->tif_size))
6085
0
            {
6086
0
                TIFFErrorExtR(tif, module, "Can not read TIFF directory count");
6087
0
                return 0;
6088
0
            }
6089
0
            else
6090
0
            {
6091
0
                _TIFFmemcpy(&dircount64, tif->tif_base + off, sizeof(uint64_t));
6092
0
            }
6093
0
            off += sizeof(uint64_t);
6094
0
            if (tif->tif_flags & TIFF_SWAB)
6095
0
                TIFFSwabLong8(&dircount64);
6096
0
            if (dircount64 > 4096)
6097
0
            {
6098
0
                TIFFErrorExtR(tif, module,
6099
0
                              "Sanity check on directory count failed, this is "
6100
0
                              "probably not a valid IFD offset");
6101
0
                return 0;
6102
0
            }
6103
0
            dircount16 = (uint16_t)dircount64;
6104
0
            dirsize = 20;
6105
0
        }
6106
0
        if (dircount16 == 0)
6107
0
        {
6108
0
            TIFFErrorExtR(tif, module,
6109
0
                          "Sanity check on directory count failed, zero tag "
6110
0
                          "directories not supported");
6111
0
            return 0;
6112
0
        }
6113
        /* Before allocating a huge amount of memory for corrupted files, check
6114
         * if size of requested memory is not greater than file size. */
6115
0
        uint64_t filesize = TIFFGetFileSize(tif);
6116
0
        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
6117
0
        if (allocsize > filesize)
6118
0
        {
6119
0
            TIFFWarningExtR(
6120
0
                tif, module,
6121
0
                "Requested memory size for TIFF directory of %" PRIu64
6122
0
                " is greater than filesize %" PRIu64
6123
0
                ". Memory not allocated, TIFF directory not read",
6124
0
                allocsize, filesize);
6125
0
            return 0;
6126
0
        }
6127
0
        origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
6128
0
                                   "to read TIFF directory");
6129
0
        if (origdir == NULL)
6130
0
            return 0;
6131
0
        m = off + dircount16 * dirsize;
6132
0
        if ((m < off) || (m < (tmsize_t)(dircount16 * dirsize)) ||
6133
0
            (m > tif->tif_size))
6134
0
        {
6135
0
            TIFFErrorExtR(tif, module, "Can not read TIFF directory");
6136
0
            _TIFFfreeExt(tif, origdir);
6137
0
            return 0;
6138
0
        }
6139
0
        else
6140
0
        {
6141
0
            _TIFFmemcpy(origdir, tif->tif_base + off, dircount16 * dirsize);
6142
0
        }
6143
0
        if (nextdiroff)
6144
0
        {
6145
0
            off += dircount16 * dirsize;
6146
0
            if (!(tif->tif_flags & TIFF_BIGTIFF))
6147
0
            {
6148
0
                uint32_t nextdiroff32;
6149
0
                m = off + sizeof(uint32_t);
6150
0
                if ((m < off) || (m < (tmsize_t)sizeof(uint32_t)) ||
6151
0
                    (m > tif->tif_size))
6152
0
                    nextdiroff32 = 0;
6153
0
                else
6154
0
                    _TIFFmemcpy(&nextdiroff32, tif->tif_base + off,
6155
0
                                sizeof(uint32_t));
6156
0
                if (tif->tif_flags & TIFF_SWAB)
6157
0
                    TIFFSwabLong(&nextdiroff32);
6158
0
                *nextdiroff = nextdiroff32;
6159
0
            }
6160
0
            else
6161
0
            {
6162
0
                m = off + sizeof(uint64_t);
6163
0
                if ((m < off) || (m < (tmsize_t)sizeof(uint64_t)) ||
6164
0
                    (m > tif->tif_size))
6165
0
                    *nextdiroff = 0;
6166
0
                else
6167
0
                    _TIFFmemcpy(nextdiroff, tif->tif_base + off,
6168
0
                                sizeof(uint64_t));
6169
0
                if (tif->tif_flags & TIFF_SWAB)
6170
0
                    TIFFSwabLong8(nextdiroff);
6171
0
            }
6172
0
        }
6173
0
    }
6174
    /* No check against filesize needed here because "dir" should have same size
6175
     * than "origdir" checked above. */
6176
9.89k
    dir = (TIFFDirEntry *)_TIFFCheckMalloc(
6177
9.89k
        tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
6178
9.89k
    if (dir == 0)
6179
0
    {
6180
0
        _TIFFfreeExt(tif, origdir);
6181
0
        return 0;
6182
0
    }
6183
9.89k
    ma = (uint8_t *)origdir;
6184
9.89k
    mb = dir;
6185
148k
    for (n = 0; n < dircount16; n++)
6186
138k
    {
6187
138k
        mb->tdir_ignore = FALSE;
6188
138k
        if (tif->tif_flags & TIFF_SWAB)
6189
0
            TIFFSwabShort((uint16_t *)ma);
6190
138k
        mb->tdir_tag = *(uint16_t *)ma;
6191
138k
        ma += sizeof(uint16_t);
6192
138k
        if (tif->tif_flags & TIFF_SWAB)
6193
0
            TIFFSwabShort((uint16_t *)ma);
6194
138k
        mb->tdir_type = *(uint16_t *)ma;
6195
138k
        ma += sizeof(uint16_t);
6196
138k
        if (!(tif->tif_flags & TIFF_BIGTIFF))
6197
138k
        {
6198
138k
            if (tif->tif_flags & TIFF_SWAB)
6199
0
                TIFFSwabLong((uint32_t *)ma);
6200
138k
            mb->tdir_count = (uint64_t)(*(uint32_t *)ma);
6201
138k
            ma += sizeof(uint32_t);
6202
138k
            mb->tdir_offset.toff_long8 = 0;
6203
138k
            *(uint32_t *)(&mb->tdir_offset) = *(uint32_t *)ma;
6204
138k
            ma += sizeof(uint32_t);
6205
138k
        }
6206
0
        else
6207
0
        {
6208
0
            if (tif->tif_flags & TIFF_SWAB)
6209
0
                TIFFSwabLong8((uint64_t *)ma);
6210
0
            mb->tdir_count = TIFFReadUInt64(ma);
6211
0
            ma += sizeof(uint64_t);
6212
0
            mb->tdir_offset.toff_long8 = TIFFReadUInt64(ma);
6213
0
            ma += sizeof(uint64_t);
6214
0
        }
6215
138k
        mb++;
6216
138k
    }
6217
9.89k
    _TIFFfreeExt(tif, origdir);
6218
9.89k
    *pdir = dir;
6219
9.89k
    return dircount16;
6220
9.89k
}
6221
6222
/*
6223
 * Fetch a tag that is not handled by special case code.
6224
 */
6225
static int TIFFFetchNormalTag(TIFF *tif, TIFFDirEntry *dp, int recover)
6226
98.9k
{
6227
98.9k
    static const char module[] = "TIFFFetchNormalTag";
6228
98.9k
    enum TIFFReadDirEntryErr err;
6229
98.9k
    uint32_t fii;
6230
98.9k
    const TIFFField *fip = NULL;
6231
98.9k
    TIFFReadDirectoryFindFieldInfo(tif, dp->tdir_tag, &fii);
6232
98.9k
    if (fii == FAILED_FII)
6233
0
    {
6234
0
        TIFFErrorExtR(tif, "TIFFFetchNormalTag",
6235
0
                      "No definition found for tag %" PRIu16, dp->tdir_tag);
6236
0
        return 0;
6237
0
    }
6238
98.9k
    fip = tif->tif_fields[fii];
6239
98.9k
    assert(fip != NULL); /* should not happen */
6240
98.9k
    assert(fip->set_field_type !=
6241
98.9k
           TIFF_SETGET_OTHER); /* if so, we shouldn't arrive here but deal with
6242
                                  this in specialized code */
6243
98.9k
    assert(fip->set_field_type !=
6244
98.9k
           TIFF_SETGET_INT); /* if so, we shouldn't arrive here as this is only
6245
                                the case for pseudo-tags */
6246
98.9k
    err = TIFFReadDirEntryErrOk;
6247
98.9k
    switch (fip->set_field_type)
6248
98.9k
    {
6249
0
        case TIFF_SETGET_UNDEFINED:
6250
0
            TIFFErrorExtR(
6251
0
                tif, "TIFFFetchNormalTag",
6252
0
                "Defined set_field_type of custom tag %u (%s) is "
6253
0
                "TIFF_SETGET_UNDEFINED and thus tag is not read from file",
6254
0
                fip->field_tag, fip->field_name);
6255
0
            break;
6256
0
        case TIFF_SETGET_ASCII:
6257
0
        {
6258
0
            uint8_t *data;
6259
0
            assert(fip->field_passcount == 0);
6260
0
            err = TIFFReadDirEntryByteArray(tif, dp, &data);
6261
0
            if (err == TIFFReadDirEntryErrOk)
6262
0
            {
6263
0
                size_t mb = 0;
6264
0
                int n;
6265
0
                if (data != NULL)
6266
0
                {
6267
0
                    if (dp->tdir_count > 0 && data[dp->tdir_count - 1] == 0)
6268
0
                    {
6269
                        /* optimization: if data is known to be 0 terminated, we
6270
                         * can use strlen() */
6271
0
                        mb = strlen((const char *)data);
6272
0
                    }
6273
0
                    else
6274
0
                    {
6275
                        /* general case. equivalent to non-portable */
6276
                        /* mb = strnlen((const char*)data,
6277
                         * (uint32_t)dp->tdir_count); */
6278
0
                        uint8_t *ma = data;
6279
0
                        while (mb < (uint32_t)dp->tdir_count)
6280
0
                        {
6281
0
                            if (*ma == 0)
6282
0
                                break;
6283
0
                            ma++;
6284
0
                            mb++;
6285
0
                        }
6286
0
                    }
6287
0
                }
6288
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6289
0
                {
6290
0
                    if (data != NULL)
6291
0
                        _TIFFfreeExt(tif, data);
6292
0
                    return (0);
6293
0
                }
6294
0
                if (mb + 1 < (uint32_t)dp->tdir_count)
6295
0
                    TIFFWarningExtR(
6296
0
                        tif, module,
6297
0
                        "ASCII value for tag \"%s\" contains null byte in "
6298
0
                        "value; value incorrectly truncated during reading due "
6299
0
                        "to implementation limitations",
6300
0
                        fip->field_name);
6301
0
                else if (mb + 1 > (uint32_t)dp->tdir_count)
6302
0
                {
6303
0
                    TIFFWarningExtR(tif, module,
6304
0
                                    "ASCII value for tag \"%s\" does not end "
6305
0
                                    "in null byte. Forcing it to be null",
6306
0
                                    fip->field_name);
6307
                    /* TIFFReadDirEntryArrayWithLimit() ensures this can't be
6308
                     * larger than MAX_SIZE_TAG_DATA */
6309
0
                    assert((uint32_t)dp->tdir_count + 1 == dp->tdir_count + 1);
6310
0
                    uint8_t *o =
6311
0
                        _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
6312
0
                    if (o == NULL)
6313
0
                    {
6314
0
                        if (data != NULL)
6315
0
                            _TIFFfreeExt(tif, data);
6316
0
                        return (0);
6317
0
                    }
6318
0
                    if (dp->tdir_count > 0)
6319
0
                    {
6320
0
                        _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
6321
0
                    }
6322
0
                    o[(uint32_t)dp->tdir_count] = 0;
6323
0
                    if (data != 0)
6324
0
                        _TIFFfreeExt(tif, data);
6325
0
                    data = o;
6326
0
                }
6327
0
                n = TIFFSetField(tif, dp->tdir_tag, data);
6328
0
                if (data != 0)
6329
0
                    _TIFFfreeExt(tif, data);
6330
0
                if (!n)
6331
0
                    return (0);
6332
0
            }
6333
0
        }
6334
0
        break;
6335
0
        case TIFF_SETGET_UINT8:
6336
0
        {
6337
0
            uint8_t data = 0;
6338
0
            assert(fip->field_readcount == 1);
6339
0
            assert(fip->field_passcount == 0);
6340
0
            err = TIFFReadDirEntryByte(tif, dp, &data);
6341
0
            if (err == TIFFReadDirEntryErrOk)
6342
0
            {
6343
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6344
0
                    return (0);
6345
0
            }
6346
0
        }
6347
0
        break;
6348
0
        case TIFF_SETGET_SINT8:
6349
0
        {
6350
0
            int8_t data = 0;
6351
0
            assert(fip->field_readcount == 1);
6352
0
            assert(fip->field_passcount == 0);
6353
0
            err = TIFFReadDirEntrySbyte(tif, dp, &data);
6354
0
            if (err == TIFFReadDirEntryErrOk)
6355
0
            {
6356
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6357
0
                    return (0);
6358
0
            }
6359
0
        }
6360
0
        break;
6361
49.4k
        case TIFF_SETGET_UINT16:
6362
49.4k
        {
6363
49.4k
            uint16_t data;
6364
49.4k
            assert(fip->field_readcount == 1);
6365
49.4k
            assert(fip->field_passcount == 0);
6366
49.4k
            err = TIFFReadDirEntryShort(tif, dp, &data);
6367
49.4k
            if (err == TIFFReadDirEntryErrOk)
6368
49.4k
            {
6369
49.4k
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6370
0
                    return (0);
6371
49.4k
            }
6372
49.4k
        }
6373
49.4k
        break;
6374
49.4k
        case TIFF_SETGET_SINT16:
6375
0
        {
6376
0
            int16_t data;
6377
0
            assert(fip->field_readcount == 1);
6378
0
            assert(fip->field_passcount == 0);
6379
0
            err = TIFFReadDirEntrySshort(tif, dp, &data);
6380
0
            if (err == TIFFReadDirEntryErrOk)
6381
0
            {
6382
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6383
0
                    return (0);
6384
0
            }
6385
0
        }
6386
0
        break;
6387
29.6k
        case TIFF_SETGET_UINT32:
6388
29.6k
        {
6389
29.6k
            uint32_t data;
6390
29.6k
            assert(fip->field_readcount == 1);
6391
29.6k
            assert(fip->field_passcount == 0);
6392
29.6k
            err = TIFFReadDirEntryLong(tif, dp, &data);
6393
29.6k
            if (err == TIFFReadDirEntryErrOk)
6394
29.6k
            {
6395
29.6k
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6396
0
                    return (0);
6397
29.6k
            }
6398
29.6k
        }
6399
29.6k
        break;
6400
29.6k
        case TIFF_SETGET_SINT32:
6401
0
        {
6402
0
            int32_t data;
6403
0
            assert(fip->field_readcount == 1);
6404
0
            assert(fip->field_passcount == 0);
6405
0
            err = TIFFReadDirEntrySlong(tif, dp, &data);
6406
0
            if (err == TIFFReadDirEntryErrOk)
6407
0
            {
6408
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6409
0
                    return (0);
6410
0
            }
6411
0
        }
6412
0
        break;
6413
0
        case TIFF_SETGET_UINT64:
6414
0
        {
6415
0
            uint64_t data;
6416
0
            assert(fip->field_readcount == 1);
6417
0
            assert(fip->field_passcount == 0);
6418
0
            err = TIFFReadDirEntryLong8(tif, dp, &data);
6419
0
            if (err == TIFFReadDirEntryErrOk)
6420
0
            {
6421
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6422
0
                    return 0;
6423
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6424
0
                    return (0);
6425
0
            }
6426
0
        }
6427
0
        break;
6428
0
        case TIFF_SETGET_SINT64:
6429
0
        {
6430
0
            int64_t data;
6431
0
            assert(fip->field_readcount == 1);
6432
0
            assert(fip->field_passcount == 0);
6433
0
            err = TIFFReadDirEntrySlong8(tif, dp, &data);
6434
0
            if (err == TIFFReadDirEntryErrOk)
6435
0
            {
6436
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6437
0
                    return 0;
6438
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6439
0
                    return (0);
6440
0
            }
6441
0
        }
6442
0
        break;
6443
19.7k
        case TIFF_SETGET_FLOAT:
6444
19.7k
        {
6445
19.7k
            float data;
6446
19.7k
            assert(fip->field_readcount == 1);
6447
19.7k
            assert(fip->field_passcount == 0);
6448
19.7k
            err = TIFFReadDirEntryFloat(tif, dp, &data);
6449
19.7k
            if (err == TIFFReadDirEntryErrOk)
6450
19.7k
            {
6451
19.7k
                if (!EvaluateIFDdatasizeReading(tif, dp))
6452
0
                    return 0;
6453
19.7k
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6454
0
                    return (0);
6455
19.7k
            }
6456
19.7k
        }
6457
19.7k
        break;
6458
19.7k
        case TIFF_SETGET_DOUBLE:
6459
0
        {
6460
0
            double data;
6461
0
            assert(fip->field_readcount == 1);
6462
0
            assert(fip->field_passcount == 0);
6463
0
            err = TIFFReadDirEntryDouble(tif, dp, &data);
6464
0
            if (err == TIFFReadDirEntryErrOk)
6465
0
            {
6466
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6467
0
                    return 0;
6468
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6469
0
                    return (0);
6470
0
            }
6471
0
        }
6472
0
        break;
6473
0
        case TIFF_SETGET_IFD8:
6474
0
        {
6475
0
            uint64_t data;
6476
0
            assert(fip->field_readcount == 1);
6477
0
            assert(fip->field_passcount == 0);
6478
0
            err = TIFFReadDirEntryIfd8(tif, dp, &data);
6479
0
            if (err == TIFFReadDirEntryErrOk)
6480
0
            {
6481
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
6482
0
                    return 0;
6483
0
                if (!TIFFSetField(tif, dp->tdir_tag, data))
6484
0
                    return (0);
6485
0
            }
6486
0
        }
6487
0
        break;
6488
0
        case TIFF_SETGET_UINT16_PAIR:
6489
0
        {
6490
0
            uint16_t *data;
6491
0
            assert(fip->field_readcount == 2);
6492
0
            assert(fip->field_passcount == 0);
6493
0
            if (dp->tdir_count != 2)
6494
0
            {
6495
0
                TIFFWarningExtR(tif, module,
6496
0
                                "incorrect count for field \"%s\", expected 2, "
6497
0
                                "got %" PRIu64,
6498
0
                                fip->field_name, dp->tdir_count);
6499
0
                return (0);
6500
0
            }
6501
0
            err = TIFFReadDirEntryShortArray(tif, dp, &data);
6502
0
            if (err == TIFFReadDirEntryErrOk)
6503
0
            {
6504
0
                int m;
6505
0
                assert(data); /* avoid CLang static Analyzer false positive */
6506
0
                m = TIFFSetField(tif, dp->tdir_tag, data[0], data[1]);
6507
0
                _TIFFfreeExt(tif, data);
6508
0
                if (!m)
6509
0
                    return (0);
6510
0
            }
6511
0
        }
6512
0
        break;
6513
0
        case TIFF_SETGET_C0_UINT8:
6514
0
        {
6515
0
            uint8_t *data;
6516
0
            assert(fip->field_readcount >= 1);
6517
0
            assert(fip->field_passcount == 0);
6518
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6519
0
            {
6520
0
                TIFFWarningExtR(tif, module,
6521
0
                                "incorrect count for field \"%s\", expected "
6522
0
                                "%d, got %" PRIu64,
6523
0
                                fip->field_name, (int)fip->field_readcount,
6524
0
                                dp->tdir_count);
6525
0
                return (0);
6526
0
            }
6527
0
            else
6528
0
            {
6529
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
6530
0
                if (err == TIFFReadDirEntryErrOk)
6531
0
                {
6532
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6533
0
                    {
6534
0
                        if (data != 0)
6535
0
                            _TIFFfreeExt(tif, data);
6536
0
                        return 0;
6537
0
                    }
6538
0
                    int m;
6539
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6540
0
                    if (data != 0)
6541
0
                        _TIFFfreeExt(tif, data);
6542
0
                    if (!m)
6543
0
                        return (0);
6544
0
                }
6545
0
            }
6546
0
        }
6547
0
        break;
6548
0
        case TIFF_SETGET_C0_SINT8:
6549
0
        {
6550
0
            int8_t *data;
6551
0
            assert(fip->field_readcount >= 1);
6552
0
            assert(fip->field_passcount == 0);
6553
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6554
0
            {
6555
0
                TIFFWarningExtR(tif, module,
6556
0
                                "incorrect count for field \"%s\", expected "
6557
0
                                "%d, got %" PRIu64,
6558
0
                                fip->field_name, (int)fip->field_readcount,
6559
0
                                dp->tdir_count);
6560
0
                return (0);
6561
0
            }
6562
0
            else
6563
0
            {
6564
0
                err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
6565
0
                if (err == TIFFReadDirEntryErrOk)
6566
0
                {
6567
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6568
0
                    {
6569
0
                        if (data != 0)
6570
0
                            _TIFFfreeExt(tif, data);
6571
0
                        return 0;
6572
0
                    }
6573
0
                    int m;
6574
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6575
0
                    if (data != 0)
6576
0
                        _TIFFfreeExt(tif, data);
6577
0
                    if (!m)
6578
0
                        return (0);
6579
0
                }
6580
0
            }
6581
0
        }
6582
0
        break;
6583
0
        case TIFF_SETGET_C0_UINT16:
6584
0
        {
6585
0
            uint16_t *data;
6586
0
            assert(fip->field_readcount >= 1);
6587
0
            assert(fip->field_passcount == 0);
6588
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6589
0
            {
6590
0
                TIFFWarningExtR(tif, module,
6591
0
                                "incorrect count for field \"%s\", expected "
6592
0
                                "%d, got %" PRIu64,
6593
0
                                fip->field_name, (int)fip->field_readcount,
6594
0
                                dp->tdir_count);
6595
0
                return (0);
6596
0
            }
6597
0
            else
6598
0
            {
6599
0
                err = TIFFReadDirEntryShortArray(tif, dp, &data);
6600
0
                if (err == TIFFReadDirEntryErrOk)
6601
0
                {
6602
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6603
0
                    {
6604
0
                        if (data != 0)
6605
0
                            _TIFFfreeExt(tif, data);
6606
0
                        return 0;
6607
0
                    }
6608
0
                    int m;
6609
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6610
0
                    if (data != 0)
6611
0
                        _TIFFfreeExt(tif, data);
6612
0
                    if (!m)
6613
0
                        return (0);
6614
0
                }
6615
0
            }
6616
0
        }
6617
0
        break;
6618
0
        case TIFF_SETGET_C0_SINT16:
6619
0
        {
6620
0
            int16_t *data;
6621
0
            assert(fip->field_readcount >= 1);
6622
0
            assert(fip->field_passcount == 0);
6623
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6624
0
            {
6625
0
                TIFFWarningExtR(tif, module,
6626
0
                                "incorrect count for field \"%s\", expected "
6627
0
                                "%d, got %" PRIu64,
6628
0
                                fip->field_name, (int)fip->field_readcount,
6629
0
                                dp->tdir_count);
6630
0
                return (0);
6631
0
            }
6632
0
            else
6633
0
            {
6634
0
                err = TIFFReadDirEntrySshortArray(tif, dp, &data);
6635
0
                if (err == TIFFReadDirEntryErrOk)
6636
0
                {
6637
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6638
0
                    {
6639
0
                        if (data != 0)
6640
0
                            _TIFFfreeExt(tif, data);
6641
0
                        return 0;
6642
0
                    }
6643
0
                    int m;
6644
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6645
0
                    if (data != 0)
6646
0
                        _TIFFfreeExt(tif, data);
6647
0
                    if (!m)
6648
0
                        return (0);
6649
0
                }
6650
0
            }
6651
0
        }
6652
0
        break;
6653
0
        case TIFF_SETGET_C0_UINT32:
6654
0
        {
6655
0
            uint32_t *data;
6656
0
            assert(fip->field_readcount >= 1);
6657
0
            assert(fip->field_passcount == 0);
6658
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6659
0
            {
6660
0
                TIFFWarningExtR(tif, module,
6661
0
                                "incorrect count for field \"%s\", expected "
6662
0
                                "%d, got %" PRIu64,
6663
0
                                fip->field_name, (int)fip->field_readcount,
6664
0
                                dp->tdir_count);
6665
0
                return (0);
6666
0
            }
6667
0
            else
6668
0
            {
6669
0
                err = TIFFReadDirEntryLongArray(tif, dp, &data);
6670
0
                if (err == TIFFReadDirEntryErrOk)
6671
0
                {
6672
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6673
0
                    {
6674
0
                        if (data != 0)
6675
0
                            _TIFFfreeExt(tif, data);
6676
0
                        return 0;
6677
0
                    }
6678
0
                    int m;
6679
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6680
0
                    if (data != 0)
6681
0
                        _TIFFfreeExt(tif, data);
6682
0
                    if (!m)
6683
0
                        return (0);
6684
0
                }
6685
0
            }
6686
0
        }
6687
0
        break;
6688
0
        case TIFF_SETGET_C0_SINT32:
6689
0
        {
6690
0
            int32_t *data;
6691
0
            assert(fip->field_readcount >= 1);
6692
0
            assert(fip->field_passcount == 0);
6693
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6694
0
            {
6695
0
                TIFFWarningExtR(tif, module,
6696
0
                                "incorrect count for field \"%s\", expected "
6697
0
                                "%d, got %" PRIu64,
6698
0
                                fip->field_name, (int)fip->field_readcount,
6699
0
                                dp->tdir_count);
6700
0
                return (0);
6701
0
            }
6702
0
            else
6703
0
            {
6704
0
                err = TIFFReadDirEntrySlongArray(tif, dp, &data);
6705
0
                if (err == TIFFReadDirEntryErrOk)
6706
0
                {
6707
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6708
0
                    {
6709
0
                        if (data != 0)
6710
0
                            _TIFFfreeExt(tif, data);
6711
0
                        return 0;
6712
0
                    }
6713
0
                    int m;
6714
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6715
0
                    if (data != 0)
6716
0
                        _TIFFfreeExt(tif, data);
6717
0
                    if (!m)
6718
0
                        return (0);
6719
0
                }
6720
0
            }
6721
0
        }
6722
0
        break;
6723
0
        case TIFF_SETGET_C0_UINT64:
6724
0
        {
6725
0
            uint64_t *data;
6726
0
            assert(fip->field_readcount >= 1);
6727
0
            assert(fip->field_passcount == 0);
6728
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6729
0
            {
6730
0
                TIFFWarningExtR(tif, module,
6731
0
                                "incorrect count for field \"%s\", expected "
6732
0
                                "%d, got %" PRIu64,
6733
0
                                fip->field_name, (int)fip->field_readcount,
6734
0
                                dp->tdir_count);
6735
0
                return (0);
6736
0
            }
6737
0
            else
6738
0
            {
6739
0
                err = TIFFReadDirEntryLong8Array(tif, dp, &data);
6740
0
                if (err == TIFFReadDirEntryErrOk)
6741
0
                {
6742
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6743
0
                    {
6744
0
                        if (data != 0)
6745
0
                            _TIFFfreeExt(tif, data);
6746
0
                        return 0;
6747
0
                    }
6748
0
                    int m;
6749
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6750
0
                    if (data != 0)
6751
0
                        _TIFFfreeExt(tif, data);
6752
0
                    if (!m)
6753
0
                        return (0);
6754
0
                }
6755
0
            }
6756
0
        }
6757
0
        break;
6758
0
        case TIFF_SETGET_C0_SINT64:
6759
0
        {
6760
0
            int64_t *data;
6761
0
            assert(fip->field_readcount >= 1);
6762
0
            assert(fip->field_passcount == 0);
6763
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6764
0
            {
6765
0
                TIFFWarningExtR(tif, module,
6766
0
                                "incorrect count for field \"%s\", expected "
6767
0
                                "%d, got %" PRIu64,
6768
0
                                fip->field_name, (int)fip->field_readcount,
6769
0
                                dp->tdir_count);
6770
0
                return (0);
6771
0
            }
6772
0
            else
6773
0
            {
6774
0
                err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
6775
0
                if (err == TIFFReadDirEntryErrOk)
6776
0
                {
6777
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6778
0
                    {
6779
0
                        if (data != 0)
6780
0
                            _TIFFfreeExt(tif, data);
6781
0
                        return 0;
6782
0
                    }
6783
0
                    int m;
6784
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6785
0
                    if (data != 0)
6786
0
                        _TIFFfreeExt(tif, data);
6787
0
                    if (!m)
6788
0
                        return (0);
6789
0
                }
6790
0
            }
6791
0
        }
6792
0
        break;
6793
0
        case TIFF_SETGET_C0_FLOAT:
6794
0
        {
6795
0
            float *data;
6796
0
            assert(fip->field_readcount >= 1);
6797
0
            assert(fip->field_passcount == 0);
6798
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6799
0
            {
6800
0
                TIFFWarningExtR(tif, module,
6801
0
                                "incorrect count for field \"%s\", expected "
6802
0
                                "%d, got %" PRIu64,
6803
0
                                fip->field_name, (int)fip->field_readcount,
6804
0
                                dp->tdir_count);
6805
0
                return (0);
6806
0
            }
6807
0
            else
6808
0
            {
6809
0
                err = TIFFReadDirEntryFloatArray(tif, dp, &data);
6810
0
                if (err == TIFFReadDirEntryErrOk)
6811
0
                {
6812
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6813
0
                    {
6814
0
                        if (data != 0)
6815
0
                            _TIFFfreeExt(tif, data);
6816
0
                        return 0;
6817
0
                    }
6818
0
                    int m;
6819
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6820
0
                    if (data != 0)
6821
0
                        _TIFFfreeExt(tif, data);
6822
0
                    if (!m)
6823
0
                        return (0);
6824
0
                }
6825
0
            }
6826
0
        }
6827
0
        break;
6828
        /*--: Rational2Double: Extend for Double Arrays and Rational-Arrays read
6829
         * into Double-Arrays. */
6830
0
        case TIFF_SETGET_C0_DOUBLE:
6831
0
        {
6832
0
            double *data;
6833
0
            assert(fip->field_readcount >= 1);
6834
0
            assert(fip->field_passcount == 0);
6835
0
            if (dp->tdir_count != (uint64_t)fip->field_readcount)
6836
0
            {
6837
0
                TIFFWarningExtR(tif, module,
6838
0
                                "incorrect count for field \"%s\", expected "
6839
0
                                "%d, got %" PRIu64,
6840
0
                                fip->field_name, (int)fip->field_readcount,
6841
0
                                dp->tdir_count);
6842
0
                return (0);
6843
0
            }
6844
0
            else
6845
0
            {
6846
0
                err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
6847
0
                if (err == TIFFReadDirEntryErrOk)
6848
0
                {
6849
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6850
0
                    {
6851
0
                        if (data != 0)
6852
0
                            _TIFFfreeExt(tif, data);
6853
0
                        return 0;
6854
0
                    }
6855
0
                    int m;
6856
0
                    m = TIFFSetField(tif, dp->tdir_tag, data);
6857
0
                    if (data != 0)
6858
0
                        _TIFFfreeExt(tif, data);
6859
0
                    if (!m)
6860
0
                        return (0);
6861
0
                }
6862
0
            }
6863
0
        }
6864
0
        break;
6865
0
        case TIFF_SETGET_C16_ASCII:
6866
0
        {
6867
0
            uint8_t *data;
6868
0
            assert(fip->field_readcount == TIFF_VARIABLE);
6869
0
            assert(fip->field_passcount == 1);
6870
0
            if (dp->tdir_count > 0xFFFF)
6871
0
                err = TIFFReadDirEntryErrCount;
6872
0
            else
6873
0
            {
6874
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
6875
0
                if (err == TIFFReadDirEntryErrOk)
6876
0
                {
6877
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6878
0
                    {
6879
0
                        if (data != 0)
6880
0
                            _TIFFfreeExt(tif, data);
6881
0
                        return 0;
6882
0
                    }
6883
0
                    int m;
6884
0
                    if (data != 0 && dp->tdir_count > 0 &&
6885
0
                        data[dp->tdir_count - 1] != '\0')
6886
0
                    {
6887
0
                        TIFFWarningExtR(tif, module,
6888
0
                                        "ASCII value for ASCII array tag "
6889
0
                                        "\"%s\" does not end in null "
6890
0
                                        "byte. Forcing it to be null",
6891
0
                                        fip->field_name);
6892
                        /* Enlarge buffer and add terminating null. */
6893
0
                        uint8_t *o =
6894
0
                            _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
6895
0
                        if (o == NULL)
6896
0
                        {
6897
0
                            if (data != NULL)
6898
0
                                _TIFFfreeExt(tif, data);
6899
0
                            return (0);
6900
0
                        }
6901
0
                        if (dp->tdir_count > 0)
6902
0
                        {
6903
0
                            _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
6904
0
                        }
6905
0
                        o[(uint32_t)dp->tdir_count] = 0;
6906
0
                        dp->tdir_count++; /* Increment for added null. */
6907
0
                        if (data != 0)
6908
0
                            _TIFFfreeExt(tif, data);
6909
0
                        data = o;
6910
0
                    }
6911
0
                    m = TIFFSetField(tif, dp->tdir_tag,
6912
0
                                     (uint16_t)(dp->tdir_count), data);
6913
0
                    if (data != 0)
6914
0
                        _TIFFfreeExt(tif, data);
6915
0
                    if (!m)
6916
0
                        return (0);
6917
0
                }
6918
0
            }
6919
0
        }
6920
0
        break;
6921
0
        case TIFF_SETGET_C16_UINT8:
6922
0
        {
6923
0
            uint8_t *data;
6924
0
            assert(fip->field_readcount == TIFF_VARIABLE);
6925
0
            assert(fip->field_passcount == 1);
6926
0
            if (dp->tdir_count > 0xFFFF)
6927
0
                err = TIFFReadDirEntryErrCount;
6928
0
            else
6929
0
            {
6930
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
6931
0
                if (err == TIFFReadDirEntryErrOk)
6932
0
                {
6933
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6934
0
                    {
6935
0
                        if (data != 0)
6936
0
                            _TIFFfreeExt(tif, data);
6937
0
                        return 0;
6938
0
                    }
6939
0
                    int m;
6940
0
                    m = TIFFSetField(tif, dp->tdir_tag,
6941
0
                                     (uint16_t)(dp->tdir_count), data);
6942
0
                    if (data != 0)
6943
0
                        _TIFFfreeExt(tif, data);
6944
0
                    if (!m)
6945
0
                        return (0);
6946
0
                }
6947
0
            }
6948
0
        }
6949
0
        break;
6950
0
        case TIFF_SETGET_C16_SINT8:
6951
0
        {
6952
0
            int8_t *data;
6953
0
            assert(fip->field_readcount == TIFF_VARIABLE);
6954
0
            assert(fip->field_passcount == 1);
6955
0
            if (dp->tdir_count > 0xFFFF)
6956
0
                err = TIFFReadDirEntryErrCount;
6957
0
            else
6958
0
            {
6959
0
                err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
6960
0
                if (err == TIFFReadDirEntryErrOk)
6961
0
                {
6962
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6963
0
                    {
6964
0
                        if (data != 0)
6965
0
                            _TIFFfreeExt(tif, data);
6966
0
                        return 0;
6967
0
                    }
6968
0
                    int m;
6969
0
                    m = TIFFSetField(tif, dp->tdir_tag,
6970
0
                                     (uint16_t)(dp->tdir_count), data);
6971
0
                    if (data != 0)
6972
0
                        _TIFFfreeExt(tif, data);
6973
0
                    if (!m)
6974
0
                        return (0);
6975
0
                }
6976
0
            }
6977
0
        }
6978
0
        break;
6979
0
        case TIFF_SETGET_C16_UINT16:
6980
0
        {
6981
0
            uint16_t *data;
6982
0
            assert(fip->field_readcount == TIFF_VARIABLE);
6983
0
            assert(fip->field_passcount == 1);
6984
0
            if (dp->tdir_count > 0xFFFF)
6985
0
                err = TIFFReadDirEntryErrCount;
6986
0
            else
6987
0
            {
6988
0
                err = TIFFReadDirEntryShortArray(tif, dp, &data);
6989
0
                if (err == TIFFReadDirEntryErrOk)
6990
0
                {
6991
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
6992
0
                    {
6993
0
                        if (data != 0)
6994
0
                            _TIFFfreeExt(tif, data);
6995
0
                        return 0;
6996
0
                    }
6997
0
                    int m;
6998
0
                    m = TIFFSetField(tif, dp->tdir_tag,
6999
0
                                     (uint16_t)(dp->tdir_count), data);
7000
0
                    if (data != 0)
7001
0
                        _TIFFfreeExt(tif, data);
7002
0
                    if (!m)
7003
0
                        return (0);
7004
0
                }
7005
0
            }
7006
0
        }
7007
0
        break;
7008
0
        case TIFF_SETGET_C16_SINT16:
7009
0
        {
7010
0
            int16_t *data;
7011
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7012
0
            assert(fip->field_passcount == 1);
7013
0
            if (dp->tdir_count > 0xFFFF)
7014
0
                err = TIFFReadDirEntryErrCount;
7015
0
            else
7016
0
            {
7017
0
                err = TIFFReadDirEntrySshortArray(tif, dp, &data);
7018
0
                if (err == TIFFReadDirEntryErrOk)
7019
0
                {
7020
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7021
0
                    {
7022
0
                        if (data != 0)
7023
0
                            _TIFFfreeExt(tif, data);
7024
0
                        return 0;
7025
0
                    }
7026
0
                    int m;
7027
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7028
0
                                     (uint16_t)(dp->tdir_count), data);
7029
0
                    if (data != 0)
7030
0
                        _TIFFfreeExt(tif, data);
7031
0
                    if (!m)
7032
0
                        return (0);
7033
0
                }
7034
0
            }
7035
0
        }
7036
0
        break;
7037
0
        case TIFF_SETGET_C16_UINT32:
7038
0
        {
7039
0
            uint32_t *data;
7040
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7041
0
            assert(fip->field_passcount == 1);
7042
0
            if (dp->tdir_count > 0xFFFF)
7043
0
                err = TIFFReadDirEntryErrCount;
7044
0
            else
7045
0
            {
7046
0
                err = TIFFReadDirEntryLongArray(tif, dp, &data);
7047
0
                if (err == TIFFReadDirEntryErrOk)
7048
0
                {
7049
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7050
0
                    {
7051
0
                        if (data != 0)
7052
0
                            _TIFFfreeExt(tif, data);
7053
0
                        return 0;
7054
0
                    }
7055
0
                    int m;
7056
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7057
0
                                     (uint16_t)(dp->tdir_count), data);
7058
0
                    if (data != 0)
7059
0
                        _TIFFfreeExt(tif, data);
7060
0
                    if (!m)
7061
0
                        return (0);
7062
0
                }
7063
0
            }
7064
0
        }
7065
0
        break;
7066
0
        case TIFF_SETGET_C16_SINT32:
7067
0
        {
7068
0
            int32_t *data;
7069
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7070
0
            assert(fip->field_passcount == 1);
7071
0
            if (dp->tdir_count > 0xFFFF)
7072
0
                err = TIFFReadDirEntryErrCount;
7073
0
            else
7074
0
            {
7075
0
                err = TIFFReadDirEntrySlongArray(tif, dp, &data);
7076
0
                if (err == TIFFReadDirEntryErrOk)
7077
0
                {
7078
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7079
0
                    {
7080
0
                        if (data != 0)
7081
0
                            _TIFFfreeExt(tif, data);
7082
0
                        return 0;
7083
0
                    }
7084
0
                    int m;
7085
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7086
0
                                     (uint16_t)(dp->tdir_count), data);
7087
0
                    if (data != 0)
7088
0
                        _TIFFfreeExt(tif, data);
7089
0
                    if (!m)
7090
0
                        return (0);
7091
0
                }
7092
0
            }
7093
0
        }
7094
0
        break;
7095
0
        case TIFF_SETGET_C16_UINT64:
7096
0
        {
7097
0
            uint64_t *data;
7098
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7099
0
            assert(fip->field_passcount == 1);
7100
0
            if (dp->tdir_count > 0xFFFF)
7101
0
                err = TIFFReadDirEntryErrCount;
7102
0
            else
7103
0
            {
7104
0
                err = TIFFReadDirEntryLong8Array(tif, dp, &data);
7105
0
                if (err == TIFFReadDirEntryErrOk)
7106
0
                {
7107
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7108
0
                    {
7109
0
                        if (data != 0)
7110
0
                            _TIFFfreeExt(tif, data);
7111
0
                        return 0;
7112
0
                    }
7113
0
                    int m;
7114
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7115
0
                                     (uint16_t)(dp->tdir_count), data);
7116
0
                    if (data != 0)
7117
0
                        _TIFFfreeExt(tif, data);
7118
0
                    if (!m)
7119
0
                        return (0);
7120
0
                }
7121
0
            }
7122
0
        }
7123
0
        break;
7124
0
        case TIFF_SETGET_C16_SINT64:
7125
0
        {
7126
0
            int64_t *data;
7127
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7128
0
            assert(fip->field_passcount == 1);
7129
0
            if (dp->tdir_count > 0xFFFF)
7130
0
                err = TIFFReadDirEntryErrCount;
7131
0
            else
7132
0
            {
7133
0
                err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
7134
0
                if (err == TIFFReadDirEntryErrOk)
7135
0
                {
7136
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7137
0
                    {
7138
0
                        if (data != 0)
7139
0
                            _TIFFfreeExt(tif, data);
7140
0
                        return 0;
7141
0
                    }
7142
0
                    int m;
7143
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7144
0
                                     (uint16_t)(dp->tdir_count), data);
7145
0
                    if (data != 0)
7146
0
                        _TIFFfreeExt(tif, data);
7147
0
                    if (!m)
7148
0
                        return (0);
7149
0
                }
7150
0
            }
7151
0
        }
7152
0
        break;
7153
0
        case TIFF_SETGET_C16_FLOAT:
7154
0
        {
7155
0
            float *data;
7156
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7157
0
            assert(fip->field_passcount == 1);
7158
0
            if (dp->tdir_count > 0xFFFF)
7159
0
                err = TIFFReadDirEntryErrCount;
7160
0
            else
7161
0
            {
7162
0
                err = TIFFReadDirEntryFloatArray(tif, dp, &data);
7163
0
                if (err == TIFFReadDirEntryErrOk)
7164
0
                {
7165
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7166
0
                    {
7167
0
                        if (data != 0)
7168
0
                            _TIFFfreeExt(tif, data);
7169
0
                        return 0;
7170
0
                    }
7171
0
                    int m;
7172
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7173
0
                                     (uint16_t)(dp->tdir_count), data);
7174
0
                    if (data != 0)
7175
0
                        _TIFFfreeExt(tif, data);
7176
0
                    if (!m)
7177
0
                        return (0);
7178
0
                }
7179
0
            }
7180
0
        }
7181
0
        break;
7182
0
        case TIFF_SETGET_C16_DOUBLE:
7183
0
        {
7184
0
            double *data;
7185
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7186
0
            assert(fip->field_passcount == 1);
7187
0
            if (dp->tdir_count > 0xFFFF)
7188
0
                err = TIFFReadDirEntryErrCount;
7189
0
            else
7190
0
            {
7191
0
                err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
7192
0
                if (err == TIFFReadDirEntryErrOk)
7193
0
                {
7194
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7195
0
                    {
7196
0
                        if (data != 0)
7197
0
                            _TIFFfreeExt(tif, data);
7198
0
                        return 0;
7199
0
                    }
7200
0
                    int m;
7201
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7202
0
                                     (uint16_t)(dp->tdir_count), data);
7203
0
                    if (data != 0)
7204
0
                        _TIFFfreeExt(tif, data);
7205
0
                    if (!m)
7206
0
                        return (0);
7207
0
                }
7208
0
            }
7209
0
        }
7210
0
        break;
7211
0
        case TIFF_SETGET_C16_IFD8:
7212
0
        {
7213
0
            uint64_t *data;
7214
0
            assert(fip->field_readcount == TIFF_VARIABLE);
7215
0
            assert(fip->field_passcount == 1);
7216
0
            if (dp->tdir_count > 0xFFFF)
7217
0
                err = TIFFReadDirEntryErrCount;
7218
0
            else
7219
0
            {
7220
0
                err = TIFFReadDirEntryIfd8Array(tif, dp, &data);
7221
0
                if (err == TIFFReadDirEntryErrOk)
7222
0
                {
7223
0
                    if (!EvaluateIFDdatasizeReading(tif, dp))
7224
0
                    {
7225
0
                        if (data != 0)
7226
0
                            _TIFFfreeExt(tif, data);
7227
0
                        return 0;
7228
0
                    }
7229
0
                    int m;
7230
0
                    m = TIFFSetField(tif, dp->tdir_tag,
7231
0
                                     (uint16_t)(dp->tdir_count), data);
7232
0
                    if (data != 0)
7233
0
                        _TIFFfreeExt(tif, data);
7234
0
                    if (!m)
7235
0
                        return (0);
7236
0
                }
7237
0
            }
7238
0
        }
7239
0
        break;
7240
0
        case TIFF_SETGET_C32_ASCII:
7241
0
        {
7242
0
            uint8_t *data;
7243
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7244
0
            assert(fip->field_passcount == 1);
7245
0
            err = TIFFReadDirEntryByteArray(tif, dp, &data);
7246
0
            if (err == TIFFReadDirEntryErrOk)
7247
0
            {
7248
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7249
0
                {
7250
0
                    if (data != 0)
7251
0
                        _TIFFfreeExt(tif, data);
7252
0
                    return 0;
7253
0
                }
7254
0
                int m;
7255
0
                if (data != 0 && dp->tdir_count > 0 &&
7256
0
                    data[dp->tdir_count - 1] != '\0')
7257
0
                {
7258
0
                    TIFFWarningExtR(
7259
0
                        tif, module,
7260
0
                        "ASCII value for ASCII array tag \"%s\" does not end "
7261
0
                        "in null byte. Forcing it to be null",
7262
0
                        fip->field_name);
7263
                    /* Enlarge buffer and add terminating null. */
7264
0
                    uint8_t *o =
7265
0
                        _TIFFmallocExt(tif, (uint32_t)dp->tdir_count + 1);
7266
0
                    if (o == NULL)
7267
0
                    {
7268
0
                        if (data != NULL)
7269
0
                            _TIFFfreeExt(tif, data);
7270
0
                        return (0);
7271
0
                    }
7272
0
                    if (dp->tdir_count > 0)
7273
0
                    {
7274
0
                        _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
7275
0
                    }
7276
0
                    o[(uint32_t)dp->tdir_count] = 0;
7277
0
                    dp->tdir_count++; /* Increment for added null. */
7278
0
                    if (data != 0)
7279
0
                        _TIFFfreeExt(tif, data);
7280
0
                    data = o;
7281
0
                }
7282
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7283
0
                                 data);
7284
0
                if (data != 0)
7285
0
                    _TIFFfreeExt(tif, data);
7286
0
                if (!m)
7287
0
                    return (0);
7288
0
            }
7289
0
        }
7290
0
        break;
7291
0
        case TIFF_SETGET_C32_UINT8:
7292
0
        {
7293
0
            uint8_t *data;
7294
0
            uint32_t count = 0;
7295
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7296
0
            assert(fip->field_passcount == 1);
7297
0
            if (fip->field_tag == TIFFTAG_RICHTIFFIPTC &&
7298
0
                dp->tdir_type == TIFF_LONG)
7299
0
            {
7300
                /* Adobe's software (wrongly) writes RichTIFFIPTC tag with
7301
                 * data type LONG instead of UNDEFINED. Work around this
7302
                 * frequently found issue */
7303
0
                void *origdata;
7304
0
                err = TIFFReadDirEntryArray(tif, dp, &count, 4, &origdata);
7305
0
                if ((err != TIFFReadDirEntryErrOk) || (origdata == 0))
7306
0
                {
7307
0
                    data = NULL;
7308
0
                }
7309
0
                else
7310
0
                {
7311
0
                    if (tif->tif_flags & TIFF_SWAB)
7312
0
                        TIFFSwabArrayOfLong((uint32_t *)origdata, count);
7313
0
                    data = (uint8_t *)origdata;
7314
0
                    count = (uint32_t)(count * 4);
7315
0
                }
7316
0
            }
7317
0
            else
7318
0
            {
7319
0
                err = TIFFReadDirEntryByteArray(tif, dp, &data);
7320
0
                count = (uint32_t)(dp->tdir_count);
7321
0
            }
7322
0
            if (err == TIFFReadDirEntryErrOk)
7323
0
            {
7324
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7325
0
                {
7326
0
                    if (data != 0)
7327
0
                        _TIFFfreeExt(tif, data);
7328
0
                    return 0;
7329
0
                }
7330
0
                int m;
7331
0
                m = TIFFSetField(tif, dp->tdir_tag, count, data);
7332
0
                if (data != 0)
7333
0
                    _TIFFfreeExt(tif, data);
7334
0
                if (!m)
7335
0
                    return (0);
7336
0
            }
7337
0
        }
7338
0
        break;
7339
0
        case TIFF_SETGET_C32_SINT8:
7340
0
        {
7341
0
            int8_t *data = NULL;
7342
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7343
0
            assert(fip->field_passcount == 1);
7344
0
            err = TIFFReadDirEntrySbyteArray(tif, dp, &data);
7345
0
            if (err == TIFFReadDirEntryErrOk)
7346
0
            {
7347
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7348
0
                {
7349
0
                    if (data != 0)
7350
0
                        _TIFFfreeExt(tif, data);
7351
0
                    return 0;
7352
0
                }
7353
0
                int m;
7354
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7355
0
                                 data);
7356
0
                if (data != 0)
7357
0
                    _TIFFfreeExt(tif, data);
7358
0
                if (!m)
7359
0
                    return (0);
7360
0
            }
7361
0
        }
7362
0
        break;
7363
0
        case TIFF_SETGET_C32_UINT16:
7364
0
        {
7365
0
            uint16_t *data;
7366
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7367
0
            assert(fip->field_passcount == 1);
7368
0
            err = TIFFReadDirEntryShortArray(tif, dp, &data);
7369
0
            if (err == TIFFReadDirEntryErrOk)
7370
0
            {
7371
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7372
0
                {
7373
0
                    if (data != 0)
7374
0
                        _TIFFfreeExt(tif, data);
7375
0
                    return 0;
7376
0
                }
7377
0
                int m;
7378
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7379
0
                                 data);
7380
0
                if (data != 0)
7381
0
                    _TIFFfreeExt(tif, data);
7382
0
                if (!m)
7383
0
                    return (0);
7384
0
            }
7385
0
        }
7386
0
        break;
7387
0
        case TIFF_SETGET_C32_SINT16:
7388
0
        {
7389
0
            int16_t *data = NULL;
7390
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7391
0
            assert(fip->field_passcount == 1);
7392
0
            err = TIFFReadDirEntrySshortArray(tif, dp, &data);
7393
0
            if (err == TIFFReadDirEntryErrOk)
7394
0
            {
7395
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7396
0
                {
7397
0
                    if (data != 0)
7398
0
                        _TIFFfreeExt(tif, data);
7399
0
                    return 0;
7400
0
                }
7401
0
                int m;
7402
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7403
0
                                 data);
7404
0
                if (data != 0)
7405
0
                    _TIFFfreeExt(tif, data);
7406
0
                if (!m)
7407
0
                    return (0);
7408
0
            }
7409
0
        }
7410
0
        break;
7411
0
        case TIFF_SETGET_C32_UINT32:
7412
0
        {
7413
0
            uint32_t *data;
7414
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7415
0
            assert(fip->field_passcount == 1);
7416
0
            err = TIFFReadDirEntryLongArray(tif, dp, &data);
7417
0
            if (err == TIFFReadDirEntryErrOk)
7418
0
            {
7419
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7420
0
                {
7421
0
                    if (data != 0)
7422
0
                        _TIFFfreeExt(tif, data);
7423
0
                    return 0;
7424
0
                }
7425
0
                int m;
7426
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7427
0
                                 data);
7428
0
                if (data != 0)
7429
0
                    _TIFFfreeExt(tif, data);
7430
0
                if (!m)
7431
0
                    return (0);
7432
0
            }
7433
0
        }
7434
0
        break;
7435
0
        case TIFF_SETGET_C32_SINT32:
7436
0
        {
7437
0
            int32_t *data = NULL;
7438
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7439
0
            assert(fip->field_passcount == 1);
7440
0
            err = TIFFReadDirEntrySlongArray(tif, dp, &data);
7441
0
            if (err == TIFFReadDirEntryErrOk)
7442
0
            {
7443
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7444
0
                {
7445
0
                    if (data != 0)
7446
0
                        _TIFFfreeExt(tif, data);
7447
0
                    return 0;
7448
0
                }
7449
0
                int m;
7450
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7451
0
                                 data);
7452
0
                if (data != 0)
7453
0
                    _TIFFfreeExt(tif, data);
7454
0
                if (!m)
7455
0
                    return (0);
7456
0
            }
7457
0
        }
7458
0
        break;
7459
0
        case TIFF_SETGET_C32_UINT64:
7460
0
        {
7461
0
            uint64_t *data;
7462
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7463
0
            assert(fip->field_passcount == 1);
7464
0
            err = TIFFReadDirEntryLong8Array(tif, dp, &data);
7465
0
            if (err == TIFFReadDirEntryErrOk)
7466
0
            {
7467
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7468
0
                {
7469
0
                    if (data != 0)
7470
0
                        _TIFFfreeExt(tif, data);
7471
0
                    return 0;
7472
0
                }
7473
0
                int m;
7474
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7475
0
                                 data);
7476
0
                if (data != 0)
7477
0
                    _TIFFfreeExt(tif, data);
7478
0
                if (!m)
7479
0
                    return (0);
7480
0
            }
7481
0
        }
7482
0
        break;
7483
0
        case TIFF_SETGET_C32_SINT64:
7484
0
        {
7485
0
            int64_t *data = NULL;
7486
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7487
0
            assert(fip->field_passcount == 1);
7488
0
            err = TIFFReadDirEntrySlong8Array(tif, dp, &data);
7489
0
            if (err == TIFFReadDirEntryErrOk)
7490
0
            {
7491
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7492
0
                {
7493
0
                    if (data != 0)
7494
0
                        _TIFFfreeExt(tif, data);
7495
0
                    return 0;
7496
0
                }
7497
0
                int m;
7498
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7499
0
                                 data);
7500
0
                if (data != 0)
7501
0
                    _TIFFfreeExt(tif, data);
7502
0
                if (!m)
7503
0
                    return (0);
7504
0
            }
7505
0
        }
7506
0
        break;
7507
0
        case TIFF_SETGET_C32_FLOAT:
7508
0
        {
7509
0
            float *data;
7510
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7511
0
            assert(fip->field_passcount == 1);
7512
0
            err = TIFFReadDirEntryFloatArray(tif, dp, &data);
7513
0
            if (err == TIFFReadDirEntryErrOk)
7514
0
            {
7515
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7516
0
                {
7517
0
                    if (data != 0)
7518
0
                        _TIFFfreeExt(tif, data);
7519
0
                    return 0;
7520
0
                }
7521
0
                int m;
7522
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7523
0
                                 data);
7524
0
                if (data != 0)
7525
0
                    _TIFFfreeExt(tif, data);
7526
0
                if (!m)
7527
0
                    return (0);
7528
0
            }
7529
0
        }
7530
0
        break;
7531
0
        case TIFF_SETGET_C32_DOUBLE:
7532
0
        {
7533
0
            double *data;
7534
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7535
0
            assert(fip->field_passcount == 1);
7536
0
            err = TIFFReadDirEntryDoubleArray(tif, dp, &data);
7537
0
            if (err == TIFFReadDirEntryErrOk)
7538
0
            {
7539
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7540
0
                {
7541
0
                    if (data != 0)
7542
0
                        _TIFFfreeExt(tif, data);
7543
0
                    return 0;
7544
0
                }
7545
0
                int m;
7546
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7547
0
                                 data);
7548
0
                if (data != 0)
7549
0
                    _TIFFfreeExt(tif, data);
7550
0
                if (!m)
7551
0
                    return (0);
7552
0
            }
7553
0
        }
7554
0
        break;
7555
0
        case TIFF_SETGET_C32_IFD8:
7556
0
        {
7557
0
            uint64_t *data;
7558
0
            assert(fip->field_readcount == TIFF_VARIABLE2);
7559
0
            assert(fip->field_passcount == 1);
7560
0
            err = TIFFReadDirEntryIfd8Array(tif, dp, &data);
7561
0
            if (err == TIFFReadDirEntryErrOk)
7562
0
            {
7563
0
                if (!EvaluateIFDdatasizeReading(tif, dp))
7564
0
                {
7565
0
                    if (data != 0)
7566
0
                        _TIFFfreeExt(tif, data);
7567
0
                    return 0;
7568
0
                }
7569
0
                int m;
7570
0
                m = TIFFSetField(tif, dp->tdir_tag, (uint32_t)(dp->tdir_count),
7571
0
                                 data);
7572
0
                if (data != 0)
7573
0
                    _TIFFfreeExt(tif, data);
7574
0
                if (!m)
7575
0
                    return (0);
7576
0
            }
7577
0
        }
7578
0
        break;
7579
0
        default:
7580
0
            assert(0); /* we should never get here */
7581
0
            break;
7582
98.9k
    }
7583
98.9k
    if (err != TIFFReadDirEntryErrOk)
7584
0
    {
7585
0
        TIFFReadDirEntryOutputErr(tif, err, module, fip->field_name, recover);
7586
0
        return (0);
7587
0
    }
7588
98.9k
    return (1);
7589
98.9k
}
7590
7591
/*
7592
 * Fetch a set of offsets or lengths.
7593
 * While this routine says "strips", in fact it's also used for tiles.
7594
 */
7595
static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
7596
                               uint64_t **lpp)
7597
19.7k
{
7598
19.7k
    static const char module[] = "TIFFFetchStripThing";
7599
19.7k
    enum TIFFReadDirEntryErr err;
7600
19.7k
    uint64_t *data;
7601
19.7k
    err = TIFFReadDirEntryLong8ArrayWithLimit(tif, dir, &data, nstrips);
7602
19.7k
    if (err != TIFFReadDirEntryErrOk)
7603
0
    {
7604
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
7605
0
        TIFFReadDirEntryOutputErr(tif, err, module,
7606
0
                                  fip ? fip->field_name : "unknown tagname", 0);
7607
0
        return (0);
7608
0
    }
7609
19.7k
    if (dir->tdir_count < (uint64_t)nstrips)
7610
0
    {
7611
0
        uint64_t *resizeddata;
7612
0
        const TIFFField *fip = TIFFFieldWithTag(tif, dir->tdir_tag);
7613
0
        const char *pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
7614
0
        uint32_t max_nstrips = 1000000;
7615
0
        if (pszMax)
7616
0
            max_nstrips = (uint32_t)atoi(pszMax);
7617
0
        TIFFReadDirEntryOutputErr(tif, TIFFReadDirEntryErrCount, module,
7618
0
                                  fip ? fip->field_name : "unknown tagname",
7619
0
                                  (nstrips <= max_nstrips));
7620
7621
0
        if (nstrips > max_nstrips)
7622
0
        {
7623
0
            _TIFFfreeExt(tif, data);
7624
0
            return (0);
7625
0
        }
7626
7627
0
        const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
7628
0
        if (allocsize > 100 * 1024 * 1024)
7629
0
        {
7630
            /* Before allocating a huge amount of memory for corrupted files,
7631
             * check if size of requested memory is not greater than file size.
7632
             */
7633
0
            const uint64_t filesize = TIFFGetFileSize(tif);
7634
0
            if (allocsize > filesize)
7635
0
            {
7636
0
                TIFFWarningExtR(
7637
0
                    tif, module,
7638
0
                    "Requested memory size for StripArray of %" PRIu64
7639
0
                    " is greater than filesize %" PRIu64
7640
0
                    ". Memory not allocated",
7641
0
                    allocsize, filesize);
7642
0
                _TIFFfreeExt(tif, data);
7643
0
                return (0);
7644
0
            }
7645
0
        }
7646
0
        resizeddata = (uint64_t *)_TIFFCheckMalloc(
7647
0
            tif, nstrips, sizeof(uint64_t), "for strip array");
7648
0
        if (resizeddata == 0)
7649
0
        {
7650
0
            _TIFFfreeExt(tif, data);
7651
0
            return (0);
7652
0
        }
7653
0
        if (dir->tdir_count)
7654
0
            _TIFFmemcpy(resizeddata, data,
7655
0
                        (uint32_t)dir->tdir_count * sizeof(uint64_t));
7656
0
        _TIFFmemset(resizeddata + (uint32_t)dir->tdir_count, 0,
7657
0
                    (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
7658
0
        _TIFFfreeExt(tif, data);
7659
0
        data = resizeddata;
7660
0
    }
7661
19.7k
    *lpp = data;
7662
19.7k
    return (1);
7663
19.7k
}
7664
7665
/*
7666
 * Fetch and set the SubjectDistance EXIF tag.
7667
 */
7668
static int TIFFFetchSubjectDistance(TIFF *tif, TIFFDirEntry *dir)
7669
0
{
7670
0
    static const char module[] = "TIFFFetchSubjectDistance";
7671
0
    enum TIFFReadDirEntryErr err;
7672
0
    UInt64Aligned_t m;
7673
0
    m.l = 0;
7674
0
    assert(sizeof(double) == 8);
7675
0
    assert(sizeof(uint64_t) == 8);
7676
0
    assert(sizeof(uint32_t) == 4);
7677
0
    if (dir->tdir_count != 1)
7678
0
        err = TIFFReadDirEntryErrCount;
7679
0
    else if (dir->tdir_type != TIFF_RATIONAL)
7680
0
        err = TIFFReadDirEntryErrType;
7681
0
    else
7682
0
    {
7683
0
        if (!(tif->tif_flags & TIFF_BIGTIFF))
7684
0
        {
7685
0
            uint32_t offset;
7686
0
            offset = *(uint32_t *)(&dir->tdir_offset);
7687
0
            if (tif->tif_flags & TIFF_SWAB)
7688
0
                TIFFSwabLong(&offset);
7689
0
            err = TIFFReadDirEntryData(tif, offset, 8, m.i);
7690
0
        }
7691
0
        else
7692
0
        {
7693
0
            m.l = dir->tdir_offset.toff_long8;
7694
0
            err = TIFFReadDirEntryErrOk;
7695
0
        }
7696
0
    }
7697
0
    if (err == TIFFReadDirEntryErrOk)
7698
0
    {
7699
0
        double n;
7700
0
        if (tif->tif_flags & TIFF_SWAB)
7701
0
            TIFFSwabArrayOfLong(m.i, 2);
7702
0
        if (m.i[0] == 0)
7703
0
            n = 0.0;
7704
0
        else if (m.i[0] == 0xFFFFFFFF || m.i[1] == 0)
7705
            /*
7706
             * XXX: Numerator 0xFFFFFFFF means that we have infinite
7707
             * distance. Indicate that with a negative floating point
7708
             * SubjectDistance value.
7709
             */
7710
0
            n = -1.0;
7711
0
        else
7712
0
            n = (double)m.i[0] / (double)m.i[1];
7713
0
        return (TIFFSetField(tif, dir->tdir_tag, n));
7714
0
    }
7715
0
    else
7716
0
    {
7717
0
        TIFFReadDirEntryOutputErr(tif, err, module, "SubjectDistance", TRUE);
7718
0
        return (0);
7719
0
    }
7720
0
}
7721
7722
static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
7723
                                      uint64_t stripbytes,
7724
                                      uint32_t rowsperstrip)
7725
0
{
7726
0
    TIFFDirectory *td = &tif->tif_dir;
7727
0
    uint64_t bytecount;
7728
0
    uint64_t offset;
7729
0
    uint64_t last_offset;
7730
0
    uint64_t last_bytecount;
7731
0
    uint32_t i;
7732
0
    uint64_t *newcounts;
7733
0
    uint64_t *newoffsets;
7734
7735
0
    offset = TIFFGetStrileOffset(tif, 0);
7736
0
    last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
7737
0
    last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
7738
0
    if (last_offset > UINT64_MAX - last_bytecount ||
7739
0
        last_offset + last_bytecount < offset)
7740
0
    {
7741
0
        return;
7742
0
    }
7743
0
    bytecount = last_offset + last_bytecount - offset;
7744
7745
    /* Before allocating a huge amount of memory for corrupted files, check if
7746
     * size of StripByteCount and StripOffset tags is not greater than
7747
     * file size.
7748
     */
7749
0
    const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
7750
0
    if (allocsize > 100 * 1024 * 1024)
7751
0
    {
7752
0
        const uint64_t filesize = TIFFGetFileSize(tif);
7753
0
        if (allocsize > filesize)
7754
0
        {
7755
0
            TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
7756
0
                            "Requested memory size for StripByteCount and "
7757
0
                            "StripOffsets %" PRIu64
7758
0
                            " is greater than filesize %" PRIu64
7759
0
                            ". Memory not allocated",
7760
0
                            allocsize, filesize);
7761
0
            return;
7762
0
        }
7763
0
    }
7764
7765
0
    newcounts =
7766
0
        (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
7767
0
                                     "for chopped \"StripByteCounts\" array");
7768
0
    newoffsets = (uint64_t *)_TIFFCheckMalloc(
7769
0
        tif, nstrips, sizeof(uint64_t), "for chopped \"StripOffsets\" array");
7770
0
    if (newcounts == NULL || newoffsets == NULL)
7771
0
    {
7772
        /*
7773
         * Unable to allocate new strip information, give up and use
7774
         * the original one strip information.
7775
         */
7776
0
        if (newcounts != NULL)
7777
0
            _TIFFfreeExt(tif, newcounts);
7778
0
        if (newoffsets != NULL)
7779
0
            _TIFFfreeExt(tif, newoffsets);
7780
0
        return;
7781
0
    }
7782
7783
    /*
7784
     * Fill the strip information arrays with new bytecounts and offsets
7785
     * that reflect the broken-up format.
7786
     */
7787
0
    for (i = 0; i < nstrips; i++)
7788
0
    {
7789
0
        if (stripbytes > bytecount)
7790
0
            stripbytes = bytecount;
7791
0
        newcounts[i] = stripbytes;
7792
0
        newoffsets[i] = stripbytes ? offset : 0;
7793
0
        offset += stripbytes;
7794
0
        bytecount -= stripbytes;
7795
0
    }
7796
7797
    /*
7798
     * Replace old single strip info with multi-strip info.
7799
     */
7800
0
    td->td_stripsperimage = td->td_nstrips = nstrips;
7801
0
    TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
7802
7803
0
    _TIFFfreeExt(tif, td->td_stripbytecount_p);
7804
0
    _TIFFfreeExt(tif, td->td_stripoffset_p);
7805
0
    td->td_stripbytecount_p = newcounts;
7806
0
    td->td_stripoffset_p = newoffsets;
7807
#ifdef STRIPBYTECOUNTSORTED_UNUSED
7808
    td->td_stripbytecountsorted = 1;
7809
#endif
7810
0
    tif->tif_flags |= TIFF_CHOPPEDUPARRAYS;
7811
0
}
7812
7813
/*
7814
 * Replace a single strip (tile) of uncompressed data by multiple strips
7815
 * (tiles), each approximately STRIP_SIZE_DEFAULT bytes. This is useful for
7816
 * dealing with large images or for dealing with machines with a limited
7817
 * amount memory.
7818
 */
7819
static void ChopUpSingleUncompressedStrip(TIFF *tif)
7820
0
{
7821
0
    register TIFFDirectory *td = &tif->tif_dir;
7822
0
    uint64_t bytecount;
7823
0
    uint64_t offset;
7824
0
    uint32_t rowblock;
7825
0
    uint64_t rowblockbytes;
7826
0
    uint64_t stripbytes;
7827
0
    uint32_t nstrips;
7828
0
    uint32_t rowsperstrip;
7829
7830
0
    bytecount = TIFFGetStrileByteCount(tif, 0);
7831
    /* On a newly created file, just re-opened to be filled, we */
7832
    /* don't want strip chop to trigger as it is going to cause issues */
7833
    /* later ( StripOffsets and StripByteCounts improperly filled) . */
7834
0
    if (bytecount == 0 && tif->tif_mode != O_RDONLY)
7835
0
        return;
7836
0
    offset = TIFFGetStrileByteCount(tif, 0);
7837
0
    assert(td->td_planarconfig == PLANARCONFIG_CONTIG);
7838
0
    if ((td->td_photometric == PHOTOMETRIC_YCBCR) && (!isUpSampled(tif)))
7839
0
        rowblock = td->td_ycbcrsubsampling[1];
7840
0
    else
7841
0
        rowblock = 1;
7842
0
    rowblockbytes = TIFFVTileSize64(tif, rowblock);
7843
    /*
7844
     * Make the rows hold at least one scanline, but fill specified amount
7845
     * of data if possible.
7846
     */
7847
0
    if (rowblockbytes > STRIP_SIZE_DEFAULT)
7848
0
    {
7849
0
        stripbytes = rowblockbytes;
7850
0
        rowsperstrip = rowblock;
7851
0
    }
7852
0
    else if (rowblockbytes > 0)
7853
0
    {
7854
0
        uint32_t rowblocksperstrip;
7855
0
        rowblocksperstrip = (uint32_t)(STRIP_SIZE_DEFAULT / rowblockbytes);
7856
0
        rowsperstrip = rowblocksperstrip * rowblock;
7857
0
        stripbytes = rowblocksperstrip * rowblockbytes;
7858
0
    }
7859
0
    else
7860
0
        return;
7861
7862
    /*
7863
     * never increase the number of rows per strip
7864
     */
7865
0
    if (rowsperstrip >= td->td_rowsperstrip || rowsperstrip == 0)
7866
0
        return;
7867
0
    nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
7868
0
    if (nstrips == 0)
7869
0
        return;
7870
7871
    /* If we are going to allocate a lot of memory, make sure that the */
7872
    /* file is as big as needed */
7873
0
    if (tif->tif_mode == O_RDONLY && nstrips > 1000000 &&
7874
0
        (offset >= TIFFGetFileSize(tif) ||
7875
0
         stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)))
7876
0
    {
7877
0
        return;
7878
0
    }
7879
7880
0
    allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
7881
0
}
7882
7883
/*
7884
 * Replace a file with contiguous strips > 2 GB of uncompressed data by
7885
 * multiple smaller strips. This is useful for
7886
 * dealing with large images or for dealing with machines with a limited
7887
 * amount memory.
7888
 */
7889
static void TryChopUpUncompressedBigTiff(TIFF *tif)
7890
0
{
7891
0
    TIFFDirectory *td = &tif->tif_dir;
7892
0
    uint32_t rowblock;
7893
0
    uint64_t rowblockbytes;
7894
0
    uint32_t i;
7895
0
    uint64_t stripsize;
7896
0
    uint32_t rowblocksperstrip;
7897
0
    uint32_t rowsperstrip;
7898
0
    uint64_t stripbytes;
7899
0
    uint32_t nstrips;
7900
7901
0
    stripsize = TIFFStripSize64(tif);
7902
7903
0
    assert(tif->tif_dir.td_planarconfig == PLANARCONFIG_CONTIG);
7904
0
    assert(tif->tif_dir.td_compression == COMPRESSION_NONE);
7905
0
    assert((tif->tif_flags & (TIFF_STRIPCHOP | TIFF_ISTILED)) ==
7906
0
           TIFF_STRIPCHOP);
7907
0
    assert(stripsize > 0x7FFFFFFFUL);
7908
7909
    /* On a newly created file, just re-opened to be filled, we */
7910
    /* don't want strip chop to trigger as it is going to cause issues */
7911
    /* later ( StripOffsets and StripByteCounts improperly filled) . */
7912
0
    if (TIFFGetStrileByteCount(tif, 0) == 0 && tif->tif_mode != O_RDONLY)
7913
0
        return;
7914
7915
0
    if ((td->td_photometric == PHOTOMETRIC_YCBCR) && (!isUpSampled(tif)))
7916
0
        rowblock = td->td_ycbcrsubsampling[1];
7917
0
    else
7918
0
        rowblock = 1;
7919
0
    rowblockbytes = TIFFVStripSize64(tif, rowblock);
7920
0
    if (rowblockbytes == 0 || rowblockbytes > 0x7FFFFFFFUL)
7921
0
    {
7922
        /* In case of file with gigantic width */
7923
0
        return;
7924
0
    }
7925
7926
    /* Check that the strips are contiguous and of the expected size */
7927
0
    for (i = 0; i < td->td_nstrips; i++)
7928
0
    {
7929
0
        if (i == td->td_nstrips - 1)
7930
0
        {
7931
0
            if (TIFFGetStrileByteCount(tif, i) <
7932
0
                TIFFVStripSize64(tif,
7933
0
                                 td->td_imagelength - i * td->td_rowsperstrip))
7934
0
            {
7935
0
                return;
7936
0
            }
7937
0
        }
7938
0
        else
7939
0
        {
7940
0
            if (TIFFGetStrileByteCount(tif, i) != stripsize)
7941
0
            {
7942
0
                return;
7943
0
            }
7944
0
            if (i > 0 && TIFFGetStrileOffset(tif, i) !=
7945
0
                             TIFFGetStrileOffset(tif, i - 1) +
7946
0
                                 TIFFGetStrileByteCount(tif, i - 1))
7947
0
            {
7948
0
                return;
7949
0
            }
7950
0
        }
7951
0
    }
7952
7953
    /* Aim for 512 MB strips (that will still be manageable by 32 bit builds */
7954
0
    rowblocksperstrip = (uint32_t)(512 * 1024 * 1024 / rowblockbytes);
7955
0
    if (rowblocksperstrip == 0)
7956
0
        rowblocksperstrip = 1;
7957
0
    rowsperstrip = rowblocksperstrip * rowblock;
7958
0
    stripbytes = rowblocksperstrip * rowblockbytes;
7959
0
    assert(stripbytes <= 0x7FFFFFFFUL);
7960
7961
0
    if (rowsperstrip == 0)
7962
0
        return;
7963
0
    nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
7964
0
    if (nstrips == 0)
7965
0
        return;
7966
7967
    /* If we are going to allocate a lot of memory, make sure that the */
7968
    /* file is as big as needed */
7969
0
    if (tif->tif_mode == O_RDONLY && nstrips > 1000000)
7970
0
    {
7971
0
        uint64_t last_offset = TIFFGetStrileOffset(tif, td->td_nstrips - 1);
7972
0
        uint64_t filesize = TIFFGetFileSize(tif);
7973
0
        uint64_t last_bytecount =
7974
0
            TIFFGetStrileByteCount(tif, td->td_nstrips - 1);
7975
0
        if (last_offset > filesize || last_bytecount > filesize - last_offset)
7976
0
        {
7977
0
            return;
7978
0
        }
7979
0
    }
7980
7981
0
    allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
7982
0
}
7983
7984
TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
7985
static uint64_t _TIFFUnsanitizedAddUInt64AndInt(uint64_t a, int b)
7986
0
{
7987
0
    return a + b;
7988
0
}
7989
7990
/* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
7991
 * strip/tile of number strile. Also fetch the neighbouring values using a
7992
 * 4096 byte page size.
7993
 */
7994
static int _TIFFPartialReadStripArray(TIFF *tif, TIFFDirEntry *dirent,
7995
                                      int strile, uint64_t *panVals)
7996
0
{
7997
0
    static const char module[] = "_TIFFPartialReadStripArray";
7998
0
#define IO_CACHE_PAGE_SIZE 4096
7999
8000
0
    size_t sizeofval;
8001
0
    const int bSwab = (tif->tif_flags & TIFF_SWAB) != 0;
8002
0
    int sizeofvalint;
8003
0
    uint64_t nBaseOffset;
8004
0
    uint64_t nOffset;
8005
0
    uint64_t nOffsetStartPage;
8006
0
    uint64_t nOffsetEndPage;
8007
0
    tmsize_t nToRead;
8008
0
    tmsize_t nRead;
8009
0
    uint64_t nLastStripOffset;
8010
0
    int iStartBefore;
8011
0
    int i;
8012
0
    const uint32_t arraySize = tif->tif_dir.td_stripoffsetbyteallocsize;
8013
0
    unsigned char buffer[2 * IO_CACHE_PAGE_SIZE];
8014
8015
0
    assert(dirent->tdir_count > 4);
8016
8017
0
    if (dirent->tdir_type == TIFF_SHORT)
8018
0
    {
8019
0
        sizeofval = sizeof(uint16_t);
8020
0
    }
8021
0
    else if (dirent->tdir_type == TIFF_LONG)
8022
0
    {
8023
0
        sizeofval = sizeof(uint32_t);
8024
0
    }
8025
0
    else if (dirent->tdir_type == TIFF_LONG8)
8026
0
    {
8027
0
        sizeofval = sizeof(uint64_t);
8028
0
    }
8029
0
    else if (dirent->tdir_type == TIFF_SLONG8)
8030
0
    {
8031
        /* Non conformant but used by some images as in */
8032
        /* https://github.com/OSGeo/gdal/issues/2165 */
8033
0
        sizeofval = sizeof(int64_t);
8034
0
    }
8035
0
    else
8036
0
    {
8037
0
        TIFFErrorExtR(tif, module,
8038
0
                      "Invalid type for [Strip|Tile][Offset/ByteCount] tag");
8039
0
        panVals[strile] = 0;
8040
0
        return 0;
8041
0
    }
8042
0
    sizeofvalint = (int)(sizeofval);
8043
8044
0
    if (tif->tif_flags & TIFF_BIGTIFF)
8045
0
    {
8046
0
        uint64_t offset = dirent->tdir_offset.toff_long8;
8047
0
        if (bSwab)
8048
0
            TIFFSwabLong8(&offset);
8049
0
        nBaseOffset = offset;
8050
0
    }
8051
0
    else
8052
0
    {
8053
0
        uint32_t offset = dirent->tdir_offset.toff_long;
8054
0
        if (bSwab)
8055
0
            TIFFSwabLong(&offset);
8056
0
        nBaseOffset = offset;
8057
0
    }
8058
    /* To avoid later unsigned integer overflows */
8059
0
    if (nBaseOffset > (uint64_t)INT64_MAX)
8060
0
    {
8061
0
        TIFFErrorExtR(tif, module, "Cannot read offset/size for strile %d",
8062
0
                      strile);
8063
0
        panVals[strile] = 0;
8064
0
        return 0;
8065
0
    }
8066
0
    nOffset = nBaseOffset + sizeofval * strile;
8067
0
    nOffsetStartPage = (nOffset / IO_CACHE_PAGE_SIZE) * IO_CACHE_PAGE_SIZE;
8068
0
    nOffsetEndPage = nOffsetStartPage + IO_CACHE_PAGE_SIZE;
8069
8070
0
    if (nOffset + sizeofval > nOffsetEndPage)
8071
0
        nOffsetEndPage += IO_CACHE_PAGE_SIZE;
8072
0
#undef IO_CACHE_PAGE_SIZE
8073
8074
0
    nLastStripOffset = nBaseOffset + arraySize * sizeofval;
8075
0
    if (nLastStripOffset < nOffsetEndPage)
8076
0
        nOffsetEndPage = nLastStripOffset;
8077
0
    if (nOffsetStartPage >= nOffsetEndPage)
8078
0
    {
8079
0
        TIFFErrorExtR(tif, module, "Cannot read offset/size for strile %d",
8080
0
                      strile);
8081
0
        panVals[strile] = 0;
8082
0
        return 0;
8083
0
    }
8084
0
    if (!SeekOK(tif, nOffsetStartPage))
8085
0
    {
8086
0
        panVals[strile] = 0;
8087
0
        return 0;
8088
0
    }
8089
8090
0
    nToRead = (tmsize_t)(nOffsetEndPage - nOffsetStartPage);
8091
0
    nRead = TIFFReadFile(tif, buffer, nToRead);
8092
0
    if (nRead < nToRead)
8093
0
    {
8094
0
        TIFFErrorExtR(tif, module,
8095
0
                      "Cannot read offset/size for strile around ~%d", strile);
8096
0
        return 0;
8097
0
    }
8098
0
    iStartBefore = -(int)((nOffset - nOffsetStartPage) / sizeofval);
8099
0
    if (strile + iStartBefore < 0)
8100
0
        iStartBefore = -strile;
8101
0
    for (i = iStartBefore;
8102
0
         (uint32_t)(strile + i) < arraySize &&
8103
0
         _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <=
8104
0
             nOffsetEndPage;
8105
0
         ++i)
8106
0
    {
8107
0
        if (dirent->tdir_type == TIFF_SHORT)
8108
0
        {
8109
0
            uint16_t val;
8110
0
            memcpy(&val,
8111
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8112
0
                   sizeof(val));
8113
0
            if (bSwab)
8114
0
                TIFFSwabShort(&val);
8115
0
            panVals[strile + i] = val;
8116
0
        }
8117
0
        else if (dirent->tdir_type == TIFF_LONG)
8118
0
        {
8119
0
            uint32_t val;
8120
0
            memcpy(&val,
8121
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8122
0
                   sizeof(val));
8123
0
            if (bSwab)
8124
0
                TIFFSwabLong(&val);
8125
0
            panVals[strile + i] = val;
8126
0
        }
8127
0
        else if (dirent->tdir_type == TIFF_LONG8)
8128
0
        {
8129
0
            uint64_t val;
8130
0
            memcpy(&val,
8131
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8132
0
                   sizeof(val));
8133
0
            if (bSwab)
8134
0
                TIFFSwabLong8(&val);
8135
0
            panVals[strile + i] = val;
8136
0
        }
8137
0
        else /* if( dirent->tdir_type == TIFF_SLONG8 ) */
8138
0
        {
8139
            /* Non conformant data type */
8140
0
            int64_t val;
8141
0
            memcpy(&val,
8142
0
                   buffer + (nOffset - nOffsetStartPage) + i * sizeofvalint,
8143
0
                   sizeof(val));
8144
0
            if (bSwab)
8145
0
                TIFFSwabLong8((uint64_t *)&val);
8146
0
            panVals[strile + i] = (uint64_t)val;
8147
0
        }
8148
0
    }
8149
0
    return 1;
8150
0
}
8151
8152
static int _TIFFFetchStrileValue(TIFF *tif, uint32_t strile,
8153
                                 TIFFDirEntry *dirent, uint64_t **parray)
8154
0
{
8155
0
    static const char module[] = "_TIFFFetchStrileValue";
8156
0
    TIFFDirectory *td = &tif->tif_dir;
8157
0
    if (strile >= dirent->tdir_count)
8158
0
    {
8159
0
        return 0;
8160
0
    }
8161
0
    if (strile >= td->td_stripoffsetbyteallocsize)
8162
0
    {
8163
0
        uint32_t nStripArrayAllocBefore = td->td_stripoffsetbyteallocsize;
8164
0
        uint32_t nStripArrayAllocNew;
8165
0
        uint64_t nArraySize64;
8166
0
        size_t nArraySize;
8167
0
        uint64_t *offsetArray;
8168
0
        uint64_t *bytecountArray;
8169
8170
0
        if (strile > 1000000)
8171
0
        {
8172
0
            uint64_t filesize = TIFFGetFileSize(tif);
8173
            /* Avoid excessive memory allocation attempt */
8174
            /* For such a big blockid we need at least a TIFF_LONG per strile */
8175
            /* for the offset array. */
8176
0
            if (strile > filesize / sizeof(uint32_t))
8177
0
            {
8178
0
                TIFFErrorExtR(tif, module, "File too short");
8179
0
                return 0;
8180
0
            }
8181
0
        }
8182
8183
0
        if (td->td_stripoffsetbyteallocsize == 0 &&
8184
0
            td->td_nstrips < 1024 * 1024)
8185
0
        {
8186
0
            nStripArrayAllocNew = td->td_nstrips;
8187
0
        }
8188
0
        else
8189
0
        {
8190
0
#define TIFF_MAX(a, b) (((a) > (b)) ? (a) : (b))
8191
0
#define TIFF_MIN(a, b) (((a) < (b)) ? (a) : (b))
8192
0
            nStripArrayAllocNew = TIFF_MAX(strile + 1, 1024U * 512U);
8193
0
            if (nStripArrayAllocNew < 0xFFFFFFFFU / 2)
8194
0
                nStripArrayAllocNew *= 2;
8195
0
            nStripArrayAllocNew = TIFF_MIN(nStripArrayAllocNew, td->td_nstrips);
8196
0
        }
8197
0
        assert(strile < nStripArrayAllocNew);
8198
0
        nArraySize64 = (uint64_t)sizeof(uint64_t) * nStripArrayAllocNew;
8199
0
        nArraySize = (size_t)(nArraySize64);
8200
#if SIZEOF_SIZE_T == 4
8201
        if (nArraySize != nArraySize64)
8202
        {
8203
            TIFFErrorExtR(tif, module,
8204
                          "Cannot allocate strip offset and bytecount arrays");
8205
            return 0;
8206
        }
8207
#endif
8208
0
        offsetArray = (uint64_t *)(_TIFFreallocExt(tif, td->td_stripoffset_p,
8209
0
                                                   nArraySize));
8210
0
        bytecountArray = (uint64_t *)(_TIFFreallocExt(
8211
0
            tif, td->td_stripbytecount_p, nArraySize));
8212
0
        if (offsetArray)
8213
0
            td->td_stripoffset_p = offsetArray;
8214
0
        if (bytecountArray)
8215
0
            td->td_stripbytecount_p = bytecountArray;
8216
0
        if (offsetArray && bytecountArray)
8217
0
        {
8218
0
            td->td_stripoffsetbyteallocsize = nStripArrayAllocNew;
8219
            /* Initialize new entries to ~0 / -1 */
8220
            /* coverity[overrun-buffer-arg] */
8221
0
            memset(td->td_stripoffset_p + nStripArrayAllocBefore, 0xFF,
8222
0
                   (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) *
8223
0
                       sizeof(uint64_t));
8224
            /* coverity[overrun-buffer-arg] */
8225
0
            memset(td->td_stripbytecount_p + nStripArrayAllocBefore, 0xFF,
8226
0
                   (td->td_stripoffsetbyteallocsize - nStripArrayAllocBefore) *
8227
0
                       sizeof(uint64_t));
8228
0
        }
8229
0
        else
8230
0
        {
8231
0
            TIFFErrorExtR(tif, module,
8232
0
                          "Cannot allocate strip offset and bytecount arrays");
8233
0
            _TIFFfreeExt(tif, td->td_stripoffset_p);
8234
0
            td->td_stripoffset_p = NULL;
8235
0
            _TIFFfreeExt(tif, td->td_stripbytecount_p);
8236
0
            td->td_stripbytecount_p = NULL;
8237
0
            td->td_stripoffsetbyteallocsize = 0;
8238
0
        }
8239
0
    }
8240
0
    if (*parray == NULL || strile >= td->td_stripoffsetbyteallocsize)
8241
0
        return 0;
8242
8243
0
    if (~((*parray)[strile]) == 0)
8244
0
    {
8245
0
        if (!_TIFFPartialReadStripArray(tif, dirent, strile, *parray))
8246
0
        {
8247
0
            (*parray)[strile] = 0;
8248
0
            return 0;
8249
0
        }
8250
0
    }
8251
8252
0
    return 1;
8253
0
}
8254
8255
static uint64_t _TIFFGetStrileOffsetOrByteCountValue(TIFF *tif, uint32_t strile,
8256
                                                     TIFFDirEntry *dirent,
8257
                                                     uint64_t **parray,
8258
                                                     int *pbErr)
8259
39.5k
{
8260
39.5k
    TIFFDirectory *td = &tif->tif_dir;
8261
39.5k
    if (pbErr)
8262
0
        *pbErr = 0;
8263
39.5k
    if ((tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
8264
39.5k
        !(tif->tif_flags & TIFF_CHOPPEDUPARRAYS))
8265
0
    {
8266
0
        if (!(tif->tif_flags & TIFF_LAZYSTRILELOAD) ||
8267
            /* If the values may fit in the toff_long/toff_long8 member */
8268
            /* then use _TIFFFillStriles to simplify _TIFFFetchStrileValue */
8269
0
            dirent->tdir_count <= 4)
8270
0
        {
8271
0
            if (!_TIFFFillStriles(tif))
8272
0
            {
8273
0
                if (pbErr)
8274
0
                    *pbErr = 1;
8275
                /* Do not return, as we want this function to always */
8276
                /* return the same value if called several times with */
8277
                /* the same arguments */
8278
0
            }
8279
0
        }
8280
0
        else
8281
0
        {
8282
0
            if (!_TIFFFetchStrileValue(tif, strile, dirent, parray))
8283
0
            {
8284
0
                if (pbErr)
8285
0
                    *pbErr = 1;
8286
0
                return 0;
8287
0
            }
8288
0
        }
8289
0
    }
8290
39.5k
    if (*parray == NULL || strile >= td->td_nstrips)
8291
0
    {
8292
0
        if (pbErr)
8293
0
            *pbErr = 1;
8294
0
        return 0;
8295
0
    }
8296
39.5k
    return (*parray)[strile];
8297
39.5k
}
8298
8299
/* Return the value of the TileOffsets/StripOffsets array for the specified
8300
 * tile/strile */
8301
uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile)
8302
19.7k
{
8303
19.7k
    return TIFFGetStrileOffsetWithErr(tif, strile, NULL);
8304
19.7k
}
8305
8306
/* Return the value of the TileOffsets/StripOffsets array for the specified
8307
 * tile/strile */
8308
uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr)
8309
19.7k
{
8310
19.7k
    TIFFDirectory *td = &tif->tif_dir;
8311
19.7k
    return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
8312
19.7k
                                                &(td->td_stripoffset_entry),
8313
19.7k
                                                &(td->td_stripoffset_p), pbErr);
8314
19.7k
}
8315
8316
/* Return the value of the TileByteCounts/StripByteCounts array for the
8317
 * specified tile/strile */
8318
uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
8319
19.7k
{
8320
19.7k
    return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
8321
19.7k
}
8322
8323
/* Return the value of the TileByteCounts/StripByteCounts array for the
8324
 * specified tile/strile */
8325
uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr)
8326
19.7k
{
8327
19.7k
    TIFFDirectory *td = &tif->tif_dir;
8328
19.7k
    return _TIFFGetStrileOffsetOrByteCountValue(
8329
19.7k
        tif, strile, &(td->td_stripbytecount_entry), &(td->td_stripbytecount_p),
8330
19.7k
        pbErr);
8331
19.7k
}
8332
8333
0
int _TIFFFillStriles(TIFF *tif) { return _TIFFFillStrilesInternal(tif, 1); }
8334
8335
static int _TIFFFillStrilesInternal(TIFF *tif, int loadStripByteCount)
8336
0
{
8337
0
    register TIFFDirectory *td = &tif->tif_dir;
8338
0
    int return_value = 1;
8339
8340
    /* Do not do anything if TIFF_DEFERSTRILELOAD is not set */
8341
0
    if (!(tif->tif_flags & TIFF_DEFERSTRILELOAD) ||
8342
0
        (tif->tif_flags & TIFF_CHOPPEDUPARRAYS) != 0)
8343
0
        return 1;
8344
8345
0
    if (tif->tif_flags & TIFF_LAZYSTRILELOAD)
8346
0
    {
8347
        /* In case of lazy loading, reload completely the arrays */
8348
0
        _TIFFfreeExt(tif, td->td_stripoffset_p);
8349
0
        _TIFFfreeExt(tif, td->td_stripbytecount_p);
8350
0
        td->td_stripoffset_p = NULL;
8351
0
        td->td_stripbytecount_p = NULL;
8352
0
        td->td_stripoffsetbyteallocsize = 0;
8353
0
        tif->tif_flags &= ~TIFF_LAZYSTRILELOAD;
8354
0
    }
8355
8356
    /* If stripoffset array is already loaded, exit with success */
8357
0
    if (td->td_stripoffset_p != NULL)
8358
0
        return 1;
8359
8360
    /* If tdir_count was canceled, then we already got there, but in error */
8361
0
    if (td->td_stripoffset_entry.tdir_count == 0)
8362
0
        return 0;
8363
8364
0
    if (!TIFFFetchStripThing(tif, &(td->td_stripoffset_entry), td->td_nstrips,
8365
0
                             &td->td_stripoffset_p))
8366
0
    {
8367
0
        return_value = 0;
8368
0
    }
8369
8370
0
    if (loadStripByteCount &&
8371
0
        !TIFFFetchStripThing(tif, &(td->td_stripbytecount_entry),
8372
0
                             td->td_nstrips, &td->td_stripbytecount_p))
8373
0
    {
8374
0
        return_value = 0;
8375
0
    }
8376
8377
0
    _TIFFmemset(&(td->td_stripoffset_entry), 0, sizeof(TIFFDirEntry));
8378
0
    _TIFFmemset(&(td->td_stripbytecount_entry), 0, sizeof(TIFFDirEntry));
8379
8380
#ifdef STRIPBYTECOUNTSORTED_UNUSED
8381
    if (tif->tif_dir.td_nstrips > 1 && return_value == 1)
8382
    {
8383
        uint32_t strip;
8384
8385
        tif->tif_dir.td_stripbytecountsorted = 1;
8386
        for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++)
8387
        {
8388
            if (tif->tif_dir.td_stripoffset_p[strip - 1] >
8389
                tif->tif_dir.td_stripoffset_p[strip])
8390
            {
8391
                tif->tif_dir.td_stripbytecountsorted = 0;
8392
                break;
8393
            }
8394
        }
8395
    }
8396
#endif
8397
8398
0
    return return_value;
8399
0
}