← Back to branch summary

~ubuntu-branches/ubuntu/saucy/tiff/saucy-security

« back to all changes in this revision

Viewing changes to tools/tiff2pdf.c

  • Committer: Package Import Robot
  • Author(s): Jay Berkenbilt
  • Date: 2012-06-24 13:45:42 UTC
  • mfrom: (1.1.8)
  • mto: This revision was merged to the branch mainline in revision 26.
  • Revision ID: package-import@ubuntu.com-20120624134542-2xxi2i0ytrcddfdx
New upstream release

Show diffs side-by-side

added added

removed removed

Lines of Context:
tools/tiff2pdf.c
1
 
/* $Id: tiff2pdf.c,v 1.65 2011-05-31 17:00:03 bfriesen Exp $
 
1
/* $Id: tiff2pdf.c,v 1.67 2012-06-15 21:51:54 fwarmerdam Exp $
2
2
 *
3
3
 * tiff2pdf - converts a TIFF image to a PDF document
4
4
 *
435
435
        (void) handle, (void) data, (void) offset;
436
436
}
437
437
 
 
438
static uint64
 
439
checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p)
 
440
{
 
441
        uint64 bytes = summand1 + summand2;
 
442
 
 
443
        if (bytes - summand1 != summand2) {
 
444
                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
445
                t2p->t2p_error = T2P_ERR_ERROR;
 
446
                bytes = 0;
 
447
        }
 
448
 
 
449
        return bytes;
 
450
}
 
451
 
 
452
static uint64
 
453
checkMultiply64(uint64 first, uint64 second, T2P* t2p)
 
454
{
 
455
        uint64 bytes = first * second;
 
456
 
 
457
        if (second && bytes / second != first) {
 
458
                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
459
                t2p->t2p_error = T2P_ERR_ERROR;
 
460
                bytes = 0;
 
461
        }
 
462
 
 
463
        return bytes;
 
464
}
 
465
 
438
466
/*
439
467
 
440
468
  This is the main function.
1776
1804
        tstrip_t i=0;
1777
1805
        tstrip_t stripcount=0;
1778
1806
#endif
1779
 
#ifdef OJPEG_SUPPORT
1780
 
        tsize_t k = 0;
1781
 
#endif
 
1807
        uint64 k = 0;
1782
1808
 
1783
1809
        if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
1784
1810
#ifdef CCITT_SUPPORT
1806
1832
                        }
1807
1833
                        stripcount=TIFFNumberOfStrips(input);
1808
1834
                        for(i=0;i<stripcount;i++){
1809
 
                                k += sbc[i];
 
1835
                                k = checkAdd64(k, sbc[i], t2p);
1810
1836
                        }
1811
1837
                        if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
1812
1838
                                if(t2p->tiff_dataoffset != 0){
1813
1839
                                        if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
1814
 
                                                if(t2p->tiff_datasize < k) {
1815
 
                                                        t2p->pdf_ojpegiflength=t2p->tiff_datasize;
1816
 
                                                        t2p->tiff_datasize+=k;
1817
 
                                                        t2p->tiff_datasize+=6;
1818
 
                                                        t2p->tiff_datasize+=2*stripcount;
 
1840
                                                if((uint64)t2p->tiff_datasize < k) {
1819
1841
                                                        TIFFWarning(TIFF2PDF_MODULE, 
1820
1842
                                                                "Input file %s has short JPEG interchange file byte count", 
1821
1843
                                                                TIFFFileName(input));
 
1844
                                                        t2p->pdf_ojpegiflength=t2p->tiff_datasize;
 
1845
                                                        k = checkAdd64(k, t2p->tiff_datasize, t2p);
 
1846
                                                        k = checkAdd64(k, 6, t2p);
 
1847
                                                        k = checkAdd64(k, stripcount, t2p);
 
1848
                                                        k = checkAdd64(k, stripcount, t2p);
 
1849
                                                        t2p->tiff_datasize = (tsize_t) k;
 
1850
                                                        if ((uint64) t2p->tiff_datasize != k) {
 
1851
                                                                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
1852
                                                                t2p->t2p_error = T2P_ERR_ERROR;
 
1853
                                                        }
1822
1854
                                                        return;
1823
1855
                                                }
1824
1856
                                                return;
1831
1863
                                        }
1832
1864
                                }
1833
1865
                        }
1834
 
                        t2p->tiff_datasize+=k;
1835
 
                        t2p->tiff_datasize+=2*stripcount;
1836
 
                        t2p->tiff_datasize+=2048;
 
1866
                        k = checkAdd64(k, stripcount, t2p);
 
1867
                        k = checkAdd64(k, stripcount, t2p);
 
1868
                        k = checkAdd64(k, 2048, t2p);
 
1869
                        t2p->tiff_datasize = (tsize_t) k;
 
1870
                        if ((uint64) t2p->tiff_datasize != k) {
 
1871
                                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
1872
                                t2p->t2p_error = T2P_ERR_ERROR;
 
1873
                        }
1837
1874
                        return;
1838
1875
                }
1839
1876
#endif
1842
1879
                        uint32 count = 0;
1843
1880
                        if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
1844
1881
                                if(count > 4){
1845
 
                                        t2p->tiff_datasize += count;
1846
 
                                        t2p->tiff_datasize -= 2; /* don't use EOI of header */
 
1882
                                        k += count;
 
1883
                                        k -= 2; /* don't use EOI of header */
1847
1884
                                }
1848
1885
                        } else {
1849
 
                                t2p->tiff_datasize = 2; /* SOI for first strip */
 
1886
                                k = 2; /* SOI for first strip */
1850
1887
                        }
1851
1888
                        stripcount=TIFFNumberOfStrips(input);
1852
1889
                        if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
1857
1894
                                return;
1858
1895
                        }
1859
1896
                        for(i=0;i<stripcount;i++){
1860
 
                                t2p->tiff_datasize += sbc[i];
1861
 
                                t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
1862
 
                        }
1863
 
                        t2p->tiff_datasize +=2; /* use EOI of last strip */
 
1897
                                k = checkAdd64(k, sbc[i], t2p);
 
1898
                                k -=4; /* don't use SOI or EOI of strip */
 
1899
                        }
 
1900
                        k = checkAdd64(k, 2, t2p); /* use EOI of last strip */
 
1901
                        t2p->tiff_datasize = (tsize_t) k;
 
1902
                        if ((uint64) t2p->tiff_datasize != k) {
 
1903
                                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
1904
                                t2p->t2p_error = T2P_ERR_ERROR;
 
1905
                        }
1864
1906
                        return;
1865
1907
                }
1866
1908
#endif
1867
1909
                (void) 0;
1868
1910
        }
1869
 
        t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length;
 
1911
        k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
1870
1912
        if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
1871
 
                t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
 
1913
                k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
 
1914
        }
 
1915
        if (k == 0) {
 
1916
                /* Assume we had overflow inside TIFFScanlineSize */
 
1917
                t2p->t2p_error = T2P_ERR_ERROR;
 
1918
        }
 
1919
 
 
1920
        t2p->tiff_datasize = (tsize_t) k;
 
1921
        if ((uint64) t2p->tiff_datasize != k) {
 
1922
                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
1923
                t2p->t2p_error = T2P_ERR_ERROR;
1872
1924
        }
1873
1925
 
1874
1926
        return;
1886
1938
#ifdef JPEG_SUPPORT
1887
1939
        unsigned char* jpt;
1888
1940
#endif
 
1941
        uint64 k;
1889
1942
 
1890
1943
        edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
1891
1944
        edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
1897
1950
#endif
1898
1951
                ){
1899
1952
                        t2p->tiff_datasize=TIFFTileSize(input);
 
1953
                        if (t2p->tiff_datasize == 0) {
 
1954
                                /* Assume we had overflow inside TIFFTileSize */
 
1955
                                t2p->t2p_error = T2P_ERR_ERROR;
 
1956
                        }
1900
1957
                        return;
1901
1958
                } else {
1902
1959
                        TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
1903
 
                        t2p->tiff_datasize=(tmsize_t)tbc[tile];
 
1960
                        k=tbc[tile];
1904
1961
#ifdef OJPEG_SUPPORT
1905
1962
                        if(t2p->tiff_compression==COMPRESSION_OJPEG){
1906
 
                                t2p->tiff_datasize+=2048;
1907
 
                                return;
 
1963
                                k = checkAdd64(k, 2048, t2p);
1908
1964
                        }
1909
1965
#endif
1910
1966
#ifdef JPEG_SUPPORT
1912
1968
                                uint32 count = 0;
1913
1969
                                if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
1914
1970
                                        if(count > 4){
1915
 
                                                t2p->tiff_datasize += count;
1916
 
                                                t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */
 
1971
                                                k = checkAdd64(k, count, t2p);
 
1972
                                                k -= 2; /* don't use EOI of header or SOI of tile */
1917
1973
                                        }
1918
1974
                                }
1919
1975
                        }
1920
1976
#endif
 
1977
                        t2p->tiff_datasize = (tsize_t) k;
 
1978
                        if ((uint64) t2p->tiff_datasize != k) {
 
1979
                                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
1980
                                t2p->t2p_error = T2P_ERR_ERROR;
 
1981
                        }
1921
1982
                        return;
1922
1983
                }
1923
1984
        }
1924
 
        t2p->tiff_datasize=TIFFTileSize(input);
 
1985
        k = TIFFTileSize(input);
1925
1986
        if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
1926
 
                t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
 
1987
                k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
 
1988
        }
 
1989
        if (k == 0) {
 
1990
                /* Assume we had overflow inside TIFFTileSize */
 
1991
                t2p->t2p_error = T2P_ERR_ERROR;
 
1992
        }
 
1993
 
 
1994
        t2p->tiff_datasize = (tsize_t) k;
 
1995
        if ((uint64) t2p->tiff_datasize != k) {
 
1996
                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
 
1997
                t2p->t2p_error = T2P_ERR_ERROR;
1927
1998
        }
1928
1999
 
1929
2000
        return;
2016
2087
        uint32 max_striplength=0;
2017
2088
#endif
2018
2089
 
 
2090
        /* Fail if prior error (in particular, can't trust tiff_datasize) */
 
2091
        if (t2p->t2p_error != T2P_ERR_OK)
 
2092
                return(0);
 
2093
 
2019
2094
        if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
2020
2095
#ifdef CCITT_SUPPORT
2021
2096
                if(t2p->pdf_compression == T2P_COMPRESS_G4){
2590
2665
        uint32 xuint32=0;
2591
2666
#endif
2592
2667
 
 
2668
        /* Fail if prior error (in particular, can't trust tiff_datasize) */
 
2669
        if (t2p->t2p_error != T2P_ERR_OK)
 
2670
                return(0);
 
2671
 
2593
2672
        edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
2594
2673
        edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
2595
2674
 
3354
3433
        uint32 edgetilewidth, 
3355
3434
        uint32 tilelength){
3356
3435
        
3357
 
        uint32 i=0;
 
3436
        uint32 i;
3358
3437
        tsize_t edgescanwidth=0;
3359
3438
        
3360
3439
        edgescanwidth = (scanwidth * edgetilewidth + (tilewidth - 1))/ tilewidth;
3361
 
        for(i=i;i<tilelength;i++){
 
3440
        for(i=0;i<tilelength;i++){
3362
3441
                _TIFFmemcpy( 
3363
3442
                        &(((char*)buffer)[edgescanwidth*i]), 
3364
3443
                        &(((char*)buffer)[scanwidth*i]),