TIFF and LibTiff Mailing List Archive
Thread: 2004.10.15 20:01 "WIN32 _TIFFrealloc() bug?", by Ville Herva

Hi,
When opening an image on WIN32, libtiff-3.6.1 does:
GlobalSize(NULL)
_TIFFrealloc(void * 0x00000000, long 4) line 237
TIFFReadDirectory(tiff * 0x001b5ec8) line 112 + 25 bytes
TIFFClientOpen(const char * 0x009d4934, const char * 0x009d4920, thandle_t__
* 0x00000000, long (thandle_t__ *, void *, long)*
0x00627caa+_tiffFileReadProc(thandle_t__ *, void *, long), long (thandle_t__
*, void*, long)* 0x00627cd1 _tiffFileWriteProc(thandle_t__ *, void *, long),
unsigned long (thandle_t__ *, unsigned long, int)* ...) line 367 + 9 bytes
iTIFFOpen(char * 0x009d4920) line 669 + 51 bytes
In _TIFFrealloc() there's this GlobalSize() call:
tdata_t
_TIFFrealloc(tdata_t p, tsize_t s)
{
    void* pvTmp;
    tsize_t old=GlobalSize(p);   /* queried unconditionally, even when p is NULL */
    if (old>=s)
    {
        /* shrinking (or same size): copy only the new size */
        if ((pvTmp = GlobalAlloc(GMEM_FIXED, s)) != NULL) {
            CopyMemory(pvTmp, p, s);
            GlobalFree(p);
        }
    }
    else
    {
        /* growing: copy the whole old block */
        if ((pvTmp = GlobalAlloc(GMEM_FIXED, s)) != NULL) {
            CopyMemory(pvTmp, p, old);
            GlobalFree(p);
        }
    }
    return ((tdata_t)pvTmp);
}
Called from TIFFReadDirectory():

    tif->tif_dirlist = _TIFFrealloc(tif->tif_dirlist,
                                    tif->tif_dirnumber *
                                    sizeof(toff_t));
Now, after TIFFClientOpen() the tif->tif_dirlist part of the tif structure
may still be initialized to 0. This results in a GlobalSize(0) call, which
afaict is illegal, and seems to crash at least some of the time. Judging
from the _TIFFrealloc() implementations for other architectures
(tif_unix.c), I presume the _TIFFrealloc() API is meant to accept a NULL pointer
like the standard realloc().
Should the line perhaps read:
tsize_t old=p != 0 ? GlobalSize(p) : 0;
and maybe also
- CopyMemory(pvTmp, p, old);
+ if (old!=0) CopyMemory(pvTmp, p, old);
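Review bot: pvTmp is still uninitialized on the GlobalAlloc failure path in both branches of the quoted _TIFFrealloc() body, so when allocation fails the function returns an indeterminate pointer rather than NULL; initialize it in the same change (`void* pvTmp = NULL;`). With the first hunk applied, GlobalFree(p) also becomes reachable with p == NULL on the new path; either guard it the same way as the CopyMemory line (`if (old!=0) GlobalFree(p);`) or confirm that GlobalFree() tolerates a NULL handle. The `old>=s` branch is only entered for p == NULL when s == 0, where CopyMemory(pvTmp, p, 0) is a zero-length copy, so the guard in the else branch is the one that matters.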
Comments?
-- v --
v@iki.fi
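The following is an added example, not code from libtiff or from the post above. It models the corrected wrapper the post asks for: a realloc-style function with the same shape as the tif_win32.c body (query the old size, allocate a fresh fixed block, copy, free the old one) that accepts a NULL pointer like the standard realloc() and returns a defined NULL when allocation fails. GlobalAlloc(GMEM_FIXED, s), GlobalSize() and GlobalFree() are stood in for by a hypothetical size-prefixed malloc shim (shim_alloc, shim_size, shim_free) so that the logic runs on any platform; the two copy branches of the original are merged into a single copy of the smaller size. grow_dirlist() mirrors the TIFFReadDirectory() call site, where tif_dirlist starts out NULL and grows by one toff_t per directory, and the directory offsets it stores are constructed values.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

typedef void *tdata_t;
typedef long tsize_t;
typedef unsigned long toff_t;

/* Hypothetical stand-in for the Win32 GMEM_FIXED heap: each block carries its
 * usable size in a header so the wrapper can ask for it, as GlobalSize() does.
 * g_alloc_limit lets a caller simulate an allocation failure. */
static size_t g_alloc_limit = (size_t)-1;

static void *shim_alloc(tsize_t s)                 /* ~ GlobalAlloc(GMEM_FIXED, s) */
{
    if (s < 0 || (size_t)s > g_alloc_limit)
        return NULL;
    size_t *hdr = malloc(sizeof(size_t) + (size_t)s);
    if (hdr == NULL)
        return NULL;
    *hdr = (size_t)s;
    return hdr + 1;
}

/* ~ GlobalSize(p): like the Win32 call, only valid for a live block from
 * shim_alloc(); passing NULL is exactly the misuse the post describes. */
static tsize_t shim_size(const void *p)
{
    return (tsize_t)((const size_t *)p)[-1];
}

static void shim_free(void *p)                      /* ~ GlobalFree(p) */
{
    if (p != NULL)
        free((size_t *)p - 1);
}

/* Corrected wrapper: NULL input is treated as a zero-sized block, the result
 * pointer is defined on every path, and the old block survives a failed
 * allocation (the same contract as the C library realloc()). */
tdata_t model_realloc(tdata_t p, tsize_t s)
{
    void *pvTmp = NULL;                              /* defined result on the failure path */
    tsize_t old = (p != NULL) ? shim_size(p) : 0;   /* never query the size of NULL */
    if ((pvTmp = shim_alloc(s)) != NULL) {
        if (old != 0)
            memcpy(pvTmp, p, (size_t)(old < s ? old : s));  /* copy the smaller size */
        shim_free(p);                                /* no-op for NULL */
    }
    return (tdata_t)pvTmp;
}

/* Mirrors the TIFFReadDirectory() call site: the list starts out NULL and is
 * grown by one toff_t per directory. Returns how many of the n constructed
 * offsets survive all the reallocations intact, or -1 if one of them fails. */
long grow_dirlist(long n)
{
    toff_t *dirlist = NULL;
    long dirnumber = 0;
    for (long i = 0; i < n; i++) {
        dirnumber++;
        toff_t *grown = model_realloc(dirlist, dirnumber * (tsize_t)sizeof(toff_t));
        if (grown == NULL) {
            shim_free(dirlist);
            return -1;
        }
        dirlist = grown;
        dirlist[i] = (toff_t)(0x100 * (i + 1));   /* constructed directory offset */
    }
    long ok = 0;
    for (long i = 0; i < n; i++)
        if (dirlist[i] == (toff_t)(0x100 * (i + 1)))
            ok++;
    shim_free(dirlist);
    return ok;
}

/* Drives the failure path: a request above the shim's limit must yield NULL
 * and leave the original block and its contents untouched. Returns 1 on success. */
int failure_keeps_original(void)
{
    char *p = model_realloc(NULL, 8);
    if (p == NULL)
        return 0;
    memcpy(p, "libtiff", 8);
    g_alloc_limit = 16;
    void *q = model_realloc(p, 1024);
    g_alloc_limit = (size_t)-1;
    int ok = (q == NULL) && memcmp(p, "libtiff", 8) == 0;
    shim_free(p);
    return ok;
}

int main(void)
{
    return (grow_dirlist(4) == 4 && failure_keeps_original()) ? 0 : 1;
}
```

On Win32 the same shape applies with the real calls: guard GlobalSize() behind the NULL test, initialize the result pointer, and skip the copy when the old size is zero; the shim exists only so the control flow can be exercised off-platform.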