2007.08.13 10:40 "[Tiff] bug in 3.8.2", by John

Hi,

I've found a bug in libtiff 3.8.2 with files over 2GB, if anyone cares. Will there be another 3.x release? In case there is one planned, it's in TIFFFetchData(), in tif_dirread.c, around line 986.

This has:

                if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset

                    || (tsize_t)dir->tdir_offset + cc < cc
                    || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)

                        goto bad;

The 3rd sanity check will break for memory mapped files over 2GB, since casting tif_size to tsize_t (which is int32) will produce a negative number. The first and second tests will break for directories which occur after the 2GB watershed, since again tdir_offset will become negative.

I changed these tests to be:

                if (dir->tdir_offset + (toff_t)cc < dir->tdir_offset)
                        goto bad;
                if (dir->tdir_offset + (toff_t)cc < (toff_t)cc)
                        goto bad;
                if (dir->tdir_offset + (toff_t)cc > tif->tif_size)
                        goto bad;

since toff_t is a uint32. With this change I can successfully read and write 3GB multipage TIFF files.

tiff-4.0-alpha seems to work OK.

John