2014.12.30 20:41 "[Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Yuriy M. Kaminskiy
While fixing that, I noticed some very WTF code: add_ms in
libtiff/tif_pixarlog.c and checkAdd64 in tools/tiff2pdf.c.
I'm not sure what they are trying to do, but I'm pretty sure they are doing it
WRONG and neither can possibly work, for different reasons. Please take a
look or two.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
NotDashEscaped: You need GnuPG to verify this message
From: Yuriy M. Kaminskiy <yumkam@gmail.com>
Subject: tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply
Index: tiff-4.0.x-20141227/libtiff/tif_luv.c
===================================================================
--- tiff-4.0.x-20141227.orig/libtiff/tif_luv.c 2014-12-30 22:58:02.804597893 +0300
+++ tiff-4.0.x-20141227/libtiff/tif_luv.c 2014-12-30 23:00:42.640095713 +0300
@@ -1208,17 +1208,6 @@ LogL16GuessDataFmt(TIFFDirectory *td)
return (SGILOGDATAFMT_UNKNOWN);
}
-static tmsize_t
-multiply_ms(tmsize_t m1, tmsize_t m2)
-{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
-}
-
static int
LogL16InitState(TIFF* tif)
{
@@ -1248,10 +1237,10 @@ LogL16InitState(TIFF* tif)
return (0);
}
if( isTiled(tif) )
- sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
+ sp->tbuflen = TIFFSafeMultiply(tmsize_t, td->td_tilewidth, td->td_tilelength);
else
- sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
- if (multiply_ms(sp->tbuflen, sizeof (int16)) == 0 ||
+ sp->tbuflen = TIFFSafeMultiply(tmsize_t, td->td_imagewidth, td->td_rowsperstrip);
+ if (TIFFSafeMultiply(tmsize_t, sp->tbuflen, sizeof (int16)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (int16))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
return (0);
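Review bot: In LogL16InitState the overflow test and the allocation size are two separate expressions: `TIFFSafeMultiply(tmsize_t, sp->tbuflen, sizeof (int16))` is compared with 0, and `_TIFFmalloc` is then handed a freshly computed `sp->tbuflen * sizeof (int16)`. Keeping the checked product in a local declared with the function's other locals, `nbytes = TIFFSafeMultiply(tmsize_t, sp->tbuflen, sizeof (int16));` followed by `if (nbytes == 0 || (sp->tbuf = (uint8*) _TIFFmalloc(nbytes)) == NULL) {`, ensures the size that was validated is the size that is allocated even if one expression is edited later. The LogLuvInitState hunk repeats the pattern with `sizeof (uint32)`. Both function bodies start and end outside their hunks.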
@@ -1348,10 +1337,10 @@ LogLuvInitState(TIFF* tif)
return (0);
}
if( isTiled(tif) )
- sp->tbuflen = multiply_ms(td->td_tilewidth, td->td_tilelength);
+ sp->tbuflen = TIFFSafeMultiply(tmsize_t, td->td_tilewidth, td->td_tilelength);
else
- sp->tbuflen = multiply_ms(td->td_imagewidth, td->td_rowsperstrip);
- if (multiply_ms(sp->tbuflen, sizeof (uint32)) == 0 ||
+ sp->tbuflen = TIFFSafeMultiply(tmsize_t, td->td_imagewidth, td->td_rowsperstrip);
+ if (TIFFSafeMultiply(tmsize_t, sp->tbuflen, sizeof (uint32)) == 0 ||
(sp->tbuf = (uint8*) _TIFFmalloc(sp->tbuflen * sizeof (uint32))) == NULL) {
TIFFErrorExt(tif->tif_clientdata, module, "No space for SGILog translation buffer");
return (0);
Index: tiff-4.0.x-20141227/libtiff/tif_pixarlog.c
===================================================================
--- tiff-4.0.x-20141227.orig/libtiff/tif_pixarlog.c 2014-12-30 22:58:02.864596908 +0300
+++ tiff-4.0.x-20141227/libtiff/tif_pixarlog.c 2014-12-30 23:16:09.812097595 +0300
@@ -633,17 +633,7 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
return guess;
}
-static tmsize_t
-multiply_ms(tmsize_t m1, tmsize_t m2)
-{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
-}
-
+/* XXX does this work? tmsize_t is signed type and signed overflow result is not defined */
static tmsize_t
add_ms(tmsize_t m1, tmsize_t m2)
{
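Review bot: The added `XXX` comment above add_ms records an open question instead of telling the next reader what the hazard is. Signed overflow of `tmsize_t` is undefined behaviour, so a test that inspects the sum after the addition cannot be relied on; the compiler may assume the overflow never happens and drop the test. I would word it as a statement, for example `/* FIXME: tmsize_t is signed; overflow of m1 + m2 is undefined, so the bound must be checked before adding */`. The body of add_ms is outside this hunk, so whether it checks before or after the addition needs confirming against the file.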
@@ -683,8 +673,9 @@ PixarLogSetupDecode(TIFF* tif)
sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG?
td->td_samplesperpixel: 1);
- tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
+ tbuf_size = TIFFSafeMultiply(tmsize_t, td->td_imagewidth, sp->stride);
+ tbuf_size = TIFFSafeMultiply(tmsize_t, tbuf_size, td->td_rowsperstrip);
+ tbuf_size = TIFFSafeMultiply(tmsize_t, tbuf_size, sizeof(uint16));
/* add one more stride in case input ends mid-stride */
tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
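Review bot: The second step, `TIFFSafeMultiply(tmsize_t, tbuf_size, td->td_rowsperstrip)`, has the signed `tmsize_t` value `tbuf_size` as its left operand, so it may carry the same undefined-overflow problem that this patch's own XXX comment raises for add_ms. TIFFSafeMultiply is defined outside this patch; if it multiplies first and validates by dividing the product back, then on builds where tmsize_t is wider than the right operand the product is formed in signed arithmetic and the check runs only after the overflow. The removed multiply_ms had the same weakness, so this is not a regression, but the replacement does not close it either. A guard that compares the operand with the type's maximum divided by the multiplier before multiplying avoids the issue; the same chain appears in the PixarLogSetupEncode hunk. PixarLogSetupDecode continues past the end of this hunk.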
@@ -883,8 +874,9 @@ PixarLogSetupEncode(TIFF* tif)
sp->stride = (td->td_planarconfig == PLANARCONFIG_CONTIG?
td->td_samplesperpixel: 1);
- tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
+ tbuf_size = TIFFSafeMultiply(tmsize_t, td->td_imagewidth, sp->stride);
+ tbuf_size = TIFFSafeMultiply(tmsize_t, tbuf_size, td->td_rowsperstrip);
+ tbuf_size = TIFFSafeMultiply(tmsize_t, tbuf_size, sizeof(uint16));
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
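Review bot: The `tbuf_size == 0` branch in PixarLogSetupEncode still returns 0 with no diagnostic, as the existing TODO on that line admits, so an image whose dimensions overflow the size computation fails without any message to the caller. Overflow is one of the ways to reach that branch after this change, which makes it a natural place to add the report: `TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow computing translation buffer size");` before the return, with braces around the two statements. That assumes a `module` string is in scope here as it is in the tif_luv.c hunks; the function's declarations are outside this hunk.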
Index: tiff-4.0.x-20141227/tools/ppm2tiff.c
===================================================================
--- tiff-4.0.x-20141227.orig/tools/ppm2tiff.c 2014-12-30 22:47:52.748094718 +0300
+++ tiff-4.0.x-20141227/tools/ppm2tiff.c 2014-12-30 23:20:59.076095939 +0300
@@ -48,6 +48,7 @@
#endif
#include "tiffio.h"
+#include "tiffiop.h"
#ifndef HAVE_GETOPT
extern int getopt(int, char**, char*);
@@ -72,17 +73,6 @@ BadPPM(char* file)
exit(-2);
}
-static tmsize_t
-multiply_ms(tmsize_t m1, tmsize_t m2)
-{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
-}
-
int
main(int argc, char* argv[])
{
@@ -253,7 +243,7 @@ main(int argc, char* argv[])
switch (bpp) {
case 1:
/* if round-up overflows, result will be zero,
OK */
- linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ linebytes = (TIFFSafeMultiply(tmsize_t, w, spp) + (8 - 1)) / 8;
if (rowsperstrip == (uint32) -1) {
TIFFSetField(out,
TIFFTAG_ROWSPERSTRIP, h);
} else {
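Review bot: In the `case 1:` branch only the multiplication is guarded: when `TIFFSafeMultiply(tmsize_t, w, spp)` signals overflow by returning 0, `(0 + (8 - 1)) / 8` makes `linebytes` 0 and execution carries on, and the `+ (8 - 1)` itself is applied to the result unchecked. The context comment says a round-up overflow "will be zero, OK", which the arithmetic on this line does not guarantee. I would store the product first, fail through the tool's existing error path when it is 0, and only then round up. `case 8:` in the next hunk assigns the macro result to `linebytes` with the same missing zero test. Whether `linebytes` is validated later in main() is outside these hunks.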
@@ -262,7 +252,7 @@ main(int argc, char* argv[])
}
break;
case 8:
- linebytes = multiply_ms(spp, w);
+ linebytes = TIFFSafeMultiply(tmsize_t, w, spp);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
TIFFDefaultStripSize(out, rowsperstrip));
break;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iF4EAREIAAYFAlSjDOsACgkQKZn9iF16KMPhqwD8DfwCjdAAc7jtLt1bLCDLSGLP
9KJQmS9qdiEjACYG+mAA/AttBVO282JYRXAnXG4FrC0hnCk5wA7mxXSKHkcqu9+j
=Lns4
-----END PGP SIGNATURE-----