File tiff-CVE-2023-2731.patch of Package tiff.34105
This patch contains code from following commits:
For the `old_tif_rawcc` field in `LZWCodecState` struct:
https://gitlab.com/libtiff/libtiff/-/commit/7bad03e938c651aae4d1cf3bc5ec76406531513a
https://gitlab.com/libtiff/libtiff/-/commit/4af64003c8322d2cba6f86245a3ccf88dd6125d5
Compatability:
https://gitlab.com/libtiff/libtiff/-/commit/189d65779275132c86abd1e06cdab8a080645b32
https://gitlab.com/libtiff/libtiff/-/commit/a2aa4074e90b63adc5d8d06679dc567de36f74cd
`error_code` label:
https://gitlab.com/libtiff/libtiff/-/commit/3079627ea0dee150e6a208cec8381de611bb842b
For the `read_error` field in `LZWCodecState` struct:
https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
which also is marked as fix for CVE-2022-1622 (bsc#1199483) which we are not affected by
due to code not being present.
And finally the commit marked as a fix for CVE-2023-2731 (bsc#1211478)
https://github.com/libsdl-org/libtiff/commit/9be22b639ea69e102d3847dca4c53ef025e9527b
Index: tiff-4.0.9/libtiff/tif_lzw.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_lzw.c
+++ tiff-4.0.9/libtiff/tif_lzw.c
@@ -3,6 +3,7 @@
/*
* Copyright (c) 1988-1997 Sam Leffler
* Copyright (c) 1991-1997 Silicon Graphics, Inc.
+ * Copyright (c) 2022 Even Rouault
*
* Permission to use, copy, modify, distribute, and sell this software and
* its documentation for any purpose is hereby granted without fee, provided
@@ -38,8 +39,13 @@
*/
#include "tif_predict.h"
+#include <stdbool.h>
#include <stdio.h>
+/* Select the plausible largest natural integer type for the architecture */
+#define SIZEOF_WORDTYPE SIZEOF_SIZE_T
+typedef size_t WordType;
+
/*
* NB: The 5.0 spec describes a different algorithm than Aldus
* implements. Specifically, Aldus does code length transitions
@@ -54,13 +60,6 @@
* Future revisions to the TIFF spec are expected to "clarify this issue".
*/
#define LZW_COMPAT /* include backwards compatibility code */
-/*
- * Each strip of data is supposed to be terminated by a CODE_EOI.
- * If the following #define is included, the decoder will also
- * check for end-of-strip w/o seeing this code. This makes the
- * library more robust, but also slower.
- */
-#define LZW_CHECKEOS /* include checks for strips w/o EOI code */
#define MAXCODE(n) ((1L<<(n))-1)
/*
@@ -94,7 +93,7 @@ typedef struct {
unsigned short nbits; /* # of bits/code */
unsigned short maxcode; /* maximum code for lzw_nbits */
unsigned short free_ent; /* next free entry in hash table */
- unsigned long nextdata; /* next bits of i/o */
+ WordType nextdata; /* next bits of i/o */
long nextbits; /* # of valid bits in lzw_nextdata */
int rw_mode; /* preserve rw_mode from init */
@@ -121,8 +120,10 @@ typedef struct {
typedef struct code_ent {
struct code_ent *next;
unsigned short length; /* string len, including this token */
- unsigned char value; /* data value */
+ /* firstchar should be placed immediately before value in this structure */
unsigned char firstchar; /* first token of string */
+ unsigned char value; /* data value */
+ bool repeated;
} code_t;
typedef int (*decodeFunc)(TIFF*, uint8*, tmsize_t, uint16);
@@ -133,15 +134,15 @@ typedef struct {
/* Decoding specific data */
long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */
long dec_restart; /* restart count */
-#ifdef LZW_CHECKEOS
uint64 dec_bitsleft; /* available bits in raw data */
-#endif
+ tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */
decodeFunc dec_decode; /* regular or backwards compatible */
code_t* dec_codep; /* current recognized code */
code_t* dec_oldcodep; /* previously recognized code */
code_t* dec_free_entp; /* next free entry */
code_t* dec_maxcodep; /* max available entry */
code_t* dec_codetab; /* kept separate for small machines */
+ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */
/* Encoding specific data */
int enc_oldcode; /* last code encountered */
@@ -168,26 +169,6 @@ static void cl_hash(LZWCodecState*);
* LZW Decoder.
*/
-#ifdef LZW_CHECKEOS
-/*
- * This check shouldn't be necessary because each
- * strip is suppose to be terminated with CODE_EOI.
- */
-#define NextCode(_tif, _sp, _bp, _code, _get) { \
- if ((_sp)->dec_bitsleft < (uint64)nbits) { \
- TIFFWarningExt(_tif->tif_clientdata, module, \
- "LZWDecode: Strip %d not terminated with EOI code", \
- _tif->tif_curstrip); \
- _code = CODE_EOI; \
- } else { \
- _get(_sp,_bp,_code); \
- (_sp)->dec_bitsleft -= nbits; \
- } \
-}
-#else
-#define NextCode(tif, sp, bp, code, get) get(sp, bp, code)
-#endif
-
static int
LZWFixupTags(TIFF* tif)
{
@@ -240,16 +221,19 @@ LZWSetupDecode(TIFF* tif)
*/
code = 255;
do {
- sp->dec_codetab[code].value = (unsigned char)code;
sp->dec_codetab[code].firstchar = (unsigned char)code;
+ sp->dec_codetab[code].value = (unsigned char)code;
+ sp->dec_codetab[code].repeated = true;
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
/*
- * Zero-out the unused entries
- */
- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ * Zero-out the unused entries */
+ /* Silence false positive */
+ /* coverity[overrun-buffer-arg] */
+ memset(&sp->dec_codetab[CODE_CLEAR], 0,
(CODE_FIRST - CODE_CLEAR) * sizeof (code_t));
+
}
return (1);
}
@@ -318,10 +302,9 @@ LZWPreDecode(TIFF* tif, uint16 s)
sp->dec_restart = 0;
sp->dec_nbitsmask = MAXCODE(BITS_MIN);
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft = 0;
-#endif
- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST;
+ sp->old_tif_rawcc = 0;
+ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST;
/*
* Zero entries that are not yet filled in. We do
* this to guard against bogus input data that causes
@@ -329,33 +312,86 @@ LZWPreDecode(TIFF* tif, uint16 s)
* come up with a way to safely bounds-check input codes
* while decoding then you can remove this operation.
*/
- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- sp->dec_oldcodep = &sp->dec_codetab[-1];
+ sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
+ sp->read_error = 0;
return (1);
}
/*
* Decode a "hunk of data".
*/
-#define GetNextCode(sp, bp, code) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- if (nextbits < nbits) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- } \
- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \
- nextbits -= nbits; \
-}
-static void
-codeLoop(TIFF* tif, const char* module)
-{
- TIFFErrorExt(tif->tif_clientdata, module,
- "Bogus encoding, loop in the code table; scanline %d",
- tif->tif_row);
-}
+/* Get the next 32 or 64-bit from the input data */
+#ifdef WORDS_BIGENDIAN
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata))
+#elif SIZEOF_WORDTYPE == 8
+# if defined(__GNUC__) && defined(__x86_64__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64*)(bp))
+# elif defined(_M_X64)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap64(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint64)bp[0]) << 56) | \
+ (((uint64)bp[1]) << 48) | \
+ (((uint64)bp[2]) << 40) | \
+ (((uint64)bp[3]) << 32) | \
+ (((uint64)bp[4]) << 24) | \
+ (((uint64)bp[5]) << 16) | \
+ (((uint64)bp[6]) << 8) | \
+ (((uint64)bp[7]))
+# endif
+#elif SIZEOF_WORDTYPE == 4
+# if defined(__GNUC__) && defined(__i386__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32*)(bp))
+# elif defined(_M_X86)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap32(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint32)bp[0]) << 24) | \
+ (((uint32)bp[1]) << 16) | \
+ (((uint32)bp[2]) << 8) | \
+ (((uint32)bp[3]))
+# endif
+#else
+# error "Unhandled SIZEOF_WORDTYPE"
+#endif
+
+#define GetNextCodeLZW() do { \
+ nextbits -= nbits; \
+ if (nextbits < 0) { \
+ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \
+ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \
+ GetNextData(nextdata, bp); \
+ bp += SIZEOF_WORDTYPE; \
+ nextbits += 8 * SIZEOF_WORDTYPE; \
+ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \
+ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \
+ break; \
+ } \
+ else {\
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ if( nextbits < 0 ) { \
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ } \
+ } \
+ } \
+ code = (WordType)((nextdata >> nextbits) & nbitsmask); \
+} while(0)
static int
LZWDecode(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
@@ -364,17 +400,22 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
LZWCodecState *sp = DecoderState(tif);
char *op = (char*) op0;
long occ = (long) occ0;
- char *tp;
unsigned char *bp;
- hcode_t code;
- int len;
long nbits, nextbits, nbitsmask;
- unsigned long nextdata;
- code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ WordType nextdata;
+ code_t *free_entp, *maxcodep, *oldcodep;
(void) s;
assert(sp != NULL);
- assert(sp->dec_codetab != NULL);
+ assert(sp->dec_codetab != NULL);
+
+ if (sp->read_error) {
+ TIFFErrorExt(tif, module,
+ "LZWDecode: Scanline %u cannot be read due to "
+ "previous error",
+ tif->tif_row);
+ return 0;
+ }
/*
Fail if value does not fit in long.
@@ -387,7 +428,7 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
if (sp->dec_restart) {
long residue;
- codep = sp->dec_codep;
+ code_t* codep = sp->dec_codep;
residue = codep->length - sp->dec_restart;
if (residue > occ) {
/*
@@ -401,7 +442,7 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
codep = codep->next;
} while (--residue > occ && codep);
if (codep) {
- tp = op + occ;
+ uint8* tp = op + occ;
do {
*--tp = codep->value;
codep = codep->next;
@@ -414,7 +455,7 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
*/
op += residue;
occ -= residue;
- tp = op;
+ uint8* tp = op;
do {
int t;
--tp;
@@ -426,9 +467,8 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
- sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3);
-#endif
+ sp->dec_bitsleft += (((uint64)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
+ uint64 dec_bitsleft = sp->dec_bitsleft;
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -436,125 +476,235 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
oldcodep = sp->dec_oldcodep;
free_entp = sp->dec_free_entp;
maxcodep = sp->dec_maxcodep;
+ code_t* const dec_codetab = sp->dec_codetab;
+ code_t* codep;
- while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
- if (code == CODE_CLEAR) {
- do {
- free_entp = sp->dec_codetab + CODE_FIRST;
- _TIFFmemset(free_entp, 0,
- (CSIZE - CODE_FIRST) * sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
- if (code == CODE_EOI)
- break;
- if (code > CODE_CLEAR) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "LZWDecode: Corrupted LZW table at scanline %d",
- tif->tif_row);
- return (0);
- }
- *op++ = (char)code;
- occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
- }
- codep = sp->dec_codetab + code;
+ if (occ == 0) {
+ goto after_loop;
+ }
+
+begin:
+ {
+ WordType code;
+ GetNextCodeLZW();
+ codep = dec_codetab + code;
+ if (code >= CODE_FIRST)
+ goto code_above_or_equal_to_258;
+ if (code < 256)
+ goto code_below_256;
+ if (code == CODE_EOI)
+ goto after_loop;
+ goto code_clear;
- /*
- * Add the new entry to the code table.
- */
- if (free_entp < &sp->dec_codetab[0] ||
- free_entp >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %d",
- tif->tif_row);
- return (0);
- }
+code_below_256:
+ {
+ if (codep > free_entp)
+ goto error_code;
+ free_entp->next = oldcodep;
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ free_entp->value = (uint8)code;
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code));
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if( free_entp >= &dec_codetab[CSIZE] )
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+ *op++ = (uint8)code;
+ occ--;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+code_above_or_equal_to_258:
+ {
+ /*
+ * Add the new entry to the code table.
+ */
+
+ if (codep >= free_entp)
+ {
+ if (codep != free_entp)
+ goto error_code;
+ free_entp->value = oldcodep->firstchar;
+ }
+ else
+ {
+ free_entp->value = codep->firstchar;
+ }
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value));
+ free_entp->next = oldcodep;
+
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if (free_entp >= &dec_codetab[CSIZE])
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+
+ /*
+ * Code maps to a string, copy string
+ * value to output (written in reverse).
+ */
+ /* tiny bit faster on x86_64 to store in unsigned short than int */
+ unsigned short len = codep->length;
+
+ if (len < 3) /* equivalent to len == 2 given all other conditions */
+ {
+ if (occ <= 2)
+ {
+ if (occ == 2)
+ {
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
+
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len == 3)
+ {
+ if (occ <= 3)
+ {
+ if (occ == 3)
+ {
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
+
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len > occ)
+ {
+ goto too_short_buffer;
+ }
+
+ if (codep->repeated)
+ {
+ memset(op, codep->value, len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+
+ uint8* tp = op + len;
+
+ assert(len >= 4);
+
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ if (tp > op)
+ {
+ do {
+ codep = codep->next;
+ *--tp = codep->value;
+ } while (tp > op);
+ }
+
+ assert(occ >= len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
- free_entp->next = oldcodep;
- if (free_entp->next < &sp->dec_codetab[0] ||
- free_entp->next >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %d",
- tif->tif_row);
- return (0);
- }
- free_entp->firstchar = free_entp->next->firstchar;
- free_entp->length = free_entp->next->length+1;
- free_entp->value = (codep < free_entp) ?
- codep->firstchar : free_entp->firstchar;
- if (++free_entp > maxcodep) {
- if (++nbits > BITS_MAX) /* should not happen */
- nbits = BITS_MAX;
- nbitsmask = MAXCODE(nbits);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- }
- oldcodep = codep;
- if (code >= 256) {
- /*
- * Code maps to a string, copy string
- * value to output (written in reverse).
- */
- if(codep->length == 0) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Wrong length of decoded string: "
- "data probably corrupted at scanline %d",
- tif->tif_row);
- return (0);
- }
- if (codep->length > occ) {
- /*
- * String is too long for decode buffer,
- * locate portion that will fit, copy to
- * the decode buffer, and setup restart
- * logic for the next decoding call.
- */
- sp->dec_codep = codep;
- do {
- codep = codep->next;
- } while (codep && codep->length > occ);
- if (codep) {
- sp->dec_restart = (long)occ;
- tp = op + occ;
- do {
- *--tp = codep->value;
- codep = codep->next;
- } while (--occ && codep);
- if (codep)
- codeLoop(tif, module);
- }
- break;
- }
- len = codep->length;
- tp = op + len;
- do {
- int t;
- --tp;
- t = codep->value;
- codep = codep->next;
- *tp = (char)t;
- } while (codep && tp > op);
- if (codep) {
- codeLoop(tif, module);
- break;
- }
- assert(occ >= len);
- op += len;
- occ -= len;
- } else {
- *op++ = (char)code;
- occ--;
- }
- }
+ code_clear:
+ {
+ free_entp = dec_codetab + CODE_FIRST;
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = dec_codetab + nbitsmask-1;
+ do {
+ GetNextCodeLZW();
+ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
+ if (code == CODE_EOI)
+ goto after_loop;
+ if (code > CODE_EOI) {
+ goto error_code;
+ }
+ *op++ = (uint8)code;
+ occ--;
+ oldcodep = dec_codetab + code;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+ }
+
+too_short_buffer:
+ {
+ /*
+ * String is too long for decode buffer,
+ * locate portion that will fit, copy to
+ * the decode buffer, and setup restart
+ * logic for the next decoding call.
+ */
+ sp->dec_codep = codep;
+ do {
+ codep = codep->next;
+ } while (codep->length > occ);
+
+ sp->dec_restart = occ;
+ uint8* tp = op + occ;
+ do {
+ *--tp = codep->value;
+ codep = codep->next;
+ } while (--occ);
+ }
+after_loop:
tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8*) bp;
+ sp->old_tif_rawcc = tif->tif_rawcc;
+ sp->dec_bitsleft = dec_bitsleft;
sp->lzw_nbits = (unsigned short) nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -576,9 +726,37 @@ LZWDecode(TIFF* tif, uint8* op0, tmsize_
return (0);
}
return (1);
+
+no_eoi:
+ sp->read_error = 1;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Strip %u not terminated with EOI code",
+ tif->tif_curstrip);
+ return 0;
+error_code:
+ sp->read_error = 1;
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
+ return 0;
}
#ifdef LZW_COMPAT
+
+/*
+ * This check shouldn't be necessary because each
+ * strip is suppose to be terminated with CODE_EOI.
+ */
+#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \
+ if (dec_bitsleft < (uint64)nbits) { \
+ TIFFWarningExt(_tif->tif_clientdata, module, \
+ "LZWDecode: Strip %u not terminated with EOI code", \
+ _tif->tif_curstrip); \
+ _code = CODE_EOI; \
+ } else { \
+ _get(_sp,_bp,_code); \
+ dec_bitsleft -= nbits; \
+ } \
+}
+
/*
* Decode a "hunk of data" for old images.
*/
@@ -605,7 +783,8 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t
unsigned char *bp;
int code, nbits;
int len;
- long nextbits, nextdata, nbitsmask;
+ long nextbits, nbitsmask;
+ WordType nextdata;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
(void) s;
@@ -657,9 +836,10 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
- sp->dec_bitsleft = (((uint64)tif->tif_rawcc) << 3);
-#endif
+
+ sp->dec_bitsleft += (((uint64)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
+ uint64 dec_bitsleft = sp->dec_bitsleft;
+
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -669,7 +849,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t
maxcodep = sp->dec_maxcodep;
while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
if (code == CODE_EOI)
break;
if (code == CODE_CLEAR) {
@@ -680,7 +860,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
} while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
if (code == CODE_EOI)
break;
@@ -776,6 +956,8 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, t
tif->tif_rawcc -= (tmsize_t)( (uint8*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8*) bp;
+ sp->old_tif_rawcc = tif->tif_rawcc;
+ sp->dec_bitsleft = dec_bitsleft;
sp->lzw_nbits = (unsigned short)nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -900,8 +1082,8 @@ LZWEncode(TIFF* tif, uint8* bp, tmsize_t
hcode_t ent;
long disp;
long incount, outcount, checkpoint;
- unsigned long nextdata;
- long nextbits;
+ WordType nextdata;
+ long nextbits;
int free_ent, maxcode, nbits;
uint8* op;
uint8* limit;
@@ -1064,7 +1246,7 @@ LZWPostEncode(TIFF* tif)
register LZWCodecState *sp = EncoderState(tif);
uint8* op = tif->tif_rawcp;
long nextbits = sp->lzw_nextbits;
- unsigned long nextdata = sp->lzw_nextdata;
+ WordType nextdata = sp->lzw_nextdata;
long outcount = sp->enc_outcount;
int nbits = sp->lzw_nbits;