1*4882a593SmuzhiyunFrom 1e000b3484808f1ee7a68bd276220d1cd82dec73 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Su Laus <sulau@freenet.de> 3*4882a593SmuzhiyunDate: Thu, 13 Oct 2022 14:33:27 +0000 4*4882a593SmuzhiyunSubject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, 5*4882a593Smuzhiyun #381, #386, #388, #389, #435) 6*4882a593Smuzhiyun 7*4882a593SmuzhiyunCVE: CVE-2022-3570 CVE-2022-3598 8*4882a593SmuzhiyunUpstream-Status: Backport 9*4882a593SmuzhiyunSigned-off-by: Ross Burton <ross.burton@arm.com> 10*4882a593Smuzhiyun--- 11*4882a593Smuzhiyun tools/tiffcrop.c | 203 ++++++++++++++++++++++++++--------------------- 12*4882a593Smuzhiyun 1 file changed, 114 insertions(+), 89 deletions(-) 13*4882a593Smuzhiyun 14*4882a593Smuzhiyundiff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 15*4882a593Smuzhiyunindex f96c7d60..adf0f849 100644 16*4882a593Smuzhiyun--- a/tools/tiffcrop.c 17*4882a593Smuzhiyun+++ b/tools/tiffcrop.c 18*4882a593Smuzhiyun@@ -210,6 +210,10 @@ static char tiffcrop_rev_date[] = "02-09-2022"; 19*4882a593Smuzhiyun 20*4882a593Smuzhiyun #define TIFF_DIR_MAX 65534 21*4882a593Smuzhiyun 22*4882a593Smuzhiyun+/* Some conversion subroutines require image buffers, which are at least 3 bytes 23*4882a593Smuzhiyun+ * larger than the necessary size for the image itself. */ 24*4882a593Smuzhiyun+#define NUM_BUFF_OVERSIZE_BYTES 3 25*4882a593Smuzhiyun+ 26*4882a593Smuzhiyun /* Offsets into buffer for margins and fixed width and length segments */ 27*4882a593Smuzhiyun struct offset { 28*4882a593Smuzhiyun uint32_t tmargin; 29*4882a593Smuzhiyun@@ -231,7 +235,7 @@ struct offset { 30*4882a593Smuzhiyun */ 31*4882a593Smuzhiyun 32*4882a593Smuzhiyun struct buffinfo { 33*4882a593Smuzhiyun- uint32_t size; /* size of this buffer */ 34*4882a593Smuzhiyun+ size_t size; /* size of this buffer */ 35*4882a593Smuzhiyun unsigned char *buffer; /* address of the allocated buffer */ 36*4882a593Smuzhiyun }; 37*4882a593Smuzhiyun 38*4882a593Smuzhiyun@@ -805,8 +809,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, 39*4882a593Smuzhiyun uint32_t dst_rowsize, shift_width; 40*4882a593Smuzhiyun uint32_t bytes_per_sample, bytes_per_pixel; 41*4882a593Smuzhiyun uint32_t trailing_bits, prev_trailing_bits; 42*4882a593Smuzhiyun- uint32_t tile_rowsize = TIFFTileRowSize(in); 43*4882a593Smuzhiyun- uint32_t src_offset, dst_offset; 44*4882a593Smuzhiyun+ tmsize_t tile_rowsize = TIFFTileRowSize(in); 45*4882a593Smuzhiyun+ tmsize_t src_offset, dst_offset; 46*4882a593Smuzhiyun uint32_t row_offset, col_offset; 47*4882a593Smuzhiyun uint8_t *bufp = (uint8_t*) buf; 48*4882a593Smuzhiyun unsigned char *src = NULL; 49*4882a593Smuzhiyun@@ -856,7 +860,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, 50*4882a593Smuzhiyun TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); 51*4882a593Smuzhiyun exit(EXIT_FAILURE); 52*4882a593Smuzhiyun } 53*4882a593Smuzhiyun- tilebuf = limitMalloc(tile_buffsize + 3); 54*4882a593Smuzhiyun+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); 55*4882a593Smuzhiyun if (tilebuf == 0) 56*4882a593Smuzhiyun return 0; 57*4882a593Smuzhiyun tilebuf[tile_buffsize] = 0; 58*4882a593Smuzhiyun@@ -1019,7 +1023,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, 59*4882a593Smuzhiyun for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) 60*4882a593Smuzhiyun { 61*4882a593Smuzhiyun srcbuffs[sample] = NULL; 62*4882a593Smuzhiyun- tbuff = (unsigned char *)limitMalloc(tilesize + 8); 63*4882a593Smuzhiyun+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); 64*4882a593Smuzhiyun if (!tbuff) 65*4882a593Smuzhiyun { 66*4882a593Smuzhiyun TIFFError ("readSeparateTilesIntoBuffer", 67*4882a593Smuzhiyun@@ -1213,7 +1217,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, 68*4882a593Smuzhiyun } 69*4882a593Smuzhiyun rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); 70*4882a593Smuzhiyun 71*4882a593Smuzhiyun- obuf = limitMalloc (rowstripsize); 72*4882a593Smuzhiyun+ /* Add 3 padding bytes for extractContigSamples32bits */ 73*4882a593Smuzhiyun+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); 74*4882a593Smuzhiyun if (obuf == NULL) 75*4882a593Smuzhiyun return 1; 76*4882a593Smuzhiyun 77*4882a593Smuzhiyun@@ -1226,7 +1231,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, 78*4882a593Smuzhiyun stripsize = TIFFVStripSize(out, nrows); 79*4882a593Smuzhiyun src = buf + (row * rowsize); 80*4882a593Smuzhiyun total_bytes += stripsize; 81*4882a593Smuzhiyun- memset (obuf, '\0', rowstripsize); 82*4882a593Smuzhiyun+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); 83*4882a593Smuzhiyun if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) 84*4882a593Smuzhiyun { 85*4882a593Smuzhiyun _TIFFfree(obuf); 86*4882a593Smuzhiyun@@ -1234,10 +1239,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, 87*4882a593Smuzhiyun } 88*4882a593Smuzhiyun if ((dump->outfile != NULL) && (dump->level == 1)) 89*4882a593Smuzhiyun { 90*4882a593Smuzhiyun- dump_info(dump->outfile, dump->format,"", 91*4882a593Smuzhiyun+ if (scanlinesize > 0x0ffffffffULL) { 92*4882a593Smuzhiyun+ dump_info(dump->infile, dump->format, "loadImage", 93*4882a593Smuzhiyun+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", 94*4882a593Smuzhiyun+ scanlinesize); 95*4882a593Smuzhiyun+ } 96*4882a593Smuzhiyun+ dump_info(dump->outfile, dump->format,"", 97*4882a593Smuzhiyun "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", 98*4882a593Smuzhiyun- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); 99*4882a593Smuzhiyun- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); 100*4882a593Smuzhiyun+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); 101*4882a593Smuzhiyun+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); 102*4882a593Smuzhiyun } 103*4882a593Smuzhiyun 104*4882a593Smuzhiyun if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) 105*4882a593Smuzhiyun@@ -1264,7 +1274,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng 106*4882a593Smuzhiyun uint32_t tl, tw; 107*4882a593Smuzhiyun uint32_t row, col, nrow, ncol; 108*4882a593Smuzhiyun uint32_t src_rowsize, col_offset; 109*4882a593Smuzhiyun- uint32_t tile_rowsize = TIFFTileRowSize(out); 110*4882a593Smuzhiyun+ tmsize_t tile_rowsize = TIFFTileRowSize(out); 111*4882a593Smuzhiyun uint8_t* bufp = (uint8_t*) buf; 112*4882a593Smuzhiyun tsize_t tile_buffsize = 0; 113*4882a593Smuzhiyun tsize_t tilesize = TIFFTileSize(out); 114*4882a593Smuzhiyun@@ -1307,9 +1317,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng 115*4882a593Smuzhiyun } 116*4882a593Smuzhiyun src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; 117*4882a593Smuzhiyun 118*4882a593Smuzhiyun- tilebuf = limitMalloc(tile_buffsize); 119*4882a593Smuzhiyun+ /* Add 3 padding bytes for extractContigSamples32bits */ 120*4882a593Smuzhiyun+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); 121*4882a593Smuzhiyun if (tilebuf == 0) 122*4882a593Smuzhiyun return 1; 123*4882a593Smuzhiyun+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); 124*4882a593Smuzhiyun for (row = 0; row < imagelength; row += tl) 125*4882a593Smuzhiyun { 126*4882a593Smuzhiyun nrow = (row + tl > imagelength) ? imagelength - row : tl; 127*4882a593Smuzhiyun@@ -1355,7 +1367,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele 128*4882a593Smuzhiyun uint32_t imagewidth, tsample_t spp, 129*4882a593Smuzhiyun struct dump_opts * dump) 130*4882a593Smuzhiyun { 131*4882a593Smuzhiyun- tdata_t obuf = limitMalloc(TIFFTileSize(out)); 132*4882a593Smuzhiyun+ /* Add 3 padding bytes for extractContigSamples32bits */ 133*4882a593Smuzhiyun+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); 134*4882a593Smuzhiyun uint32_t tl, tw; 135*4882a593Smuzhiyun uint32_t row, col, nrow, ncol; 136*4882a593Smuzhiyun uint32_t src_rowsize, col_offset; 137*4882a593Smuzhiyun@@ -1365,6 +1378,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele 138*4882a593Smuzhiyun 139*4882a593Smuzhiyun if (obuf == NULL) 140*4882a593Smuzhiyun return 1; 141*4882a593Smuzhiyun+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); 142*4882a593Smuzhiyun 143*4882a593Smuzhiyun if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || 144*4882a593Smuzhiyun !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || 145*4882a593Smuzhiyun@@ -1790,14 +1804,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 146*4882a593Smuzhiyun 147*4882a593Smuzhiyun *opt_offset = '\0'; 148*4882a593Smuzhiyun /* convert option to lowercase */ 149*4882a593Smuzhiyun- end = strlen (opt_ptr); 150*4882a593Smuzhiyun+ end = (unsigned int)strlen (opt_ptr); 151*4882a593Smuzhiyun for (i = 0; i < end; i++) 152*4882a593Smuzhiyun *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); 153*4882a593Smuzhiyun /* Look for dump format specification */ 154*4882a593Smuzhiyun if (strncmp(opt_ptr, "for", 3) == 0) 155*4882a593Smuzhiyun { 156*4882a593Smuzhiyun /* convert value to lowercase */ 157*4882a593Smuzhiyun- end = strlen (opt_offset + 1); 158*4882a593Smuzhiyun+ end = (unsigned int)strlen (opt_offset + 1); 159*4882a593Smuzhiyun for (i = 1; i <= end; i++) 160*4882a593Smuzhiyun *(opt_offset + i) = tolower((int) *(opt_offset + i)); 161*4882a593Smuzhiyun /* check dump format value */ 162*4882a593Smuzhiyun@@ -2270,6 +2284,8 @@ main(int argc, char* argv[]) 163*4882a593Smuzhiyun size_t length; 164*4882a593Smuzhiyun char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ 165*4882a593Smuzhiyun 166*4882a593Smuzhiyun+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3); 167*4882a593Smuzhiyun+ 168*4882a593Smuzhiyun little_endian = *((unsigned char *)&little_endian) & '1'; 169*4882a593Smuzhiyun 170*4882a593Smuzhiyun initImageData(&image); 171*4882a593Smuzhiyun@@ -3222,13 +3238,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, 172*4882a593Smuzhiyun /* If we have a full buffer's worth, write it out */ 173*4882a593Smuzhiyun if (ready_bits >= 32) 174*4882a593Smuzhiyun { 175*4882a593Smuzhiyun- bytebuff1 = (buff2 >> 56); 176*4882a593Smuzhiyun+ bytebuff1 = (uint8_t)(buff2 >> 56); 177*4882a593Smuzhiyun *dst++ = bytebuff1; 178*4882a593Smuzhiyun- bytebuff2 = (buff2 >> 48); 179*4882a593Smuzhiyun+ bytebuff2 = (uint8_t)(buff2 >> 48); 180*4882a593Smuzhiyun *dst++ = bytebuff2; 181*4882a593Smuzhiyun- bytebuff3 = (buff2 >> 40); 182*4882a593Smuzhiyun+ bytebuff3 = (uint8_t)(buff2 >> 40); 183*4882a593Smuzhiyun *dst++ = bytebuff3; 184*4882a593Smuzhiyun- bytebuff4 = (buff2 >> 32); 185*4882a593Smuzhiyun+ bytebuff4 = (uint8_t)(buff2 >> 32); 186*4882a593Smuzhiyun *dst++ = bytebuff4; 187*4882a593Smuzhiyun ready_bits -= 32; 188*4882a593Smuzhiyun 189*4882a593Smuzhiyun@@ -3637,13 +3653,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, 190*4882a593Smuzhiyun } 191*4882a593Smuzhiyun else /* If we have a full buffer's worth, write it out */ 192*4882a593Smuzhiyun { 193*4882a593Smuzhiyun- bytebuff1 = (buff2 >> 56); 194*4882a593Smuzhiyun+ bytebuff1 = (uint8_t)(buff2 >> 56); 195*4882a593Smuzhiyun *dst++ = bytebuff1; 196*4882a593Smuzhiyun- bytebuff2 = (buff2 >> 48); 197*4882a593Smuzhiyun+ bytebuff2 = (uint8_t)(buff2 >> 48); 198*4882a593Smuzhiyun *dst++ = bytebuff2; 199*4882a593Smuzhiyun- bytebuff3 = (buff2 >> 40); 200*4882a593Smuzhiyun+ bytebuff3 = (uint8_t)(buff2 >> 40); 201*4882a593Smuzhiyun *dst++ = bytebuff3; 202*4882a593Smuzhiyun- bytebuff4 = (buff2 >> 32); 203*4882a593Smuzhiyun+ bytebuff4 = (uint8_t)(buff2 >> 32); 204*4882a593Smuzhiyun *dst++ = bytebuff4; 205*4882a593Smuzhiyun ready_bits -= 32; 206*4882a593Smuzhiyun 207*4882a593Smuzhiyun@@ -3820,10 +3836,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 208*4882a593Smuzhiyun static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) 209*4882a593Smuzhiyun { 210*4882a593Smuzhiyun uint8_t* bufp = buf; 211*4882a593Smuzhiyun- int32_t bytes_read = 0; 212*4882a593Smuzhiyun+ tmsize_t bytes_read = 0; 213*4882a593Smuzhiyun uint32_t strip, nstrips = TIFFNumberOfStrips(in); 214*4882a593Smuzhiyun- uint32_t stripsize = TIFFStripSize(in); 215*4882a593Smuzhiyun- uint32_t rows = 0; 216*4882a593Smuzhiyun+ tmsize_t stripsize = TIFFStripSize(in); 217*4882a593Smuzhiyun+ tmsize_t rows = 0; 218*4882a593Smuzhiyun uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); 219*4882a593Smuzhiyun tsize_t scanline_size = TIFFScanlineSize(in); 220*4882a593Smuzhiyun 221*4882a593Smuzhiyun@@ -3836,11 +3852,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) 222*4882a593Smuzhiyun bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); 223*4882a593Smuzhiyun rows = bytes_read / scanline_size; 224*4882a593Smuzhiyun if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) 225*4882a593Smuzhiyun- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, 226*4882a593Smuzhiyun+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, 227*4882a593Smuzhiyun strip + 1, bytes_read, stripsize); 228*4882a593Smuzhiyun 229*4882a593Smuzhiyun if (bytes_read < 0 && !ignore) { 230*4882a593Smuzhiyun- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", 231*4882a593Smuzhiyun+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", 232*4882a593Smuzhiyun strip, rows); 233*4882a593Smuzhiyun return 0; 234*4882a593Smuzhiyun } 235*4882a593Smuzhiyun@@ -4305,13 +4321,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 236*4882a593Smuzhiyun /* If we have a full buffer's worth, write it out */ 237*4882a593Smuzhiyun if (ready_bits >= 32) 238*4882a593Smuzhiyun { 239*4882a593Smuzhiyun- bytebuff1 = (buff2 >> 56); 240*4882a593Smuzhiyun+ bytebuff1 = (uint8_t)(buff2 >> 56); 241*4882a593Smuzhiyun *dst++ = bytebuff1; 242*4882a593Smuzhiyun- bytebuff2 = (buff2 >> 48); 243*4882a593Smuzhiyun+ bytebuff2 = (uint8_t)(buff2 >> 48); 244*4882a593Smuzhiyun *dst++ = bytebuff2; 245*4882a593Smuzhiyun- bytebuff3 = (buff2 >> 40); 246*4882a593Smuzhiyun+ bytebuff3 = (uint8_t)(buff2 >> 40); 247*4882a593Smuzhiyun *dst++ = bytebuff3; 248*4882a593Smuzhiyun- bytebuff4 = (buff2 >> 32); 249*4882a593Smuzhiyun+ bytebuff4 = (uint8_t)(buff2 >> 32); 250*4882a593Smuzhiyun *dst++ = bytebuff4; 251*4882a593Smuzhiyun ready_bits -= 32; 252*4882a593Smuzhiyun 253*4882a593Smuzhiyun@@ -4354,10 +4370,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 254*4882a593Smuzhiyun "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", 255*4882a593Smuzhiyun row + 1, col + 1, src_byte, src_bit, dst - out); 256*4882a593Smuzhiyun 257*4882a593Smuzhiyun- dump_long (dumpfile, format, "Match bits ", matchbits); 258*4882a593Smuzhiyun+ dump_wide (dumpfile, format, "Match bits ", matchbits); 259*4882a593Smuzhiyun dump_data (dumpfile, format, "Src bits ", src, 4); 260*4882a593Smuzhiyun- dump_long (dumpfile, format, "Buff1 bits ", buff1); 261*4882a593Smuzhiyun- dump_long (dumpfile, format, "Buff2 bits ", buff2); 262*4882a593Smuzhiyun+ dump_wide (dumpfile, format, "Buff1 bits ", buff1); 263*4882a593Smuzhiyun+ dump_wide (dumpfile, format, "Buff2 bits ", buff2); 264*4882a593Smuzhiyun dump_byte (dumpfile, format, "Write bits1", bytebuff1); 265*4882a593Smuzhiyun dump_byte (dumpfile, format, "Write bits2", bytebuff2); 266*4882a593Smuzhiyun dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); 267*4882a593Smuzhiyun@@ -4830,13 +4846,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 268*4882a593Smuzhiyun /* If we have a full buffer's worth, write it out */ 269*4882a593Smuzhiyun if (ready_bits >= 32) 270*4882a593Smuzhiyun { 271*4882a593Smuzhiyun- bytebuff1 = (buff2 >> 56); 272*4882a593Smuzhiyun+ bytebuff1 = (uint8_t)(buff2 >> 56); 273*4882a593Smuzhiyun *dst++ = bytebuff1; 274*4882a593Smuzhiyun- bytebuff2 = (buff2 >> 48); 275*4882a593Smuzhiyun+ bytebuff2 = (uint8_t)(buff2 >> 48); 276*4882a593Smuzhiyun *dst++ = bytebuff2; 277*4882a593Smuzhiyun- bytebuff3 = (buff2 >> 40); 278*4882a593Smuzhiyun+ bytebuff3 = (uint8_t)(buff2 >> 40); 279*4882a593Smuzhiyun *dst++ = bytebuff3; 280*4882a593Smuzhiyun- bytebuff4 = (buff2 >> 32); 281*4882a593Smuzhiyun+ bytebuff4 = (uint8_t)(buff2 >> 32); 282*4882a593Smuzhiyun *dst++ = bytebuff4; 283*4882a593Smuzhiyun ready_bits -= 32; 284*4882a593Smuzhiyun 285*4882a593Smuzhiyun@@ -4879,10 +4895,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 286*4882a593Smuzhiyun "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", 287*4882a593Smuzhiyun row + 1, col + 1, src_byte, src_bit, dst - out); 288*4882a593Smuzhiyun 289*4882a593Smuzhiyun- dump_long (dumpfile, format, "Match bits ", matchbits); 290*4882a593Smuzhiyun+ dump_wide (dumpfile, format, "Match bits ", matchbits); 291*4882a593Smuzhiyun dump_data (dumpfile, format, "Src bits ", src, 4); 292*4882a593Smuzhiyun- dump_long (dumpfile, format, "Buff1 bits ", buff1); 293*4882a593Smuzhiyun- dump_long (dumpfile, format, "Buff2 bits ", buff2); 294*4882a593Smuzhiyun+ dump_wide (dumpfile, format, "Buff1 bits ", buff1); 295*4882a593Smuzhiyun+ dump_wide (dumpfile, format, "Buff2 bits ", buff2); 296*4882a593Smuzhiyun dump_byte (dumpfile, format, "Write bits1", bytebuff1); 297*4882a593Smuzhiyun dump_byte (dumpfile, format, "Write bits2", bytebuff2); 298*4882a593Smuzhiyun dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); 299*4882a593Smuzhiyun@@ -4905,7 +4921,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt 300*4882a593Smuzhiyun { 301*4882a593Smuzhiyun int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; 302*4882a593Smuzhiyun uint32_t j; 303*4882a593Smuzhiyun- int32_t bytes_read = 0; 304*4882a593Smuzhiyun+ tmsize_t bytes_read = 0; 305*4882a593Smuzhiyun uint16_t bps = 0, planar; 306*4882a593Smuzhiyun uint32_t nstrips; 307*4882a593Smuzhiyun uint32_t strips_per_sample; 308*4882a593Smuzhiyun@@ -4971,7 +4987,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt 309*4882a593Smuzhiyun for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 310*4882a593Smuzhiyun { 311*4882a593Smuzhiyun srcbuffs[s] = NULL; 312*4882a593Smuzhiyun- buff = limitMalloc(stripsize + 3); 313*4882a593Smuzhiyun+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); 314*4882a593Smuzhiyun if (!buff) 315*4882a593Smuzhiyun { 316*4882a593Smuzhiyun TIFFError ("readSeparateStripsIntoBuffer", 317*4882a593Smuzhiyun@@ -4994,7 +5010,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt 318*4882a593Smuzhiyun buff = srcbuffs[s]; 319*4882a593Smuzhiyun strip = (s * strips_per_sample) + j; 320*4882a593Smuzhiyun bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); 321*4882a593Smuzhiyun- rows_this_strip = bytes_read / src_rowsize; 322*4882a593Smuzhiyun+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); 323*4882a593Smuzhiyun if (bytes_read < 0 && !ignore) 324*4882a593Smuzhiyun { 325*4882a593Smuzhiyun TIFFError(TIFFFileName(in), 326*4882a593Smuzhiyun@@ -6047,13 +6063,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 327*4882a593Smuzhiyun uint16_t input_compression = 0, input_photometric = 0; 328*4882a593Smuzhiyun uint16_t subsampling_horiz, subsampling_vert; 329*4882a593Smuzhiyun uint32_t width = 0, length = 0; 330*4882a593Smuzhiyun- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; 331*4882a593Smuzhiyun+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0; 332*4882a593Smuzhiyun+ tmsize_t scanlinesize = 0; 333*4882a593Smuzhiyun uint32_t tw = 0, tl = 0; /* Tile width and length */ 334*4882a593Smuzhiyun- uint32_t tile_rowsize = 0; 335*4882a593Smuzhiyun+ tmsize_t tile_rowsize = 0; 336*4882a593Smuzhiyun unsigned char *read_buff = NULL; 337*4882a593Smuzhiyun unsigned char *new_buff = NULL; 338*4882a593Smuzhiyun int readunit = 0; 339*4882a593Smuzhiyun- static uint32_t prev_readsize = 0; 340*4882a593Smuzhiyun+ static tmsize_t prev_readsize = 0; 341*4882a593Smuzhiyun 342*4882a593Smuzhiyun TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); 343*4882a593Smuzhiyun TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); 344*4882a593Smuzhiyun@@ -6355,7 +6372,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 345*4882a593Smuzhiyun TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); 346*4882a593Smuzhiyun return (-1); 347*4882a593Smuzhiyun } 348*4882a593Smuzhiyun- read_buff = (unsigned char *)limitMalloc(buffsize+3); 349*4882a593Smuzhiyun+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); 350*4882a593Smuzhiyun } 351*4882a593Smuzhiyun else 352*4882a593Smuzhiyun { 353*4882a593Smuzhiyun@@ -6366,11 +6383,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 354*4882a593Smuzhiyun TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); 355*4882a593Smuzhiyun return (-1); 356*4882a593Smuzhiyun } 357*4882a593Smuzhiyun- new_buff = _TIFFrealloc(read_buff, buffsize+3); 358*4882a593Smuzhiyun+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); 359*4882a593Smuzhiyun if (!new_buff) 360*4882a593Smuzhiyun { 361*4882a593Smuzhiyun free (read_buff); 362*4882a593Smuzhiyun- read_buff = (unsigned char *)limitMalloc(buffsize+3); 363*4882a593Smuzhiyun+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); 364*4882a593Smuzhiyun } 365*4882a593Smuzhiyun else 366*4882a593Smuzhiyun read_buff = new_buff; 367*4882a593Smuzhiyun@@ -6443,8 +6460,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 368*4882a593Smuzhiyun dump_info (dump->infile, dump->format, "", 369*4882a593Smuzhiyun "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); 370*4882a593Smuzhiyun 371*4882a593Smuzhiyun+ if (scanlinesize > 0x0ffffffffULL) { 372*4882a593Smuzhiyun+ dump_info(dump->infile, dump->format, "loadImage", 373*4882a593Smuzhiyun+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", 374*4882a593Smuzhiyun+ scanlinesize); 375*4882a593Smuzhiyun+ } 376*4882a593Smuzhiyun for (i = 0; i < length; i++) 377*4882a593Smuzhiyun- dump_buffer(dump->infile, dump->format, 1, scanlinesize, 378*4882a593Smuzhiyun+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, 379*4882a593Smuzhiyun i, read_buff + (i * scanlinesize)); 380*4882a593Smuzhiyun } 381*4882a593Smuzhiyun return (0); 382*4882a593Smuzhiyun@@ -7464,13 +7486,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, 383*4882a593Smuzhiyun if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { 384*4882a593Smuzhiyun TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); 385*4882a593Smuzhiyun if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { 386*4882a593Smuzhiyun- int inknameslen = strlen(inknames) + 1; 387*4882a593Smuzhiyun+ int inknameslen = (int)strlen(inknames) + 1; 388*4882a593Smuzhiyun const char* cp = inknames; 389*4882a593Smuzhiyun while (ninks > 1) { 390*4882a593Smuzhiyun cp = strchr(cp, '\0'); 391*4882a593Smuzhiyun if (cp) { 392*4882a593Smuzhiyun cp++; 393*4882a593Smuzhiyun- inknameslen += (strlen(cp) + 1); 394*4882a593Smuzhiyun+ inknameslen += ((int)strlen(cp) + 1); 395*4882a593Smuzhiyun } 396*4882a593Smuzhiyun ninks--; 397*4882a593Smuzhiyun } 398*4882a593Smuzhiyun@@ -7533,23 +7555,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) 399*4882a593Smuzhiyun 400*4882a593Smuzhiyun if (!sect_buff) 401*4882a593Smuzhiyun { 402*4882a593Smuzhiyun- sect_buff = (unsigned char *)limitMalloc(sectsize); 403*4882a593Smuzhiyun+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); 404*4882a593Smuzhiyun if (!sect_buff) 405*4882a593Smuzhiyun { 406*4882a593Smuzhiyun TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); 407*4882a593Smuzhiyun return (-1); 408*4882a593Smuzhiyun } 409*4882a593Smuzhiyun- _TIFFmemset(sect_buff, 0, sectsize); 410*4882a593Smuzhiyun+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); 411*4882a593Smuzhiyun } 412*4882a593Smuzhiyun else 413*4882a593Smuzhiyun { 414*4882a593Smuzhiyun if (prev_sectsize < sectsize) 415*4882a593Smuzhiyun { 416*4882a593Smuzhiyun- new_buff = _TIFFrealloc(sect_buff, sectsize); 417*4882a593Smuzhiyun+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); 418*4882a593Smuzhiyun if (!new_buff) 419*4882a593Smuzhiyun { 420*4882a593Smuzhiyun _TIFFfree (sect_buff); 421*4882a593Smuzhiyun- sect_buff = (unsigned char *)limitMalloc(sectsize); 422*4882a593Smuzhiyun+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); 423*4882a593Smuzhiyun } 424*4882a593Smuzhiyun else 425*4882a593Smuzhiyun sect_buff = new_buff; 426*4882a593Smuzhiyun@@ -7559,7 +7581,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) 427*4882a593Smuzhiyun TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); 428*4882a593Smuzhiyun return (-1); 429*4882a593Smuzhiyun } 430*4882a593Smuzhiyun- _TIFFmemset(sect_buff, 0, sectsize); 431*4882a593Smuzhiyun+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); 432*4882a593Smuzhiyun } 433*4882a593Smuzhiyun } 434*4882a593Smuzhiyun 435*4882a593Smuzhiyun@@ -7590,17 +7612,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 436*4882a593Smuzhiyun cropsize = crop->bufftotal; 437*4882a593Smuzhiyun crop_buff = seg_buffs[0].buffer; 438*4882a593Smuzhiyun if (!crop_buff) 439*4882a593Smuzhiyun- crop_buff = (unsigned char *)limitMalloc(cropsize); 440*4882a593Smuzhiyun+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 441*4882a593Smuzhiyun else 442*4882a593Smuzhiyun { 443*4882a593Smuzhiyun prev_cropsize = seg_buffs[0].size; 444*4882a593Smuzhiyun if (prev_cropsize < cropsize) 445*4882a593Smuzhiyun { 446*4882a593Smuzhiyun- next_buff = _TIFFrealloc(crop_buff, cropsize); 447*4882a593Smuzhiyun+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); 448*4882a593Smuzhiyun if (! next_buff) 449*4882a593Smuzhiyun { 450*4882a593Smuzhiyun _TIFFfree (crop_buff); 451*4882a593Smuzhiyun- crop_buff = (unsigned char *)limitMalloc(cropsize); 452*4882a593Smuzhiyun+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 453*4882a593Smuzhiyun } 454*4882a593Smuzhiyun else 455*4882a593Smuzhiyun crop_buff = next_buff; 456*4882a593Smuzhiyun@@ -7613,7 +7635,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 457*4882a593Smuzhiyun return (-1); 458*4882a593Smuzhiyun } 459*4882a593Smuzhiyun 460*4882a593Smuzhiyun- _TIFFmemset(crop_buff, 0, cropsize); 461*4882a593Smuzhiyun+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 462*4882a593Smuzhiyun seg_buffs[0].buffer = crop_buff; 463*4882a593Smuzhiyun seg_buffs[0].size = cropsize; 464*4882a593Smuzhiyun 465*4882a593Smuzhiyun@@ -7693,17 +7715,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 466*4882a593Smuzhiyun cropsize = crop->bufftotal; 467*4882a593Smuzhiyun crop_buff = seg_buffs[i].buffer; 468*4882a593Smuzhiyun if (!crop_buff) 469*4882a593Smuzhiyun- crop_buff = (unsigned char *)limitMalloc(cropsize); 470*4882a593Smuzhiyun+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 471*4882a593Smuzhiyun else 472*4882a593Smuzhiyun { 473*4882a593Smuzhiyun prev_cropsize = seg_buffs[0].size; 474*4882a593Smuzhiyun if (prev_cropsize < cropsize) 475*4882a593Smuzhiyun { 476*4882a593Smuzhiyun- next_buff = _TIFFrealloc(crop_buff, cropsize); 477*4882a593Smuzhiyun+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); 478*4882a593Smuzhiyun if (! next_buff) 479*4882a593Smuzhiyun { 480*4882a593Smuzhiyun _TIFFfree (crop_buff); 481*4882a593Smuzhiyun- crop_buff = (unsigned char *)limitMalloc(cropsize); 482*4882a593Smuzhiyun+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 483*4882a593Smuzhiyun } 484*4882a593Smuzhiyun else 485*4882a593Smuzhiyun crop_buff = next_buff; 486*4882a593Smuzhiyun@@ -7716,7 +7738,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 487*4882a593Smuzhiyun return (-1); 488*4882a593Smuzhiyun } 489*4882a593Smuzhiyun 490*4882a593Smuzhiyun- _TIFFmemset(crop_buff, 0, cropsize); 491*4882a593Smuzhiyun+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 492*4882a593Smuzhiyun seg_buffs[i].buffer = crop_buff; 493*4882a593Smuzhiyun seg_buffs[i].size = cropsize; 494*4882a593Smuzhiyun 495*4882a593Smuzhiyun@@ -7832,24 +7854,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, 496*4882a593Smuzhiyun crop_buff = *crop_buff_ptr; 497*4882a593Smuzhiyun if (!crop_buff) 498*4882a593Smuzhiyun { 499*4882a593Smuzhiyun- crop_buff = (unsigned char *)limitMalloc(cropsize); 500*4882a593Smuzhiyun+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 501*4882a593Smuzhiyun if (!crop_buff) 502*4882a593Smuzhiyun { 503*4882a593Smuzhiyun TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); 504*4882a593Smuzhiyun return (-1); 505*4882a593Smuzhiyun } 506*4882a593Smuzhiyun- _TIFFmemset(crop_buff, 0, cropsize); 507*4882a593Smuzhiyun+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 508*4882a593Smuzhiyun prev_cropsize = cropsize; 509*4882a593Smuzhiyun } 510*4882a593Smuzhiyun else 511*4882a593Smuzhiyun { 512*4882a593Smuzhiyun if (prev_cropsize < cropsize) 513*4882a593Smuzhiyun { 514*4882a593Smuzhiyun- new_buff = _TIFFrealloc(crop_buff, cropsize); 515*4882a593Smuzhiyun+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); 516*4882a593Smuzhiyun if (!new_buff) 517*4882a593Smuzhiyun { 518*4882a593Smuzhiyun free (crop_buff); 519*4882a593Smuzhiyun- crop_buff = (unsigned char *)limitMalloc(cropsize); 520*4882a593Smuzhiyun+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 521*4882a593Smuzhiyun } 522*4882a593Smuzhiyun else 523*4882a593Smuzhiyun crop_buff = new_buff; 524*4882a593Smuzhiyun@@ -7858,7 +7880,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, 525*4882a593Smuzhiyun TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); 526*4882a593Smuzhiyun return (-1); 527*4882a593Smuzhiyun } 528*4882a593Smuzhiyun- _TIFFmemset(crop_buff, 0, cropsize); 529*4882a593Smuzhiyun+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 530*4882a593Smuzhiyun } 531*4882a593Smuzhiyun } 532*4882a593Smuzhiyun 533*4882a593Smuzhiyun@@ -8156,13 +8178,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, 534*4882a593Smuzhiyun if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { 535*4882a593Smuzhiyun TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); 536*4882a593Smuzhiyun if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { 537*4882a593Smuzhiyun- int inknameslen = strlen(inknames) + 1; 538*4882a593Smuzhiyun+ int inknameslen = (int)strlen(inknames) + 1; 539*4882a593Smuzhiyun const char* cp = inknames; 540*4882a593Smuzhiyun while (ninks > 1) { 541*4882a593Smuzhiyun cp = strchr(cp, '\0'); 542*4882a593Smuzhiyun if (cp) { 543*4882a593Smuzhiyun cp++; 544*4882a593Smuzhiyun- inknameslen += (strlen(cp) + 1); 545*4882a593Smuzhiyun+ inknameslen += ((int)strlen(cp) + 1); 546*4882a593Smuzhiyun } 547*4882a593Smuzhiyun ninks--; 548*4882a593Smuzhiyun } 549*4882a593Smuzhiyun@@ -8547,13 +8569,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ 550*4882a593Smuzhiyun } 551*4882a593Smuzhiyun else /* If we have a full buffer's worth, write it out */ 552*4882a593Smuzhiyun { 553*4882a593Smuzhiyun- bytebuff1 = (buff2 >> 56); 554*4882a593Smuzhiyun+ bytebuff1 = (uint8_t)(buff2 >> 56); 555*4882a593Smuzhiyun *dst++ = bytebuff1; 556*4882a593Smuzhiyun- bytebuff2 = (buff2 >> 48); 557*4882a593Smuzhiyun+ bytebuff2 = (uint8_t)(buff2 >> 48); 558*4882a593Smuzhiyun *dst++ = bytebuff2; 559*4882a593Smuzhiyun- bytebuff3 = (buff2 >> 40); 560*4882a593Smuzhiyun+ bytebuff3 = (uint8_t)(buff2 >> 40); 561*4882a593Smuzhiyun *dst++ = bytebuff3; 562*4882a593Smuzhiyun- bytebuff4 = (buff2 >> 32); 563*4882a593Smuzhiyun+ bytebuff4 = (uint8_t)(buff2 >> 32); 564*4882a593Smuzhiyun *dst++ = bytebuff4; 565*4882a593Smuzhiyun ready_bits -= 32; 566*4882a593Smuzhiyun 567*4882a593Smuzhiyun@@ -8622,12 +8644,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, 568*4882a593Smuzhiyun return (-1); 569*4882a593Smuzhiyun } 570*4882a593Smuzhiyun 571*4882a593Smuzhiyun- if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) 572*4882a593Smuzhiyun+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ 573*4882a593Smuzhiyun+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) 574*4882a593Smuzhiyun { 575*4882a593Smuzhiyun- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); 576*4882a593Smuzhiyun+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); 577*4882a593Smuzhiyun return (-1); 578*4882a593Smuzhiyun } 579*4882a593Smuzhiyun- _TIFFmemset(rbuff, '\0', buffsize); 580*4882a593Smuzhiyun+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); 581*4882a593Smuzhiyun 582*4882a593Smuzhiyun ibuff = *ibuff_ptr; 583*4882a593Smuzhiyun switch (rotation) 584*4882a593Smuzhiyun@@ -9155,13 +9178,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, 585*4882a593Smuzhiyun } 586*4882a593Smuzhiyun else /* If we have a full buffer's worth, write it out */ 587*4882a593Smuzhiyun { 588*4882a593Smuzhiyun- bytebuff1 = (buff2 >> 56); 589*4882a593Smuzhiyun+ bytebuff1 = (uint8_t)(buff2 >> 56); 590*4882a593Smuzhiyun *dst++ = bytebuff1; 591*4882a593Smuzhiyun- bytebuff2 = (buff2 >> 48); 592*4882a593Smuzhiyun+ bytebuff2 = (uint8_t)(buff2 >> 48); 593*4882a593Smuzhiyun *dst++ = bytebuff2; 594*4882a593Smuzhiyun- bytebuff3 = (buff2 >> 40); 595*4882a593Smuzhiyun+ bytebuff3 = (uint8_t)(buff2 >> 40); 596*4882a593Smuzhiyun *dst++ = bytebuff3; 597*4882a593Smuzhiyun- bytebuff4 = (buff2 >> 32); 598*4882a593Smuzhiyun+ bytebuff4 = (uint8_t)(buff2 >> 32); 599*4882a593Smuzhiyun *dst++ = bytebuff4; 600*4882a593Smuzhiyun ready_bits -= 32; 601*4882a593Smuzhiyun 602*4882a593Smuzhiyun@@ -9252,12 +9275,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ 603*4882a593Smuzhiyun { 604*4882a593Smuzhiyun case MIRROR_BOTH: 605*4882a593Smuzhiyun case MIRROR_VERT: 606*4882a593Smuzhiyun- line_buff = (unsigned char *)limitMalloc(rowsize); 607*4882a593Smuzhiyun+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); 608*4882a593Smuzhiyun if (line_buff == NULL) 609*4882a593Smuzhiyun { 610*4882a593Smuzhiyun- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); 611*4882a593Smuzhiyun+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); 612*4882a593Smuzhiyun return (-1); 613*4882a593Smuzhiyun } 614*4882a593Smuzhiyun+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); 615*4882a593Smuzhiyun 616*4882a593Smuzhiyun dst = ibuff + (rowsize * (length - 1)); 617*4882a593Smuzhiyun for (row = 0; row < length / 2; row++) 618*4882a593Smuzhiyun@@ -9289,11 +9313,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ 619*4882a593Smuzhiyun } 620*4882a593Smuzhiyun else 621*4882a593Smuzhiyun { /* non 8 bit per sample data */ 622*4882a593Smuzhiyun- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) 623*4882a593Smuzhiyun+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) 624*4882a593Smuzhiyun { 625*4882a593Smuzhiyun TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); 626*4882a593Smuzhiyun return (-1); 627*4882a593Smuzhiyun } 628*4882a593Smuzhiyun+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); 629*4882a593Smuzhiyun bytes_per_sample = (bps + 7) / 8; 630*4882a593Smuzhiyun bytes_per_pixel = ((bps * spp) + 7) / 8; 631*4882a593Smuzhiyun if (bytes_per_pixel < (bytes_per_sample + 1)) 632*4882a593Smuzhiyun@@ -9305,7 +9330,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ 633*4882a593Smuzhiyun { 634*4882a593Smuzhiyun row_offset = row * rowsize; 635*4882a593Smuzhiyun src = ibuff + row_offset; 636*4882a593Smuzhiyun- _TIFFmemset (line_buff, '\0', rowsize); 637*4882a593Smuzhiyun+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); 638*4882a593Smuzhiyun switch (shift_width) 639*4882a593Smuzhiyun { 640*4882a593Smuzhiyun case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) 641