1From 1e000b3484808f1ee7a68bd276220d1cd82dec73 Mon Sep 17 00:00:00 2001 2From: Su Laus <sulau@freenet.de> 3Date: Thu, 13 Oct 2022 14:33:27 +0000 4Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, 5 #381, #386, #388, #389, #435) 6 7CVE: CVE-2022-3570 CVE-2022-3598 8Upstream-Status: Backport 9Signed-off-by: Ross Burton <ross.burton@arm.com> 10--- 11 tools/tiffcrop.c | 203 ++++++++++++++++++++++++++--------------------- 12 1 file changed, 114 insertions(+), 89 deletions(-) 13 14diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 15index f96c7d60..adf0f849 100644 16--- a/tools/tiffcrop.c 17+++ b/tools/tiffcrop.c 18@@ -210,6 +210,10 @@ static char tiffcrop_rev_date[] = "02-09-2022"; 19 20 #define TIFF_DIR_MAX 65534 21 22+/* Some conversion subroutines require image buffers, which are at least 3 bytes 23+ * larger than the necessary size for the image itself. */ 24+#define NUM_BUFF_OVERSIZE_BYTES 3 25+ 26 /* Offsets into buffer for margins and fixed width and length segments */ 27 struct offset { 28 uint32_t tmargin; 29@@ -231,7 +235,7 @@ struct offset { 30 */ 31 32 struct buffinfo { 33- uint32_t size; /* size of this buffer */ 34+ size_t size; /* size of this buffer */ 35 unsigned char *buffer; /* address of the allocated buffer */ 36 }; 37 38@@ -805,8 +809,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, 39 uint32_t dst_rowsize, shift_width; 40 uint32_t bytes_per_sample, bytes_per_pixel; 41 uint32_t trailing_bits, prev_trailing_bits; 42- uint32_t tile_rowsize = TIFFTileRowSize(in); 43- uint32_t src_offset, dst_offset; 44+ tmsize_t tile_rowsize = TIFFTileRowSize(in); 45+ tmsize_t src_offset, dst_offset; 46 uint32_t row_offset, col_offset; 47 uint8_t *bufp = (uint8_t*) buf; 48 unsigned char *src = NULL; 49@@ -856,7 +860,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, 50 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); 51 exit(EXIT_FAILURE); 52 } 53- tilebuf = limitMalloc(tile_buffsize + 3); 54+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); 55 if (tilebuf == 0) 56 return 0; 57 tilebuf[tile_buffsize] = 0; 58@@ -1019,7 +1023,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, 59 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) 60 { 61 srcbuffs[sample] = NULL; 62- tbuff = (unsigned char *)limitMalloc(tilesize + 8); 63+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); 64 if (!tbuff) 65 { 66 TIFFError ("readSeparateTilesIntoBuffer", 67@@ -1213,7 +1217,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, 68 } 69 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); 70 71- obuf = limitMalloc (rowstripsize); 72+ /* Add 3 padding bytes for extractContigSamples32bits */ 73+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); 74 if (obuf == NULL) 75 return 1; 76 77@@ -1226,7 +1231,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, 78 stripsize = TIFFVStripSize(out, nrows); 79 src = buf + (row * rowsize); 80 total_bytes += stripsize; 81- memset (obuf, '\0', rowstripsize); 82+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); 83 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) 84 { 85 _TIFFfree(obuf); 86@@ -1234,10 +1239,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, 87 } 88 if ((dump->outfile != NULL) && (dump->level == 1)) 89 { 90- dump_info(dump->outfile, dump->format,"", 91+ if (scanlinesize > 0x0ffffffffULL) { 92+ dump_info(dump->infile, dump->format, "loadImage", 93+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", 94+ scanlinesize); 95+ } 96+ dump_info(dump->outfile, dump->format,"", 97 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", 98- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); 99- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); 100+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); 101+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); 102 } 103 104 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) 105@@ -1264,7 +1274,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng 106 uint32_t tl, tw; 107 uint32_t row, col, nrow, ncol; 108 uint32_t src_rowsize, col_offset; 109- uint32_t tile_rowsize = TIFFTileRowSize(out); 110+ tmsize_t tile_rowsize = TIFFTileRowSize(out); 111 uint8_t* bufp = (uint8_t*) buf; 112 tsize_t tile_buffsize = 0; 113 tsize_t tilesize = TIFFTileSize(out); 114@@ -1307,9 +1317,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng 115 } 116 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; 117 118- tilebuf = limitMalloc(tile_buffsize); 119+ /* Add 3 padding bytes for extractContigSamples32bits */ 120+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); 121 if (tilebuf == 0) 122 return 1; 123+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); 124 for (row = 0; row < imagelength; row += tl) 125 { 126 nrow = (row + tl > imagelength) ? imagelength - row : tl; 127@@ -1355,7 +1367,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele 128 uint32_t imagewidth, tsample_t spp, 129 struct dump_opts * dump) 130 { 131- tdata_t obuf = limitMalloc(TIFFTileSize(out)); 132+ /* Add 3 padding bytes for extractContigSamples32bits */ 133+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); 134 uint32_t tl, tw; 135 uint32_t row, col, nrow, ncol; 136 uint32_t src_rowsize, col_offset; 137@@ -1365,6 +1378,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele 138 139 if (obuf == NULL) 140 return 1; 141+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); 142 143 if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || 144 !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || 145@@ -1790,14 +1804,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 146 147 *opt_offset = '\0'; 148 /* convert option to lowercase */ 149- end = strlen (opt_ptr); 150+ end = (unsigned int)strlen (opt_ptr); 151 for (i = 0; i < end; i++) 152 *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); 153 /* Look for dump format specification */ 154 if (strncmp(opt_ptr, "for", 3) == 0) 155 { 156 /* convert value to lowercase */ 157- end = strlen (opt_offset + 1); 158+ end = (unsigned int)strlen (opt_offset + 1); 159 for (i = 1; i <= end; i++) 160 *(opt_offset + i) = tolower((int) *(opt_offset + i)); 161 /* check dump format value */ 162@@ -2270,6 +2284,8 @@ main(int argc, char* argv[]) 163 size_t length; 164 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ 165 166+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3); 167+ 168 little_endian = *((unsigned char *)&little_endian) & '1'; 169 170 initImageData(&image); 171@@ -3222,13 +3238,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, 172 /* If we have a full buffer's worth, write it out */ 173 if (ready_bits >= 32) 174 { 175- bytebuff1 = (buff2 >> 56); 176+ bytebuff1 = (uint8_t)(buff2 >> 56); 177 *dst++ = bytebuff1; 178- bytebuff2 = (buff2 >> 48); 179+ bytebuff2 = (uint8_t)(buff2 >> 48); 180 *dst++ = bytebuff2; 181- bytebuff3 = (buff2 >> 40); 182+ bytebuff3 = (uint8_t)(buff2 >> 40); 183 *dst++ = bytebuff3; 184- bytebuff4 = (buff2 >> 32); 185+ bytebuff4 = (uint8_t)(buff2 >> 32); 186 *dst++ = bytebuff4; 187 ready_bits -= 32; 188 189@@ -3637,13 +3653,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, 190 } 191 else /* If we have a full buffer's worth, write it out */ 192 { 193- bytebuff1 = (buff2 >> 56); 194+ bytebuff1 = (uint8_t)(buff2 >> 56); 195 *dst++ = bytebuff1; 196- bytebuff2 = (buff2 >> 48); 197+ bytebuff2 = (uint8_t)(buff2 >> 48); 198 *dst++ = bytebuff2; 199- bytebuff3 = (buff2 >> 40); 200+ bytebuff3 = (uint8_t)(buff2 >> 40); 201 *dst++ = bytebuff3; 202- bytebuff4 = (buff2 >> 32); 203+ bytebuff4 = (uint8_t)(buff2 >> 32); 204 *dst++ = bytebuff4; 205 ready_bits -= 32; 206 207@@ -3820,10 +3836,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 208 static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) 209 { 210 uint8_t* bufp = buf; 211- int32_t bytes_read = 0; 212+ tmsize_t bytes_read = 0; 213 uint32_t strip, nstrips = TIFFNumberOfStrips(in); 214- uint32_t stripsize = TIFFStripSize(in); 215- uint32_t rows = 0; 216+ tmsize_t stripsize = TIFFStripSize(in); 217+ tmsize_t rows = 0; 218 uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); 219 tsize_t scanline_size = TIFFScanlineSize(in); 220 221@@ -3836,11 +3852,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) 222 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); 223 rows = bytes_read / scanline_size; 224 if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) 225- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, 226+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, 227 strip + 1, bytes_read, stripsize); 228 229 if (bytes_read < 0 && !ignore) { 230- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", 231+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", 232 strip, rows); 233 return 0; 234 } 235@@ -4305,13 +4321,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 236 /* If we have a full buffer's worth, write it out */ 237 if (ready_bits >= 32) 238 { 239- bytebuff1 = (buff2 >> 56); 240+ bytebuff1 = (uint8_t)(buff2 >> 56); 241 *dst++ = bytebuff1; 242- bytebuff2 = (buff2 >> 48); 243+ bytebuff2 = (uint8_t)(buff2 >> 48); 244 *dst++ = bytebuff2; 245- bytebuff3 = (buff2 >> 40); 246+ bytebuff3 = (uint8_t)(buff2 >> 40); 247 *dst++ = bytebuff3; 248- bytebuff4 = (buff2 >> 32); 249+ bytebuff4 = (uint8_t)(buff2 >> 32); 250 *dst++ = bytebuff4; 251 ready_bits -= 32; 252 253@@ -4354,10 +4370,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 254 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", 255 row + 1, col + 1, src_byte, src_bit, dst - out); 256 257- dump_long (dumpfile, format, "Match bits ", matchbits); 258+ dump_wide (dumpfile, format, "Match bits ", matchbits); 259 dump_data (dumpfile, format, "Src bits ", src, 4); 260- dump_long (dumpfile, format, "Buff1 bits ", buff1); 261- dump_long (dumpfile, format, "Buff2 bits ", buff2); 262+ dump_wide (dumpfile, format, "Buff1 bits ", buff1); 263+ dump_wide (dumpfile, format, "Buff2 bits ", buff2); 264 dump_byte (dumpfile, format, "Write bits1", bytebuff1); 265 dump_byte (dumpfile, format, "Write bits2", bytebuff2); 266 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); 267@@ -4830,13 +4846,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 268 /* If we have a full buffer's worth, write it out */ 269 if (ready_bits >= 32) 270 { 271- bytebuff1 = (buff2 >> 56); 272+ bytebuff1 = (uint8_t)(buff2 >> 56); 273 *dst++ = bytebuff1; 274- bytebuff2 = (buff2 >> 48); 275+ bytebuff2 = (uint8_t)(buff2 >> 48); 276 *dst++ = bytebuff2; 277- bytebuff3 = (buff2 >> 40); 278+ bytebuff3 = (uint8_t)(buff2 >> 40); 279 *dst++ = bytebuff3; 280- bytebuff4 = (buff2 >> 32); 281+ bytebuff4 = (uint8_t)(buff2 >> 32); 282 *dst++ = bytebuff4; 283 ready_bits -= 32; 284 285@@ -4879,10 +4895,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, 286 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", 287 row + 1, col + 1, src_byte, src_bit, dst - out); 288 289- dump_long (dumpfile, format, "Match bits ", matchbits); 290+ dump_wide (dumpfile, format, "Match bits ", matchbits); 291 dump_data (dumpfile, format, "Src bits ", src, 4); 292- dump_long (dumpfile, format, "Buff1 bits ", buff1); 293- dump_long (dumpfile, format, "Buff2 bits ", buff2); 294+ dump_wide (dumpfile, format, "Buff1 bits ", buff1); 295+ dump_wide (dumpfile, format, "Buff2 bits ", buff2); 296 dump_byte (dumpfile, format, "Write bits1", bytebuff1); 297 dump_byte (dumpfile, format, "Write bits2", bytebuff2); 298 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); 299@@ -4905,7 +4921,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt 300 { 301 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; 302 uint32_t j; 303- int32_t bytes_read = 0; 304+ tmsize_t bytes_read = 0; 305 uint16_t bps = 0, planar; 306 uint32_t nstrips; 307 uint32_t strips_per_sample; 308@@ -4971,7 +4987,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt 309 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 310 { 311 srcbuffs[s] = NULL; 312- buff = limitMalloc(stripsize + 3); 313+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); 314 if (!buff) 315 { 316 TIFFError ("readSeparateStripsIntoBuffer", 317@@ -4994,7 +5010,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt 318 buff = srcbuffs[s]; 319 strip = (s * strips_per_sample) + j; 320 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); 321- rows_this_strip = bytes_read / src_rowsize; 322+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); 323 if (bytes_read < 0 && !ignore) 324 { 325 TIFFError(TIFFFileName(in), 326@@ -6047,13 +6063,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 327 uint16_t input_compression = 0, input_photometric = 0; 328 uint16_t subsampling_horiz, subsampling_vert; 329 uint32_t width = 0, length = 0; 330- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; 331+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0; 332+ tmsize_t scanlinesize = 0; 333 uint32_t tw = 0, tl = 0; /* Tile width and length */ 334- uint32_t tile_rowsize = 0; 335+ tmsize_t tile_rowsize = 0; 336 unsigned char *read_buff = NULL; 337 unsigned char *new_buff = NULL; 338 int readunit = 0; 339- static uint32_t prev_readsize = 0; 340+ static tmsize_t prev_readsize = 0; 341 342 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); 343 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); 344@@ -6355,7 +6372,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 345 TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); 346 return (-1); 347 } 348- read_buff = (unsigned char *)limitMalloc(buffsize+3); 349+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); 350 } 351 else 352 { 353@@ -6366,11 +6383,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 354 TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); 355 return (-1); 356 } 357- new_buff = _TIFFrealloc(read_buff, buffsize+3); 358+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); 359 if (!new_buff) 360 { 361 free (read_buff); 362- read_buff = (unsigned char *)limitMalloc(buffsize+3); 363+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); 364 } 365 else 366 read_buff = new_buff; 367@@ -6443,8 +6460,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c 368 dump_info (dump->infile, dump->format, "", 369 "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); 370 371+ if (scanlinesize > 0x0ffffffffULL) { 372+ dump_info(dump->infile, dump->format, "loadImage", 373+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", 374+ scanlinesize); 375+ } 376 for (i = 0; i < length; i++) 377- dump_buffer(dump->infile, dump->format, 1, scanlinesize, 378+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, 379 i, read_buff + (i * scanlinesize)); 380 } 381 return (0); 382@@ -7464,13 +7486,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, 383 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { 384 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); 385 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { 386- int inknameslen = strlen(inknames) + 1; 387+ int inknameslen = (int)strlen(inknames) + 1; 388 const char* cp = inknames; 389 while (ninks > 1) { 390 cp = strchr(cp, '\0'); 391 if (cp) { 392 cp++; 393- inknameslen += (strlen(cp) + 1); 394+ inknameslen += ((int)strlen(cp) + 1); 395 } 396 ninks--; 397 } 398@@ -7533,23 +7555,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) 399 400 if (!sect_buff) 401 { 402- sect_buff = (unsigned char *)limitMalloc(sectsize); 403+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); 404 if (!sect_buff) 405 { 406 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); 407 return (-1); 408 } 409- _TIFFmemset(sect_buff, 0, sectsize); 410+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); 411 } 412 else 413 { 414 if (prev_sectsize < sectsize) 415 { 416- new_buff = _TIFFrealloc(sect_buff, sectsize); 417+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); 418 if (!new_buff) 419 { 420 _TIFFfree (sect_buff); 421- sect_buff = (unsigned char *)limitMalloc(sectsize); 422+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); 423 } 424 else 425 sect_buff = new_buff; 426@@ -7559,7 +7581,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) 427 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); 428 return (-1); 429 } 430- _TIFFmemset(sect_buff, 0, sectsize); 431+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); 432 } 433 } 434 435@@ -7590,17 +7612,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 436 cropsize = crop->bufftotal; 437 crop_buff = seg_buffs[0].buffer; 438 if (!crop_buff) 439- crop_buff = (unsigned char *)limitMalloc(cropsize); 440+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 441 else 442 { 443 prev_cropsize = seg_buffs[0].size; 444 if (prev_cropsize < cropsize) 445 { 446- next_buff = _TIFFrealloc(crop_buff, cropsize); 447+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); 448 if (! next_buff) 449 { 450 _TIFFfree (crop_buff); 451- crop_buff = (unsigned char *)limitMalloc(cropsize); 452+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 453 } 454 else 455 crop_buff = next_buff; 456@@ -7613,7 +7635,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 457 return (-1); 458 } 459 460- _TIFFmemset(crop_buff, 0, cropsize); 461+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 462 seg_buffs[0].buffer = crop_buff; 463 seg_buffs[0].size = cropsize; 464 465@@ -7693,17 +7715,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 466 cropsize = crop->bufftotal; 467 crop_buff = seg_buffs[i].buffer; 468 if (!crop_buff) 469- crop_buff = (unsigned char *)limitMalloc(cropsize); 470+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 471 else 472 { 473 prev_cropsize = seg_buffs[0].size; 474 if (prev_cropsize < cropsize) 475 { 476- next_buff = _TIFFrealloc(crop_buff, cropsize); 477+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); 478 if (! next_buff) 479 { 480 _TIFFfree (crop_buff); 481- crop_buff = (unsigned char *)limitMalloc(cropsize); 482+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 483 } 484 else 485 crop_buff = next_buff; 486@@ -7716,7 +7738,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, 487 return (-1); 488 } 489 490- _TIFFmemset(crop_buff, 0, cropsize); 491+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 492 seg_buffs[i].buffer = crop_buff; 493 seg_buffs[i].size = cropsize; 494 495@@ -7832,24 +7854,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, 496 crop_buff = *crop_buff_ptr; 497 if (!crop_buff) 498 { 499- crop_buff = (unsigned char *)limitMalloc(cropsize); 500+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 501 if (!crop_buff) 502 { 503 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); 504 return (-1); 505 } 506- _TIFFmemset(crop_buff, 0, cropsize); 507+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 508 prev_cropsize = cropsize; 509 } 510 else 511 { 512 if (prev_cropsize < cropsize) 513 { 514- new_buff = _TIFFrealloc(crop_buff, cropsize); 515+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); 516 if (!new_buff) 517 { 518 free (crop_buff); 519- crop_buff = (unsigned char *)limitMalloc(cropsize); 520+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); 521 } 522 else 523 crop_buff = new_buff; 524@@ -7858,7 +7880,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, 525 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); 526 return (-1); 527 } 528- _TIFFmemset(crop_buff, 0, cropsize); 529+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); 530 } 531 } 532 533@@ -8156,13 +8178,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, 534 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { 535 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); 536 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { 537- int inknameslen = strlen(inknames) + 1; 538+ int inknameslen = (int)strlen(inknames) + 1; 539 const char* cp = inknames; 540 while (ninks > 1) { 541 cp = strchr(cp, '\0'); 542 if (cp) { 543 cp++; 544- inknameslen += (strlen(cp) + 1); 545+ inknameslen += ((int)strlen(cp) + 1); 546 } 547 ninks--; 548 } 549@@ -8547,13 +8569,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ 550 } 551 else /* If we have a full buffer's worth, write it out */ 552 { 553- bytebuff1 = (buff2 >> 56); 554+ bytebuff1 = (uint8_t)(buff2 >> 56); 555 *dst++ = bytebuff1; 556- bytebuff2 = (buff2 >> 48); 557+ bytebuff2 = (uint8_t)(buff2 >> 48); 558 *dst++ = bytebuff2; 559- bytebuff3 = (buff2 >> 40); 560+ bytebuff3 = (uint8_t)(buff2 >> 40); 561 *dst++ = bytebuff3; 562- bytebuff4 = (buff2 >> 32); 563+ bytebuff4 = (uint8_t)(buff2 >> 32); 564 *dst++ = bytebuff4; 565 ready_bits -= 32; 566 567@@ -8622,12 +8644,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, 568 return (-1); 569 } 570 571- if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) 572+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ 573+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) 574 { 575- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); 576+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); 577 return (-1); 578 } 579- _TIFFmemset(rbuff, '\0', buffsize); 580+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); 581 582 ibuff = *ibuff_ptr; 583 switch (rotation) 584@@ -9155,13 +9178,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, 585 } 586 else /* If we have a full buffer's worth, write it out */ 587 { 588- bytebuff1 = (buff2 >> 56); 589+ bytebuff1 = (uint8_t)(buff2 >> 56); 590 *dst++ = bytebuff1; 591- bytebuff2 = (buff2 >> 48); 592+ bytebuff2 = (uint8_t)(buff2 >> 48); 593 *dst++ = bytebuff2; 594- bytebuff3 = (buff2 >> 40); 595+ bytebuff3 = (uint8_t)(buff2 >> 40); 596 *dst++ = bytebuff3; 597- bytebuff4 = (buff2 >> 32); 598+ bytebuff4 = (uint8_t)(buff2 >> 32); 599 *dst++ = bytebuff4; 600 ready_bits -= 32; 601 602@@ -9252,12 +9275,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ 603 { 604 case MIRROR_BOTH: 605 case MIRROR_VERT: 606- line_buff = (unsigned char *)limitMalloc(rowsize); 607+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); 608 if (line_buff == NULL) 609 { 610- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); 611+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); 612 return (-1); 613 } 614+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); 615 616 dst = ibuff + (rowsize * (length - 1)); 617 for (row = 0; row < length / 2; row++) 618@@ -9289,11 +9313,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ 619 } 620 else 621 { /* non 8 bit per sample data */ 622- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) 623+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) 624 { 625 TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); 626 return (-1); 627 } 628+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); 629 bytes_per_sample = (bps + 7) / 8; 630 bytes_per_pixel = ((bps * spp) + 7) / 8; 631 if (bytes_per_pixel < (bytes_per_sample + 1)) 632@@ -9305,7 +9330,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ 633 { 634 row_offset = row * rowsize; 635 src = ibuff + row_offset; 636- _TIFFmemset (line_buff, '\0', rowsize); 637+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); 638 switch (shift_width) 639 { 640 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) 641